- Daily - CERT.at

Tageszusammenfassung - 13.10.2017
by Daily end-of-shift report 13 Oct '17

13 Oct '17

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 12-10-2017 18:00 − Freitag 13-10-2017 18:00 Handler: Olaf Schwarz Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Android DoubleLocker Ransomware Activates Every Time You Hit Home Button ∗∗∗ --------------------------------------------- A new ransomware targeting Android devices has been spotted in the wild. Codenamed DoubleLocker, the ransomware abuses Androids Accessibility service and reactivates itself every time the user presses the phones Home button. --------------------------------------------- https://www.bleepingcomputer.com/news/security/android-doublelocker-ransomw… ∗∗∗ Fehler in WSUS-Update: Windows-Clients booten nicht mehr ∗∗∗ --------------------------------------------- Fehlerhafte Update-Pakete für Windows 10 und Windows Server 2016, die Microsoft am letzten Patchday veröffentlicht hat, legten in den vergangenen Tagen Rechner in Unternehmensnetzwerken lahm. Betroffen waren nur Umgebungen mit WSUS und SCCM. --------------------------------------------- https://www.heise.de/newsticker/meldung/Fehler-in-WSUS-Update-Windows-Clien… ∗∗∗ Bug auf T-Mobile-Website ermöglichte den Abruf vertraulicher Kundendaten ∗∗∗ --------------------------------------------- In der Website t-mobile.com klaffte ein Sicherheitsleck, das die Abfrage von Kundendatensätzen durch potenzielle Angreifer erlaubte. --------------------------------------------- https://heise.de/-3860676 ∗∗∗ Malvertising on Equifax, TransUnion tied to third party script ∗∗∗ --------------------------------------------- Equifaxs website is once again infected, this time with malvertising that redirects to a fake Flash player. Further investigation reveals TransUnion was also targeted. --------------------------------------------- https://blog.malwarebytes.com/threat-analysis/2017/10/equifax-transunion-we… ===================== = Vulnerabilities = ===================== ∗∗∗ Critical Patch Update - October 2017 ∗∗∗ --------------------------------------------- Critical Patch Update - October 2017 - Pre-Release Announcement --------------------------------------------- http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html ∗∗∗ ProMinent MultiFLEX M10a Controller ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-285-01 ∗∗∗ WECON Technology Co., Ltd. LeviStudio HMI Editor ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-285-02 ∗∗∗ Envitech Ltd. EnviDAS Ultimate ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-285-03 ∗∗∗ NXP Semiconductors MQX RTOS ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-285-04 ∗∗∗ Siemens BACnet Field Panels ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-285-05 ∗∗∗ DFN-CERT-2017-1812/">Xen: Mehrere Schwachstelle ermöglichen u.a. das Eskalieren von Privilegien ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1812/ ∗∗∗ IBM Security Bulletin: Vulnerabilities in IBM Java SDK affecting IBM Application Delivery Intelligence v1.0.1, v1.0.1.1, v1.0.2, v5.0.2 and v5.0.2.1. (CVE-2017-10115 and CVE-2017-10116) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22009234 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Installation Manager and IBM Packaging Utility ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22009543 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in Node.js affect IBM Rational Application Developer for WebSphere Software ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22008951 ∗∗∗ IBM Security Bulletin: IBM Notes is affected by Open Source XStream Vulnerabilities ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22004066 ∗∗∗ Java SE vulnerability CVE-2017-10115 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K91024405 ∗∗∗ Java SE vulnerability CVE-2017-10108 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K52342540 ∗∗∗ Vulnerability in windows antivirus products (IK-SA-2017-0001) ∗∗∗ --------------------------------------------- http://www.ikarussecurity.com/about-ikarus/security-blog/vulnerability-in-w… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.10.2017
by Daily end-of-shift report 12 Oct '17

12 Oct '17

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 11-10-2017 18:00 − Donnerstag 12-10-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Over The Air - Vol. 2, Pt. 3: Exploiting The Wi-Fi Stack on Apple Devices ∗∗∗ --------------------------------------------- Posted by Gal Beniamini, Project ZeroIn this blog post we’ll complete our goal of achieving remote kernel code execution on the iPhone 7, by means of Wi-Fi communication alone.After developing a Wi-Fi firmware exploit in the previous blog post, we are left with the task of using our newly acquired access to gain control over the XNU kernel. To this end, we’ll begin by investigating the isolation mechanisms present on the iPhone. Next, we’ll explore the ways in which the host --------------------------------------------- http://googleprojectzero.blogspot.com/2017/10/over-air-vol-2-pt-3-exploitin… ∗∗∗ Kritische Sicherheitslücke in Thunderbird 52.4 geschlossen ∗∗∗ --------------------------------------------- Die Entwickler von Thunderbird haben sich in der aktuellen Version um mehrere Schwachstellen gekümmert. Wer die neue Version nicht installiert, könnte sich unter Umständen Schadcode einfangen. --------------------------------------------- https://heise.de/-3858847 ∗∗∗ Bankingtrojaner Retefe für macOS in deutscher Sprache ∗∗∗ --------------------------------------------- Eine neue Version vom Retefe-Schädling tarnt sich unter anderem als OS-X-Update und wird derzeit etwa über gefälschte DHL-Mails verteilt. Auch Windows-Nutzer sind gefährdet. --------------------------------------------- https://heise.de/-3859911 ∗∗∗ Hacker stahlen sensible Daten der australischen Rüstungsindustrie ∗∗∗ --------------------------------------------- Rüstungsminister Pyne sieht keine Gefahr für das Militär --------------------------------------------- http://derstandard.at/2000065885898 ∗∗∗ Kritische Lücke in Microsoft Office ermöglicht Remote Code Execution ∗∗∗ --------------------------------------------- Researcher haben eine schwerwiegende Sicherheitslücke in Microsoft Office entdeckt. Beschreibung: Wenn ein Benutzer eine speziell präparierte Datei im Microsoft Excel-Format oder Microsoft Word-Format öffnet, kann in Folge ein Angreifer beliebigen Code, mit den Rechten des angemeldeten Benutzers, auf dem System ausführen. --------------------------------------------- http://www.cert.at/warnings/all/20171011.html ===================== = Vulnerabilities = ===================== ∗∗∗ DSA-3997 wordpress - security update ∗∗∗ --------------------------------------------- Several vulnerabilities were discovered in Wordpress, a web blogging tool.They would allow remote attackers to exploit path-traversal issues, perform SQLinjections and various cross-site scripting attacks. --------------------------------------------- https://www.debian.org/security/2017/dsa-3997 ∗∗∗ DSA-3998 nss - security update ∗∗∗ --------------------------------------------- Martin Thomson discovered that nss, the Mozilla Network Security Servicelibrary, is prone to a use-after-free vulnerability in the TLS 1.2implementation when handshake hashes are generated. A remote attackercan take advantage of this flaw to cause an application using the nsslibrary to crash, resulting in a denial of service, or potentially toexecute arbitrary code. --------------------------------------------- https://www.debian.org/security/2017/dsa-3998 ∗∗∗ JSA10809 - 2017-10 Security Bulletin: SRX Series: Cryptographic weakness in SRX300 Series TPM Firmware (CVE-2017-10606) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10809&actp=RSS ∗∗∗ JSA10810 - 2017-10 Security Bulletin: Junos: rpd core due to receipt of specially crafted BGP packet (CVE-2017-10607) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10810&actp=RSS ∗∗∗ JSA10817 - 2017-10 Security Bulletin: Junos OS: Denial of service vulnerabilities in telnetd (CVE-2017-10614, CVE-2017-10621) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10817&actp=RSS ∗∗∗ JSA10819 - 2017-10 Security Bulletin: Contrail: hard coded credentials (CVE-2017-10616) and XML External Entity (XXE) vulnerability (CVE-2017-10617) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10819&actp=RSS ∗∗∗ Java SE vulnerability CVE-2017-10078 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K41815723 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.10.2017
by Daily end-of-shift report 11 Oct '17

11 Oct '17

===================== = End-of-Day report = ===================== Timeframe: Dienstag 10-10-2017 18:00 − Mittwoch 11-10-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Antivirus: Symantec will keine Code-Reviews durch Regierungen mehr ∗∗∗ --------------------------------------------- Aus Angst vor Spionage will die Sicherheitsfirma Symantec nach Angaben ihres CEO keine Regierungen mehr in den eigenen Code schauen lassen. Anlass war offenbar eine Anfrage der russischen Regierung. --------------------------------------------- https://www.golem.de/news/antivirus-symantec-will-keine-code-reviews-durch-… ∗∗∗ Internal Accenture Data, Customer Information Exposed in Public Amazon S3 Bucket ∗∗∗ --------------------------------------------- Global consulting firm Accenture is the latest giant organization leaving sensitive internal and customer data exposed in a publicly available Amazon Web Services S3 storage bucket. --------------------------------------------- http://threatpost.com/internal-accenture-data-customer-information-exposed-… ∗∗∗ October 2017 security update release ∗∗∗ --------------------------------------------- Today, we released security updates to provide additional protections against malicious attackers. By default, Windows 10 receives these updates automatically, and for customers running previous versions, we recommend .. --------------------------------------------- https://blogs.technet.microsoft.com/msrc/2017/10/10/october-2017-security-u… ∗∗∗ Credit Card Stealer Investigation Uncovers Malware Ring ∗∗∗ --------------------------------------------- During a recent investigation, I found a new piece of malicious code being used to steal credit card information from compromised Magento sites. What I didn’t know was how many domains would be uncovered as part of the malware campaign. Each of the malicious domain names was specifically chosen to appear as legitimate as possible to the website .. --------------------------------------------- https://blog.sucuri.net/2017/10/credit-card-stealer-investigation-uncovers-… ∗∗∗ iOS: So einfach lassen sich Passwörter von Apple-Nutzern stehlen ∗∗∗ --------------------------------------------- Softwareentwickler zeigt, wie leicht täuschend echt aussehende Passwort-Anfragen erstellt werden können --------------------------------------------- http://derstandard.at/2000065785641 ∗∗∗ BSI warnt nicht vor Kaspersky-Produkten ∗∗∗ --------------------------------------------- Russische Hacker sollen Virenscanner der russischen Firma genutzt haben --------------------------------------------- http://derstandard.at/2000065833977 ∗∗∗ October 2017 Office Update Release ∗∗∗ --------------------------------------------- The October 2017 Public Update releases for Office are now available! This month, there are 26 security updates and 27 non-security updates. All of the security and non-security updates are listed in .. --------------------------------------------- https://blogs.technet.microsoft.com/office_sustained_engineering/2017/10/10… ===================== = Vulnerabilities = ===================== ∗∗∗ LAVA Computer MFG Inc. Ether-Serial Link ∗∗∗ --------------------------------------------- This advisory contains mitigation details for an authentication bypass by spoofing vulnerability in the LAVA Ether-Serial Links firmware. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-283-01 ∗∗∗ JanTek JTC-200 ∗∗∗ --------------------------------------------- This advisory contains mitigation details for cross-site request forgery and improper authentication vulnerabilities in JanTeks JTC-200 TCP/IP converter. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-283-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.10.2017
by Daily end-of-shift report 10 Oct '17

10 Oct '17

===================== = End-of-Day report = ===================== Timeframe: Montag 09-10-2017 18:00 − Dienstag 10-10-2017 18:00 Handler: Alexander Riepl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ ATMii Malware Makes Windows 7 and Windows Vista ATMs Spit Out Cash ∗∗∗ --------------------------------------------- Security researchers have discovered a new ATM malware strain named ATMii that targets only ATMs running on Windows 7 and Windows Vista. --------------------------------------------- https://www.bleepingcomputer.com/news/security/atmii-malware-makes-windows-… ∗∗∗ Changes in Password Best Practices ∗∗∗ --------------------------------------------- NIST recently published their four-volume SP800-63-3 Digital Identity Guidelines. Among other things, they make three important suggestions when it comes to passwords:Stop it with the annoying password complexity rules. They make passwords harder to remember. They increase errors because artificially complex passwords are harder to type in. And they dont help that much. Its better to allow people to use pass phrases.Stop it with password expiration. That was an old idea for an old way we used [...] --------------------------------------------- https://www.schneier.com/blog/archives/2017/10/changes_in_pass.html ∗∗∗ The Absurdly Underestimated Dangers of CSV Injection ∗∗∗ --------------------------------------------- In some ways this is old news, but in other ways…well, I think few realize how absolutely devastating and omnipresent this vulnerability can be. It is an attack vector available in every application I’ve ever seen that takes user input and allows administrators to bulk export to CSV. --------------------------------------------- http://georgemauer.net/2017/10/07/csv-injection.html ∗∗∗ Financial Times bekämpft Werbebetrug ∗∗∗ --------------------------------------------- Millionenverluste durch Domain-Spoofing: Werbenetzwerke verkauften Videowerbung für Leser der Financial Times, die aber tatsächlich auf anderen Websites ausgespielt wurde. --------------------------------------------- https://www.heise.de/newsticker/meldung/Financial-Times-bekaempft-Werbebetr… ∗∗∗ Google-Analyse: Microsoft patcht Windows 7/8 teilweise nicht ∗∗∗ --------------------------------------------- Forscher von Google haben nachgewiesen, dass Microsoft Sicherheitslücken in Windows 10 behoben hat, die gleichen Lücken in Windows 7 und 8 jedoch offen ließ. Patches kamen erst, als die Veröffentlichung durch Project Zero drohte. --------------------------------------------- https://heise.de/-3852695 ∗∗∗ Über 37.000 Chrome-Nutzer installierten gefälschte Adblock-Plus-Extension ∗∗∗ --------------------------------------------- Die Browser-Erweiterung Adblock Plus soll vor Werbung und Schadcode schützen. Eine kürzlich aus dem Chrome Web Store entfernte Extension gleichen Namens führte das genaue Gegenteil im Schilde. Im Zweifel ist eine Neuinstallation ratsam. --------------------------------------------- https://heise.de/-3854625 ∗∗∗ Sicherheits-App der Erste Bank ist Schadsoftware ∗∗∗ --------------------------------------------- Kriminelle versenden eine gefälschte Erste Bank und Sparkasse-Nachricht. Darin behaupten sie, dass das Konto von Kund/innen eingeschränkt worden sei und sie zur weiteren Benutzung eine Sicherheits-App installieren müssen. Die angebliche Sicherheits-App ist Schadsoftware. Wer sie isntalliert, ermöglicht Kriminellen Zugriff auf das eigene Konto. --------------------------------------------- https://www.watchlist-internet.at/schadsoftware/sicherheits-app-der-erste-b… ===================== = Vulnerabilities = ===================== ∗∗∗ SAP Security Patch Day – October 2017 ∗∗∗ --------------------------------------------- This post by SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that [...] --------------------------------------------- https://blogs.sap.com/2017/10/10/sap-security-patch-day-october-2017/ ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Host On-Demand ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22009289 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Spectrum Protect (formerly Tivoli Storage Manager) Operations Center and Client Management Services (CVE-2017-10115, CVE-2017-10116) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22009293 ∗∗∗ IBM Security Bulletin: WebSphere Application Server Edge Caching Proxy may be vulnerable to HTTP response splitting (CVE-2017-1503) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22006815 ∗∗∗ IBM Security Bulletin: Open Source Apache Cordova Android Vulnerabilities affect IBM Worklight and IBM MobileFirst Platform Foundation ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg2C1000350 ∗∗∗ IBM Security Bulletin:IBM Integration Bus is affected by deserialization RCE vulnerability in IBM WebSphere JMS Client ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22008829 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.10.2017
by Daily end-of-shift report 09 Oct '17

09 Oct '17

===================== = End-of-Day report = ===================== Timeframe: Freitag 06-10-2017 18:00 − Montag 09-10-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Sicherheitssoftware: Schlangenöl oder notwendiges Übel? ∗∗∗ --------------------------------------------- Als Schlangenöl wurden in Zeiten des Wilden Westens vorwiegend medizinische Produkte und Hilfsmittel bezeichnet, deren Wirkung wenig bis keinen Ursprung in den darin verwendeten Zutaten hatte oder schlicht nicht existent war. Der Begriff wird mittlerweile auch im Software-Kontext für Produkte verwendet, die mehr versprechen, als sie halten können. Besonders .. --------------------------------------------- https://www.dfn-cert.de/aktuell/sicherheitssoftware-schlangenoel.html ∗∗∗ Foren-Tool Disqus gehackt: 17,5 Millionen User betroffen ∗∗∗ --------------------------------------------- Der Vorfall, bei dem Usernamen und Passwörter abgegriffen wurden, ereignete sich bereits vor fünf Jahren. Disqus will bis jetzt nichts davon gewusst haben. --------------------------------------------- https://futurezone.at/digital-life/foren-tool-disqus-gehackt-17-5-millionen… ∗∗∗ Passwortmanager im Vergleich: Das letzte Passwort, das du dir jemals merken musst ∗∗∗ --------------------------------------------- Menschen scheinen nicht dafür gemacht, sich sehr viele komplizierte Passwörter zu merken. Abhilfe schaffen Passwortmanager. Wir haben die Lösungen von Keepass, Lastpass, 1Password und Dashlane verglichen - und bei allen Stärken gefunden. --------------------------------------------- https://www.golem.de/news/passwortmanager-im-vergleich-das-letzte-passwort-… ∗∗∗ After selling his site for millions, founder hacked it for a second payday ∗∗∗ --------------------------------------------- Rigzone founder sentenced for data duplication scheme "Operation Resume Hoard" was going well. Initiated around April 1, 2015, it represented David W. Kents plan to build the membership of his oil and gas industry .. --------------------------------------------- www.theregister.co.uk/2017/10/07/after_selling_site_for_millions_founder_ha… ∗∗∗ Dnsmasq: A Reality Check and Remediation Practices ∗∗∗ --------------------------------------------- Dnsmasq is the de-facto tool for meeting the DNS/DHCP requirements of small servers and embedded devices. Recently, Google Security researchers identified seven vulnerabilities that can allow a remote attacker to execute code on, leak information from, or crash a device running a Dnsmasq version earlier than 2.78, if configured .. --------------------------------------------- http://blog.trendmicro.com/trendlabs-security-intelligence/dnsmasq-reality-… ∗∗∗ John Kellys Hacked Phone Could Be a Major National Security Issue ∗∗∗ --------------------------------------------- When the former head of the Department of Homeland Security and current White House Chief of Staffs personal smartphone gets hacked, nothing good can happen. --------------------------------------------- https://www.wired.com/story/john-kelly-hacked-phone ∗∗∗ TLS 1.3: Security-Devices verhindern die Einführung ∗∗∗ --------------------------------------------- Alle Security-Experten sind sich einig, dass der Standard TLS 1.3 ein deutlicher Schritt zu mehr Sicherheit im Internet wäre. Doch ausgerechnet Security-Devices, die Verschlüsselung aufbrechen, verhindern die Einführung auf nicht absehbare Zeit. --------------------------------------------- https://heise.de/-3852819 ∗∗∗ Testing Security Keys ∗∗∗ --------------------------------------------- http://www.imperialviolet.org/2017/10/08/securitykeytest.html ===================== = Vulnerabilities = ===================== ∗∗∗ DSA-3993 tor - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2017/dsa-3993 ∗∗∗ DSA-3994 nautilus - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2017/dsa-3994 ∗∗∗ Symantec Endpoint Encryption / Symantec Encryption Desktop DoS ∗∗∗ --------------------------------------------- http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se… ∗∗∗ HPESBHF03777 rev.2 - HPE Intelligent Management Center (iMC) PLAT, Remote Denial of Service ∗∗∗ --------------------------------------------- https://h20565.www2.hpe.com/portal/site/hpsc/template.PAGE/action.process/p… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.10.2017
by Daily end-of-shift report 06 Oct '17

06 Oct '17

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 05-10-2017 18:00 − Freitag 06-10-2017 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Hackers Hijack Ongoing Email Conversations to Insert Malicious Documents ∗∗∗ --------------------------------------------- A group of hackers is using a sophisticated technique of hijacking ongoing email conversations to insert malicious documents that appear to be coming from a legitimate source and infect other targets participating in the same conversational thread. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-hijack-ongoing-email… ∗∗∗ IT-Sicherheit: Für das FBI Botnetze ausschalten ∗∗∗ --------------------------------------------- Der deutsche IT-Sicherheitsforscher Tillmann Werner hat der US-Behörde FBI geholfen, einen gefährlichen Hacker zu jagen. --------------------------------------------- https://www.golem.de/news/it-sicherheit-fuer-das-fbi-botnetze-ausschalten-1… ∗∗∗ Geheimdienste: Wenn Hacker Hacker hacken, scheitert die Attribution ∗∗∗ --------------------------------------------- Einen Hack bis zu seinem Ursprung zurückzuverfolgen, gilt im IT-Sicherheitsbereich als schwieriges Geschäft. Neue Forschungen von Kaspersky zeigen, dass die Situation noch verfahrener ist, als bislang angenommen. --------------------------------------------- https://www.golem.de/news/geheimdienste-wenn-hacker-hacker-hacken-scheitert… ∗∗∗ Whats in a cable? The dangers of unauthorized cables, (Fri, Oct 6th) ∗∗∗ --------------------------------------------- As data speeds have increased over the last few years, and interface ports have become more and more multi-functioning and integrated, cables have started to pose a very particular and real danger. So far, they often have been ignored and considered "dumb wires". But far from that, many cables these days hold logic chips of their own and in some cases even upgradable (replaceable) firmware. --------------------------------------------- https://isc.sans.edu/diary/rss/22904 ∗∗∗ Dumb bug of the week: Apples macOS reveals your encrypted drives password in the hint box ∗∗∗ --------------------------------------------- High Sierra update derided by devs as half-baked | Apple on Thursday released a security patch for macOS High Sierra 10.13 to address vulnerabilities in Apple File System (APFS) volumes and its Keychain software. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2017/10/05/apple_patch… ∗∗∗ Wenn Facebook-Freund/innen nach Geld fragen ∗∗∗ --------------------------------------------- Nachdem Facebook-Konten erfolgreich gehackt wurden, versuchen Betrüger daraus Kapital zu schlagen. Aus diesem Grund schreiben sie Kontakte an und erfinden Geschichten, um an schnelles Geld zu kommen. Um kein Opfer dieser Masche zu werden, sollte den Inhalten nicht leichtfertig geglaubt werden. --------------------------------------------- https://www.watchlist-internet.at/facebook-betrug/wenn-facebook-freundinnen… ∗∗∗ Cyber-Sicherheit am Arbeitsplatz: Persönliche Daten im Internet schützen ∗∗∗ --------------------------------------------- https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2017/ECSM_BSI_06… ===================== = Vulnerabilities = ===================== ∗∗∗ GE CIMPLICITY ∗∗∗ --------------------------------------------- This advisory contains mitigation details for a stack-based buffer overflow vulnerability in GEs CIMPLICITY. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-278-01 ∗∗∗ ZDI-17-838: (0Day) Microsoft Windows WAV File Uninitialized Pointer Denial of Service Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to cause a denial-of-service condition on vulnerable installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-17-838/ ∗∗∗ DFN-CERT-2017-1757: Ruby: Mehrere Schwachstellen ermöglichen u.a. die Ausführung beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1757/ ∗∗∗ HPESBHF03786 rev.1 - HPE Intelligent Management Center (iMC) PLAT, Remote Code Execution ∗∗∗ --------------------------------------------- https://h20565.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=e… ∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in the IBM SDK Java Technology Edition affect IBM Notes ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22009253 ∗∗∗ IBM Security Bulletin: Multiple DB2 vulnerabilities affect IBM Spectrum Protect (formerly Tivoli Storage Manger) Server (CVE-2017-1105, CVE-2017-1297) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22009194 ∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in Open Source zlib affect IBM Netezza SQL Extensions ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22001212 ∗∗∗ Linux kernel vulnerability CVE-2017-14106 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K62178133 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.10.2017
by Daily end-of-shift report 05 Oct '17

05 Oct '17

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 04-10-2017 18:00 − Donnerstag 05-10-2017 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Mozilla to End All Firefox Support for XP and Vista in June 2018 ∗∗∗ --------------------------------------------- Mozilla announced today plans to discontinue any support for the Firefox browser on Windows XP and Vista in June 2018. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/software/mozilla-to-end-all-firefox-s… ∗∗∗ Avast: Ccleaner-Malware hat drei Stufen und verschont 64-Bit-PCs ∗∗∗ --------------------------------------------- Die Malware in einer Ccleaner-Version hatte mindestens drei Stufen - von der ersten waren 1,65 Millionen Personen betroffen. Wer ein 64-Bit-Windows nutzt, soll allerdings nichts zu befürchten haben. --------------------------------------------- https://www.golem.de/news/avast-ccleaner-malware-hat-drei-stufen-und-versch… ∗∗∗ Security Awareness Month: How to Help Friends and Family, (Wed, Oct 4th) ∗∗∗ --------------------------------------------- For the last few years, October has been "Security Awareness Month", with various organizations using it to promote security awareness. We have done a few "themed" diaries around security awareness in past years, but for the most part, there isn't that much new to say for our core audience. Security awareness is however still a big issue for the rest of humanity, and if you are looking for advice to help friends and family become more security-aware, then the [...] --------------------------------------------- https://isc.sans.edu/diary/rss/22896 ∗∗∗ SYSCON Backdoor Uses FTP as a C&C Channel ∗∗∗ --------------------------------------------- Bots can use various methods to establish a line of communication between themselves and their command-and-control (C&C) server. Usually, these are done via HTTP or other TCP/IP connections. However, we recently encountered a botnet that uses a more unusual method: an FTP server that, in effect, acts as a C&C server. --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/Mw_aCJ0nNos/ ∗∗∗ Common Sense in EDI Security ∗∗∗ --------------------------------------------- [...] Looking at these examples, we can see that security is a process, a chain of events; for security measures to succeed, every link in the chain of events must be as secure as possible. --------------------------------------------- https://www.tripwire.com/state-of-security/security-data-protection/common-… ∗∗∗ Outsmarting grid security threats ∗∗∗ --------------------------------------------- Almost two-thirds (63 percent) of utility executives believe their country faces at least a moderate risk of electricity supply interruption from a cyberattack on electric distribution grids in the next five years. The Accenture survey of more than 100 utilities executives from over 20 countries revealed interruptions to the power supply from cyberattacks is the most serious concern, cited by 57 percent of respondents. Just as worrying is the physical threat to the distribution grid. --------------------------------------------- https://www.helpnetsecurity.com/2017/10/05/grid-security-threats/ ∗∗∗ PoC for several Magento vulnerabilities released, update now! ∗∗∗ --------------------------------------------- DefenseCode has published proof of concept code for two CSRF and stored XSS vulnerabilities affecting a number of versions of the popular e-commerce platform Magento. Magento is an open source platform that provides merchants with control over their online stores and a shopping cart system, as well as tools to improve the visibility and management of the shop. About the vulnerabilities Security researcher Bosko Stankovic discovered the security flaws during a security audit of Magento [...] --------------------------------------------- https://www.helpnetsecurity.com/2017/10/05/magento-vulnerability-poc-code/ ===================== = Vulnerabilities = ===================== ∗∗∗ iManager 3.0.4 ∗∗∗ --------------------------------------------- Abstract: This patch addresses important issues found since the original release of iManager 3.0. --------------------------------------------- https://download.novell.com/Download?buildid=r_GBmD8A9cU~ ∗∗∗ eDirectory 9.0.4 ∗∗∗ --------------------------------------------- Abstract: This update is being provided to resolve important issues found since the original release of Novell eDirectory 9.0. --------------------------------------------- https://download.novell.com/Download?buildid=WKnTKcctISw~ ∗∗∗ Apple security update for watchOS ∗∗∗ --------------------------------------------- watchOS 4.0.1 includes the security content of watchOS 4 and is available for Apple Watch Series 3 (GPS + Cellular). --------------------------------------------- https://support.apple.com/en-us/HT208163 ∗∗∗ DFN-CERT-2017-1736: Digium Asterisk, Digium Certified Asterisk: Eine Schwachstelle ermöglicht das Ausspähen von Informationen ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1736/ ∗∗∗ DFN-CERT-2017-1750: cURL: Eine Schwachstelle ermöglicht einen Denial-of-Service-Angriff ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1750/ ∗∗∗ DFN-CERT-2017-1755: Sophos UTM Manager: Mehrere Schwachstellen ermöglichen Denial-of-Service-Angriffe ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1755/ ∗∗∗ Cisco Security Advisories and Alerts ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/publicationListing.x ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ SSA-971654 (Last Update 2017-10-05): Authentication Bypass in 7KT PAC1200 Data Manager from the SENTRON Portfolio ∗∗∗ --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-971654… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.10.2017
by Daily end-of-shift report 04 Oct '17

04 Oct '17

===================== = End-of-Day report = ===================== Timeframe: Dienstag 03-10-2017 18:00 − Mittwoch 04-10-2017 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Microsoft Announces New Tool to Investigate Memory Corruption Bugs ∗∗∗ --------------------------------------------- Microsoft announced yesterday a new tool that automates the process of detecting the root cause of memory corruption issues. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-announces-new-too… ∗∗∗ New Rowhammer Attack Bypass Previously Proposed Countermeasures ∗∗∗ --------------------------------------------- Security researchers have come up with a variation of the Rowhammer attack that bypasses all previously proposed countermeasures. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-rowhammer-attack-bypass-… ∗∗∗ Website Hosting: Security Awareness Can Reduce Costs ∗∗∗ --------------------------------------------- Website hosting security has matured in recent years. Naturally, the types of security issues have changed because of it. For example, cross-contamination over multiple shared hosting accounts used to be a major problem for large website hosting providers, but this isn’t really a huge threat today. However, malware attacks and other website security-related issues at the account level are still very real problems – just ask anyone who has had their website defaced, redirected, or [...] --------------------------------------------- http://feedproxy.google.com/~r/sucuri/blog/~3/3W5Ls3JO36o/website-hosting-s… ===================== = Vulnerabilities = ===================== ∗∗∗ DSA-3991 qemu - security update ∗∗∗ --------------------------------------------- Multiple vulnerabilities were found in qemu, a fast processor emulator: --------------------------------------------- https://www.debian.org/security/2017/dsa-3991 ∗∗∗ Apple Releases Security Update for iOS ∗∗∗ --------------------------------------------- Original release date: October 03, 2017 Apple has released iOS 11.0.2 to address vulnerabilities in previous versions of iOS. Exploitation of some of these vulnerabilities could allow a remote attacker to take control of an affected system. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2017/10/03/Apple-Releases-Sec… ∗∗∗ Apache Releases Security Updates for Apache Tomcat ∗∗∗ --------------------------------------------- Original release date: October 03, 2017 The Apache Software Foundation has released Apache Tomcat 9.0.1 and 8.5.23 to address a vulnerability in previous versions of the software. A remote attacker could exploit this vulnerability to take control of an affected server. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2017/10/03/Apache-Releases-Se… ∗∗∗ Apache Struts 2 Remote Code Execution Vulnerability Affecting Multiple Cisco Products: September 2017 ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Multiple Vulnerabilities in Apache Struts 2 Affecting Cisco Products: September 2017 ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Integrated Management Controller Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Integrated Management Controller Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ IBM Security Advisories ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Linux kernel vulnerability CVE-2017-14489 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K71796229 ∗∗∗ HPESBMU03753 rev.2 - HPE System Management Homepage for Windows and Linux, Multiple Remote Vulnerabilities ∗∗∗ --------------------------------------------- https://h20565.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=e… ∗∗∗ HPESBHF03782 rev.1 - HPE intelligent Management Center (iMC) PLAT, Remote Code Execution ∗∗∗ --------------------------------------------- https://h20565.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=e… ∗∗∗ HPESBHF03776 rev.1 - HPE Intelligent Management Center (iMC) Service Operation Management (SOM), Remote Arbitrary File Download ∗∗∗ --------------------------------------------- https://h20565.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=e… ∗∗∗ HPESBHF03778 rev.1 - HPE intelligent Management Center (iMC) PLAT, Remote Code Execution ∗∗∗ --------------------------------------------- https://h20565.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=e… ∗∗∗ HPESBHF03777 rev.1 - HPE Intelligent Management Center (iMC) PLAT, Remote Denial of Service ∗∗∗ --------------------------------------------- https://h20565.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=e… ∗∗∗ HPESBHF03781 rev.1 - HPE intelligent Management Center (iMC) PLAT, Remote Code Execution ∗∗∗ --------------------------------------------- https://h20565.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=e… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.10.2017
by Daily end-of-shift report 03 Oct '17

03 Oct '17

===================== = End-of-Day report = ===================== Timeframe: Montag 02-10-2017 18:00 − Dienstag 03-10-2017 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Three WordPress Plugin Zero-Days Exploited in the Wild ∗∗∗ --------------------------------------------- Hackers have exploited three zero-days to install backdoors on WordPress sites, according to a security alert published minutes ago by WordPress security firm Wordfence. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/three-wordpress-plugin-zero-… ∗∗∗ Security Bugs in Dnsmasq Affect Computers, Smartphones, Routers, IoT Devices ∗∗∗ --------------------------------------------- Security researchers at Google have found seven security bugs in the Dnsmasq application that put an inestimable number of desktops, servers, smartphones, routers, and other IoT devices at risk of hacking. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/security-bugs-in-dnsmasq-aff… ∗∗∗ Cyber Security Challenge: Das Team Austria steht fest ∗∗∗ --------------------------------------------- Nach dem Finale ist vor dem Finale: Die Sieger der Austria Cyber Security Challenge trainieren jetzt für den Sieg im europäischen Hacker-Wettbewerb. --------------------------------------------- https://futurezone.at/digital-life/cyber-security-challenge-das-team-austri… ∗∗∗ Netgear Fixes 50 Vulnerabilities in Routers, Switches, NAS Devices ∗∗∗ --------------------------------------------- Netgear patches over a dozen vulnerabilities impacting its routers, switches and NAS devices. --------------------------------------------- http://threatpost.com/netgear-fixes-50-vulnerabilities-in-routers-switches-… ∗∗∗ E-Mail Tracking ∗∗∗ --------------------------------------------- Interesting survey paper: on the privacy implications of e-mail tracking: Abstract: We show that the simple act of viewing emails contains privacy pitfalls for the unwary. We assembled a corpus of commercial mailing-list emails, and find a network of hundreds of third parties that track email recipients via methods such as embedded pixels. About 30% of emails leak the recipients email address to one or more of these third parties when they are viewed. In the majority of cases, these leaks are [...] --------------------------------------------- https://www.schneier.com/blog/archives/2017/10/e-mail_tracking.html ∗∗∗ Outdated vendor systems leaving finance industry at risk ∗∗∗ --------------------------------------------- BitSight data scientists found that in most cases, companies in the finance industry supply chain are not meeting the same security standards that finance companies hold for their own organizations. The spread of BitSight Security Ratings amongst Finance Firms and monitored Legal, Technology, and Business Services organizations as of September 1st, 2017. "While finance organizations tend to have more sophisticated vendor risk management programs, there is a lot of work to be done to close [...] --------------------------------------------- https://www.helpnetsecurity.com/2017/10/03/outdated-vendor-systems/ ∗∗∗ Threat Hunting Part 2: Hunting on ICS Networks ∗∗∗ --------------------------------------------- In this edition of the Dragos Threat Hunting on ICS network series, we will compare threat hunting on industrial networks with concepts from the wider threat hunting community. We will also look at how the unique characteristics of industrial networks can be used to an advantage as network defense professionals [...] --------------------------------------------- https://dragos.com/blog/20170927-ThreatHuntingSeriesPart2.html ===================== = Vulnerabilities = ===================== ∗∗∗ Dnsmasq Contains Multiple Vulnerabilities ∗∗∗ --------------------------------------------- Original release date: October 03, 2017 Dnsmasq versions 2.77 and prior contain multiple vulnerabilities. Exploitation of some of these vulnerabilities may allow a remote attacker to take control of an affected system. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2017/10/03/Dnsmasq-Contains-M… ∗∗∗ Android Security Bulletin—October 2017 ∗∗∗ --------------------------------------------- https://source.android.com/security/bulletin/2017-10-01 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.10.2017
by Daily end-of-shift report 02 Oct '17

02 Oct '17

===================== = End-of-Day report = ===================== Timeframe: Freitag 29-09-2017 18:00 − Montag 02-10-2017 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ The Mobile Forensics Process: Steps & Types ∗∗∗ --------------------------------------------- Introduction: Importance of Mobile Forensics The term "mobile devices" encompasses a wide array of gadgets ranging from mobile phones, smartphones, tablets, and GPS units to wearables and PDAs. What they all have in common is the fact that they can contain a lot of user information. Mobile devices are right in the middle of three[...] --------------------------------------------- http://resources.infosecinstitute.com/mobile-forensics-process-steps-types/ ∗∗∗ Investigating Security Incidents with Passive DNS, (Mon, Oct 2nd) ∗∗∗ --------------------------------------------- Sometimes when you need to investigate a security incident or to check for suspicious activity, you become frustrated because the online resource that youre trying to reach has already been cleaned. We cannot blame system administrators and webmasters who are just doing their job. If some servers or websites remains compromised for weeks, others are very quickly restored/patched/cleaned to get rid of the malicious content. Its the same for domain names. Domains registered only for malicious [...] --------------------------------------------- https://isc.sans.edu/diary/rss/22886 ∗∗∗ DNSSEC Key Signing Key Rollover Postponed ∗∗∗ --------------------------------------------- Original release date: September 29, 2017 The Internet Corporation for Assigned Names and Numbers (ICANN) has announced that the change to the Root Zone Key Signing Key (KSK) scheduled for October 11, 2017, has been postponed. A new date for the Key Roll has not yet been determined.DNSSEC is a set of DNS protocol extensions used to digitally sign DNS information, which is an important part of preventing domain name hijacking. Updating the DNSSEC KSK is a crucial security step, similar to [...] --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2017/09/29/DNSSEC-Key-Signing… ∗∗∗ European Cyber Security Month: United against Cyber Security Threats ∗∗∗ --------------------------------------------- October 2017 is European Cyber Security Month and this year marks the 5th year anniversary of the European Cyber Security Month campaign. --------------------------------------------- https://www.enisa.europa.eu/news/enisa-news/european-cyber-security-month-u… ∗∗∗ Good Analysis = Understanding(tools + logs + normal) ∗∗∗ --------------------------------------------- We had a reader send an email in a couple of weeks ago asking about understanding the flags field when looking at data in a report. He didnt understand what the "flags" were referring to or what the actual flags mean. "They don’t appear related to TCP header flags like I’ve normally seen...S is the most common but I occasionally see RSA, RUS and a few others." --------------------------------------------- https://isc.sans.edu/forums/diary/Good+Analysis+Understandingtools+logs+nor… ===================== = Vulnerabilities = ===================== ∗∗∗ eDirectory 9.0.4 ∗∗∗ --------------------------------------------- Abstract: This update is being provided to resolve important issues found since the original release of Novell eDirectory 9.0. --------------------------------------------- https://download.novell.com/Download?buildid=WKnTKcctISw~ ∗∗∗ iManager 3.0.4 ∗∗∗ --------------------------------------------- Abstract: This patch addresses important issues found since the original release of iManager 3.0. --------------------------------------------- https://download.novell.com/Download?buildid=r_GBmD8A9cU~ ∗∗∗ XSA-245 ARM: Some memory not scrubbed at boot ∗∗∗ --------------------------------------------- Impact: Sensitive information from one domain before a reboot might be visible to another domain after a reboot. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-245.html ∗∗∗ Vuln: SolarWinds Network Performance Monitor CVE-2017-9538 Denial of Service Vulnerability ∗∗∗ --------------------------------------------- http://www.securityfocus.com/bid/101066 ∗∗∗ DFN-CERT-2017-1723: GitLab: Mehrere Schwachstellen ermöglichen u.a. das Ausführen beliebiger Befehle ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1723/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ SSA-535640 (Last Update 2017-10-02): Vulnerability in Industrial Products ∗∗∗ --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-535640… ∗∗∗ HPESBMU03753 rev.2 - HPE System Management Homepage for Windows and Linux, Multiple Remote Vulnerabilities ∗∗∗ --------------------------------------------- https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=e… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.09.2017
by Daily end-of-shift report 29 Sep '17

29 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 28-09-2017 18:00 − Freitag 29-09-2017 18:00 Handler: Alexander Riepl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Macs Not Receiving EFI Firmware Security Updates as Expected ∗∗∗ --------------------------------------------- Researchers at Duo Security are expected today at Ekoparty to reveal data and a paper that shows Mac users are not receiving EFI firmware updates at expected. --------------------------------------------- http://threatpost.com/macs-not-receiving-efi-firmware-security-updates-as-e… ∗∗∗ ICANN Postpones Scheduled DNS Crypto Key Rollover ∗∗∗ --------------------------------------------- ICANN, the overseer of the Internet’s namespace, announced this week that it was postponing a scheduled change to the cryptographic key that protects the Domain Name System. --------------------------------------------- http://threatpost.com/icann-postpones-scheduled-dns-crypto-key-rollover/128… ∗∗∗ Fake Plugins, Fake Security ∗∗∗ --------------------------------------------- Update: The plugin name is fake and has nothing to do with well-known WP-SpamShield plugin in the official WordPress plugin repository. WordPress users are becoming increasingly more aware of security threats and as a result they are taking more actions to secure their websites (e.g. by installing security plugins). While this is a good thing, there are always black hats trying to take an advantage of new opportunities to compromise websites. --------------------------------------------- https://blog.sucuri.net/2017/09/fake-plugins-fake-security.html ∗∗∗ WiNX: The Ultra-Portable Wireless Attacking Platform ∗∗∗ --------------------------------------------- When you are performing penetration tests for your customers, you need to build your personal arsenal. Tools, pieces of hardware and software are collected here and there depending on your engagements to increase your toolbox. To perform Wireless intrusion tests, I’m a big fan of the WiFi Pineapple. I’ve one for [...] --------------------------------------------- https://blog.rootshell.be/2017/09/28/winx-ultra-portable-wireless-attacking… ∗∗∗ Anonymisierung: Sicherheitsupdates für Tor Browser und Tails ∗∗∗ --------------------------------------------- Der Tor Browser setzt nun auf eine abgesicherte Version von Firefox ESR. In Tails haben die Entwickler diverse Sicherheitslücken, darunter BlueBorne, geschlossen und raten zu einer zügigen Aktualisierung. --------------------------------------------- https://heise.de/-3847033 ===================== = Vulnerabilities = ===================== ∗∗∗ DSA-3985 chromium-browser - security update ∗∗∗ --------------------------------------------- Several vulnerabilities have been discovered in the chromium web browser. --------------------------------------------- https://www.debian.org/security/2017/dsa-3985 ∗∗∗ DSA-3985 chromium-browser - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2017/dsa-3985 ∗∗∗ DFN-CERT-2017-1713: OpenVPN: Eine Schwachstelle ermöglicht einen Denial-of-Service-Angriff ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1713/ ∗∗∗ IBM Security Bulletin: IBM WebSphere Commerce has a vulnerability in Marketing ESpots that could cause a denial of service (CVE-2017-1569) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22008547 ∗∗∗ IBM Security Bulletin: eDiscovery Manager is affected by an Open Source Apache POI Vulnerability ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=swg22005630 ∗∗∗ IBM Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server, Business Process Manager, IBM Tivoli Monitoring shipped with IBM Cloud Orchestrator (CVE-2017-1194) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg2C1000343 ∗∗∗ IBM Security Bulletin: A security vulnerability has been identified in IBM Cloud Orchestrator (CVE-2017-1159) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg2C1000328 ∗∗∗ IBM Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Cloud Orchestrator and Cloud Orchestrator Enterprise (CVE-2016-8919) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg2C1000322 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.09.2017
by Daily end-of-shift report 28 Sep '17

28 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 27-09-2017 18:00 − Donnerstag 28-09-2017 18:00 Handler: Alexander Riepl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Threat Landscape for Industrial Automation Systems in H1 2017 ∗∗∗ --------------------------------------------- Kaspersky Lab Industrial Control Systems Cyber Emergency Response Team (Kaspersky Lab ICS CERT) publishes the results of its research on the threat landscape for industrial automation systems for the first six months of 2017. --------------------------------------------- http://securelist.com/threat-landscape-for-industrial-automation-systems-in… ∗∗∗ Incident Response Database ∗∗∗ --------------------------------------------- Incidents often require us to rapidly identify which incident response team is responsible for a particular network, corporation or country. FIRST is developing an automated method to access information on Computer Security Incident Response Teams (CSIRT) and other types of incident handling organizations. --------------------------------------------- https://www.first.org/global/irt-database ∗∗∗ Illusion Gap – Antivirus Bypass Part 1 ∗∗∗ --------------------------------------------- Imagine a situation where you double-click a file and Windows loads that file, but your Antivirus scans another file or even scans nothing at all. Sounds weird, right? Depends on who you ask; [...] --------------------------------------------- https://www.cyberark.com/threat-research-blog/illusion-gap-antivirus-bypass… ===================== = Vulnerabilities = ===================== ∗∗∗ DFN-CERT-2017-1706: Cisco IOS, Cisco IOS XE: Mehrere Schwachstellen ermöglichen u.a. das Erlangen von Administratorrechten ∗∗∗ --------------------------------------------- Mehrere Schwachstellen in Cisco IOS und IOS XE, ermöglichen einem entfernten, nicht authentisierten Angreifer das Umgehen von Sicherheitsvorkehrungen, was in einem Fall dazu führen kann, dass der Angreifer die vollständige Kontrolle über ein System erlangen kann, das Ausspähen von Informationen sowie die Durchführung verschiedener Denial-of-Service (DoS)-Angriffe. Ein entfernter, einfach authentisierter Angreifer kann [...] --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1706/ ∗∗∗ ZDI-17-829: Trend Micro OfficeScan tmwfp Memory Corruption Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-17-829/ ∗∗∗ ZDI-17-828: Trend Micro OfficeScan tmwfp Memory Corruption Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-17-828/ ∗∗∗ IBM Security Bulletin: Smart Cloud Entry is affected by ISC BIND vulnerabilities ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=isg3T1025663 ∗∗∗ IBM Security Bulletin: Open Source GNU glibc Vulnerabilities which is used by IBM OS Images for RedHat Linux in IBM PureApplication Systems (CVE-2017-1000366) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22008527 ∗∗∗ IBM Security Bulletin: Multiple Mozilla Firefox vulnerability issues in IBM Storwize V7000 Unified ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ssg1S1010641 ∗∗∗ IBM Security Bulletin: Open Source Samba Samba Vulnerabilities which is used by IBM OS Images for RedHat Linux in IBM PureApplication Systems (CVE-2017-7494) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22007631 ∗∗∗ IBM Security Bulletin: Cross-site Scripting vulnerabilities affect Rational Engineering Lifecycle Manager ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22008785 ∗∗∗ IBM Security Bulletin: IBM Insights Foundation for Energy has vulnerabilites to SQL injection and cross-site scripting ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22009039 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Integration Designer ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22008391 ∗∗∗ IBM Security Bulletin: Vulnerability CVE-2017-3511 in IBM Java SDK affects IBM Process Designer used in IBM Business Process Manager ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22008324 ∗∗∗ IBM Security Bulletin: IBM WebSphere Cast Iron Solution is affected by an OpenSSL vulnerability (CVE-2017-3731) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22008918 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Planning Analytics Local ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22008584 ∗∗∗ SSA-856721 (Last Update 2017-09-28): Vulnerability in Ruggedcom Discovery Protocol (RCDP) of Industrial Communication Devices ∗∗∗ --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-856721… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.09.2017
by Daily end-of-shift report 27 Sep '17

27 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Dienstag 26-09-2017 18:00 − Mittwoch 27-09-2017 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Another Banking Trojan Adds Support for NSAs EternalBlue Exploit ∗∗∗ --------------------------------------------- A third banking trojan has added support for EternalBlue, an exploit supposedly created by the NSA, leaked online by the Shadow Brokers, and the main driving force behind the WannaCry and NotPetya ransomware outbreaks. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/another-banking-trojan-adds-… ∗∗∗ Broadcom Wireless: Google veröffentlicht Exploit für iPhone 7 ∗∗∗ --------------------------------------------- Google hat einen Exploit für erneute Probleme in Broadcom-WLAN-Chips veröffentlicht. Betroffen von dem Fehler sind das iPhone 7, aber auch Android-Geräte. Für Apple ist das eine gute Botschaft. --------------------------------------------- https://www.golem.de/news/broadcom-wireless-google-veroeffentlicht-exploit-… ∗∗∗ Nach Hack: Viele Deloitte-Systeme im Internet auffindbar ∗∗∗ --------------------------------------------- Angebliche Zugangsdaten für Deloitte-Systeme sind aufgetaucht, wo sie nicht sein sollten: bei Github und auf Google Plus. Außerdem haben Sicherheitsforscher zahlreiche Systeme des Unternehmens im Netz gefunden - mit offenen Ports für SMB und RDP. --------------------------------------------- https://www.golem.de/news/nach-hack-viele-deloitte-systeme-im-internet-auff… ∗∗∗ Security baseline for Windows 10 "Fall Creators Update" (v1709) – DRAFT ∗∗∗ --------------------------------------------- Microsoft is pleased to announce the draft release of the recommended security configuration baseline settings for Windows 10 "Fall Creators Update," also known as version 1709, "Redstone 3," or RS3. Please evaluate this proposed baseline and send us your feedback via blog comments below. --------------------------------------------- https://blogs.technet.microsoft.com/secguide/2017/09/27/security-baseline-f… ===================== = Vulnerabilities = ===================== ∗∗∗ DSA-3984 git - security update ∗∗∗ --------------------------------------------- joernchen discovered that the git-cvsserver subcommand of Git, adistributed version control system, suffers from a shell commandinjection vulnerability due to unsafe use of the Perl backtickoperator. The git-cvsserver subcommand is reachable from thegit-shell subcommand even if CVS support has not been configured(however, the git-cvs package needs to be installed). --------------------------------------------- https://www.debian.org/security/2017/dsa-3984 ∗∗∗ Authentication Bypass Vulnerability in the Management Interface of Citrix NetScaler SD-WAN/CloudBridge 4000, 4100, 5000 and 5100 WAN Optimization Edition Appliances ∗∗∗ --------------------------------------------- A vulnerability has been identified in the management interface of the Citrix NetScaler SD-WAN/CloudBridge 4000, 4100, 5000 and 5100 WAN Optimization Edition appliances. This vulnerability, if exploited, could allow an attacker with access to the management interface of the appliance’s NetScaler ADC instance to gain administrative access to the instance. --------------------------------------------- https://support.citrix.com/article/CTX228091 ∗∗∗ SAP Enterprise Portal and Clients Input Validation Flaw Lets Remote Users Conduct Cross-Site Scripting Attacks ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2017090219 ∗∗∗ ZDI-17-812: (0Day) EMC Data Protection Advisor ScheduledReportResource Command Injection Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-17-812/ ∗∗∗ iOS 11.0.1 Security Update ∗∗∗ --------------------------------------------- https://support.apple.com/kb/HT208143 ∗∗∗ IBM Security Bulletin: API Connect Portal is affected by multiple Drupal vulnerabilities ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22008902 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Cloud Manager ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=isg3T1025664 ∗∗∗ HPESBMU03753 rev.1 - HPE System Management Homepage, Multiple Remote Vulnerabilities ∗∗∗ --------------------------------------------- https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=e… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.09.2017
by Daily end-of-shift report 26 Sep '17

26 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Montag 25-09-2017 18:00 − Dienstag 26-09-2017 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Sicherheitslücke in Google für Datendiebstahl genutzt ∗∗∗ --------------------------------------------- Eine spezielle Technik um Webseiten auf mobilen Geräten schneller zu laden, wird von Cyberkriminellen missbraucht, um investigative Journalisten auszuspionieren. --------------------------------------------- https://futurezone.at/digital-life/sicherheitsluecke-in-google-fuer-datendi… ∗∗∗ MacOS High Sierra: MacOS-Keychain kann per App ausgelesen werden ∗∗∗ --------------------------------------------- Der Sicherheitsforscher Patrick Wardle hat demonstriert, dass Apples Keychain unter MacOS mit einer App komplett ausgelesen werden kann. Diese muss aber zunächst an Apples Gatekeeper vorbei. --------------------------------------------- https://www.golem.de/news/macos-high-sierra-macos-keychain-kann-per-app-aus… ∗∗∗ "Preparing for Cyber Security Incidents" ∗∗∗ --------------------------------------------- Talk with any incident responder and youll learn that there are a few less glamorous parts of the job. Writing the final report and preparation in advance to an incident are probably top contenders. In this article I want to focus on preparation and explain to [...] --------------------------------------------- http://ics.sans.org/blog/2017/09/26/preparing-for-cyber-security-incidents ∗∗∗ An Elaborate ATM Threat Crops Up: Network-based ATM Malware Attacks ∗∗∗ --------------------------------------------- Infecting automated teller machines (ATMs) with malware is nothing new. It’s concerning, yes. But new? Not really. We’ve been seeing physical attacks against ATMs since 2009. By physical, we mean opening the target machine’s casing, accessing the motherboard and connecting USB drives or CD-ROMs in order to infect the operating system. Once infected, the ATM is at the attackers’ mercy, which normally means that they are able to empty the money cassettes and walk away with [...] --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/GLIB-nW2ilE/ ∗∗∗ Achtung vor neuer Betrugsmasche: Betrüger ergaunern telefonisch Bitcoin Ladebons ∗∗∗ --------------------------------------------- Das Bundeskriminalamt (BK) warnt vor einem bekannten, aber neu adaptierten Betrugsphänomen, bei dem Inhaber und Angestellte von Trafiken, Tankstellen und Postpartnerstellen via Telefon von Betrügern aufgefordert werden, die Codes der Bitcoin Ladebons bekannt zu geben. Die Polizei informiert. --------------------------------------------- http://www.bmi.gv.at/cms/bk/_news/start.aspx?id=47476E2B724F38597A506B3D&pa… ∗∗∗ Source: Deloitte Breach Affected All Company Email, Admin Accounts ∗∗∗ --------------------------------------------- Deloitte, one of the worlds "big four" accounting firms, has acknowledged a breach of its internal email systems, British news outlet The Guardian revealed today. Deloitte has sought to downplay the incident, saying it impacted "very few" clients. But according to a source close to the investigation, the breach dates back to at least the fall of 2016, and involves the compromise of all administrator accounts at the company as well as Deloittes entire internal email system. --------------------------------------------- https://krebsonsecurity.com/2017/09/source-deloitte-breach-affected-all-com… ===================== = Vulnerabilities = ===================== ∗∗∗ Apple Security Updates ∗∗∗ --------------------------------------------- macOS Server 5.4: https://support.apple.com/kb/HT208102 iTunes 12.7 for Windows: https://support.apple.com/kb/HT208141 iTunes 12.7: https://support.apple.com/kb/HT208140 macOS High Sierra 10.13: https://support.apple.com/kb/HT208144 iCloud for Windows 7.0: https://support.apple.com/kb/HT208142 --------------------------------------------- ∗∗∗ Solarwinds LEM Insecure Update Process ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2017090206 ∗∗∗ FLIR Systems FLIR Thermal Camera - Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ ∗∗∗ IBM Security Bulletin: Vulnerability in system log on IBM DataPower Gateways WebGUI console (CVE-2017-1591) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22008815 ∗∗∗ IBM Security Bulletin: Path Traversal Vulnerability in IBM WebSphere Portal (CVE-2017-1577) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22008586 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Web Experience Factory ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22007912 ∗∗∗ IBM Security Bulletin: Vulnerability in Node.js affects IBM DataPower Gateways (CVE-2017-11499) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22008629 ∗∗∗ IBM Security Bulletin: RMI Dispatcher port used by Security Identity Adapters is not authenticated by default ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22007375 ∗∗∗ IBM Security Bulletin: Security Identity Adapter attribute input is not protected against command injection ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22007377 ∗∗∗ IBM Security Bulletin: Vulnerability in XDR affects IBM DataPower Gateways (CVE-2017-8804) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22008628 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.09.2017
by Daily end-of-shift report 25 Sep '17

25 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Freitag 22-09-2017 18:00 − Montag 25-09-2017 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Securing The Supply Chain Is As Important As Securing The Front Door ∗∗∗ --------------------------------------------- Today most organisations rely on a number of suppliers for providing services to their customers. Supply chain plays a key role within an organisation allowing them to innovate, create new products or services, increase their profitability and compete with other organisations. To be able to do so, organisations need to allow suppliers to connect to their systems/applications and also allow exchange of sensitive information with their suppliers and partners. --------------------------------------------- https://www.alienvault.com/blogs/security-essentials/securing-the-supply-ch… ∗∗∗ 7% of All Amazon S3 Servers Are Exposed, Explaining Recent Surge of Data Leaks ∗∗∗ --------------------------------------------- During the past year, there has been a surge in data breach reporting regarding Amazon S3 servers left accessible online, and which were exposing private information from all sorts of companies and their customers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/7-percent-of-all-amazon-s3-s… ∗∗∗ Krypto-Trojaner RedBoot infiziert MBR und zerstört Dateien ∗∗∗ --------------------------------------------- Eine neue Ransomware treibt ihr Unwesen im Master Boot Record von Windows-PCs. Darüber hinaus verschlüsselt sie auch Dateien – ohne jedoch einen Weg zur Entschüsselung zu bieten. --------------------------------------------- https://heise.de/-3840923 ∗∗∗ CCleaner-Malware: Avast veröffentlicht weitere Analyse-Ergebnisse ∗∗∗ --------------------------------------------- In einem neuen Blogeintrag nennt Avast weitere Details zum Schadcode in CCleaner 5.33.6162. Dazu zählen konkrete Angriffsziele und Infektionszahlen sowie weitere Details zu möglichen Herkunftsländern der Täter. --------------------------------------------- https://heise.de/-3840809 ∗∗∗ Gefälschte Apple-Nachricht: Subscription Confirmation ∗∗∗ --------------------------------------------- Kriminelle versenden eine gefälschte Apple-Nachricht. Darin behaupten sie, dass Empfänger/innen eine teure Anwendung gekauft haben. Sollte das nicht der Fall sein, können sie die Bestellung auf einer Website stornieren. Apple-Kund/innen, die den angeblichen Einkauf rückgängig machen wollen, übermitteln ihre Kreditkartendaten an Betrüger/innen. --------------------------------------------- https://www.watchlist-internet.at/phishing/gefaelschte-apple-nachricht-subs… ∗∗∗ A Historical Perspective on IT & OT Convergence ∗∗∗ --------------------------------------------- Hello IIoT World readers, and thanks for engaging with my column. Over the course of the next few months, I plan to write on a number of topics that are, individually, highly relevant to the IIoT Security realm. Perhaps more importantly, many of these topics can be viewed as being all inter-related in a way that describes some of the things Continue ReadingThe post A Historical Perspective on IT & OT Convergence appeared first on Create a culture of innovation with IIoT World!. --------------------------------------------- http://iiot-world.com/cybersecurity/a-historical-perspective-on-it-ot-conve… ∗∗∗ The Ethics of Running a Data Breach Search Service ∗∗∗ --------------------------------------------- No matter how much anyone tries to sugar coat it, a service like Have I been pwned (HIBP) which deals with billions of records hacked out of other peoples systems is always going to sit in a grey area. There are degrees, of course; at one end of the spectrum [...] --------------------------------------------- https://www.troyhunt.com/the-ethics-of-running-a-data-breach-search-service/ ===================== = Advisories = ===================== ∗∗∗ Authentication Bypass Vulnerability in Citrix NetScaler ADC and NetScaler Gateway Management Interface ∗∗∗ --------------------------------------------- A vulnerability has been identified in the management interface of Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway that, if exploited, could allow an attacker with access to the NetScaler management interface to gain administrative access to the appliance. --------------------------------------------- https://support.citrix.com/article/CTX227928 ∗∗∗ IBM Security Bulletin: privilege escalation in IBM Business Process Manager (BPM) – CVE-2017-1539 ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22007451 ∗∗∗ IBM Security Bulletin: Cross-Site Scripting vulnerability affects IBM Business Process Manager Process Center Console (CVE-2017-1531) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22007354 ∗∗∗ IBM Security Bulletin: Cross-Site Scripting vulnerability affects IBM Business Process Manager Process Admin Console (CVE-2017-1530) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22007351 ∗∗∗ IBM Security Bulletin: XML External Entity (XXE) injection vulnerability affects IBM Business Process Manager (CVE-2017-1527) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22007346 ∗∗∗ IBM Security Bulletin: Cross-site scripting vulnerability in IBM Business Process Manager (BPM) – CVE-2017-1425 ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22006265 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Workload Scheduler ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg21996096 ∗∗∗ Alert for CVE-2017-9805 ∗∗∗ --------------------------------------------- http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-388… ∗∗∗ Apache ActiveMQ vulnerability CVE-2016-6810 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K55444705 ∗∗∗ HPESBNS03775 rev.1 - HPE NonStop Samba, Remote Disclosure of Information, Authentication Bypass, Unauthorized Elevation of Privilege ∗∗∗ --------------------------------------------- https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=e… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.09.2017
by Daily end-of-shift report 22 Sep '17

22 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 21-09-2017 18:00 − Freitag 22-09-2017 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ CLKSCREW Attack Can Hack Modern Chipsets via Their Power Management Features ∗∗∗ --------------------------------------------- A team of three scientists from Columbia University has discovered that by attacking the combo of hardware and software management utilities embedded with modern chipsets, threat actors can take over systems via an attack surface found in almost all modern electronic devices. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/clkscrew-attack-can-hack-mod… ∗∗∗ Ecommerce Security: Fake Jquery Used as CC Scraper ∗∗∗ --------------------------------------------- In the last few months, we noticed an increase in attacks targeting ecommerce platforms aiming to steal credit card information. We saw a similar rise last year after the summer ended, and believe that trend will continue now that the holiday season is quickly approaching. Most of these attacks are based on intercepting the communication between the online store and the payment gateway (the checkout process) in order to send valuable information to the attacker. --------------------------------------------- https://blog.sucuri.net/2017/09/fake-jquery-used-cc-scraper-ecommerce.html ∗∗∗ How I hacked hundreds of companies through their helpdesk ∗∗∗ --------------------------------------------- Months ago I discovered a flaw hackers can use to access a companys internal communications. The flaw only takes a couple of clicks to potentially access intranets, social media accounts such as Twitter, and most commonly Yammer and Slack teams. --------------------------------------------- https://medium.freecodecamp.org/how-i-hacked-hundreds-of-companies-through-… ∗∗∗ Passwords to Over a Half Million Car Tracking Devices Leaked Online ∗∗∗ --------------------------------------------- We’ve seen a lot of data breaches this year: some big, some small, some that are dangerous, and some that are just embarrassing. But if we were to name one as the creepiest data breach of 2017, this leak of logins for car tracking devices might take the cake. --------------------------------------------- https://gizmodo.com/passwords-to-access-over-a-half-million-car-tracking-de… ∗∗∗ Tips for Reverse-Engineering Malicious Code ∗∗∗ --------------------------------------------- This cheat sheet outlines tips for reversing malicious Windows executables via static and dynamic code analysis with the help of a debugger and a disassembler. --------------------------------------------- https://zeltser.com/reverse-engineering-malicious-code-tips/ ∗∗∗ Hack the Hacker – Fuzzing Mimikatz On Windows With WinAFL & Heatmaps (0day) ∗∗∗ --------------------------------------------- In this blogpost, I want to explain two topics from a theoretical and practical point of view: How to fuzz windows binaries with source code available (this part is for developers) and How to deal with big input files (aka heatmap fuzzing) and crash analysis (for security consultants; more technical) --------------------------------------------- https://www.sec-consult.com/en/blog/2017/09/hack-the-hacker-fuzzing-mimikat… ===================== = Advisories = ===================== ∗∗∗ Schneider Electric InduSoft Web Studio, InTouch Machine Edition ∗∗∗ --------------------------------------------- This advisory contains mitigation details for a missing authentication for critical function vulnerability in Schneider Electrics InduSoft Web Studio and InTouch Machine Edition. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-264-01 ∗∗∗ Ctek, Inc. SkyRouter ∗∗∗ --------------------------------------------- This advisory contains mitigation details for an improper authentication vulnerability in the Ctek, Inc. SkyRouter. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-264-02 ∗∗∗ Digium Asterisk GUI ∗∗∗ --------------------------------------------- This advisory contains mitigation details for an OS command injection vulnerability in Digiums Asterisk GUI. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-264-03 ∗∗∗ iniNet Solutions GmbH SCADA Webserver ∗∗∗ --------------------------------------------- This advisory contains mitigation details for an improper authentication vulnerability in iniNet Solutions GmbH’s SCADA Webserver. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-264-04 ∗∗∗ Saia Burgess Controls PCD Controllers ∗∗∗ --------------------------------------------- This advisory contains mitigation details for an information exposure vulnerability in Saia Burgess Controls PCD Controller. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-234-05 ∗∗∗ DFN-CERT-2017-1682: Perl: Zwei Schwachstellen ermöglichen Denial-of-Service-Angriffe und das Ausspähen von Informationen ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1682/ ∗∗∗ Security Advisory - Information Leakage Vulnerability on OceanStor ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170920-… ∗∗∗ Security Notice - Statement on App Lock Bypass Vulnerability in Huawei EMUI ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-notices/2017/huawei-sn-20170922-01-… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Fabric Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/support/home/docdisplay?lndocid=MIGR-5099638 ∗∗∗ IBM Security Bulletin: API Connect is affected by a vulnerability by which an authenticated user could generate an API token ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22008588 ∗∗∗ IBM Security Bulletin: API Connect is affected by a Cross Frame Scripting vulnerability CVE-2017-1551 ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22008372 ∗∗∗ IBM Security Bulletin: Security vulnerabilities in IBM SDK for Node.js might affect IBM Business Process Manager (BPM) Configuration Editor ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22007168 ∗∗∗ IBM Security Bulletin: HTML injection vulnerability in IBM Business Process Manager (BPM) – CVE-2017-1424 ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22005112 ∗∗∗ IBM Security Bulletin: Security Identity Adapter data traffic to/from server is not encrypted by default ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22007381 ∗∗∗ IBM Security Bulletin: Potential information leakage during process app export in IBM Business Process Manager (CVE-2017-1346) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22004654 ∗∗∗ IBM Security Bulletin: Cross-Site Scripting vulnerability in Business Space Help affects IBM Business Process Manager (BPM) and WebSphere Process Server (WPS) – CVE-2013-0464 ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22005596 ∗∗∗ EMC M&R Watch4net for SAS Solution Packs WebService Gateway Directory Traversal Flaw Lets Remote Authenticated Users Access and Modify Data and JMX Protocol Flaw Lets Remote Users Deny Service ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1039418 ∗∗∗ EMC ViPR SRM WebService Gateway Directory Traversal Flaw Lets Remote Authenticated Users Access and Modify Data and JMX Protocol Flaw Lets Remote Users Deny Service ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1039417 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.09.2017
by Daily end-of-shift report 21 Sep '17

21 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 20-09-2017 18:00 − Donnerstag 21-09-2017 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Transportverschlüsselung zwischen Mailservern ∗∗∗ --------------------------------------------- Empfehlungen zur Konfiguration mit Beispielen für Postfix und exim --------------------------------------------- https://www.dfn-cert.de/aktuell/smtp-transportverschluesselung.html ∗∗∗ Optimierungsprogramm: Ccleaner-Malware sollte wohl Techkonzerne ausspionieren ∗∗∗ --------------------------------------------- Cisco widerspricht Avast: Die zweite Stufe der mit Ccleaner verteilten Malware sei sehr wohl aktiviert worden. Angeblich sollen die Macher der Kampagne es auf Betriebsgeheimnisse großer Techfirmen abgesehen haben. --------------------------------------------- https://www.golem.de/news/optimierungsprogramm-ccleaner-malware-sollte-wohl… ∗∗∗ FedEX: TNT verliert durch NotPetya 300 Millionen US-Dollar ∗∗∗ --------------------------------------------- Angriffe auf die IT-Infrastruktur sind teuer: Nach Maersk hat auch das Logistikunternehmen TNT einen erheblichen Verlust durch NotPetya bekannt gegeben. Die Reparatur aller Systeme soll bis Ende September abgeschlossen werden. --------------------------------------------- https://www.golem.de/news/fedex-tnt-verliert-durch-notpetya-300-millionen-u… ∗∗∗ Deep-Learning PassGAN Tool Improve Password Guessing ∗∗∗ --------------------------------------------- A deep-learning network known as a GAN has been applied to passwords, and a tool called PassGAN significantly improves the ability to guess user passwords over tools such as Hashcat or John the Ripper. --------------------------------------------- http://threatpost.com/deep-learning-passgan-tool-improve-password-guessing/… ∗∗∗ Introducing Burplay, A Burp Extension for Detecting Privilege Escalations ∗∗∗ --------------------------------------------- The seventh entry on the most recent OWASP Top 10 release (from 2013, due to the 2017 release candidate being rejected!) is "Missing Function Level Access Control", which is essentially what leads to Privilege Escalation issues. This common vulnerability related... --------------------------------------------- https://www.trustwave.com/Resources/SpiderLabs-Blog/Introducing-Burplay,-A-… ∗∗∗ New FinFisher surveillance campaigns: Are internet providers involved? ∗∗∗ --------------------------------------------- New surveillance campaigns utilizing FinFisher, infamous spyware known also as FinSpy and sold to governments and their agencies worldwide, are in the wild. Besides featuring technical improvements, some of these variants have been using a cunning, previously-unseen infection vector with strong indicators of major internet service provider (ISP) involvement. --------------------------------------------- https://www.welivesecurity.com/2017/09/21/new-finfisher-surveillance-campai… ∗∗∗ Intel Management Engine gehackt ∗∗∗ --------------------------------------------- Sicherheitsexperten zeigten, wie sie eine Sicherheitslücke in Intels ME-Firmware nutzen, um unsignierten Code auszuführen. Die ME hat im Prinzip unbeschränkten Zugriff auf die Hardware des Systems, kann aber von Virenscannern nicht überwacht werden. --------------------------------------------- https://heise.de/-3837239 ∗∗∗ Verschlüsselung: Gpg4win 3.0 hält sich dezent im Hintergrund ∗∗∗ --------------------------------------------- Die Windows-Softwaresammlung Gpg4win verwendet Version 2.2 der freien Krypto-Engine GnuPG und sorgt dafür, dass Outlook mit dem OpenPGP/MIME-Standard umgehen kann. --------------------------------------------- https://heise.de/-3837176 ===================== = Advisories = ===================== ∗∗∗ Samba Releases Security Updates ∗∗∗ --------------------------------------------- Original release date: September 20, 2017 The Samba Team has released security updates to address several vulnerabilities in Samba. An attacker could exploit any of these vulnerabilities to obtain access to potentially sensitive information.US-CERT encourages users and administrators to review the Samba Security Announcements for CVE-2017-12150, CVE-2017-12151, and CVE-2017-12163 and apply the necessary updates, or refer to their Linux or Unix-based OS vendors for appropriate patches. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2017/09/20/Samba-Releases-Sec… ∗∗∗ Page Access - Unsupported - SA-CONTRIB-2017-75 ∗∗∗ --------------------------------------------- https://www.drupal.org/node/2910306 ∗∗∗ Skype Status - Moderately Critical - Cross Site Scripting - DRUPAL-SA-CONTRIB-2017-076 ∗∗∗ --------------------------------------------- https://www.drupal.org/node/2910308 ∗∗∗ Clientside Validation - Critical - Arbitary PHP Execution - DRUPAL-SA-CONTRIB-2017-072 ∗∗∗ --------------------------------------------- https://www.drupal.org/node/2907118 ∗∗∗ Security Update for tvOS 11 ∗∗∗ --------------------------------------------- https://support.apple.com/kb/HT208113 ∗∗∗ Security Update for watchOS 4 ∗∗∗ --------------------------------------------- https://support.apple.com/kb/HT208115 ∗∗∗ Cisco Unified Intelligence Center Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Wide Area Application Services HTTP Application Optimization Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco UCS Central Software Command Line Interface Restricted Shell Break Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Small Business SPA300, SPA500, and SPA51x Series IP Phones Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Small Business Managed Switches Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco FindIT DLL Preloading Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Email Security Appliance Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Unified Customer Voice Portal Operations Console Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Unified Intelligence Center Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Unified Intelligence Center User Interface Cross-Site Request Forgery Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ IBM Security Bulletin: Vulnerability in the Linux Kernel affects IBM Integrated Management Module II (IMM2) for System x, Flex and BladeCenter Systems (CVE-2017-6214) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/home/docdisplay?lndocid=migr-5099637 ∗∗∗ IBM Security Bulletin: IBM MQ termination of a client application causes denial of service (CVE-2017-1235) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22005415 ∗∗∗ IBM Security Bulletin: Open Source OpenSSL, GNUTls, RHEL CVE-2016-8610 'SSL-Death-Alert' affects IBM Cisco switches and directors. ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ssg1S1010572 ∗∗∗ IBM Security Bulletin: Multiple Java Vulnerabilities affect DB2 Text Search Stand Alone Accessories Suite ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22007190 ∗∗∗ OpenJDK vulnerabilities CVE-2015-2601, CVE-2015-2621, CVE-2015-2632, CVE-2015-4748, and CVE-2015-4749 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K84947349 ∗∗∗ HPESBHF03705 rev.2 - HPE Integrated Lights-Out 4 and Moonshot Remote Console Administrator (iLO 4 and MRCA) Remote Disclosure of Information ∗∗∗ --------------------------------------------- https://h20565.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=e… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.09.2017
by Daily end-of-shift report 20 Sep '17

20 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Dienstag 19-09-2017 18:00 − Mittwoch 20-09-2017 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ iTerm2 Leaks Everything You Hover in Your Terminal via DNS Requests ∗∗∗ --------------------------------------------- iTerm2, a popular Mac application that comes as a replacement for Apples official Terminal app, just received a security fix minutes ago for a severe security issue that leaked terminal content via DNS requests. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/iterm2-leaks-everything-you-… ∗∗∗ New tool: mac-robber.py, (Tue, Sep 19th) ∗∗∗ --------------------------------------------- On a recent forensic investigation where we couldn't take the Linux system down to image the disks, I was forced to do live response. Fortunately, I was able to get a memory image, but I also wanted a filesystem timeline. I first went to my old friend fls from The SleuthKit (TSK), but for some reason, it failed. So, I tried mac-robber (also from TSK) and it, too, failed. Not one to give up easily, I decided to write my own version of mac-robber in Python. Like the TSK mac-robber, [...] --------------------------------------------- https://isc.sans.edu/diary/rss/22844 ===================== = Advisories = ===================== ∗∗∗ PHOENIX CONTACT mGuard Device Manager ∗∗∗ --------------------------------------------- This advisory contains mitigation details for improper access control vulnerabilities within PHOENIX CONTACTs mGuard Device Manager associated with Oracle Java SE. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-262-01 ∗∗∗ WordPress 4.8.2 Security and Maintenance Release ∗∗∗ --------------------------------------------- WordPress 4.8.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. --------------------------------------------- https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance… ∗∗∗ Apple Security Updates ∗∗∗ --------------------------------------------- iOS 11: https://support.apple.com/en-us/HT208112 Safari 11: https://support.apple.com/en-us/HT208116 Xcode 9: https://support.apple.com/en-us/HT208103 --------------------------------------------- ∗∗∗ DFN-CERT-2017-1665: Apache Foundation Tomcat: Zwei Schwachstellen ermöglichen u.a. das Ausführen beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1665/ ∗∗∗ Security Advisory - Two Vulnerabilities in Some Huawei CPE Devices ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170920-… ∗∗∗ Security Advisory - Information Exposure Vulnerability in Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170920-… ∗∗∗ Security Advisory - FRP Bypass Vulnerability in Huawei Smart Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170920-… ∗∗∗ Security Advisory - Information Exposure Vulnerability on FusionSphere OpenStack ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170920-… ∗∗∗ F5 TMM vulnerability CVE-2017-6147 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K43945001 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.09.2017
by Daily end-of-shift report 19 Sep '17

19 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Montag 18-09-2017 18:00 − Dienstag 19-09-2017 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Avast Clarifies Details Surrounding CCleaner Malware Incident ∗∗∗ --------------------------------------------- Avast published earlier today a post-mortem of the CCleaner malware incident, in the hopes to clarify some of the details surrounding the event that many of its users found troubling. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/avast-clarifies-details-surr… ∗∗∗ Apples FaceID ∗∗∗ --------------------------------------------- This is a good interview with Apples SVP of Software Engineering about FaceID. Honestly, I dont know what to think. I am confident that Apple is not collecting a photo database, but not optimistic that it cant be hacked with fake faces. I dislike the fact that the police can point the phone at someone and have it automatically unlock. So this is important: I also quizzed Federighi about the exact way you "quick disabled" Face ID in tricky scenarios -- like being stopped by police, or [...] --------------------------------------------- https://www.schneier.com/blog/archives/2017/09/apples_faceid.html ∗∗∗ Old Themes, Abandoned Scripts and Pitfalls of Cleaning Serialized Data ∗∗∗ --------------------------------------------- Over the summer we’ve seen waves of WordPress database infections that use vulnerabilities in tagDiv’s Newspaper/Newsmag themes or InterconnectIT Search and Replace scripts (searchreplacedb2.php). The injections range from ad scripts coming from established ad networks like shorte.st to new domains created specifically for those attacks. Typical injected scripts look like this: [...] --------------------------------------------- https://blog.sucuri.net/2017/09/old-themes-abandoned-scripts-pitfalls-clean… ∗∗∗ Someone checked and, yup, you can still hijack Gmail, Bitcoin wallets etc via dirty SS7 tricks ∗∗∗ --------------------------------------------- Two-factor authentication by SMS? More like SOS Once again, its been demonstrated that vulnerabilities in cellphone networks can be exploited to intercept one-time two-factor authentication tokens in text messages. --------------------------------------------- https://www.theregister.co.uk/2017/09/18/ss7_vuln_bitcoin_wallet_hack_risk/ ∗∗∗ Open Hadoop Service Scanning Project ∗∗∗ --------------------------------------------- If you are looking at this page, then more than likely, you noticed a scan coming from this server across your network and/or poking at the Hadoop Namenode or Datanode web service. The Shadowserver Foundation is currently undertaking a project to search for publicly accessible devices that have one or both of these hadoop services service running. The goal of this project is to identify openly accessible systems that have these services running and report them back to the network owners for [...] --------------------------------------------- https://hadoopscan.shadowserver.org/ ∗∗∗ Call for Papers IT-SECX 2017 - "Future incident response" ∗∗∗ --------------------------------------------- Die IT-SECX ist eine Security-Konferenz mit Vorträgen und Workshops. [...] Das Motto der heurigen IT-SECX ist "Future incident response" mit dem Ziel aktuelle gezielte Angriffe, Malwarekampagnen und Gegenmaßnahmen zu diskutieren. Mit diesem Fokus sind Einreichungen für Vorträge zu folgenden Themen erwünscht: [...] --------------------------------------------- https://itsecx.fhstp.ac.at/call-for-papers/ ∗∗∗ Gefährdeter Datenschutz: Firefox löscht lokale Datenbanken nicht ∗∗∗ --------------------------------------------- Der Firefox-Browser bringt ein großes Datenschutzproblem mit sich. Nur umständlich lässt sich die Firefox-Chronik von Nutzern löschen. Webseiten können mühelos auf zuvor im Browser gespeicherte Daten zugreifen. --------------------------------------------- https://heise.de/-3835084 ∗∗∗ PC-Wahl: CCC demonstriert erneut einen Angriff und bietet Open-Source-Hilfe ∗∗∗ --------------------------------------------- Mit einem demonstrativen Hack macht der CCC auf ein erneutes Sicherheitsproblem der bereits mehrfach nachgebesserten Wahl-Software aufmerksam. Eine Open-Source-Spende soll PC-Wahl jetzt zu einer sicheren Update-Funktion verhelfen. --------------------------------------------- https://heise.de/-3835282 ∗∗∗ Unternehmen im Visier von Cyber-Kriminellen ∗∗∗ --------------------------------------------- Mit gefälschten Zahlungsanweisungen versuchen Kriminelle, von Unternehmen hohe Geldsummen zu stehlen. Ihre Nachrichten richten sich direkt an die Buchhaltung und geben vor, dass sie von der Geschäftsführung stammen. Mitarbeiter/innen, die auf den sogenannten CEO-Betrug hereinfallen, verursachen hohe Verluste. Wir zeigen Ihnen, wie Sie Ihr Unternehmen vor diesem Betrug schützen. --------------------------------------------- https://www.watchlist-internet.at/sonstiges/unternehmen-im-visier-von-cyber… ===================== = Advisories = ===================== ∗∗∗ [20170901] - Core - Information Disclosure ∗∗∗ --------------------------------------------- Project: Joomla! SubProject: CMS Severity: Low Versions: 3.7.0 through 3.7.5 Exploit type: Information Disclosure Reported Date: 2017-August-4 Fixed Date: 2017-September-19 CVE Number: CVE-2017-14595 Description A logic bug in a SQL query could lead to the disclosure of article intro texts when these articles are in the archived state. Affected Installs Joomla! CMS versions 3.7.0 through 3.7.5 Solution Upgrade to version 3.8.0 --------------------------------------------- https://developer.joomla.org/security-centre/710-20170901-core-information-… ∗∗∗ [20170902] - Core - LDAP Information Disclosure ∗∗∗ --------------------------------------------- Project: Joomla! SubProject: CMS Severity: Medium Versions: 1.5.0 through 3.7.5 Exploit type: Information Disclosure Reported Date: 2017-July-27 Fixed Date: 2017-September-19 CVE Number: CVE-2017-14596 Description Inadequate escaping in the LDAP authentication plugin can result into a disclosure of username and password. Affected Installs Joomla! CMS versions 1.5.0 through 3.7.5 Solution Upgrade to version 3.8.0 --------------------------------------------- https://developer.joomla.org/security-centre/711-20170902-core-ldap-informa… ∗∗∗ Security Advisory 2017-04: Security Update for all OTRS Versions ∗∗∗ --------------------------------------------- September 18, 2017 — Please read carefully and check if the version of your OTRS system is affected by this vulnerability. Please send information regarding vulnerabilities in OTRS to: security(a)otrs.org --------------------------------------------- https://www.otrs.com/security-advisory-2017-04-security-update-otrs-version… ∗∗∗ DSA-3978 gdk-pixbuf - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2017/dsa-3978 ∗∗∗ DSA-3977 newsbeuter - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2017/dsa-3977 ∗∗∗ DFN-CERT-2017-1643: Moodle: Mehrere Schwachstellen ermöglichen u.a. das Ausführen beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1643/ ∗∗∗ Security Advisory - Multiple Vulnerabilities in MTK Platform ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170919-… ∗∗∗ IBM Security Bulletin: API Connect Portal is affected by multiple Drupal vulnerabilities ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22008323 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect API Connect ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22008382 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Rational Synergy ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22008122 ∗∗∗ IBM Security Bulletin: Vulnerability in IBM WebSphere Application Server affects Tivoli Storage Productivity Center (CVE-2017-1382) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22007663 ∗∗∗ IBM Security Bulletin: Vulnerability in IBM WebSphere Application Server affects Tivoli Storage Productivity Center (CVE-2017-1380) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22007665 ∗∗∗ Expat vulnerability CVE-2016-0718 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K52320548 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.09.2017
by Daily end-of-shift report 18 Sep '17

18 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Freitag 15-09-2017 18:00 − Montag 18-09-2017 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Machine Learning Myths ∗∗∗ --------------------------------------------- “Machine learning” is the new “it” buzzword in security. As a result, it’s being thrown around fairly loosely on vendor websites and in marketing materials. Not only is that unfortunate for anyone looking to get a straight answer on how machine learning can help their company stay more secure, it is also fostering a general sense of confusion around what the term actually means. To help clear things up, let’s take a closer look at six of the most common [...] --------------------------------------------- https://feeds.feedblitz.com/~/459728214/0/alienvault-blogs~Machine-Learning… ∗∗∗ Optionsbleed: Apache-Webserver blutet ∗∗∗ --------------------------------------------- Beim Apache-Webserver lassen sich in bestimmten Konfigurationen Speicherfragmente durch einen Angreifer auslesen. Besonders kritisch ist diese Lücke in Shared-Hosting-Umgebungen. --------------------------------------------- https://www.golem.de/news/optionsbleed-apache-webserver-blutet-1709-130105-… ∗∗∗ CCleaner: Avast verteilt Malware mit Optimierungsprogramm ∗∗∗ --------------------------------------------- So hatten sich Nutzer die Optimierung des PCs sicher nicht vorgestellt: Eine Version von CCleaner wurde für rund einen Monat mit Malware ausgeliefert. --------------------------------------------- https://www.golem.de/news/ccleaner-avast-verteilt-malware-mit-optimierungsp… ∗∗∗ An (un)documented Word feature abused by attackers ∗∗∗ --------------------------------------------- A little while back we were investigating the malicious activities of the Freakyshelly targeted attack and came across spear phishing emails that had some interesting documents attached to them. They were in OLE2 format and contained no macros, exploits or any other active content. --------------------------------------------- http://securelist.com/an-undocumented-word-feature-abused-by-attackers/8189… ∗∗∗ Malicious Backdoors: Fake Images and Strrev Functions ∗∗∗ --------------------------------------------- When a website is compromised, attackers frequently leave behind a backdoor – according to our research around 70% of all website hacks include a backdoor. These backdoors are not designed to attack a website or destroy data, instead they allow an attacker to re-enter a targeted website with little to no authentication, providing them with unauthorized access to the system. Backdoors can be planted anywhere within a site, file system, or database. --------------------------------------------- https://blog.sucuri.net/2017/09/malicious-backdoors-fake-images-strrev-func… ∗∗∗ Achtung: Aktuelle Spam-Mails fälschen Absender von Mitarbeitern ∗∗∗ --------------------------------------------- Akute Gefahr geht von einer Schädlingswelle aus, die per E-Mail anrollt. Durch eine clevere Wahl der Absender könnten auch versierte Anwender verleitet werden, dem darin enthaltenen Link zu folgen. Er führt zu bislang weitgehend unerkannter Malware. --------------------------------------------- https://heise.de/-3834782 ∗∗∗ Keine Sicherheits-App der Erste Bank installieren ∗∗∗ --------------------------------------------- In einer gefälschten Erste Bank-Nachricht fordern Kriminelle Kund/innen dazu auf, dass sie eine Sicherheits-App für ihr mobiles Endgerät installieren. Das sei angeblich notwendig, damit diese weiterhin ihren OnlineBanking-Zugang nützen können. In Wahrheit ist die Sicherheits-App Schadsoftware. Sie ermöglicht es Unbekannten, auf die Konten ihrer Opfer zuzugreifen. --------------------------------------------- https://www.watchlist-internet.at/schadsoftware/keine-sicherheits-app-der-e… ∗∗∗ People cant read (Equifax edition) ∗∗∗ --------------------------------------------- One of these days Im going to write a guide for journalists reporting on the cyber. One of the items Id stress is that they often fail to read the text of what is being said, but instead read some sort of subtext that wasnt explicitly said. This is valid sometimes -- as the subtext is what the writer intended all along, even if they didnt explicitly write it. Other times, though the imagined subtext is not what the writer intended at all. A good example is the recent Equifax breach. --------------------------------------------- http://blog.erratasec.com/2017/09/people-cant-read-equifax-edition.html ===================== = Advisories = ===================== ∗∗∗ DSA-3974 tomcat8 - security update ∗∗∗ --------------------------------------------- Two issues were discovered in the Tomcat servlet and JSP engine. --------------------------------------------- https://www.debian.org/security/2017/dsa-3974 ∗∗∗ DSA-3975 emacs25 - security update ∗∗∗ --------------------------------------------- Charles A. Roelli discovered that Emacs is vulnerable to arbitrary codeexecution when rendering text/enriched MIME data (e.g. when usingEmacs-based mail clients). --------------------------------------------- https://www.debian.org/security/2017/dsa-3975 ∗∗∗ DSA-3976 freexl - security update ∗∗∗ --------------------------------------------- Marcin Icewall Noga of Cisco Talos discovered two vulnerabilities infreexl, a library to read Microsoft Excel spreadsheets, which mightresult in denial of service or the execution of arbitrary code if amalformed Excel file is opened. --------------------------------------------- https://www.debian.org/security/2017/dsa-3976 ∗∗∗ ZDI-17-811: EMC Data Protection Advisor Application Service Static Credentials Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to escalate privileges on vulnerable installations of EMC Data Protection Advisor. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-17-811/ ∗∗∗ Magento 2.0.16 and 2.1.9 Security Update ∗∗∗ --------------------------------------------- Magento Commerce and Open Source 2.1.9 and 2.0.16 contain multiple security enhancements that help close cross-site request forgery (CSRF), unauthorized data leak, and authenticated Admin user remote code execution vulnerabilities. --------------------------------------------- https://magento.com/security/patches/magento-2016-and-219-security-update ∗∗∗ SUPEE-10266 ∗∗∗ --------------------------------------------- SUPEE-10266, Magento Commerce 1.14.3.6 and Open Source 1.9.3.6 contain multiple security enhancements that help close cross-site request forgery (CSRF), unauthorized data leak, and authenticated Admin user remote code execution vulnerabilities. --------------------------------------------- https://magento.com/security/patches/supee-10266 ∗∗∗ BlackBerry response to impact of the vulnerabilities known as BlueBorne on BlackBerry products ∗∗∗ --------------------------------------------- http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber… ∗∗∗ Vuln: Moodle CVE-2017-12157 Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.securityfocus.com/bid/100848 ∗∗∗ Apache Struts 2 Remote Code Execution Vulnerability Affecting Multiple Cisco Products: September 2017 ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Multiple Vulnerabilities in Apache Struts 2 Affecting Cisco Products: September 2017 ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Meeting Server TURN Server Unauthorized Access and Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ DFN-CERT-2017-1634: ChakraCore: Mehrere Schwachstellen ermöglichen das Ausführen beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1634/ ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement products. ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22008401 ∗∗∗ IBM Security Bulletin: A vulnerability in XStream affects IBM InfoSphere Information Governance components ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22004784 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Spectrum Control and Tivoli Storage Productivity Center (CVE-2017-3511, CVE-2017-10115, CVE-2017-10116) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22006034 ∗∗∗ IBM Security Bulletin: Vulnerability in IBM WebSphere Application Server affects IBM Spectrum Control and Tivoli Storage Productivity Center (CVE-2017-1194) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22006028 ∗∗∗ IBM Security Bulletin: Sweet32 vulnerability affects IBM Spectrum Control and Tivoli Storage Productivity Center (CVE-2016-2183) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22006040 ∗∗∗ IBM Security Bulletin: Vulnerability in IBM WebSphere Application Server affects Tivoli Storage Productivity Center (CVE-2017-1137) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22006029 ∗∗∗ IBM Security Bulletin: Vulnerability in IBM WebSphere Application Server affects IBM Spectrum Control and Tivoli Storage Productivity Center (CVE-2017-1121) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22006027 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect ITCAM for SOA ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22008182 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities may affect IBM® WebSphere Real Time ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22006696 ∗∗∗ IBM Security Bulletin: Potential security vulnerability in selected fixpacks of WebSphere Application Server affects IBM Emptoris Strategic Supply Management suite of products and IBM Emptoris Services Procurement (CVE-2017-1501) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22008410 ∗∗∗ OpenJDK vulnerabilities CVE-2015-2621, CVE-2015-2632, CVE-2015-4748, and CVE-2015-4749 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K84947349 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.09.2017
by Daily end-of-shift report 15 Sep '17

15 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 14-09-2017 18:00 − Freitag 15-09-2017 18:00 Handler: Olaf Schwarz Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Ten Malicious Libraries Found on PyPI - Python Package Index ∗∗∗ --------------------------------------------- The Slovak National Security Office (NBU) has identified ten malicious Python libraries uploaded on PyPI — Python Package Index — the official third-party software repository for the Python programming language. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/ten-malicious-libraries-foun… ∗∗∗ Equifax Confirms March Struts Vulnerability Behind Breach ∗∗∗ --------------------------------------------- Equifax divulged on Wednesday that the culprit behind this summers breach of 143 million Americans was an Apache Struts vulnerability, CVE-2017-5638, patched back in March. --------------------------------------------- http://threatpost.com/equifax-confirms-march-struts-vulnerability-behind-br… ∗∗∗ VMware Patches Bug That Allows Guest to Execute Code on Host ∗∗∗ --------------------------------------------- Users who run four different types of VMware products, ESXi, vCenter Server, Fusion and Workstation, are being encouraged to update to address a series of vulnerabilities, one critical. --------------------------------------------- http://threatpost.com/vmware-patches-bug-that-allows-guest-to-execute-code-… ∗∗∗ Yet Another Android Malware Infects Over 4.2 Million Google Play Store Users ∗∗∗ --------------------------------------------- Even after so many efforts by Google, malicious apps somehow managed to fool its Play Stores anti-malware protections and infect people with malicious software. The same happened once again when at least 50 apps managed to make its way onto Google Play Store and were successfully downloaded as many as 4.2 million times—one of the biggest malware outbreaks. Security firm Check Point on --------------------------------------------- https://thehackernews.com/2017/09/play-store-malware.html ∗∗∗ Google veröffentlicht API zum Malware-Schutz für Android ∗∗∗ --------------------------------------------- Mit der SafetyNet Verify Apps API können Apps überprüfen, ob Android-Endgeräte Google Play Protect verwenden. Auch der Zugriff auf die Scan-Funktion ist über die Schnittstelle möglich. --------------------------------------------- https://heise.de/-3832697 ∗∗∗ Bashware: Windows 10 über Linux-Komponente angreifbar ∗∗∗ --------------------------------------------- Die Sicherheitsfirma Checkpoint hat eine Möglichkeit gefunden, wie man Windows-10-Rechner über die optionalen Linux-Komponenten des Betriebssystems angreifen kann. Allerdings übertreiben die Forscher den Ernst der Lage gehörig. --------------------------------------------- https://heise.de/-3833695 ∗∗∗ Malvertising-Kampagne setzt auf Krypto-Mining in fremden Browsern ∗∗∗ --------------------------------------------- Fremde CPU-Leistung mittels Malware zum Mining von Bitcoins und Co. zu missbrauchen, ist eine altbewährte Strategie. Eine aktuelle Malvertising-Kampagne im osteuropäischen Raum verlegt das Mining per JavaScript direkt in den Webbrowser. --------------------------------------------- https://heise.de/-3833536 ===================== = Advisories = ===================== ∗∗∗ LOYTEC LVIS-3ME ∗∗∗ --------------------------------------------- This advisory contains mitigation details for relative path traversal, insufficient entropy, cross-site scripting and insufficiently protected credentials vulnerabilities within LOYTECs LVIS-3ME HMI touch panel. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-257-01 ∗∗∗ VMSA-2017-0015 ∗∗∗ --------------------------------------------- VMware ESXi, vCenter Server, Fusion and Workstation updates resolve multiple security vulnerabilities --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2017-0015.html ∗∗∗ USN-3417-1: Libgcrypt vulnerability ∗∗∗ --------------------------------------------- Ubuntu Security Notice USN-3417-1 14th September, 2017 libgcrypt20 vulnerability A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 17.04 Summary Libgcrypt could be made to expose sensitive information. Software description libgcrypt20 - LGPL Crypto library Details Daniel Genkin, Luke Valenta, and Yuval Yarom discovered that Libgcrypt was susceptible to an attack via side channels. A local attacker could use this attack to recover Curve25519 private keys. --------------------------------------------- http://www.ubuntu.com/usn/usn-3417-1/ ∗∗∗ IBM Security Bulletin: IBM Spectrum Scale Object Protocols functionality is affected by a security vulnerability in Python (CVE-2017-2592) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010471 ∗∗∗ IBM Security Bulletin: Open Source Apache PDFBox Vulnerabilities in IBM Content Classification ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=swg21991021 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.09.2017
by Daily end-of-shift report 14 Sep '17

14 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 13-09-2017 18:00 − Donnerstag 14-09-2017 18:00 Handler: Alexander Riepl Co-Handler: Olaf Schwarz ===================== = News = ===================== ∗∗∗ Zerodium Offering $1M for Tor Browser Zero Days ∗∗∗ --------------------------------------------- Exploit acquisition vendor Zerodium said Wednesday it will pay up to $1M for an unknown Tor Browser zero day. --------------------------------------------- http://threatpost.com/zerodium-offering-1m-for-tor-browser-zero-days/127959/ ∗∗∗ Another webshell, another backdoor! ∗∗∗ --------------------------------------------- Im still busy to follow how webshells are evolving... I recently found another backdoor in another webshell called "cor0.id". The best place to find webshells remind pastebin.com. When Im testing a webshell, I copy it in a VM located on a "wild Internet" VLAN in my home lab with, amongst other controls, full packet capture enabled. --------------------------------------------- https://isc.sans.edu/diary/rss/22826 ∗∗∗ Old Themes, Abandoned Scripts and Pitfalls of Cleaning Serialized Data ∗∗∗ --------------------------------------------- Over the summer we’ve seen waves of WordPress database infections that use vulnerabilities in tagDiv’s Newspaper/Newsmag themes or InterconnectIT Search and Replace scripts (searchreplacedb2.php). The injections range from ad scripts coming from established ad networks like shorte.st to new domains created specifically for those attacks. Typical injected scripts look like this ... --------------------------------------------- https://blog.sucuri.net/2017/09/old-themes-abandoned-scripts-pitfalls-clean… ∗∗∗ Samsung’s launches bug bounty program and will reward up to $200,000 to anyone who discovers vulnerabilities in its mobile devices and associated software ∗∗∗ --------------------------------------------- Samsung says,”We take security and privacy issues very seriously; and as an appreciation for helping Samsung Mobile improve the security of our products and minimizing risk to our end-consumers, we are offering a rewards program for eligible security vulnerability reports,”. --------------------------------------------- https://www.techposts.net/samsung-launches-bug-bounty-program-offering-boun… ∗∗∗ Enlarge your botnet with: top D-Link routers (DIR8xx D-Link routers cruisin for a bruisin) ∗∗∗ --------------------------------------------- In this article, we are going to discuss vulnerabilities detected in the top D-Link routers. The devices use the same code, thus giving a magnificent and quite tempting opportunity to attackers to add them to a botnet. Moreover, we have managed to make Mirai for the devices by modifying its compilation script a bit. --------------------------------------------- https://embedi.com/blog/enlarge-your-botnet-top-d-link-routers-dir8xx-d-lin… ∗∗∗ "Display Widgets": WordPress-Plugin mit Backdoor aus Repository entfernt ∗∗∗ --------------------------------------------- Ein Plugin zur Verwaltung von WordPress-Widgets enthielt eine Backdoor, die dessen Herausgeber über Monate hinweg den Fernzugriff ermöglichte. Nun wurde es endgültig aus dem WordPress-Repository entfernt. Ein Update säubert bestehende Installationen. --------------------------------------------- https://heise.de/-3831761 ∗∗∗ Schwere Lücke im Router D-Link DIR-850L: Patches kommen am 19. September ∗∗∗ --------------------------------------------- Die Heimrouter können von Angreifern aus der Ferne übernommen werden. Bisher gibt es kein Update, da der Entdecker der Lücken D-Link vor der Veröffentlichung nicht informiert hat. Nun hat die Firma das Datum mitgeteilt, ab dem es Patches geben soll. --------------------------------------------- https://heise.de/-3832456 ∗∗∗ End of extended support for Office 2007 ∗∗∗ --------------------------------------------- The end of extended support for the Office 2007 family of desktop and server products is coming up next month. See Office 2007 approaching end of extended support for more details and the list of affected products. --------------------------------------------- https://blogs.technet.microsoft.com/office_sustained_engineering/2017/09/13… ===================== = Advisories = ===================== ∗∗∗ DSA-3972 bluez - security update ∗∗∗ --------------------------------------------- An information disclosure vulnerability was discovered in the ServiceDiscovery Protocol (SDP) in bluetoothd, allowing a proximate attacker toobtain sensitive information from bluetoothd process memory, includingBluetooth encryption keys. --------------------------------------------- https://www.debian.org/security/2017/dsa-3972 ∗∗∗ Flag clear - Moderately Critical - CSRF - DRUPAL-SA-CONTRIB-2017-074 ∗∗∗ --------------------------------------------- Advisory ID: DRUPAL-SA-CONTRIB-2017-074 Vulnerability: Cross Site Request Forgery Description: The Flag clear module allows administrators to remove user flags for content. This functionality is often useful in user-submission use-cases, where users do not necessarily need to unflag things on their own. --------------------------------------------- https://www.drupal.org/node/2908592 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Rational ClearQuest (CVE-2017-1289) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22007617 ∗∗∗ IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Rational ClearQuest (CVE-2016-7055, CVE-2017-3731) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22002883 ∗∗∗ IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Rational ClearCase (CVE-2016-7055, CVE-2017-3731) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22002863 ∗∗∗ Persistent Cross-Site Scripting in SilverStripe CMS ∗∗∗ --------------------------------------------- https://www.sec-consult.com/en/blog/advisories/persistent-cross-site-script… ∗∗∗ Authenticated Command Injection in Ubiquiti Networks UniFi Cloud Key ∗∗∗ --------------------------------------------- https://www.sec-consult.com/en/blog/advisories/authenticated-command-inject… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.09.2017
by Daily end-of-shift report 13 Sep '17

13 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Dienstag 12-09-2017 18:00 − Mittwoch 13-09-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Over 4,000 ElasticSearch Servers Found Hosting PoS Malware Files ∗∗∗ --------------------------------------------- The Kromtech Security Center has identified over 4,000 instances of ElasticSearch servers that are hosting files specific to two strains of POS (Point of Sale) malware — AlinaPOS and JackPOS. --------------------------------------------- https://www.bleepingcomputer.com/news/security/over-4-000-elasticsearch-ser… ∗∗∗ Blueborne: Sicherheitslücken gefährden fünf Milliarden Bluetooth-Geräte ∗∗∗ --------------------------------------------- Etwa fünf Milliarden Geräte weltweit sollen von kritischen Bluetooth-Sicherheitslücken betroffen sein. Die Fehler liegen jedoch nicht im Protokoll, sondern in den entsprechenden Stacks von Windows, Linux und Android. Bei Apple sind nur ältere Geräte von Blueborne betroffen. --------------------------------------------- https://www.golem.de/news/bluetooth-kritische-sicherheitsluecken-ermoeglich… ∗∗∗ Exploit for CVE-2017-8759 detected and neutralized ∗∗∗ --------------------------------------------- The September 12, 2017 security updates from Microsoft include the patch for a previously unknown vulnerability exploited through Microsoft Word as an entry vector. Customers using Microsoft advanced threat solutions were already protected against this threat. The .. --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2017/09/12/exploit-for-cve-2017-87… ∗∗∗ Hackers Got Into America’s Power Grid. But Don’t Freak Out. ∗∗∗ --------------------------------------------- Last week cybersecurity firm Symantec released a report on what it calls Dragonfly 2.0—a collection of intrusions into industrial and energy-related organizations worldwide. For the last six years, the Dragonfly intrusions and others have regularly gone deeper into the operational networks that control elements of America’s power grid. --------------------------------------------- http://fortune.com/2017/09/11/dragonfly-2-0-symantec-hackers-power-grid/ ∗∗∗ WordPress’ Poor Handling of Plugin Security Exacerbates Malicious Takeover of Display Widgets ∗∗∗ --------------------------------------------- Recently there has been a fair amount of coverage of popular Chrome extensions being modified to include malicious code after the login credentials used to control them in the Chrome Web Store had been compromised .. --------------------------------------------- https://www.pluginvulnerabilities.com/2017/09/11/wordpress-poor-handling-of… ∗∗∗ Adobe stopft Sicherheitslücken in Flash, ColdFusion und RoboHelp ∗∗∗ --------------------------------------------- Auch bei Adobe ist wieder Patchday und der Tradition entsprechend patcht die Firma zu dieser Gelegenheit wieder einmal kritische Lücken im Flash Player. Auch ColdFusion und RoboHelp erhalten Updates. --------------------------------------------- https://heise.de/-3830067 ∗∗∗ Compromised LinkedIn accounts used to send phishing links via private message and InMail ∗∗∗ --------------------------------------------- A recent attack uses existing LinkedIn user accounts to send phishing links to their contacts via private message .. --------------------------------------------- https://blog.malwarebytes.com/threat-analysis/2017/09/compromised-linkedin-… ∗∗∗ Patchday: Microsoft stopft Staatstrojaner-Schlupfloch ∗∗∗ --------------------------------------------- Lücke in Word und .NET-Framework wurde von FinFisher-Malware ausgenutzt --------------------------------------------- http://derstandard.at/2000064009454 ===================== = Advisories = ===================== ∗∗∗ DSA-3971 tcpdump - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2017/dsa-3971 ∗∗∗ DSA-3970 emacs24 - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2017/dsa-3970 ∗∗∗ DSA-3969 xen - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2017/dsa-3969 ∗∗∗ Local File Disclosure in VLC media player iOS app ∗∗∗ --------------------------------------------- https://www.sec-consult.com/en/blog/advisories/local-file-disclosure-in-vlc… ∗∗∗ Multiple Vulnerabilities in IBM Infosphere Information Server / Datastage ∗∗∗ --------------------------------------------- https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.09.2017
by Daily end-of-shift report 12 Sep '17

12 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Montag 11-09-2017 18:00 − Dienstag 12-09-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Miners on the Rise ∗∗∗ --------------------------------------------- Over the last month alone, we have detected several large botnets designed to profit from concealed crypto mining. We have also observed growing numbers of attempts to install miners on servers owned by organizations. When these attempts are successful, the companies’ business processes suffer because data processing speeds fall substantially. --------------------------------------------- http://securelist.com/miners-on-the-rise/81706/ ∗∗∗ Google to kill Symantec certs in Chrome 66, due in early 2018 ∗∗∗ --------------------------------------------- This is how trust ends, not with a bang but with a whimper Google has detailed its plan to deprecate Symantec-issued certificates in Chrome.… --------------------------------------------- www.theregister.co.uk/2017/09/12/chrome_66_to_reject_symantec_certs/ ∗∗∗ D-Link DIR-850L: Router können gekapert werden, Patches nicht verfügbar ∗∗∗ --------------------------------------------- In D-Links Heimrouter 850L klaffen schwerwiegende Sicherheitslücken, über die Angreifer die Geräte in ihre Kontrolle bringen können. Updates, welche die Lücken schließen, sind vorerst nicht zu erwarten. --------------------------------------------- https://heise.de/-3828382 ∗∗∗ SAP Security Patch Day – September 2017 ∗∗∗ --------------------------------------------- This post by SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly .. --------------------------------------------- https://blogs.sap.com/2017/09/12/sap-security-patch-day-september-2017/ ===================== = Advisories = ===================== ∗∗∗ Security Bulletins Posted ∗∗∗ --------------------------------------------- Adobe has published security bulletins for Adobe RoboHelp (APSB17-25), Adobe Flash Player (APSB17-28) and ColdFusion (APSB17-30). Adobe recommends users update their product .. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1491 ∗∗∗ DSA-3968 icedove - security update ∗∗∗ --------------------------------------------- Multiple security issues have been found in Thunderbird, which may lead to the execution of arbitrary code or denial of service. --------------------------------------------- https://www.debian.org/security/2017/dsa-3968 ∗∗∗ Email verification bypass in SAP E-Recruiting ∗∗∗ --------------------------------------------- https://www.sec-consult.com/en/blog/advisories/email-verification-bypass-in… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.09.2017
by Daily end-of-shift report 11 Sep '17

11 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Freitag 08-09-2017 18:00 − Montag 11-09-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Energieversorgung: E-Mail-Konten sind besser gesichert als Windparks ∗∗∗ --------------------------------------------- Windparks machen einen professionellen Eindruck, doch bei der IT-Sicherheit hapert es leider. Recherchen von Internetwache.org und Golem.de zeigen eine Menge Schwachstellen und ein Chaos bei der Zuständigkeit. --------------------------------------------- https://www.golem.de/news/energieversorgung-e-mail-konten-sind-besser-gesic… ∗∗∗ Secure microkernel in a KVM switch offers spy-grade app virtualization ∗∗∗ --------------------------------------------- Need a few air-gapped apps on one screen? Australian researchers show how Researchers at Australian think tank Data61 and the nations Defence Science and Technology Group have cooked up application publishing for the paranoid, by baking an ARM CPU and secure microkernel into a KVM switch.… --------------------------------------------- www.theregister.co.uk/2017/09/07/cross_domain_desktop_compositor_vdi_for_th… ∗∗∗ Apache Foundation rebuffs allegation it allowed Equifax attack ∗∗∗ --------------------------------------------- Timeline explains that either Equifax didnt patch old bugs, or was zero-dayed The Apache Software Foundation has defended its development practices in the face of a report alleging its code was responsible for the Equifax data leak.… --------------------------------------------- www.theregister.co.uk/2017/09/11/apache_rebuts_equifax_allegation/ ∗∗∗ Bug im Windows-Kernel könnte durch Schadcode missbraucht werden ∗∗∗ --------------------------------------------- Im Windows-Kernel schlummert seit Jahren eine Lücke, die in einigen Fällen dafür sorgen könnte, dass Malware vom Radar von Sicherheitssoftware verschwindet. Laut ihrem Entdecker zeigt sich Microsoft bislang aber eher desinteressiert. --------------------------------------------- https://heise.de/-3825130 ∗∗∗ Equifax Breach Response Turns Dumpster Fire ∗∗∗ --------------------------------------------- I cannot recall a previous data breach in which the breached company’s public outreach and response has been so haphazard and ill-conceived as the one coming right now from big-three credit bureau Equifax, which rather clumsily announced Thursday that an intrusion jeopardized Social security numbers and other information on 143 million Americans. --------------------------------------------- https://krebsonsecurity.com/2017/09/equifax-breach-response-turns-dumpster-… ∗∗∗ Hack: 143 Millionen US-Amerikanern droht Identitätsdiebstahl ∗∗∗ --------------------------------------------- Datendiebstahl bei US-Finanzinstitut Equifax gilt als einer der schlimmsten Einbrüche in der IT-Geschichte --------------------------------------------- http://derstandard.at/2000063850369 ∗∗∗ Another Apache Struts Vulnerability Under Active Exploitation ∗∗∗ --------------------------------------------- This post authored by Nick Biasini with contributions from Alex Chiu.Earlier this week, a critical vulnerability in Apache Struts was publicly disclosed in a security advisory. This new vulnerability, identified as CVE-2017-9805, manifests due to the way the REST plugin uses XStreamHandler with an instance of XStream for deserialization without any type filtering. As a result, a remote, unauthenticated attacker could achieve remote code execution on a host running a vulnerable version of Apache --------------------------------------------- http://blog.talosintelligence.com/2017/09/apache-struts-being-exploited.html ===================== = Advisories = ===================== ∗∗∗ Multiple Vulnerabilities in Apache Struts 2 Affecting Cisco Products: September 2017 ∗∗∗ --------------------------------------------- On September 5, 2017, the Apache Software Foundation released security bulletins that disclosed three vulnerabilities in the Apache Struts 2 package. Of these vulnerabilities, the Apache Software Foundation classifies one as Critical Severity, one as Medium Severity, and one as Low Severity. For more information about the vulnerabilities, refer to the Details section .. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ HPESBNS03755 rev.2 - HPE NonStop Server using Samba, Multiple Remote Vulnerabilities ∗∗∗ --------------------------------------------- https://h20566.www2.hpe.com/portal/site/hpsc/template.PAGE/action.process/p… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily