- Daily - CERT.at

Tageszusammenfassung - Dienstag 13-06-2017
by Daily end-of-shift report 13 Jun '17

13 Jun '17

======================= = End-of-Shift report = ======================= Timeframe: Montag 12-06-2017 18:00 − Dienstag 13-06-2017 18:00 Handler: Robert Waldner Co-Handler: n/a *** Security Bulletins posted *** --------------------------------------------- Adobe has published security bulletins for Adobe Flash Player (APSB17-17), Adobe Shockwave Player (APSB17-18), Adobe Captivate (APSB17-19) and Adobe Digital Editions (APSB17-20). Adobe recommends users update their product installations to the latest versions... --------------------------------------------- https://blogs.adobe.com/psirt/?p=1469 *** SAP Security Patch Day - June2017 *** --------------------------------------------- On 13th of June 2017, SAP Security Patch Day saw the release of 18 security notes. Additionally, there were 3 updates to previously released security notes. --------------------------------------------- https://blogs.sap.com/2017/06/13/sap-security-patch-day-june2017/ *** Analyzing Xavier: An Information-Stealing Ad Library on Android *** --------------------------------------------- We have recently discovered a Trojan Android ad library called Xavier that steals and leaks a user's information silently. Xavier's impact has been widespread, with more than 800 applications embedding the ad library's SDK having been downloaded millions of times from Google Play. --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/Vlm6uUCaCKU/ *** [2017-06-13] Access Restriction Bypass in Atlassian Confluence *** --------------------------------------------- An attacker can manually subscribe to pages of Atlassian Confluence which he is not able to view and he then receive any further comments made on the restricted page. --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2017… *** FIN7 Hitting Restaurants with Fileless Malware *** --------------------------------------------- A campaign attributed to the FIN7 attackers targets restaurants with phishing emails and infected RTF Word documents that carry out fileless malware attacks. --------------------------------------------- http://threatpost.com/fin7-hitting-restaurants-with-fileless-malware/126213/ *** More Bypassing of Malware Anti-Analysis Techniques *** --------------------------------------------- For last few articles, we have seen how malware employs some anti-analysis techniques and how we can bypass those techniques. Now, let's raise the bar a bit more and look out for more advanced anti-analysis techniques. In this article, we will look at how we can reach the Original Entry Point of a packed Exe ... --------------------------------------------- http://resources.infosecinstitute.com/bypassing-malware-anti-analysis-techn… *** Learning Pentesting with Metasploitable3 - Part 2 *** --------------------------------------------- Introduction: This is the second part in this series of articles on Learning Pentesting with Metasploitable3. We have prepared our lab setup in our previous article. This article shows the Information Gathering techniques that are typically used during Penetration Testing by using Metasploitable3 VM. This phase is crucial during a penetration test as we will ... --------------------------------------------- http://resources.infosecinstitute.com/learning-pentesting-metasploitable3-p… *** Multiple (0day) vulnerabilities in Schneider Electric U.motion Builder *** --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-17-383/ http://www.zerodayinitiative.com/advisories/ZDI-17-384/ http://www.zerodayinitiative.com/advisories/ZDI-17-385/ http://www.zerodayinitiative.com/advisories/ZDI-17-386/ http://www.zerodayinitiative.com/advisories/ZDI-17-387/ http://www.zerodayinitiative.com/advisories/ZDI-17-388/ http://www.zerodayinitiative.com/advisories/ZDI-17-389/ http://www.zerodayinitiative.com/advisories/ZDI-17-390/ *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: IBM API Connect is affected by an information disclosure vulnerability (CVE-2017-1379). *** http://www.ibm.com/support/docview.wss?uid=swg22004714 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in Samba affects IBM Spectrum Scale SMB protocol access method (CVE-2017-2619) *** http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010155 --------------------------------------------- *** IBM Security Bulletin: Weak default password lockout policy in IBM BigFix Compliance Analytics (CVE-2017-1197) *** http://www-01.ibm.com/support/docview.wss?uid=swg22004170 --------------------------------------------- *** IBM Security Bulletin: IBM Spectrum Scale Object Protocols functionality is affected by security vulnerabilities in OpenStack (CVE-2015-1852 and CVE-2015-7546) *** http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010157 --------------------------------------------- *** IBM Security Bulletin: A Cross-site scripting vulnerability in IBM Websphere Application Server, affects IBM Tivoli Netcool Configuration Manager (ITNCM) (CVE-2016-8934) *** http://www-01.ibm.com/support/docview.wss?uid=swg21996989 --------------------------------------------- *** IBM Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Cloud Orchestrator (CVE-2016-5986) *** http://www.ibm.com/support/docview.wss?uid=swg2C1000200 ---------------------------------------------

1 0

Tageszusammenfassung - Montag 12-06-2017
by Daily end-of-shift report 12 Jun '17

12 Jun '17

======================= = End-of-Shift report = ======================= Timeframe: Freitag 09-06-2017 18:00 − Montag 12-06-2017 18:00 Handler: Robert Waldner Co-Handler: n/a *** Banking trojan executes when targets hover over link in PowerPoint doc *** --------------------------------------------- Criminal hackers have started using a novel malware attack that infects people when their mouse hovers over a link embedded in a malicious PowerPoint file. The method - which was used in a recent spam campaign that attempted to install a bank-fraud backdoor alternately known as Zusy, OTLARD, and Gootkit - is notable because it didn't rely on macros, visual basic scripts, or JavaScript to deliver its payload. --------------------------------------------- https://arstechnica.com/security/2017/06/malicious-powerpoint-files-can-inf… *** RSA Identity Management and Governance Input Validation Flaws Let Remote and Remote Authenticated Users Conduct Cross-Site Scripting Attacks *** --------------------------------------------- http://www.securitytracker.com/id/1038648 *** FIRST announces availability of new Common Vulnerability Scoring System (CVSS) release *** --------------------------------------------- Third version aims to make the system more applicable to modern concerns --------------------------------------------- https://www.first.org/newsroom/releases/20150610 *** [remote] Logpoint < 5.6.4 - Unauthenticated Root Remote Code Execution *** --------------------------------------------- https://www.exploit-db.com/exploits/42158/?rss *** DFN-CERT-2017-0993/">libgcrypt: Eine Schwachstelle ermöglicht das Ausspähen von Informationen *** --------------------------------------------- Ein entfernter, nicht authentisierter Angreifer, der den EdDSA-Sitzungsschlüssel während eines Signaturprozesses in einer Seitenkanalattacke abgreifen kann, kann daraus den 'Long Term Secret Key' rekonstruieren und nachfolgend die Sicherheitsvorkehrung der Sitzungsverschlüsselung umgehen, um Informationen aus Sitzungen auszuspähen. Der Hersteller stellt libgcrypt 1.7.7 als Sicherheitsupdate bereit. --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0993/ *** Bugtraq: [security bulletin] HPESBUX03759 rev.1 - HP-UX CIFS Sever using Samba, Multiple Remote Vulnerabilities *** --------------------------------------------- Potential security vulnerabilities have been identified in HPE HP-UX CIFS server using Samba. The vulnerabilities can be exploited remotely to allow authentication bypass, code execution, and unauthorized access. References: CVE-2017-7494 --------------------------------------------- http://www.securityfocus.com/archive/1/540701 *** Bugtraq: [SECURITY] [DSA 3877-1] tor security update *** --------------------------------------------- Package : tor CVE ID : CVE-2017-0376 Debian Bug : 864424 It has been discovered that Tor, a connection-based low-latency anonymous communication system, contain a flaw in the hidden service code when receiving a BEGIN_DIR cell on a hidden service rendezvous circuit. A remote attacker can take advantage of this flaw to cause a hidden service to crash with an assertion failure (TROVE-2017-005). --------------------------------------------- http://www.securityfocus.com/archive/1/540705 *** Bugtraq: [security bulletin] HPESBHF03730 rev.2 - HPE Aruba ClearPass Policy Manager, Multiple Vulnerabilities *** --------------------------------------------- Potential security vulnerabilities have been identified in HPE Aruba ClearPass Policy Manager. The vulnerabilities could be remotely exploited to allow access restriction bypass, arbitrary command execution, cross site scripting (XSS), escalation of privilege and disclosure of information. References: CVE-2017-5824, CVE-2017-5825, CVE-2017-5826, CVE-2017-582, CVE-2017-5828, CVE-2017-5829, CVE-2017-5647 --------------------------------------------- http://www.securityfocus.com/archive/1/540704 *** Security Advisory - Memory Double Free Vulnerability in Touch Panel Driver of Some Huawei Smart Phones *** --------------------------------------------- The Touch Panel (TP) driver of some Huawei smart phones has a memory double free vulnerability. An attacker with the root privilege of the Android system tricks a user into installing a malicious application, and the application can start multiple threads and try to free specific memory, which could triggers double free and causes a system crash or arbitrary code execution. (Vulnerability ID: HWPSIRT-2017-04111) CVE-2017-8141. --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170612-… *** Security Advisory - Multiple Vulnerabilities in UMA Products *** --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170612-… *** Linux Muldrop.14: Cryptomining-Malware befällt ungeschützte Raspberry Pi *** --------------------------------------------- Eine neue Malware befällt ausschließlich Raspberry Pi und nutzt die Geräte, um Cryptowährungen zu minen. Nutzer können sich relativ leicht dagegen schützen. (Security, Malware) --------------------------------------------- https://www.golem.de/news/linux-muldrop-14-cryptomining-malware-befaellt-un… *** Vuln: VMware Horizon View Client CVE-2017-4918 Command Injection Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/98984 *** DFN-CERT-2017-1012/">Sophos UTM: Mehrere Schwachstellen ermöglichen Denial-of-Service-Angriffe *** --------------------------------------------- Mehrere Schwachstellen in den Komponenten BIND, Kernel, NTP, OpenSSL und OpenVPN ermöglichen einem entfernten, in vielen Fällen nicht authentisierten Angreifer verschiedene Denial-of-Service (DoS)-Angriffe auf Sophos UTM. Sophos veröffentlicht die Sophos UTM Software in Version 9.501 als Maintenance Release zur Behebung der genannten Schwachstellen. Darüber hinaus werden verschiedene weitere Programmfehler aus den Bereichen AWS, Basesystem, Confd, Email, Network, Reporting, RESTD, Sandboxd, WAF, Web, WebAdmin und WiFi behoben. --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1012/ *** Pwn2Own: Safari sandbox part 1 - Mount yourself a root shell *** --------------------------------------------- Today we have CVE-2017-2533 / ZDI-17-357 for you, a race condition in a macOS system service which could be used to escalate privileges from local admin to root. We used it in combination with other logic bugs to escape the Safari sandbox at this year's Pwn2Own competition. --------------------------------------------- https://phoenhex.re/2017-06-09/pwn2own-diskarbitrationd-privesc *** Industroyer: Fortgeschrittene Malware soll Energieversorgung der Ukraine gekappt haben *** --------------------------------------------- Sicherheitsforscher haben nach eigenen Angaben eine Art zweites Stuxnet entdeckt: Einen Trojaner, der auf die Steuerung von Umspannwerken zugeschnitten ist. Er soll für Angriffe auf den ukrainischen Stromversorger Ukrenergo verantwortlich sein. --------------------------------------------- https://heise.de/-3740606 *** CSIRT maturity evaluation process - How is CSIRT maturity assessed? *** --------------------------------------------- ENISA has published a new practical guide for CSIRTs so that they are better prepared to protect their constituencies and improve teams maturity. --------------------------------------------- https://www.enisa.europa.eu/news/enisa-news/csirt-maturity-evaluation-proce… *** Vuln: D-Link DIR-615 Wireless N 300 Router CVE-2017-9542 Authentication Bypass Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/98992 *** Healthcare Industry Cybersecurity Report *** --------------------------------------------- New US government report: "Report on Improving Cybersecurity in the Health Care Industry." Its pretty scathing, but nothing in it will surprise regular readers of this blog.Its worth reading the executive summary, and then skimming the recommendations. Recommendations are in six areas.The Task Force identified six high-level imperatives by which to organize its recommendations and action items. The imperatives are:Define and streamline leadership, governance, and expectations for --------------------------------------------- https://www.schneier.com/blog/archives/2017/06/healthcare_indu.html *** Behind the CARBANAK Backdoor *** --------------------------------------------- In this blog, we will take a closer look at the powerful, versatile backdoor known as CARBANAK (aka Anunak). Specifically, we will focus on the operational details of its use over the past few years, including its configuration, the minor variations observed from sample to sample, and its evolution. With these details, we will then draw some conclusions about the operators of CARBANAK. For some additional background on the CARBANAK backdoor, see the papers by Kaspersky and Group-IB and Fox-It. --------------------------------------------- http://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-bac… *** Erste SambaCry-Angriffe: Trojaner schürft Kryptowährung auf Linux-Servern *** --------------------------------------------- Sicherheitsforscher haben einen Trojaner entdeckt, der durch die vor kurzem entdeckte Samba-Lücke in Linux-Server einbricht und dann mit deren Hardware Kryptogeld erzeugt. --------------------------------------------- https://heise.de/-3740976 *** OSX/MacRansom; analyzing the latest ransomware to target macs *** --------------------------------------------- Looks like somebody on the dark web is offering Ransomware as a Service...that's designed to infect Macs! --------------------------------------------- https://objective-see.com/blog/blog_0x1E.html *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Jazz Team Server affect IBM Rational products based on IBM Jazz technology *** http://www.ibm.com/support/docview.wss?uid=swg22004534 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects Rational Insight *** http://www-01.ibm.com/support/docview.wss?uid=swg22003367 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects Rational Reporting for Development Intelligence *** http://www-01.ibm.com/support/docview.wss?uid=swg22003366 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in OpenSSH affects IBM Integrated Management Module (IMM) for System x & BladeCenter *** http://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=migr-50… --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Integrated Management Module (IMM) for System x & BladeCenter *** https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=MIGR-5… --------------------------------------------- *** IBM Security Bulletin: Cross-site scripting vulnerabilities affect IBM Rational Quality Manager *** http://www.ibm.com/support/docview.wss?uid=swg22004428 --------------------------------------------- *** IBM Security Bulletin: IBM Maximo Asset Management could allow a remote authenticated attacker to execute arbitrary commands on the system as administrator (CVE-2016-9984) *** http://www.ibm.com/support/docview.wss?uid=swg21998608 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Spectrum Control and Tivoli Storage Productivity Center (CVE-2016-5597 CVE-2016-5546 CVE-2016-5548 CVE-2016-5549 CVE-2016-5547 CVE-2016-2183) *** http://www.ibm.com/support/docview.wss?uid=swg21998779 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in WebSphere Application Server affect IBM Spectrum Control and Tivoli Storage Productivity Center (CVE-2016-9736, CVE-2016-8934, CVE-2016-8919) *** http://www.ibm.com/support/docview.wss?uid=swg21999544 --------------------------------------------- *** IBM Security Bulletin: Java Platform Standard Edition Vulnerability in Multiple N Series Products (CVE-2016-0636) *** http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010085 --------------------------------------------- *** IBM Security Bulletin: Java Platform Standard Edition Vulnerability in Multiple N Series Products (CVE-2016-0603) *** http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010086 ---------------------------------------------

1 0

Tageszusammenfassung - Freitag 9-06-2017
by Daily end-of-shift report 09 Jun '17

09 Jun '17

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 08-06-2017 18:00 − Freitag 09-06-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Is WannaCry Really Ransomware? *** --------------------------------------------- This post summarizes the significant efforts of a McAfee threat research team that has been relentless in its efforts to gain a deeper understanding of the WannaCry ransomware. We would like to specifically acknowledge Christiaan Beek, Lynda .. --------------------------------------------- https://securingtomorrow.mcafee.com/executive-perspectives/wannacry-really-… *** Phishing Leveraging the Sucuri Brand *** --------------------------------------------- We are always on guard for phishing emails and websites that might try to compromise our customers or employees, so that we can be on top of the issue and warn as many people as possible. Targeted .. --------------------------------------------- https://blog.sucuri.net/2017/06/phishing-leveraging-sucuri-brand.html *** Windows 10 Creators Update provides next-gen ransomware protection *** --------------------------------------------- Multiple high-profile incidents have demonstrated that ransomware can have catastrophic effects on all of us. From personally losing access to your own digital property, to being .. --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2017/06/08/windows-10-creators-upd… *** Mouse Over, Macro: Spam Run in Europe Uses Hover Action to Deliver Banking Trojan *** --------------------------------------------- We found another unique method being used to deliver malware—abusing the action that happens when simply hovering the mouse’s pointer over a hyperlinked picture or text in a PowerPoint .. --------------------------------------------- http://blog.trendmicro.com/trendlabs-security-intelligence/mouseover-otlard… *** Hacker stehlen "Cyberpunk 2077"-Daten und erpressen Hersteller CD Projekt *** --------------------------------------------- "The Wicher 3"-Entwickler gab Diebstahl in einer Stellungnahme bekannt --------------------------------------------- http://derstandard.at/2000059016376 *** In eigener Sache: Umstellung auf wöchentliches Wartungsfenster *** --------------------------------------------- Um die Administration zu erleichtern, werden wir ab 22. 6. 2017 auf ein wöchentliches Wartungsfenster umstellen: dieses wird jeweils am Donnerstag von 19-22h sein. Falls also .. --------------------------------------------- http://www.cert.at/services/blog/20170609114214-2029.html *** Android-Trojaner Dvmap kompromittiert Systeme wie kein anderer *** --------------------------------------------- Sicherheitsforscher warnen vor einem Schädling in Google Play, der Android-Geräte mit bisher unbekannten Methoden komplett in seine Gewalt bringen kann. --------------------------------------------- https://heise.de/-3739451 *** Steirische WK richtet Hotline für Firmen gegen Cyberangriffe ein *** --------------------------------------------- Pilotversuch startet in der Steiermark – Mehr als jedes fünfte Unternehmen bereits Opfer von Angriffen aus dem Netz --------------------------------------------- http://derstandard.at/2000059028695 *** SSA-023589 (Last Update 2017-06-09): SMBv1 Vulnerabilities in Advanced Therapy Products from Siemens Healthineers *** --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-023589… *** Microsoft: OpenBSD kommt für die Azure-Cloud *** --------------------------------------------- Das Unix-Betriebssystem OpenBSD gilt als besonders sicher und stabil. Microsoft erkennt dessen Potential und macht es für Azure verfügbar. Dazu kooperiert das Unternehmen mit .. --------------------------------------------- https://www.golem.de/news/microsoft-openbsd-kommt-fuer-die-azure-cloud-1706… *** DomainTools 101: DNS Shadow Hack-Attacked *** --------------------------------------------- In this article we will dive into the attack vector known as domain shadowing, and how it can land an .. --------------------------------------------- https://blog.domaintools.com/2017/06/domaintools-101-dns-shadow-hack-attack…

1 0

Tageszusammenfassung - Donnerstag 8-06-2017
by Daily end-of-shift report 08 Jun '17

08 Jun '17

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 07-06-2017 18:00 − Donnerstag 08-06-2017 18:00 Handler: Alexander Riepl Co-Handler: Olaf Schwarz *** Deceptive Advertisements: What they do and where they come from *** --------------------------------------------- About a week ago, a reader asked for help with a nasty typo squatting incident: The site, yotube.com, at the time redirected to fake tech support sites. These sites typically pop up a message alerting the user of a made-up problem and offer a phone number for tech support. Investigating the site, I found ads, all of which can be characterized as deceptive. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=22494 *** SSTIC 2017 Wrap-Up Day #1 *** --------------------------------------------- I’m in Rennes, France to attend my very first edition of the SSTIC conference. SSTIC is an event organised in France, by and for French people. The acronym means “Symposium sur la sécurité des technologies de l’information et des communications“. The event has a good reputation about its content but is also known to have a very strong policy to sell tickets. --------------------------------------------- https://blog.rootshell.be/2017/06/08/sstic-2017-wrap-day-1/ *** Summer STEM for Kids *** --------------------------------------------- Its summertime and your little hackers need something to keep them busy! Let look at some of the options for kids to try out. Ive tried out each of these programs and have had good luck with them. Please post in comments any site you have been successful with your kids in teaching them STEM or IT Security. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=22496 *** Sicherheitsupdates: VMware vSphere Data Protection angreifbar *** --------------------------------------------- In einer Komponente von vSphere klaffen zwei als kritisch eingestufte Lücken, über die Angreifer beliebige Befehle ausführen und Log-in-Daten abziehen können. --------------------------------------------- https://heise.de/-3737673 *** Foscam: IoT-Hersteller ignoriert Sicherheitslücken monatelang *** --------------------------------------------- Die IoT-Apokalypse hört nicht auf: Erneut wurden zahlreiche Schwachstellen in einer IP-Kamera dokumentiert. Der Hersteller reagiert mehrere Monate lang nicht auf die Warnungen. --------------------------------------------- https://www.golem.de/news/foscam-iot-hersteller-ignoriert-sicherheitsluecke… *** A new Linux Malware targets Raspberry Pi devices to mine Cryptocurrency *** --------------------------------------------- Security researchers at Dr. Web discovered two new Linux Malware, one of them mines for cryptocurrency using Raspberry Pi Devices. Malware researchers at the Russian antivirus maker Dr.Web have discovered a new Linux trojan, tracked as Kinux.MulDrop.14, that is infecting Raspberry Pi devices with the purpose of mining cryptocurrency. --------------------------------------------- http://securityaffairs.co/wordpress/59842/malware/linux-malware-raspberry-p… *** The Reigning King of IP Camera Botnets and its Challengers *** --------------------------------------------- Early this month we discussed a new Internet of Things (IoT) botnet called Persirai (detected by Trend Micro as ELF_PERSIRAI.A), which targets over 1000 Internet Protocol (IP) camera models. Currently, through Shodan and our own research, we see that 64% of tracked IP cameras with custom http servers are infected with Persirai. But, because these cameras are such common targets, there is some competition between malware. --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/XMVX_tvNlNw/ *** Versehentlich aktiviertes Debugging-Tool gefährdet Cisco Data Center Network Manager *** --------------------------------------------- Sicherheitsupdates schließen zum Teil als kritisch eingestufte Lücken in Cisco AnyConnect, DCNM und TelePresence. --------------------------------------------- https://heise.de/-3737633 *** Cisco Prime Data Center Network Manager Debug Remote Code Execution Vulnerability *** --------------------------------------------- A vulnerability in the role-based access control (RBAC) functionality of Cisco Prime Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to access sensitive information or execute arbitrary code with root privileges on an affected system. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… *** Cisco Context Service SDK Arbitrary Code Execution Vulnerability *** --------------------------------------------- A vulnerability in the update process for the dynamic JAR file of the Cisco Context Service software development kit (SDK) could allow an unauthenticated, remote attacker to execute arbitrary code on the affected device with the privileges of the web server.The vulnerability is due to insufficient validation of the update JAR files signature. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…

1 0

Tageszusammenfassung - Mittwoch 7-06-2017
by Daily end-of-shift report 07 Jun '17

07 Jun '17

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 06-06-2017 18:00 − Mittwoch 07-06-2017 18:00 Handler: Alexander Riepl Co-Handler: Olaf Schwarz *** Rockwell Automation PanelView Plus 6 700-1500 *** --------------------------------------------- This advisory contains mitigation details for a missing authorization vulnerability in Rockwell Automation's PanelView Plus 6 700-1500. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-157-01 *** Digital Canal Structural Wind Analysis *** --------------------------------------------- This advisory contains mitigation details for a stack-based buffer overflow vulnerability in Digital Canal Structural's Wind Analysis. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-157-02 *** Curiosity Kills Security When it Comes to Phishing *** --------------------------------------------- The results of an academic experiment reveal that recipients of Facebook messages are much more likely to click on suspicious links. --------------------------------------------- http://threatpost.com/curiosity-kills-security-when-it-comes-to-phishing/12… *** Privileges and Credentials: Phished at the Request of Counsel *** --------------------------------------------- Summary In May and June 2017, FireEye observed a phishing campaign targeting at least seven global law and investment firms. We have associated this campaign with APT19, a group that we assess is composed of freelancers, with some degree of sponsorship by the Chinese government. --------------------------------------------- http://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-… *** Russische Hacker erteilen Befehle über Britney Spears Instagram *** --------------------------------------------- Adresse von Kontrollserver wurde in Nutzerkommentar zu Foto des Popstars versteckt. --------------------------------------------- http://derstandard.at/2000058853606 *** VMware-Admins aufgepasst: Es gibt wichtige Updates für ESXi *** --------------------------------------------- Wer Version 6.0 des ESXi-Hypervisors von VMware einsetzt, sollte Zeit zum Patchen einplanen. Einige Bugs und Sicherheitslücken wollen ausgebügelt werden. --------------------------------------------- https://heise.de/-3736872 *** [2017-06-07] Various WiMAX CPEs Authentication Bypass *** --------------------------------------------- Various WiMAX routers by GreenPacket, Huawei, MADA, MitraStar, ZTE and ZyXEL are affected by an authentication bypass vulnerability that allows an attacker to take over the web interface. --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2017… *** Ghosts from the past: Authentication bypass and OEM backdoors in WiMAX routers *** --------------------------------------------- SEC Consult has found a vulnerability in several WiMAX routers, distributed by WiMAX ISPs to subscribers. The vulnerability allows an attacker to change the password of the admin user. --------------------------------------------- http://blog.sec-consult.com/2017/06/ghosts-from-past-authentication-bypass.… *** PLATINUM continues to evolve, find ways to maintain invisibility *** --------------------------------------------- Back in April 2016, we released the paper PLATINUM: Targeted attacks in South and Southeast Asia, where we detailed the tactics, techniques, and procedures of the PLATINUM activity group. --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2017/06/07/platinum-continues-to-e… *** VMSA-2017-0010 *** --------------------------------------------- vSphere Data Protection (VDP) updates address multiple security issues. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2017-0010.html

1 0

Tageszusammenfassung - Dienstag 6-06-2017
by Daily end-of-shift report 06 Jun '17

06 Jun '17

======================= = End-of-Shift report = ======================= Timeframe: Freitag 02-06-2017 18:00 − Dienstag 06-06-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Hack Brief: Dangerous ‘Fireball’ Adware Infects a Quarter Billion PCs *** --------------------------------------------- A widespread adware infection hides the ability to inflict far worse than spammy browser tweaks. --------------------------------------------- https://www.wired.com/2017/06/hack-brief-dangerous-fireball-adware-infects-… *** FakeGlobe and Cerber Ransomware: Sneaking under the radar while WeCry *** --------------------------------------------- Recently, we observed a constant influx of spam that distributes two ransomware families, perhaps trying to sneak in while everyone is focused with the recent WannaCry malware. Based on data .. --------------------------------------------- http://trustwave.com/Resources/SpiderLabs-Blog/FakeGlobe-and-Cerber-Ransomw… *** Wie Hacker mit ihren Smartphones beim Glücksspiel betrügen *** --------------------------------------------- Russische Mafia konnte Automaten durch Reverse Engineering durchschauen und per Vibrationsalarm richtigen Moment zum Drücken festlegen --------------------------------------------- http://derstandard.at/2000052237768 *** DSA-3873 perl - security update *** --------------------------------------------- The cPanel Security Team reported a time of check to time of use(TOCTTOU) race condition flaw in File::Path, a core module from Perl to create or remove directory trees. An attacker can take .. --------------------------------------------- https://www.debian.org/security/2017/dsa-3873 *** 53 Percent of Enterprise Flash Installs are Outdated *** --------------------------------------------- More than half of enterprises are exposing themselves to unnecessary risk by running out-of-date versions of Flash. --------------------------------------------- http://threatpost.com/53-percent-of-enterprise-flash-installs-are-outdated/… *** 40,000 Subdomains Tied to RIG Exploit Kit Shut Down *** --------------------------------------------- GoDaddy, along with researchers from RSA Security and other companies, shut down tens of thousands of illegal established subdomains tied to the RIG Exploit Kit. --------------------------------------------- http://threatpost.com/40000-subdomains-tied-to-rig-exploit-kit-shut-down/12… *** Passwortmanager: Kundendaten von Onelogin gehackt *** --------------------------------------------- Ein Passwortmanager soll Nutzern helfen, sichere Passwörter zu generieren und sicher zu speichern. Bei dem Betreiber Onelogin wurden jedoch zahlreiche Informationen von Nutzern durch .. --------------------------------------------- https://www.golem.de/news/passwortmanger-kundendaten-von-onelogin-gehackt-1… *** Security Advisory 2017-03: Security Update for all OTRS Versions *** --------------------------------------------- https://www.otrs.com/security-advisory-2017-03-security-update-otrs-version… *** Security Advisory 2017-02: Security Update for all OTRS Versions *** --------------------------------------------- https://www.otrs.com/security-advisory-2017-02-security-update-otrs-version… *** Erpressungstrojaner WannaCry: Mängel im Code steigern Chancen für Opfer *** --------------------------------------------- Sicherheitsforscher haben sich den Code der Ransomware angeschaut und diverse Schnitzer gefunden. Mit etwas Glück können Opfer wieder Zugriff auf ihre Dateien bekommen. --------------------------------------------- https://heise.de/-3734698 *** Patchday: Fehlerbereinigte Android-Versionen für Nexus, Pixel & Co. veröffentlicht *** --------------------------------------------- Google hat mehrere Sicherheitslücken in Android gestopft – darunter auch kritische. Wer ein Google-Gerät besitzt, sollte es zügig aktualisieren. Auch Besitzer von Geräten anderer Hersteller sollten prüfen, ob es eine Aktualisierung gibt. --------------------------------------------- https://heise.de/-3735188

1 0

Tageszusammenfassung - Freitag 2-06-2017
by Daily end-of-shift report 02 Jun '17

02 Jun '17

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 01-06-2017 18:00 − Freitag 02-06-2017 18:00 Handler: Stephan Richter Co-Handler: Alexander Riepl *** Phoenix Broadband Technologies LLC PowerAgent SC3 Site Controller *** --------------------------------------------- This advisory contains mitigation details for a use of hard-coded password vulnerability in the Phoenix Broadband Technologies LLC PowerAgent SC3 Site Controller. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-152-01 *** Passwords at the Border *** --------------------------------------------- The password-manager 1Password has just implemented a travel mode that tries to protect users while crossing borders. It doesnt make much sense. To enable it, you have to create a list of passwords you feel safe traveling with, and then you can turn on the mode .. --------------------------------------------- https://www.schneier.com/blog/archives/2017/06/passwords_at_th.html *** Financial malware more than twice as prevalent as ransomware *** --------------------------------------------- Three Trojans dominated the financial threat landscape in 2016 and attackers increased their focus on corporate .. --------------------------------------------- https://www.symantec.com/connect/blogs/financial-malware-more-twice-prevale… *** CIA Malware Can Switch Clean Files With Malware When You Download Them via SMB *** --------------------------------------------- After taking last week off, WikiLeaks came back today and released documentation on another .. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cia-malware-can-switch-clean… *** DSA-3872 nss - security update *** --------------------------------------------- Several vulnerabilities were discovered in NSS, a set of cryptographic libraries, which may result in denial of service or information disclosure. --------------------------------------------- https://www.debian.org/security/2017/dsa-3872 *** DSA-3871 zookeeper - security update *** --------------------------------------------- It was discovered that Zookeeper, a service for maintaining configuration information, didn't restrict access to the computationally expensive wchp/wchc commands which could result in denial of service by elevated CPU consumption. --------------------------------------------- https://www.debian.org/security/2017/dsa-3871 *** Riverbed SteelHead VCX 9.6.0a Arbitrary File Read *** --------------------------------------------- https://cxsecurity.com/issue/WLB-2017060017 *** Weak DevOps cryptographic policies increase financial services cyber risk *** --------------------------------------------- Cryptographic security risks are amplified in DevOps settings, where compromises in development or test environments can spread to production systems and applications. This is a particular issue for financial services organizations, which have .. --------------------------------------------- https://www.helpnetsecurity.com/2017/06/02/weak-devops-cryptographic-polici… *** Phishing Campaigns Follow Trends *** --------------------------------------------- https://isc.sans.edu/diary.html?storyid=22482 *** WannaCry and Vulnerabilities *** --------------------------------------------- There is plenty of blame to go around for the WannaCry ransomware that spread throughout the Internet earlier this month, disrupting work at hospitals, factories, businesses, and universities. First, there are the writers of the malicious software, which .. --------------------------------------------- https://www.schneier.com/blog/archives/2017/06/wannacry_and_vu.html *** Hadoop Servers Expose Over 5 Petabytes of Data *** --------------------------------------------- Improperly configured HDFS-based servers, mostly Hadoop installs, are exposing over five petabytes of information, according to John Matherly, founder of Shodan, a .. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hadoop-servers-expose-over-5… *** IBM Security Bulletin: Vulnerability in Samba affects IBM Netezza Host Management *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22003112 *** Check-Point-Bericht: Gefährliche Backdoor in jedem zehnten deutschen Unternehmensnetz *** --------------------------------------------- Die Fireball getaufte Adware ist mit über 250 Millionen Installationen nicht nur sehr verbreitet, sondern auch sehr gefährlich: Laut Check Point kann sie beliebigen Code auf dem System ausführen und so auch Malware nachladen. --------------------------------------------- https://heise.de/-3732893

1 0

Tageszusammenfassung - Donnerstag 1-06-2017
by Daily end-of-shift report 01 Jun '17

01 Jun '17

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 31-05-2017 18:00 − Donnerstag 01-06-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** Aufgepasst: Googles AMP wird zur Tarnung von Phishing-Angriffen missbraucht *** --------------------------------------------- Russische Hacker benutzen Googles AMP-Dienst, um böse URLs als Google-Dienste zu tarnen. Es ist nur eine Frage der Zeit, bis das Schule macht. --------------------------------------------- https://heise.de/-3731578 *** Cisco, Netgear Readying Patches for Samba Vulnerability *** --------------------------------------------- Cisco is prepping fixes for two of its products affected by last weeks Samba vulnerability. Netgear has also pushed out a fix for NAS devices that were affected. --------------------------------------------- http://threatpost.com/cisco-netgear-readying-patches-for-samba-vulnerabilit… *** Sharing Private Data with Webcast Invitations, (Thu, Jun 1st) *** --------------------------------------------- Last week, at a customer, we received a forwarded emailin a shared mailbox. It was somebody from another department that shared an invitation for a webcast that could be interesting for you, guys!. This time, no phishing attempt, no malware, just a regular email sent from a well-known security vendor. A colleague was interested in the webcast and clicked on the registration link. He was redirected to a page and was surprised to see all the fields already prefilled with the personal details of [...] --------------------------------------------- https://isc.sans.edu/diary.html?storyid=22478&rss *** Motorcycle Gang Busted For Hacking and Stealing Over 150 Jeep Wranglers *** --------------------------------------------- An anonymous reader writes: "The FBI has arrested members of a motorcycle gang accused to have hacked and stolen over 150 Jeep Wranglers from Southern California, which they later crossed the border into Mexico to have stripped down for parts," reports Bleeping Computer. What stands apart is how the gang operated. This involved gang members getting the Jeep Wrangler VIN (Vehicle Identification Number), accessing a proprietary Jeep database, and getting two codes needed to create a [...] --------------------------------------------- http://rss.slashdot.org/~r/Slashdot/slashdot/~3/xYKBhycly0Q/motorcycle-gang… *** An Elegant Way to Ruin Your Company's Day - Introduction to Public AWS EBS Snapshots *** --------------------------------------------- TL;DR Creating public (unencrypted) EBS Snapshots might not be a great idea. Even if you are going to share them "just for a second". A lot can be fished out of these snapshots: ssh keys, tls/ssl certificates, aws credentials, private source code and internal (extremely) valuable HR/Accounting/IT documents. --------------------------------------------- https://www.nvteh.com/news/problems-with-public-ebs-snapshots *** Credit Card Breach at Kmart Stores. Again. *** --------------------------------------------- For the second time in less than three years, Kmart Stores is battling a malware-based security breach of its store credit card processing systems. Last week I began hearing from smaller banks and credit unions who said they strongly suspected another card breach at Kmart. Some of those institutions received alerts from the credit card companies about batches of stolen cards that all had one thing in comment: They were all used at Kmart locations. Ask to respond to rumors about a card breach, [...] --------------------------------------------- https://krebsonsecurity.com/2017/05/credit-card-breach-at-kmart-stores-agai… *** NCSC releases factsheet Indicators of Compromise *** --------------------------------------------- In order to observe malicious digital activities within an organisation, Indicators of Compromise (IoCs) are a valuable asset. With IoCs, organisations can gain quick insights at central points in the network into malicious digital activities. When your organisation observes these activities, it is important to know what you can do to trace back which system is infected. Obtain as much contextual information with an IoC as possible, so that you get a clear picture of what is happening and how --------------------------------------------- https://www.ncsc.nl/english/current-topics/news/ncsc-releases-factsheet-ind… *** WannaCry Development Errors Enable File Recovery *** --------------------------------------------- Researchers at Kaspersky Lab have found a number of programming errors in the WannaCry ransomware code that put file recovery within reach of sysadmins. --------------------------------------------- http://threatpost.com/wannacry-development-errors-enable-file-recovery/1260… *** OneLogin suffers data breach, again *** --------------------------------------------- OneLogin, a popular single sign-on service that allows users to access thousands of popular cloud-based apps with just one password, has suffered what seems to be a serious data breach. According to a short blog post by the company's Chief Information Security Officer Alvaro Hoyos, they discovered the breach when, on Wednesday, they detected unauthorized access to OneLogin data in their US data region. --------------------------------------------- https://www.helpnetsecurity.com/2017/06/01/onelogin-data-breach/ *** [webapps] OV3 Online Administration 3.0 - Remote Code Execution *** --------------------------------------------- OV3 Online Administration 3.0 - Remote Code Execution --------------------------------------------- https://www.exploit-db.com/exploits/42096/?rss *** Indicators Associated With WannaCry Ransomware (Update H) *** --------------------------------------------- This updated alert is a follow-up to the updated alert titled ICS-ALERT-17-135-01G Indicators Associated With WannaCry Ransomware that was published May 30, 2017, on the NCCIC/ICS-CERT web site. --------------------------------------------- https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-135-01H *** Security Advisory - Multiple Security Vulnerabilities in HedEx product *** --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170531-… *** DFN-CERT-2017-0945: Red Hat CloudForms Management Engine: Zwei Schwachstellen ermöglichen u.a. das Ausspähen von Informationen *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0945/ *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: IBM Maximo Asset Management could allow a remote attacker to hijack a user's session, caused by the failure to invalidate an existing session identifier (CVE-2016-9977) *** http://www.ibm.com/support/docview.wss?uid=swg22003981 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in expat, nss, bind , policycoreutils, sudo shipped with SmartCloud Entry Appliance *** http://www-01.ibm.com/support/docview.wss?uid=isg3T1025119 --------------------------------------------- *** IBM Security Bulletin: Apache Tomcat vulnerability affects IBM Storwize V7000 Unified (CVE-2016-6816, CVE-2016-6817, CVE-2016-8735 ) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1009962 --------------------------------------------- *** IBM Security Bulletin: IBM Spectrum Protect (formerly Tivoli Storage Manager) Windows Client password exposure (CVE-2016-8939) *** http://www.ibm.com/support/docview.wss?uid=swg22003738 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Spectrum Protect (formerly Tivoli Storage Manager) Client and IBM Spectrum Protect (formerly Tivoli Storage Manager) for Virtual Environments: Data Protection for VMware *** http://www.ibm.com/support/docview.wss?uid=swg22003673 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos Metrics Manager *** http://www-01.ibm.com/support/docview.wss?uid=swg22004078 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect Tivoli Storage FlashCopy Manager VMware (CVE-2016-6303, CVE-2016-2182, CVE-2016-2177, CVE-2016-2183, CVE-2016-6309, CVE-2016-7052, CVE-2016-2178, CVE-2016-6306) *** http://www.ibm.com/support/docview.wss?uid=swg22000589 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in the GSKit library affects IBM Cognos Metrics Manager *** http://www-01.ibm.com/support/docview.wss?uid=swg22004075 --------------------------------------------- *** IBM Security Bulletin: Multiple Security vulnerabilities in WebSphere Application Server Community Edition *** http://www-01.ibm.com/support/docview.wss?uid=swg22002267 --------------------------------------------- *** IBM Security Bulletin: Multiple Mozilla Firefox vulnerability issues in IBM SONAS *** http://www.ibm.com/support/docview.wss?uid=ssg1S1010243 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Cognos Metrics Manager *** http://www-01.ibm.com/support/docview.wss?uid=swg22004074 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos Metrics Manager *** http://www-01.ibm.com/support/docview.wss?uid=swg22004077 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect DB2 Recovery Expert for Linux, Unix and Windows *** http://www-01.ibm.com/support/docview.wss?uid=swg22002135 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in libxml2 and zlib affect IBM RackSwitch Products *** http://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=migr-50… --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Asset Analyzer *** http://www-01.ibm.com/support/docview.wss?uid=swg22003418 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in SSL affect IBM DataPower Gateways (CVE-2017-3731, CVE-2016-7055) *** http://www.ibm.com/support/docview.wss?uid=swg22003793 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in libX11 affect IBM BladeCenter Advanced Management Module (AMM) *** https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=MIGR-5… --------------------------------------------- *** IBM Security Bulletin: Vulnerability in libxml2 affects IBM BladeCenter Advanced Management Module (AMM) *** https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=MIGR-5… --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in cURL/libcurl affect IBM Flex System FC3171 8Gb SAN Switch and SAN Pass-thru, QLogic 8Gb Intelligent Pass-thru Module & SAN Switch Module for BladeCenter and QLogic Virtual Fabric Extension Module for IBM *** https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=MIGR-5… --------------------------------------------- *** IBM Security Bulletin: Vulnerability in OpenSSL affects MegaRAID Storage Manager (CVE-2016-8610) *** http://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=migr-50… --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in dosfstools affect IBM Integrated Management Module II (IMM2) for System x, Flex and BladeCenter systems *** https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=MIGR-5… --------------------------------------------- *** IBM Security Bulletin: IBM Development Package for Apache Spark update of IBM SDK Java Technology Edition *** http://www-01.ibm.com/support/docview.wss?uid=swg22003200 --------------------------------------------- *** IBM Security Bulletin: IBM Cognos Business Intelligence Server 2017Q2 Security Updater : IBM Cognos Business Intelligence Server is affected by multiple vulnerabilities. *** http://www.ibm.com/support/docview.wss?uid=swg22004036 ---------------------------------------------

1 0

Tageszusammenfassung - Mittwoch 31-05-2017
by Daily end-of-shift report 31 May '17

31 May '17

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 30-05-2017 18:00 − Mittwoch 31-05-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** Personal Security Guide - WiFi Network *** --------------------------------------------- This is the third part in our series on personal security that offers methods to strengthen your overall security posture. By taking a holistic approach to security, you are protecting your website against attack vectors due to poor security practices in various aspects of your digital life. This post shares some insight on how to secure your network. When we talk about a network, we mean the way you connect to the internet. --------------------------------------------- https://blog.sucuri.net/2017/05/personal-security-guide-network-connection.… *** Kritische Infrastruktur: Meldepflicht für IT-Vorfälle deutlich erweitert *** --------------------------------------------- Die Meldepflicht für IT-Sicherheitsvorfälle ist auf weitere Branchen ausgedehnt worden. Damit steigt die Gesamtzahl auf mehr als 1.600 Einrichtungen in ganz Deutschland. --------------------------------------------- https://www.golem.de/news/kritische-infrastruktur-meldepflicht-fuer-it-vorf… *** HospitalGown: Appthority Discovers Backend Exposure of 43TB of Enterprise Data *** --------------------------------------------- [...] It's understandable that in mobile security we focus on the device, the apps it runs, and the networks it connects to. But what happens to the data from there? Cloud computing and storage are ubiquitous, advertising networks are the default revenue model for many apps, and analytics frameworks are driving design and implementation decisions. We can't ignore where the data goes. Like any other component of the larger system, these backend servers can introduce additional risk, [...] --------------------------------------------- https://www.appthority.com/mobile-threat-center/blog/hospitalgown-appthorit… http://info.appthority.com/hubfs/website-LEARN-content/Appthority%20Q2-17%2… *** XData Ransomware Master Decryption Keys Released. Kaspersky Releases Decryptor. *** --------------------------------------------- In what has become a welcome trend, today another ransomware master decryption key was released on BleepingComputer.com. This time the key that was released is for the XData Ransomware that was targeting the Ukraine around May 19th 2017. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/xdata-ransomware-master-decr… *** Indicators Associated With WannaCry Ransomware (Update G) *** --------------------------------------------- This updated alert is a follow-up to the updated alert titled ICS-ALERT-17-135-01F Indicators Associated With WannaCry Ransomware that was published May 25, 2017, on the NCCIC/ICS-CERT web site. --------------------------------------------- https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-135-01G *** WannaCry: Two Weeks and 16 Million Averted Ransoms Later *** --------------------------------------------- [...] What WannaCry does has been extensively documented by others, as seen in reports by BAE Systems, MalwareBytes, Endgame, and Talos. Rather than focusing on the technical functionality of the malware, this article will open a window into our recent experience with managing, mitigating, and tracking the propagation and evolution of the WannaCry outbreak, and the true extent of its reach. --------------------------------------------- https://blog.kryptoslogic.com/malware/2017/05/29/two-weeks-later.html *** Analysis of Competing Hypotheses, WCry and Lazarus (ACH part 2), (Wed, May 31st) *** --------------------------------------------- Introduction In my previous diary, I did a very brief introduction on what the ACH method is [1], so that now all readers, also those who had never seen it before, can have a common basic understanding of it. One more thing I have not mentioned yet is how the scores are calculated. There are three different algorithms: an Inconsistency Counting algorithm, a Weighted Inconsistency Counting algorithm, and a Normalized algorithm [2]. The Weighted Inconsistency Counting algorithm, the one used in [...] --------------------------------------------- https://isc.sans.edu/diary.html?storyid=22470&rss *** [webapps] Trend Micro Deep Security version 6.5 - XML External Entity Injection / Local Privilege Escalation / Remote Code Execution *** --------------------------------------------- https://www.exploit-db.com/exploits/42089/?rss *** Vulnerability in Samba Affecting Cisco Products: May 2017 *** --------------------------------------------- On May 24, 2017, the Samba team disclosed a vulnerability in Samba server software that could allow an authenticated attacker to execute arbitrary code remotely on a targeted system.This vulnerability has been assigned CVE ID CVE-2017-7494This advisory is available at the following link:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/… On May 24, 2017, the Samba team disclosed a vulnerability in Samba server software that could allow an authenticated [...] --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… *** Huawei Security Advisories *** --------------------------------------------- *** Security Advisory - Command Injection Vulnerability in the GaussDB *** http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170531-… --------------------------------------------- *** Security Advisory - Command Injection Vulnerability in the NetEco *** http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170531-… --------------------------------------------- *** Security Advisory - Buffer Overflow Vulnerability in The GaussDB *** http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170531-… --------------------------------------------- *** Security Advisory - Four Command Injection Vulnerabilities in The FusionSphere OpenStack *** http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170531-… --------------------------------------------- *** Security Advisory - Authentication Bypass Vulnerability in the Backup Function of GaussDB *** http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170531-… --------------------------------------------- *** Security Advisory - Two Buffer Overflow Vulnerabilities in the GaussDB *** http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170531-… --------------------------------------------- *** Security Advisory - Two Privilege Escalation Vulnerabilities in the GaussDB *** http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170531-… --------------------------------------------- *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Multiple Vulnerabilities in tcpdump affect AIX *** http://aix.software.ibm.com/aix/efixes/security/tcpdump_advisory2.asc --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Security Access Manager appliances *** http://www.ibm.com/support/docview.wss?uid=swg22003237 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Sterling Connect:Direct FTP+ *** http://www-01.ibm.com/support/docview.wss?uid=swg22003752 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM SDK, Java affect IBM OS Images for Red Hat Linux Systems, AIX-based, and Windows-based deployments. *** http://www.ibm.com/support/docview.wss?uid=swg22004048 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affects IBM BigFix Compliance Analytics. *** http://www-01.ibm.com/support/docview.wss?uid=swg22002991 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Tivoli Access Manager for e-business and IBM Security Access Manager for Web *** http://www.ibm.com/support/docview.wss?uid=swg22003236 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilites in IBM Java Runtime affect Tivoli Storage Manager (IBM Spectrum Protect) for Virtual Environments: Data Protection for VMware and FlashCopy Manager (IBM Spectrum Protect Snapshot) for VMware *** http://www.ibm.com/support/docview.wss?uid=swg22000212 --------------------------------------------- *** IBM Security Bulletin: IBM Security Access Manager appliances may be affected by a kernel vulnerability known as the Dirty COW bug (CVE-2016-5195) *** http://www.ibm.com/support/docview.wss?uid=swg21997991 --------------------------------------------- *** IBM Security Bulletin: MQ Explorer directory created with owner '555' on Linux x86-64 vulnerability affects IBM MQ (CVE-2016-6089) *** http://www-01.ibm.com/support/docview.wss?uid=swg22003509 --------------------------------------------- *** IBM Security Bulletin: Multiple Vulnerabilities in OpenSSL affect IBM Spectrum Protect (formerly Tivoli Storage Manager) Client and IBM Spectrum Protect (formerly Tivoli Storage Manager) for Virtual Environments: Data Protection for VMware *** http://www.ibm.com/support/docview.wss?uid=swg22003620 --------------------------------------------- *** IBM Security Bulletin: Multiple Vulnerabilities in OpenSSL affect IBM Spectrum Protect (formerly Tivoli Storage Manager) Client and IBM Spectrum Protect (formerly Tivoli Storage Manager) for Virtual Environments: Data Protection for VMware *** http://www.ibm.com/support/docview.wss?uid=swg22003480 ---------------------------------------------

1 0

Tageszusammenfassung - Dienstag 30-05-2017
by Daily end-of-shift report 30 May '17

30 May '17

======================= = End-of-Shift report = ======================= Timeframe: Montag 29-05-2017 18:00 − Dienstag 30-05-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** Chrome Bug Allows Sites to Record Audio and Video Without a Visual Indicator *** --------------------------------------------- Ran Bar-Zik, a web developer at AOL, has discovered and reported a bug in Google Chrome that allows websites to record audio and video without showing a visual indicator. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/chrome-bug-allows-sites-to-r… *** 5 incident response practices that keep enterprises from adapting to new threats *** --------------------------------------------- Security analysts within enterprises are living a nightmare that never ends. 24 hours a day, their organizations are being attacked by outside (and sometimes inside) perpetrators - hackers, hacktivists, competitors, disgruntled employees, etc. Attacks range in scope and sophistication, but are always there, haunting the security teams tasked with guarding against them. To cope with this never-ending, ever-changing slew of threats, most organizations rely on established best practices to [...] --------------------------------------------- https://www.helpnetsecurity.com/2017/05/30/incident-response-practices/ *** Darauf sollen Unternehmer bei der IT-Sicherheit achten *** --------------------------------------------- Nahezu jeden Tag werden Cyberangriffe auf Unternehmen publik. Der Schaden ist oft erheblich. Wer ein paar einfache Tipps beachtet, kann das Risiko deutlich reduzieren. --------------------------------------------- https://futurezone.at/b2b/darauf-sollen-unternehmer-bei-der-it-sicherheit-a… *** Erpressungstrojaner Jaff: Vorsicht vor Mails mit PDF-Anhang *** --------------------------------------------- Derzeit landen vermehrt E-Mails mit einem manipulierten PDF-Dokument in Posteingängen. Wer das Dokument unter Windows öffnet, kann sich die Ransomware Jaff einfangen. Diese verschlüsselt Daten und versieht sie mit der Dateiendung .wlc. --------------------------------------------- https://heise.de/-3728073 *** FreeRADIUS: Anmelde-Server dank Sicherheitslücke viel zu gutgläubig *** --------------------------------------------- Bei der Wiederaufnahme von TLS-Verbindungen überprüft der Anmelde-Server FreeRADIUS unter Umständen nicht, ob der Nutzer sich jemals richtig angemeldet hat. Für eine Software, die Anmeldungen prüfen soll, ist das fatal. --------------------------------------------- https://heise.de/-3728535 *** SANS Securing the Human Security Awareness Report 2017 *** --------------------------------------------- [...] The report highlights what successful programs do right to change behavior and what lagging programs can do to improve and move beyond compliance. --------------------------------------------- https://securingthehuman.sans.org/resources/security-awareness-report-2017 https://securingthehuman.sans.org/media/resources/STH-SecurityAwarenessRepo… *** The Most Common Social Engineering Attacks *** --------------------------------------------- Many years ago, one of the world's most popular hacker Kevin Mitnick explained in his book "The Art of Deception" the power of social engineering techniques, today we are aware that social engineering can be combined with hacking to power insidious attacks. Let's consider for example social media and mobile platforms; they are considered powerful attack [...] --------------------------------------------- http://resources.infosecinstitute.com/common-social-engineering-attacks/ *** Serviio PRO 1.8 DLNA Media Streaming Server REST API Arbitrary Code Execution *** --------------------------------------------- The version of Serviio installed on the remote Windows/Linux host is affected by an unauthenticated password modification vulnerability due to improper access control enforcement of the Configuration REST API. A remote attacker can exploit this, via a specially crafted request, to change the login password for the mediabrowser protected page. --------------------------------------------- http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5408.php *** IBM Security Bulletin: Security vulnerabilities in IBM Java Runtime affect IBM RLKS Administration and Reporting Tool Admin *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22001029 *** IBM Security Bulletin: A vulnerability in IBM Java SDK affects IBM Standards Processing Engine and IBM Transformation Extender Advanced (CVE-2016-5597) *** --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22003602

1 0

Tageszusammenfassung - Montag 29-05-2017
by Daily end-of-shift report 29 May '17

29 May '17

======================= = End-of-Shift report = ======================= Timeframe: Freitag 26-05-2017 18:00 − Montag 29-05-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** Microsoft Quietly Patches Another Critical Malware Protection Engine Flaw *** --------------------------------------------- Microsoft quietly patched a critical vulnerability found by Googles Project Zero team in the Malware Protection Engine. --------------------------------------------- http://threatpost.com/microsoft-quietly-patches-another-critical-malware-pr… *** Crysis ransomware master keys posted to Pastebin *** --------------------------------------------- Why would someone release the keys to victims? Who knows, but as the poster who uploaded them says, Enjoy! --------------------------------------------- https://nakedsecurity.sophos.com/2017/05/26/crysis-ransomware-master-keys-p… *** File2pcap - A new tool for your toolkit!, (Fri, May 26th) *** --------------------------------------------- One of our readers, Gebhard, submitted a pointer to a tool today, released byTalos, that I wasnt familiar with. However, when I realized it could generate packets, I had to try it out. Its called File2pcap. The concept of the tool is that instead of having to download a file and capture the traffic in order to write detection content, the tool would simulate the download and generate the traffic that you would see. You get a nice pcap in the end. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=22456&rss *** CyberChef a Must Have Tool in your Tool bag!, (Sun, May 28th) *** --------------------------------------------- This multipurpose and feature rich tool has been available for a while now and is updated regularly. What I find the most interesting is the number of features that are available this tool. CyberChef is fully portable and can be downloaded locally as an simple HTML self-contained page that can run in any browsers or if you prefer, you can download the package from Github and compile it yourself[2] but why bother. Since the code is updated regularly, I find the first option more practical. It [...] --------------------------------------------- https://isc.sans.edu/diary.html?storyid=22458&rss *** Analysis of Competing Hypotheses (ACH part 1), (Sun, May 28th) *** --------------------------------------------- In threat intelligence, by definition, an analyst will most of the times have to perform assessments in an environment of incomplete information, and/or with information that is being produced with the purpose of misleading the analyst. One of the well-known methodologies is the Analysis of Competing Hypotheses (ACH) [1], developed by Richards J. Heuer, Jr., a former CIA veteran. ACH is an analytic process that identifies a set of alternative hypotheses, and assesses whether data available are [...] --------------------------------------------- https://isc.sans.edu/diary.html?storyid=22460&rss *** Guidance on Disabling System Services on Windows Server 2016 with Desktop Experience *** --------------------------------------------- [Primary authors: Dan Simon and Nir Ben Zvi] The Windows operating system includes many system services that provide important functionality. Different services have different default startup policies: some are started by default (automatic), some when needed (manual) and some are disabled by default and must be explicitly enabled before they can run. These defaults were... --------------------------------------------- https://blogs.technet.microsoft.com/secguide/2017/05/29/guidance-on-disabli… *** Network Time Protocol updated to spook-harden user comms *** --------------------------------------------- Network time lords decide we dont need IP address swaps The Internet Engineering Task Force has taken another small step in protecting everybodys privacy - this time, in making the Network Time Protocol a bit less spaffy. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2017/05/29/network_tim… *** CFP Time *** --------------------------------------------- We decided to create a website for a clearer view of what conferences are happening all around the world. The project is still in beta and after seeing how the community takes it, we might take it one step further. --------------------------------------------- https://cfptime.org/cfps/about *** Dirty COW and why lying is bad even if you are the Linux kernel *** --------------------------------------------- [...] There have been plenty of articles and blog posts about the exploit, but none of them give a satisfactory explanation on exactly how Dirty COW works under the hood from the kernel's perspective. The following analysis is based on this attack POC, although the idea applies to all other similar attacks. --------------------------------------------- https://chao-tic.github.io/blog/2017/05/24/dirty-cow *** DFN-CERT-2017-0928: Microsoft Malware Protection Engine: Mehrere Schwachstellen ermöglichen u.a. die komplette Systemübernahme *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0928/ *** DFN-CERT-2017-0913: WebKitGTK+: Mehrere Schwachstellen ermöglichen die Ausführung beliebigen Programmcodes und einen Cross-Site-Scripting-Angriff *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0913/ https://webkitgtk.org/security/WSA-2017-0004.html *** DFN-CERT-2017-0925: FortiOS: Mehrere Schwachstellen ermöglichen u.a. das Erlangen von Administratorrechten *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0925/ *** Security Advisory - Multiple Vulnerabilities in MTK Platform *** --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170527-… *** Bugtraq: Wordpress Plugin Social-Stream - Exposure of Twitter API Secret Key and Token *** --------------------------------------------- http://www.securityfocus.com/archive/1/540636 *** Bugtraq: [security bulletin] HPESBHF03730 rev.1 - HPE Aruba ClearPass Policy Manager, Multiple Vulnerabilities *** --------------------------------------------- http://www.securityfocus.com/archive/1/540635 *** Bugtraq: [security bulletin] HPESBHF03754 rev.1 - HPE ML10 Gen 9 Server using Intel Xeon E3-1200 v5 Processor, Remote Access Restriction Bypass *** --------------------------------------------- http://www.securityfocus.com/archive/1/540634 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: IBM PowerVC is affected by vulnerability in OpenStack Nova (CVE-2017-7214) *** http://www-01.ibm.com/support/docview.wss?uid=nas8N1022011 --------------------------------------------- *** IBM Security Bulletin: A security vulnerability has been identified in Red Hat Enterprise Linux (RHEL) Server shipped with PurePower Integrated Manager (PPIM) (CVE-2017-6462 CVE-2017-6463 CVE-2017-6464) *** http://www-01.ibm.com/support/docview.wss?uid=isg3T1025209 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDKs affect IBM Virtualization Engine TS7700 - January 2017 *** http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010245 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in libxml2 and zlib affect IBM Virtual Fabric 10Gb Switch Module *** http://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=migr-50… --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in NTP affect IBM Flex System FC3171 8Gb SAN Switch and SAN Pass-thru, QLogic 8Gb Intelligent Pass-thru Module & SAN Switch Module for BladeCenter and QLogic Virtual Fabric Extension Module for IBM *** https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=MIGR-5… --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Flex System FC3171 8Gb SAN Switch and SAN Pass-thru, QLogic 8Gb Intelligent Pass-thru Module & SAN Switch Module for BladeCenter and QLogic Virtual Fabric Extension Module for IBM *** https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=MIGR-5… ---------------------------------------------

1 0

Tageszusammenfassung - Freitag 26-05-2017
by Daily end-of-shift report 26 May '17

26 May '17

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 24-05-2017 18:00 − Freitag 26-05-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Reflections on reflection (attacks) *** --------------------------------------------- Recently Akamai published an article about CLDAP reflection attacks. This got us thinking. We saw attacks from Conectionless LDAP servers back in November 2016 but totally ignored them because our systems were automatically dropping the attack .. --------------------------------------------- https://blog.cloudflare.com/reflections-on-reflections/ *** Cloak & Dagger *** --------------------------------------------- Cloak & Dagger is a new class of potential attacks affecting Android devices. These attacks allow a malicious app to completely control the UI feedback loop and take over the device — without giving the user a chance to notice the malicious activity. These attacks .. --------------------------------------------- http://cloak-and-dagger.org/ *** Trump’s Dumps: ‘Making Dumps Great Again’ *** --------------------------------------------- Its not uncommon for crooks who peddle stolen credit cards to seize on iconic American figures of wealth and power in the digital advertisements for these shops that run continuously on various .. --------------------------------------------- https://krebsonsecurity.com/2017/05/trumps-dumps-making-dumps-great-again/ *** Österreichs Unternehmen sind bei IT-Sicherheit Nachzügler *** --------------------------------------------- Investitionen in die Sicherheit als Chance verstehen --------------------------------------------- http://derstandard.at/2000058280565 *** 83% of Security Pros Waste Time Fixing Co-Workers Non-Security Problems *** --------------------------------------------- Security personnel in many organizations waste time every week helping co-workers with general IT problems, rather than doing their own work, which in the long run, .. --------------------------------------------- https://www.bleepingcomputer.com/news/technology/83-percent-of-security-pro… *** Schwere Sicherheitslücke in Samba gefunden *** --------------------------------------------- Exploits bereits im Netz – Updates sollten rasch eingespielt werden --------------------------------------------- http://derstandard.at/2000058287863 *** DSA-3863 imagemagick - security update *** --------------------------------------------- This update fixes several vulnerabilities in imagemagick: Various memory handling problems and cases of missing or incomplete input sanitising .. --------------------------------------------- https://www.debian.org/security/2017/dsa-3863 *** DSA-3862 puppet - security update *** --------------------------------------------- It was discovered that unrestricted YAML deserialisation of data sent from agents to the server in the Puppet configuration management .. --------------------------------------------- https://www.debian.org/security/2017/dsa-3862 *** Manipulierte Webseiten legen Windows lahm *** --------------------------------------------- Problem mit Dateinamen verlangsamt System bis zum Stillstand – Windows 7, 8 und Vista betroffen --------------------------------------------- http://derstandard.at/2000058292526 *** Tanze (aktualisierten) Samba mit mir *** --------------------------------------------- Die Erinnerung an CVE-2017-0144, und die Auswirkungen von WannaCry, ist bei uns allen noch frisch im Gedächtnis verankert, und damit keine Langeweile aufkommt, hat Samba nun ein Advisory bezüglich einer kritischen Schwachstelle veröffentlicht: All versions of Samba .. --------------------------------------------- http://www.cert.at/services/blog/20170526134531-2020.html *** FileZilla FTP Client Adds Support for Master Password That Encrypts Your Logins *** --------------------------------------------- Following years of criticism and user requests, the FileZilla FTP client is finally adding support for a master password .. --------------------------------------------- https://www.bleepingcomputer.com/news/software/filezilla-ftp-client-adds-su…

1 0

Tageszusammenfassung - Mittwoch 24-05-2017
by Daily end-of-shift report 24 May '17

24 May '17

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 23-05-2017 18:00 − Mittwoch 24-05-2017 18:00 Handler: Robert Waldner Co-Handler: n/a *** FIRST releases version 1.1 of the CSIRT Services Framework *** --------------------------------------------- The leading association of incident response and security teams released a new version of its CSIRT Services Framework. This is a formal list of services a Computer Security Incident Response Team (CSIRT) may consider implementing to address the needs of their constituency. --------------------------------------------- https://www.first.org/newsroom/releases/20170524 *** B. Braun Medical SpaceCom Open Redirect Vulnerability *** --------------------------------------------- This advisory was originally posted to the NCCIC Portal on March 23, 2017, and is being released to the ICS-CERT web site. This advisory contains mitigation details for an open redirect vulnerability in B. Braun Medical's SpaceCom module, which is integrated into the SpaceStation docking station. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSMA-17-082-02 *** Trend Micro ServerProtect for Linux Multiple Bugs Let Remote Users Execute Arbitrary Code and Conduct Cross-Site Scripting and Cross-Site Request Forgery Attacks and Let Local Users Gain Elevated Privileges *** --------------------------------------------- http://www.securitytracker.com/id/1038548 *** OpenVPN Access Server Input Validation Flaw Lets Remote Users Conduct Session Fixation Attacks to Hijack a Target Users Session *** --------------------------------------------- A remote user can create a specially crafted URL containing the '%0A' character that, when loaded by the target user prior to authentication, will inject headers and set the session cookie to a specified value. After the target user authenticates to the target OpenVPN Access Server, the remote user can hijack the target user's session. --------------------------------------------- http://www.securitytracker.com/id/1038547 *** DFN-CERT-2017-0901/">Puppet, Puppet Enterprise: Eine Schwachstelle ermöglicht die Ausführung beliebigen Programmcodes *** --------------------------------------------- Betroffene Software Puppet < 4.10.1 Puppet Enterprise < 2016.4.5 Puppet Enterprise < 2017.2.1 --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0901/ *** [Announce] Samba 4.6.4, 4.5.10 and 4.4.14 Available for Download *** --------------------------------------------- CVE-2017-7494: All versions of Samba from 3.5.0 onwards are vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it. --------------------------------------------- https://lists.samba.org/archive/samba-announce/2017/000406.html *** Security Advisory - FRP Bypass Vulnerability in Huawei Smart Phones *** --------------------------------------------- There is Factory Reset Protection (FRP) bypass security vulnerability in some Huawei smart phones. When re-configuring the mobile phone using the factory reset protection (FRP) function, an attacker can perform some operations to update the Google account. As a result, the FRP function is bypassed. (Vulnerability ID: HWPSIRT-2017-02036). This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2017-2710. --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170524-… *** Jaff ransomware gets a makeover *** --------------------------------------------- With all the recent news about WannaCry ransomware, people might forget Jaff is an ongoing threat. Worse yet, some people might not know about it at all since its debut about 2 weeks ago. Jaff has already gotten a makeover, so an infected host looks noticeably different now. --------------------------------------------- https://isc.sans.edu/diary/Jaff+ransomware+gets+a+makeover/22446 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: multiple vulnerabilities in IBM SDK Java Technology Edition affect IBM Security Guardium Data Redaction. . *** http://www-01.ibm.com/support/docview.wss?uid=swg22003466 --------------------------------------------- *** IBM Security Bulletin: IBM Maximo Asset Management generates error messages that could reveal sensitive information that could be used in further attacks against the system (CVE-2017-1292) *** http://www-01.ibm.com/support/docview.wss?uid=swg22003414 --------------------------------------------- *** IBM Security Bulletin: IBM Maximo Asset Management is vulnerable to HTTP response splitting attacks (CVE-2017-1291) *** http://www.ibm.com/support/docview.wss?uid=swg22003413 --------------------------------------------- *** IBM Security Bulletin: Fix Available for IBM iNotes Cross-Site Scripting Vulnerability (CVE-2017-1325) *** http://www-01.ibm.com/support/docview.wss?uid=swg22003497 --------------------------------------------- *** IBM Security Bulletin: Multiple Vulnerabilities in the IBM SDK Java Technology Edition affect IBM Notes *** http://www-01.ibm.com/support/docview.wss?uid=swg22000602 --------------------------------------------- *** IBM Security Bulletin: Multiple Vulnerabilities in the IBM SDK Java Technology Edition affect IBM Domino *** http://www-01.ibm.com/support/docview.wss?uid=swg22000516 ---------------------------------------------

1 0

Tageszusammenfassung - Dienstag 23-05-2017
by Daily end-of-shift report 23 May '17

23 May '17

======================= = End-of-Shift report = ======================= Timeframe: Montag 22-05-2017 18:00 − Dienstag 23-05-2017 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** EU security think tank ENISA looks for IoT security, cant find any *** --------------------------------------------- Proposes baseline security spec, plus stickers to prove thing-makers have complied European network and infosec agency ENISA has taken a look at Internet of Things security, and doesnt much like what it sees. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2017/05/23/enisa_propo… *** Biometrie: Iris-Scanner des Galaxy S8 kann einfach manipuliert werden *** --------------------------------------------- Schon wieder zeigt sich: Biometrische Merkmale sind praktisch zum Entsperren von Geräten - sicher sind sie hingegen nicht. Ein Hacker hat gezeigt, dass sich der Irisscanner des Galaxy S8 von Samsung mit einem einfachen Foto und einer Kontaktlinse austricksen lässt. --------------------------------------------- https://www.golem.de/news/biometrie-iris-scanner-des-galaxy-s8-kann-einfach… *** Preloading in Internet Explorer 11 sends complete browsing history to Microsoft *** --------------------------------------------- Your entire browsing history will periodically be sent to Microsoft. The data sent includes all addresses you visit and when you visited them (derived from that is also how long you spent on each page), and the address of the page that referred you to each page. --------------------------------------------- https://ctrl.blog/entry/ie11-flip-out-privacy *** Windows 10 UAC Bypass Uses "Apps & Features" Utility *** --------------------------------------------- Malware authors have a new UAC bypass technique at their disposal that they can use to install malicious apps on devices running Windows 10. --------------------------------------------- https://www.bleepingcomputer.com/news/security/windows-10-uac-bypass-uses-a… *** Hackers can use subtitles to take over millions of devices running VLC, Kodi, Popcorn Time and Stremio *** --------------------------------------------- Check Point researchers revealed a new attack vector threatening millions of users of popular media players, including VLC, Kodi (XBMC), Popcorn Time and Stremio. By crafting malicious subtitle files for films and TV programmes, which are then downloaded by viewers, attackers can potentially take complete control of any device running the vulnerable platforms. --------------------------------------------- https://www.helpnetsecurity.com/2017/05/23/subtitle-hack/ *** [2017-05-23] Arbitrary File Upload & Stored XSS in InvoicePlane *** --------------------------------------------- Multiple high risk vulnerabilities, such as arbitrary file upload and stored cross site-scripting, within the InvoicePlane software allow an attacker to compromise the affected server. --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2017… *** BIG-IP Azure cloud vulnerability CVE-2017-6131 *** --------------------------------------------- BIG-IP Azure cloud vulnerability CVE-2017-6131. Security Advisory. Security Advisory Description. In some circumstances ... --------------------------------------------- https://support.f5.com/csp/article/K61757346 *** Cisco Integrated Management Controller Remote Code Execution Vulnerability *** --------------------------------------------- A vulnerability in the web-based GUI of Cisco Integrated Management Controller (CIMC) could allow an unauthenticated, remote attacker to perform unauthorized remote command execution on the affected device.The vulnerability exists because the affected software does not sufficiently sanitize specific values that are received as part of a user-supplied HTTP request. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected software. Successful exploitation... --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… *** Cisco Integrated Management Controller Privilege Escalation Vulnerability *** --------------------------------------------- A vulnerability in the web-based GUI of Cisco Integrated Management Controller (CIMC) could allow an authenticated, remote attacker to elevate the privileges of user accounts on the affected device.The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending crafted HTTP requests to the affected device. Successful exploitation could allow an authenticated attacker to elevate the privileges of user accounts configured on the device. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in NTP affect IBM Flex System Chassis Management Module (CMM) *** https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=MIGR-5… --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in xorg-x11-libX11 affect IBM Flex System Chassis Management Module (CMM) *** https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=MIGR-5… --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in cURL affect IBM Flex System Chassis Management Module (CMM) *** https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=MIGR-5… --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect MegaRAID Storage Manager *** https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=migr-5… --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in tcpdump affect IBM Flex System Chassis Management Module (CMM) *** https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=MIGR-5… --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Web Experience Factory *** http://www.ibm.com/support/docview.wss?uid=swg22003695 --------------------------------------------- *** IBM Security Bulletin: Directory Traversal vulnerabilities impact IBM Network Advisor. *** http://www.ibm.com/support/docview.wss?uid=ssg1S1009700 --------------------------------------------- *** IBM Security Bulletin: Rational DOORS Web Access is affected by Apache Tomcat vulnerability (CVE-2016-6816) *** http://www.ibm.com/support/docview.wss?uid=swg22003660 --------------------------------------------- *** IBM Security Bulletin: Open Source cURL Libcurl, used by BigFix Platform, has security vulnerabilities (CVE-2016-8617 CVE-2016-8624 CVE-2016-8621) *** http://www-01.ibm.com/support/docview.wss?uid=swg22001818 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Security Access Manager (CVE-2016-5597, CVE-2016-5554) *** http://www-01.ibm.com/support/docview.wss?uid=swg22002446 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Tivoli Access Manager for e-business and IBM Security Access Manager for Web (CVE-2016-5597, CVE-2016-5554) *** http://www-01.ibm.com/support/docview.wss?uid=swg22002445 ---------------------------------------------

1 0

Tageszusammenfassung - Montag 22-05-2017
by Daily end-of-shift report 22 May '17

22 May '17

======================= = End-of-Shift report = ======================= Timeframe: Freitag 19-05-2017 18:00 − Montag 22-05-2017 18:00 Handler: Alexander Riepl Co-Handler: Stephan Richter *** Terror Exploit Kit Evolves Into Larger Threat *** --------------------------------------------- The Terror exploit kit has matured into a greater threat and carefully crafts attacks based on a users browser environment. --------------------------------------------- http://threatpost.com/terror-exploit-kit-evolves-into-larger-threat/125816/ *** DSA-3859 dropbear - security update *** --------------------------------------------- https://www.debian.org/security/2017/dsa-3859 *** DSA-3858 openjdk-7 - security update *** --------------------------------------------- Several vulnerabilities have been discovered in OpenJDK, animplementation of the Oracle Java platform, resulting in privilege escalation, denial of service, newline injection in SMTP or use of insecure cryptography. --------------------------------------------- https://www.debian.org/security/2017/dsa-3858 *** WannaCry: Fast nur Windows-7-PCs infiziert *** --------------------------------------------- Mehr als 98 Prozent aller mit WannaCry infizierten PCs laufen nach Zahlen von Kaspersky Lab unter Windows 7. --------------------------------------------- https://heise.de/-3719145 *** Nordkorea unterhält offenbar Spezialeinheit für Cyberangriffe auf Banken *** --------------------------------------------- Soll angeblich hauptsächlich Devisen beschaffen --------------------------------------------- http://derstandard.at/2000058034871 *** Netgear fixes router by adding phone-home features that record your IP and MAC address *** --------------------------------------------- Yeah, that'll be secure for sure Netgear NightHawk R7000 users who ran last weeks firmware upgrade need to check their settings, because the company added a remote data collection feature to the units. --------------------------------------------- www.theregister.co.uk/2017/05/21/netgear_updates_router_with_phone_home_fea… *** "Athena": Mächtiges CIA-Tool knackt alle Windows-Versionen seit XP *** --------------------------------------------- Wikileaks publiziert Dokumente - Umfassende Überwachungsmöglichkeiten, Malware kann auch Daten löschen --------------------------------------------- http://derstandard.at/2000058071298 *** IT threat evolution Q1 2017. Statistics *** --------------------------------------------- According to KSN data, Kaspersky Lab solutions detected and repelled 479,528,279 malicious attacks from online resources located in 190 countries all over the world. File antivirus detected a total of 174,989,956 unique malicious and potentially unwanted objects. --------------------------------------------- http://securelist.com/analysis/quarterly-malware-reports/78475/it-threat-ev… *** Operation "Porto": 159 Dealer im Darknet ausgeforscht *** --------------------------------------------- Ermittlungsverfahren gegen 697 Personen - 35 kg Suchtgift sowie 4.500 Tabletten sichergestellt --------------------------------------------- http://derstandard.at/2000058084813 *** Achtung, Abzocke: Microsoft warnt erneut vor betrügerischen Anrufen *** --------------------------------------------- Mit angeblichen Support-Anrufen von Unternehmen wie Microsoft oder Dell versuchen Betrüger, PC-Besitzer abzuzocken. Trotz einiger Erfolge der Ermittler bleibt das Problem virulent. --------------------------------------------- https://heise.de/-3720168 *** The Problem with OCSP Stapling and Must Staple and why Certificate Revocation is still broken *** --------------------------------------------- Today the OCSP servers from Let's Encrypt were offline for a while. This has caused far more trouble than it should have, because in theory we have all the technologies available to handle such an incident. However due to failures in how they are implemented they don't really work. --------------------------------------------- https://blog.hboeck.de/archives/886-The-Problem-with-OCSP-Stapling-and-Must… *** Was die Datenschutzverordnung bringt: Sammelklagen, Beauftragte *** --------------------------------------------- Nutzer können ab Mai 2018 ihre Rechte leichter durchsetzen, sagt IT-Anwalt Lukas Feiler --------------------------------------------- http://derstandard.at/2000058102109 *** Yahoo schmeisst ImageMagick nach Sicherheitslücke aus eigenem Webmail-Code *** --------------------------------------------- Durch die Schwachstelle konnten Angreifer Speicherinhalte der Yahoo-Server auslesen und so die E-Mail-Anhänge anderer Nutzer ausspionieren. Yahoo schloss die Lücke innerhalb eines selbstverordneten 90-Tage-Ultimatums. --------------------------------------------- https://heise.de/-3720803

1 0

Tageszusammenfassung - Freitag 19-05-2017
by Daily end-of-shift report 19 May '17

19 May '17

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 18-05-2017 18:00 − Freitag 19-05-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** How did the WannaCry Ransomworm spread? *** --------------------------------------------- Security researchers have had a busy week since the WannaCry ransomware outbreak that wreaked havoc on computers worldwide. How did it all happen? --------------------------------------------- https://blog.malwarebytes.com/cybercrime/2017/05/how-did-wannacry-ransomwor… *** Who's responsible for fixing SS7 security issues? *** --------------------------------------------- The WannaCry ransomware onslaught has overshadowed some of the other notable happenings this month, including the spectacular Google-themed phishing/spamming attack, and the news that attackers have managed to exploit vulnerabilities in the SS7 protocol suite to bypass German banks' two-factor authentication and drain their customers' bank accounts. According to the reports, the attackers were able to pull this scheme off by gaining access to the network of a foreign mobile network [...] --------------------------------------------- https://www.helpnetsecurity.com/2017/05/19/ss7-security-issues/ *** Number of HTTPS phishing sites triples *** --------------------------------------------- When, in January 2017, Mozilla and Google made Firefox and Chrome flag HTTP login pages as insecure, the intent was to make phishing pages easier to recognize, as well as push more website owners towards deploying HTTPS. But while the latter aim was achieved, and the number of phishing sites making use of HTTPS has increased noticeably, the move also had one unintended consequence: the number of phishing sites with HTTPS has increased, too. --------------------------------------------- https://www.helpnetsecurity.com/2017/05/19/number-https-phishing-sites-trip… *** Hintergrund: Chrome blockt ab sofort Zertifikate mit Common Name *** --------------------------------------------- Wenn der seit Jahren etablierte, hauseigene Dienst plötzlich den HTTPS-Zugang verwehrt, liegt das vermutlich an einer Neuerung der aktuellen Chrome-Version: Google erzwingt den Einsatz der RFC-konformen "Subject Alt Names" und viele Admins müssen deshalb jetzt Hand anlegen. --------------------------------------------- https://heise.de/-3717594 *** Bypassing Application Whitelisting with BGInfo *** --------------------------------------------- TL;DR: BGinfo.exe older than version 4.22 can be used to bypass application whitelisting using vbscript inside a bgi file. This can run directly from a webdav server. --------------------------------------------- https://msitpros.com/?p=3831 *** "Four Keys to Effective ICS Incident Response" *** --------------------------------------------- While incident response in Information Technology (IT) and Operational Technology (OT) or Industrial Control Systems (ICS) may appear to be very similar, incident response in an ICS environment has different considerations and priorities. Many organizations leverage their existing IT incident response capabilities in an OT environment which may not be ideal for successful incident response [...] --------------------------------------------- http://ics.sans.org/blog/2017/05/19/four-keys-to-effective-ics-incident-res… *** ETERNALBLUE vs Internet Security Suites and nextgen protections *** --------------------------------------------- Due to the recent #wannacry ransomware events, we initiated a quick test in our lab. Most vendors claim to protect against the WannaDecrypt ransomware, and some even claims they protect against ETERNALBLUE exploit (MS17-010). Unfortunately, our tests shows otherwise. Warning: We only tested the exploit and the backdoor, but not the payload (Wannacry)! --------------------------------------------- https://www.mrg-effitas.com/eternalblue-vs-internet-security-suites-and-nex… *** Forensik-Tool soll gelöschte Notizen aus iCloud auslesen können *** --------------------------------------------- Der Softwareanbieter Elcomsoft hat seine App "Phone Breaker" um eine Funktion erweitert, die den Umstand ausnutzt, dass Apple offenbar auch vom Nutzer eigentlich vernichtete Notizen länger aufbewahrt. --------------------------------------------- https://heise.de/-3718361 *** MS17-010 (Ransomware WannaCry) Impact to Cisco Products *** --------------------------------------------- The Cisco PSIRT Team is continuing to investigate the impact of this vulnerability on Cisco products that have not reached end of software maintenance support and that do not support automated or manual updates of the Microsoft patch for these vulnerabilities. Investigation is expected to be completed by Friday, May 19th. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco… *** HPESBGN03748 rev.1 - HPE Cloud Optimizer, Remote Disclosure of Information *** --------------------------------------------- A potential security vulnerability has been identified in HPE Cloud Optimizer. The vulnerability could be remotely exploited resulting in disclosure of information. --------------------------------------------- https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbgn037… *** Bugtraq: Nextcloud/Owncloud - Reflected Cross Site Scripting in error pages *** --------------------------------------------- http://www.securityfocus.com/archive/1/540569 *** DSA-3855 jbig2dec - security update *** --------------------------------------------- Multiple security issues have been found in the JBIG2 decoder library,which may lead to denial of service, disclosure of sensitive informationfrom process memory or the execution of arbitrary code if a malformedimage file (usually embedded in a PDF document) is opened. --------------------------------------------- https://www.debian.org/security/2017/dsa-3855 *** Indicators Associated With WannaCry Ransomware (Update C) *** --------------------------------------------- This updated alert is a follow-up to the updated alert titled ICS-ALERT-17-135-01B Indicators Associated With WannaCry Ransomware that was published May 17, 2017, on the NCCIC/ICS-CERT web site. --------------------------------------------- https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-135-01C *** McAfee Network Data Loss Prevention Multiple Bugs Let Remote Users Conduct Session Hijacking and Cross-Site Scripting Attacks and Obtain Potentially Sensitive Information *** --------------------------------------------- http://www.securitytracker.com/id/1038523 *** VMSA-2017-0009 *** --------------------------------------------- VMware Workstation update addresses multiple security issues --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2017-0009.html *** DFN-CERT-2017-0885: Red Hat JBoss Enterprise Application Platform, RESTEasy: Eine Schwachstelle ermöglicht das Ausführen beliebigen Programmcodes *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0885/ *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Samba vulnerability issue on IBM Storwize V7000 Unified (CVE-2016-2125, CVE-2016-2126) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1010052 --------------------------------------------- *** IBM Security Bulletin: IBM Cisco Switches and Directors vulnerable to Sweet32 Birthday attacks (CVE-2016-2183 CVE-2016-6329). *** http://www.ibm.com/support/docview.wss?uid=ssg1S1010239 --------------------------------------------- *** IBM Security Bulletin: IBM Content Navigator Cross Site Scripting Vulnerability *** http://www-01.ibm.com/support/docview.wss?uid=swg22002356 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in Network Security Services (NSS) component affect SAN Volume Controller, Storwize family and FlashSystem V9000 products. *** http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010118 --------------------------------------------- *** IBM Security Bulletin: Open redirect vulnerability in IBM Business Process Manager (CVE-2017-1159) *** http://www-01.ibm.com/support/docview.wss?uid=swg22000253 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in OpenSSL affect IBM SONAS (CVE-2017-3731) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1010136 ---------------------------------------------

1 0

Tageszusammenfassung - Donnerstag 18-05-2017
by Daily end-of-shift report 18 May '17

18 May '17

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 17-05-2017 18:00 − Donnerstag 18-05-2017 18:00 Handler: Stephan Richter Co-Handler: Alexander Riepl *** Bootstrap - Critical - Information Disclosure - SA-CONTRIB-2017-048 *** --------------------------------------------- This theme enables you to bridge the gap between the Bootstrap Framework and Drupal. The theme does not sufficiently exclude the submitted password value when an incorrect value .. --------------------------------------------- https://www.drupal.org/node/2879177 *** 4022345 - Identifying and correcting failure of Windows Update client to receive updates - Version: 1.3 *** --------------------------------------------- Microsoft is releasing this security advisory to provide information related to an uncommon deployment scenario in which the Windows Update Client may not properly scan for, or download, updates. This scenario may affect customers who installed .. --------------------------------------------- https://technet.microsoft.com/en-us/library/security/4022345 *** iPrint Appliance 2.0 Patch 5 *** --------------------------------------------- iPrint Appliance 2.0 Patch 5 includes bug fixes, security fixes and a consolidation of previously released patches and hot patches for the iPrint Appliance 2.0. --------------------------------------------- https://download.novell.com/Download?buildid=nKiTte1j9yM~ *** iPrint Appliance 2.1 Patch 3 *** --------------------------------------------- iPrint Appliance 2.1 Patch 3 is a cumulative patch including fixes from all the previous 2.1 patches and hot fixes. --------------------------------------------- https://download.novell.com/Download?buildid=4QmSWkUlwrA~ *** Indicators Associated With WannaCry Ransomware (Update B) *** --------------------------------------------- This updated alert is a follow-up to the updated alert titled ICS-ALERT-17-135-01A Indicators Associated With WannaCry Ransomware that was published May 16, 2017, on the NCCIC/ICS-CERT web site. --------------------------------------------- https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-135-01B *** My Little CVE Bot *** --------------------------------------------- The massive spread of the WannaCry ransomware last Friday was another good proof that many organisations still fail to patch their systems. Everybody admits that patching is a boring task. They are many constraints that make this process very difficult to implement .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=22432 *** Handbrake-Trojaner: Quellcode des Mac-Entwicklerstudios Panic entwendet *** --------------------------------------------- Die auf Mac-Nutzer abzielene Malware “Proton” hat ein erstes prominentes Opfer gefordert: Unbekannte klauten den Quelltext zu mehreren Apps des Entwicklerstudios Panic. Kundendaten sind nicht betroffen, betont das Unternehmen. --------------------------------------------- https://heise.de/-3716479 *** Why the most successful Retefe spam campaign never paid off *** --------------------------------------------- Switzerland is one of the main targets of the Retefe banking trojan since its first appearance in November 2013. At .. --------------------------------------------- https://securityblog.switch.ch/2017/05/18/why-the-most-successful-retefe-sp… *** SSB-412479 (Last Update 2017-05-17): Customer Information on WannaCry Malware for Siemens Healthineers Imaging and Diagnostics Products *** --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_bulletin_ssb-412479… *** [2017-05-18] Multiple critical vulnerabilities in Western Digital TV Media Player *** --------------------------------------------- Multiple critical vulnerabilities, such as unauthenticated arbitrary file upload or local file inclusion, within the WDTV Media Player devices allow an attacker to take over the device over the network. --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2017… *** Security Alert: BlueDoom Worm Caught Spreading through EternalBlue, Integrates Batch of Leaked NSA Exploits *** --------------------------------------------- Unfortunately for users who haven’t patched their systems yet after the WannaCry ransomware campaign, there has been an increase in attempts to abuse the EternalBlue exploit in the past few .. --------------------------------------------- https://heimdalsecurity.com/blog/bluedoom-worm-eternablue-nsa-exploits/ *** ATM Black Box attacks: 27 arrested all over Europe *** --------------------------------------------- The efforts of a number of EU Member States and Norway, supported by Europol’s European Cybercrime Centre (EC3) and the Joint Cybercrime Action Taskforce (J-CAT), culminated in the arrest of 27 individuals linked with so-called ATM Black Box attacks across .. --------------------------------------------- https://www.helpnetsecurity.com/2017/05/18/black-box-attacks/ *** 22 Cisco Security Advisories 2017-05-17 *** --------------------------------------------- 1 Critical, 3 High, 18 Medium --------------------------------------------- https://tools.cisco.com/security/center/publicationListing.x

1 0

Tageszusammenfassung - Mittwoch 17-05-2017
by Daily end-of-shift report 17 May '17

17 May '17

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 16-05-2017 18:00 − Mittwoch 17-05-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** Jetzt patchen: Gerfährliche Sicherheitslücke in Joomla *** --------------------------------------------- Das Joomla-Team schließt mit Version 3.7.1 eine SQL-Injection-Lücke, die fatale Folgen haben kann. Joomla-Admins sollten zügig reagieren. --------------------------------------------- https://heise.de/-3716175 *** WordPress-Update 4.7.5 schließt sechs Sicherheitslücken *** --------------------------------------------- Zwar werden keine der Lücken als kritisch eingestuft, Admins sollten sich aber trotzdem um die XSS- und CSRF-Lücken kümmern. --------------------------------------------- https://heise.de/-3716055 *** Extending Microsoft Edge Bounty Program *** --------------------------------------------- Over the past 10 months, we've paid out more than $200,000 USD in bounties to researchers reporting vulnerabilities through the Microsoft Edge Bounty Program. Partnering with the research community has helped improve Microsoft Edge security, and to continue this collaboration, today we're extending the end date of the Edge on Windows Insider Preview (WIP) bounty... --------------------------------------------- https://blogs.technet.microsoft.com/msrc/2017/05/16/extending-microsoft-edg… *** BSI veröffentlicht Mindeststandard für Mobile Device Management *** --------------------------------------------- Der Mindeststandard definiert in 40 technischen und organisatorischen Regeln die Anforderungen an MDM-Systeme des Bundes sowie deren Betrieb. Er definiert, welche Richtlinien ein System umsetzen können muss, lässt aber Spielraum bei deren Ausgestaltung. --------------------------------------------- https://heise.de/-3715500 *** Basic Best Practices for Securing LDAP and Active Directory with Red Hat *** --------------------------------------------- In the enterprise, its very popular to manage Windows client PCs through Red Hat servers. This sort of configuration is especially common in healthcare and the financial services industries. Red Hat Enterprise Linux (RHEL) has good software for working with Windows Active Directory. Red Hat Enterprise Linux can also manage clients with multiple platforms, such as Windows, OS X, Android, and other Linux distributions with OpenLDAP, an opensource implementation of the Lightweight Directory Access [...] --------------------------------------------- https://www.alienvault.com/blogs/security-essentials/basic-best-practices-f… *** Gefälschtes easybank-Schreiben: Konto gesperrt *** --------------------------------------------- Kriminelle versenden eine gefälschte easybank-Nachricht. Darin heißt es, dass Unbekannte auf das Konto zugegriffen haben. Deshalb sollen Kund/innen eine Website aufrufen, persönliche Bankdaten bekannt geben und ihr Konto bestätigen. Wer die verlangten Informationen Preis gibt, übermittelt sie an Verbrecher/innen. --------------------------------------------- https://www.watchlist-internet.at/phishing/gefaelschtes-easybank-schreiben-… *** Why Phishing Attacks Succeed *** --------------------------------------------- The first time I received a "secure" email message from my bank, I was a bit suspicious of what I was actually seeing. It looked too much like a phishing attempt for my comfort. The message in my inbox was from my banker's email address, not from Chase 1 directly. It also included an attached HTML page and instructions to "open the attached page in an browser for instructions on how to proceed." --------------------------------------------- https://ttmm.io/tech/why-phishing-attacks-succeed/ *** How Big Fuzzing helps find holes in open source projects *** --------------------------------------------- Googles beta project, OSS-Fuzz, has found 264 vulnerabilities in 47 open-source projects - so is it an idea whose time has come? --------------------------------------------- https://nakedsecurity.sophos.com/2017/05/17/how-big-fuzzing-helps-find-hole… *** Security Advisory - DoS Vulnerability in Some Huawei Products *** --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170517-… *** SSB-412479 (Last Update 2017-05-16): Customer Information on WannaCry Malware for Siemens Healthineers Imaging and Diagnostics Products *** --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_bulletin_ssb-421479… *** Indicators Associated With WannaCry Ransomware (Update A) *** --------------------------------------------- This updated alert is a follow-up to the original alert titled ICS-ALERT-17-135-01 Indicators Associated With WannaCry Ransomware that was published May 15, 2017, on the NCCIC/ICS-CERT web site. --------------------------------------------- https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-135-01A *** FortiOS stored XSS vulnerability in the policy global-label parameter *** --------------------------------------------- FortiOS is subject to a Cross-Site Scripting vulnerability, due to an improperly sanitized parameter in a hidden CLI configuration setting named global-label . This can however only be exploited by an administrator with write privileges. --------------------------------------------- http://fortiguard.com/psirt/FG-IR-17-057 *** NTP vulnerability CVE-2017-6463 *** --------------------------------------------- NTP vulnerability CVE-2017-6463. Security Advisory. Security Advisory Description. NTP before 4.2.8p10 and 4.3.x before ... --------------------------------------------- https://support.f5.com/csp/article/K02951273 *** Linux kernel vulnerability CVE-2017-8106 *** --------------------------------------------- Linux kernel vulnerability CVE-2017-8106. Security Advisory. Security Advisory Description. The handle_invept function ... --------------------------------------------- https://support.f5.com/csp/article/K34886212 *** Schneider Electric VAMPSET *** --------------------------------------------- This advisory contains mitigation details for a memory corruption vulnerability in Schneider Electric's VAMPSET. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-136-04 *** Detcon SiteWatch Gateway *** --------------------------------------------- This advisory contains mitigation details for authentication bypass and plaintext storage of a password vulnerabilities in Detcon's SiteWatch Gateway. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-136-01 *** Hanwha Techwin SRN-4000 *** --------------------------------------------- This advisory contains mitigation details for an unauthenticated access vulnerability in Hanwha Techwin's SRN-4000. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-136-03 *** Schneider Electric SoMachine HVAC *** --------------------------------------------- This advisory contains mitigation details for buffer overflow and DLL hijack vulnerabilities in Schneider Electric's SoMachine HVAC. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-136-02 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Security Network Protection *** http://www-01.ibm.com/support/docview.wss?uid=swg21999513 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in IBM Java SDK affects IBM Algo One Algo Risk Application and Core (CVE-2016-5546, CVE-2016-5548, CVE-2016-5549, CVE-2016-5547, CVE-2016-2183) *** http://www.ibm.com/support/docview.wss?uid=swg22000818 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Installation Manager and IBM Packaging Utility *** http://www-01.ibm.com/support/docview.wss?uid=swg22003157 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Monitoring *** http://www.ibm.com/support/docview.wss?uid=swg22002865 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Integration Designer and WebSphere Integration Developer *** http://www-01.ibm.com/support/docview.wss?uid=swg22002555 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in Apache Tomcat affects IBM Algo One Core (CVE-2016-8745) *** http://www.ibm.com/support/docview.wss?uid=swg22001932 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in OpenSSH affects IBM Security Network Protection (CVE-2015-8325) *** http://www-01.ibm.com/support/docview.wss?uid=swg21999248 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime IBM affect IBM Decision Optimization Center and IBM ILOG ODM Enterprise *** http://www-01.ibm.com/support/docview.wss?uid=swg22003304 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM ILOG CPLEX Optimization Studio *** http://www-01.ibm.com/support/docview.wss?uid=swg22003305 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in GNU C library (glibc) affect IBM Security Network Protection *** http://www-01.ibm.com/support/docview.wss?uid=swg22001907 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Security Network Protection (CVE-2016-8610, and CVE-2017-3731) *** http://www-01.ibm.com/support/docview.wss?uid=swg21999162 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in NTP affect IBM Security Network Protection *** http://www-01.ibm.com/support/docview.wss?uid=swg21999246 ---------------------------------------------

1 0

Tageszusammenfassung - Dienstag 16-05-2017
by Daily end-of-shift report 16 May '17

16 May '17

======================= = End-of-Shift report = ======================= Timeframe: Montag 15-05-2017 18:00 − Dienstag 16-05-2017 18:00 Handler: Petr Sikuta Co-Handler: Stephan Richter *** WannaCry? Do your own data analysis., (Tue, May 16th) *** --------------------------------------------- In God we trust. All others must bring data ~Bob Rudis With endless amounts of data, technical detail, and insights on WannaCrypt/WannaCry, and even more FUD, speculation, and even downright trolling, herein is a proposal for you to do your own data-driven security analysis. My favorite book to help you scratch that itch? Data Driven Security: Analysis, Visualization and Dashboards, by Jay Jacobs Bob Rudis. A few quick samples, using WannaCry data and R, the open source programming language and [...] --------------------------------------------- https://isc.sans.edu/diary.html?storyid=22424&rss *** Digital signature service DocuSign hacked and email addresses stolen *** --------------------------------------------- Digital signature service DocuSign said Monday that an unnamed third-party had got access to email addresses of its users after hacking into its systems.The hackers gained temporary access to a peripheral sub-system for communicating service-related announcements to users through email, the company said. It confirmed after what it described as a complete forensic analysis that only email addresses were accessed, and not other details such as names, physical addresses, passwords, social security [...] --------------------------------------------- http://www.cio.com/article/3196854/security/digital-signature-service-docus… *** Apple-Updates schließen unangenehme Sicherheitslücken in iCloud, iTunes und iOS *** --------------------------------------------- Patchday bei Apple: Das BSI warnt vor mehreren Sicherheitslücken in iTunes und iCloud auf Windows, sowie dem Mobilbetriebssystem iOS, die es Angreifern ermöglichen, Code auszuführen. Anwender sollten sicherstellen, dass die Updates installiert wurden --------------------------------------------- https://heise.de/-3715077 *** Chrome Browser Hack Opens Door to Credential Theft *** --------------------------------------------- Researchers at DefenseCode claim a vulnerability in Google's Chrome browser allows hackers to steal credentials and launch SMB relay attacks. --------------------------------------------- http://threatpost.com/chrome-browser-hack-opens-door-to-credential-theft/12… *** Cisco Snort++ Protocol Decoder Denial of Service Vulnerabilities *** --------------------------------------------- Two vulnerabilities in the protocol decoders of Snort++ (Snort 3) could allow an unauthenticated, remote attacker to create a Denial of Service (DoS) condition.The vulnerabilities are due to lack of validation in the protocol decoders. An attacker could exploit these vulnerabilities by crafting a malicious packet and sending it through the targeted device. A successful exploit could allow the attacker to cause a DoS condition if the Snort process restarts and traffic inspection is bypassed or [...] --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… *** Indicators Associated With WannaCry Ransomware *** --------------------------------------------- This alert is a follow-up to US-CERT alert TA17-132A Indicators Associated With WannaCry Ransomware, which was originally posted to the US-CERT web site on May 12, 2017. --------------------------------------------- https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-135-01 *** Novell Messenger 3.0.3 P3 *** --------------------------------------------- Abstract: Novell Messenger 3.0.3 P3 has been released. This release only includes fixes for the Linux platform. Please view the Change Log for modifications made to the program. There have also been changes to update security issues with the product. Please see the Security Fix section for details. NOTE: This version is not designed to work with eDir 9. If you require eDir 9 support, contact Micro Focus Technical Support. Document ID: 5296730Security Alert: YesDistribution Type: --------------------------------------------- https://download.novell.com/Download?buildid=U3MFbmzMet0~ *** IDM 4.6 RACF Driver 4.0.3.1 *** --------------------------------------------- Abstract: IDM 4.6 Bi-Directional RACF Driver Version 4.0.3.1. This patch is for the Identity Manager 4.6 RACF Driver. Field patch for IDMLOAD.XMT, SAMPLIB.XMT, RACFEXEC.XMTDocument ID: 5297291Security Alert: YesDistribution Type: Field Test FileEntitlement Required: YesFiles:idm46racf-patch1.tar.gz (2.66 MB)Products:Identity Manager 4.5Identity Manager 4.6Superceded Patches:IDM 4.0.2 RACF Driver Version 4.0.0.11 Patch 3 --------------------------------------------- https://download.novell.com/Download?buildid=LSTFMkrcRo0~ *** Apple Security Updates *** --------------------------------------------- *** macOS Sierra 10.12.5, Security Update 2017-002 El Capitan, and Security Update 2017-002 Yosemite *** https://support.apple.com/kb/HT207797 --------------------------------------------- *** iOS 10.3.2 *** https://support.apple.com/kb/HT207798 --------------------------------------------- *** watchOS 3.2.2 *** https://support.apple.com/kb/HT207800 --------------------------------------------- *** tvOS 10.2.1 *** https://support.apple.com/kb/HT207801 --------------------------------------------- *** iCloud for Windows 6.2.1 *** https://support.apple.com/kb/HT207803 --------------------------------------------- *** Safari 10.1.1 *** https://support.apple.com/kb/HT207804 --------------------------------------------- *** iTunes 12.6.1 for Windows *** https://support.apple.com/kb/HT207805 --------------------------------------------- *** IBM Security Bulletin *** --------------------------------------------- *** IBM Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime affect IBM SPSS Statistics (CVE-2016-5548, CVE-2016-5549, CVE-2016-5547, CVE-2016-2183) *** http://www.ibm.com/support/docview.wss?uid=swg22002966 --------------------------------------------- *** IBM Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU Jan 2017 Includes Oracle Jan 2017 CPU affect Content Collector for SAP Applications *** https://www-01.ibm.com/support/docview.wss?uid=swg22001462 --------------------------------------------- *** IBM Security Bulletin: Multiple Mozilla Firefox vulnerability issues in IBM SONAS *** http://www.ibm.com/support/docview.wss?uid=ssg1S1010199 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in the zlib component affect IBM SPSS Statistics (CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843) *** http://www.ibm.com/support/docview.wss?uid=swg22003212 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Flex System Manager (FSM) *** http://www-01.ibm.com/support/docview.wss?uid=isg3T1025160 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in Informix Dynamic Server and Informix Open Admin Tool *** http://www.ibm.com/support/docview.wss?uid=swg22002897 --------------------------------------------- *** IBM Security Bulletin: Multiple Vulnerabilities in Expat affects HTTP Server shipped with Cloud Orchestrator and Cloud Orchestrator Enterprise (CVE-2016-4472, CVE-2016-0718) *** http://www.ibm.com/support/docview.wss?uid=swg2C1000234 --------------------------------------------- *** IBM Security Bulletin: Apache Commons FileUpload Vulnerabilities IBM WebSphere MQ (CVE-2016-3092) *** http://www.ibm.com/support/docview.wss?uid=swg22001563 --------------------------------------------- *** IBM Security Bulletin: Vulnerability CVE-2017-2619 in Samba affects IBM i *** http://www.ibm.com/support/docview.wss?uid=nas8N1022009 --------------------------------------------- *** IBM Security Bulletin: IBM Tivoli Federated Identity Manager is affected by a missing secure attribute in the encrypted session (SSL) cookie (CVE-2017-1319) *** http://www-01.ibm.com/support/docview.wss?uid=swg22002871 --------------------------------------------- *** IBM Security Bulletin: IBM Tivoli Federated Identity Manager is affected by a cross-site scripting vulnerability (CVE-2017-1320) *** http://www.ibm.com/support/docview.wss?uid=swg22002877 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in GnuTLS and OpenSSL affect IBM Flex System Manager (FSM) (CVE-2016-8610) *** http://www-01.ibm.com/support/docview.wss?uid=isg3T1024887 --------------------------------------------- *** IBM Security Bulletin: A Vulnerability in IBM Java SDK affects IBM Streams (CVE-2016-5546, CVE-2017-3253, CVE-2016-5548, CVE-2016-5549, CVE-2016-5547, CVE-2016-5552, CVE-2016-2183) *** http://www-01.ibm.com/support/docview.wss?uid=swg22002804 ---------------------------------------------

1 0

Tageszusammenfassung - Montag 15-05-2017
by Daily end-of-shift report 15 May '17

15 May '17

======================= = End-of-Shift report = ======================= Timeframe: Freitag 12-05-2017 18:00 − Montag 15-05-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** Ransomware: Experten warnen vor Zahlung der Wanna-Crypt-Erpressersumme *** --------------------------------------------- Experten raten davon ab, im Falle einer Infektion mit Wanna Crypt die geforderten Bitcoins zu zahlen, denn offenbar sind die Angreifer vom Erfolg ihrer Operation überrascht. Ein kostenloses Werkzeug zum Wiederherstellen der Daten ist bislang auch nicht verfügbar. --------------------------------------------- https://www.golem.de/news/ransomware-experten-warnen-vor-zahlung-der-wanna-… *** WannaCry & Co.: So schützen Sie sich *** --------------------------------------------- Nach WannaCry ist vor dem nächsten Erpressungstrojaner. Was Gefährdete jetzt tun sollten, wie Sie sich vor Nachahmern schützen können und welche Optionen bleiben, wenn der Verschlüsselungstrojaner schon zugeschlagen hat. --------------------------------------------- https://heise.de/-3714596 *** Customer Guidance for WannaCrypt attacks *** --------------------------------------------- Microsoft solution available to protect additional products Today many of our customers around the world and the critical systems they depend on were victims of malicious "WannaCrypt" software. Seeing businesses and individuals affected by cyberattacks, such as the ones reported today, was painful. Microsoft worked throughout the day to ensure we understood the attack and... --------------------------------------------- https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-w… *** Security Alert: Uiwix Ransomware Is Here and It Can Be Worse Than Wannacry *** --------------------------------------------- WannaCry distribution may have dropped, but the ransomware pandemic is not over. As we feared in yesterday's alert, another ransomware variant, known as Uiwix, has begun to spread by exploiting the same vulnerability in Windows SMBv1 and SMBv2 as WannaCry used. Cyber criminals are quick to incorporate vulnerabilities, especially when they have huge potential of infection, [...] --------------------------------------------- https://heimdalsecurity.com/blog/security-alert-uiwix-ransomware/ *** Microsoft posts PowerShell script that spawns pseudo security bulletins *** --------------------------------------------- A Microsoft manager this week offered IT administrators a way to replicate -- in a fashion -- the security bulletins the company discarded last month."If you want a report summarizing todays #MSRC security bulletins, heres a script that uses the MSRC Portal API," John Lambert, general manager of the Microsoft Threat Intelligence Center, said in a Tuesday message on Twitter.Lamberts tweet linked to code depository GitHub, where he posted a PowerShell script that polled data using a new [...] --------------------------------------------- http://www.cio.com/article/3196254/windows/microsoft-posts-powershell-scrip… *** WannaCry/WannaCrypt Ransomware Summary, (Mon, May 15th) *** --------------------------------------------- The ransomware was first noticed on Fridayand spread very quickly through many large organizations worldwide [verge]. Unlike prior ransomware, this sample used the SMBv1 ETERNALBLUE exploit to spread. ETERNALBLUE became public about a month ago in April when it was published as part of the Shadowbroker archive of NSA hacking tools [shadow]. A month prior to the release of the hacking tool, Microsoft had patched the vulnerability as part of the March Patch Tuesday release. The patch was released [...] --------------------------------------------- https://isc.sans.edu/diary.html?storyid=22420&rss *** Ein paar Gedanken zu WannaCry *** --------------------------------------------- Wir haben heute unsere offizielle Warnung bezüglich der WannaCry Ransomware veröffentlicht. Ich will in diesem Blogbeitrag ein bisschen Kontext liefern, und etwas strategischer denken. --------------------------------------------- http://www.cert.at/services/blog/20170514232126-2007.html *** DSA-3852 squirrelmail - security update *** --------------------------------------------- Dawid Golunski and Filippo Cavallarin discovered that squirrelmail, awebmail application, incorrectly handled a user-supplied value. Thiswould allow a logged-in user to run arbitrary commands on the server. --------------------------------------------- https://www.debian.org/security/2017/dsa-3852 *** EMC Isilon OneFS NFS Export Upgrade *** --------------------------------------------- Topic: EMC Isilon OneFS NFS Export Upgrade Risk: Medium Text:ESA-2017-027: EMC Isilon OneFS NFS Export Upgrade Vulnerability EMC Identifier: ESA-2017-027 CVE Identifier: CVE-2017-49... --------------------------------------------- https://cxsecurity.com/issue/WLB-2017050087 *** Security Advisory - WannaCry ransomware Vulnerabilities in Microsoft Windows Systems *** --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170513-… *** Security Notice - Statement on "WannaCry ransomware" attacks *** --------------------------------------------- http://www.huawei.com/en/psirt/security-notices/2017/huawei-sn-20170513-01-… *** DRD Agent - Critical - Multiple vulnerabilities - SA-CONTRIB-2017-047 *** --------------------------------------------- Advisory ID: DRUPAL-SA-CONTRIB-2017-047Project: DRD agent (third-party module)Version: 6.x, 7.x, 8.xDate: 2017-May-10Security risk: 19/25 ( Critical) AC:Complex/A:None/CI:All/II:All/E:Theoretical/TD:AllVulnerability: Cross Site Request Forgery, Open RedirectDescriptionThe Drupal Remote Dashboard (DRD) module enables you to manage and monitor any remote Drupal site and, this module, the DRD Agent is the remote module which responds to requests from authorised DRD sites.The module doesnt [...] --------------------------------------------- https://www.drupal.org/node/2877392 *** DSA-3854 bind9 - security update *** --------------------------------------------- Several vulnerabilities were discovered in BIND, a DNS serverimplementation. The Common Vulnerabilities and Exposures projectidentifies the following problems: --------------------------------------------- https://www.debian.org/security/2017/dsa-3854 *** FortiPortal Multiple Vulnerabilities *** --------------------------------------------- Multiple vulnerabilities impacting FortiPortal were disclosed to Fortinet with details as follows:CVE-2017-7337: Improper Access Control allows a user to potentially view firewall policies and objects from a VDOM s/he is not authorized to, enumerate other customer ADOMs and view other customers dataCVE-2017-7338: Application returns password hashes, and passwords for associated FortiAnalyzer devices via the UICVE-2017-7339: Persistent XSS via the Name and Description fields in the pop-up to add [...] --------------------------------------------- http://fortiguard.com/psirt/FG-IR-17-114 *** DFN-CERT-2017-0842: Moodle: Mehrere Schwachstellen ermöglichen u.a. einen Cross-Site-Request-Forgery-Angriff *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0842/ *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Samba vulnerability issue on IBM SONAS (CVE-2016-2125, CVE-2016-2126 ) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1010051 --------------------------------------------- *** IBM Security Bulletin: Multiple Mozilla Firefox vulnerability issues in IBM Storwize V7000 Unified. *** http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009957 --------------------------------------------- *** IBM Security Bulletin: Tomcat apache vulnerability affects IBM Storwize V7000 Unified *** http://www.ibm.com/support/docview.wss?uid=ssg1S1009993 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in IBM Java Runtime affects IBM Storwize V7000 Unified (CVE-2016-5597) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1009995 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in IBM Java SDK affects IBM SONAS (CVE-2016-5597 ) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1009963 --------------------------------------------- *** IBM Security Bulletin: Open Source Apache Struts Vulnerabilities affect IBM Enterprise Records *** https://www-01.ibm.com/support/docview.wss?uid=swg22000471 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in Struts v2 affect IBM Enterprise Records *** https://www-01.ibm.com/support/docview.wss?uid=swg22000469 --------------------------------------------- *** IBM Security Bulletin: IBM Tivoli Federated Identity Manager is affected by an XML External Entity vulnerability (CVE-2016-2908) *** http://www.ibm.com/support/docview.wss?uid=swg22001175 ---------------------------------------------

1 0

Tageszusammenfassung - Freitag 12-05-2017
by Daily end-of-shift report 12 May '17

12 May '17

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 11-05-2017 18:00 − Freitag 12-05-2017 18:00 Handler: Olaf Schwarz Co-Handler: Stephan Richter *** Telefonica Tells Employees to Shut Down Computers Amid Massive Ransomware Outbreak *** --------------------------------------------- A ransomware outbreak is wreaking havoc all over the world, but especially in Spain, where Telefonica - one of the countrys biggest telecommunications companies - has fallen victim, and its IT staff is desperately telling employees to shut down computers and VPN connections in order to limit the ransomwares reach. --------------------------------------------- https://www.bleepingcomputer.com/news/security/telefonica-tells-employees-t… *** NHS hit by ransomware attack, hospitals across country shutting down *** --------------------------------------------- GP told of National hack of the computer health care system Updated Multiple NHS hospitals have shut down systems and are telling patients not to come in due to what is being described as a massive nationwide cyber attack. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2017/05/12/nhs_hospita… *** Jaff argh snakes: 5m emails/hour ransomware floods inboxes *** --------------------------------------------- Locky-style nasty will squeeze you for two whole bitcoins The Necurs botnet has been harnessed to fling a new strain of ransomware dubbed "Jaff". --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2017/05/12/jaff_ransom… *** When Bad Guys are Pwning Bad Guys..., (Fri, May 12th) *** --------------------------------------------- A few months ago, I wrote a diary about webshells[1] and the numerous interesting features they offer. Theyre plenty of web shells available, there are easy to find and install. They are usually delivered as one big obfuscated (read: Base64, ROT13 encoded and gzip'd) PHP file that can be simply dropped on a compromised computer. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=22410 *** Sicherheitslücke: Fehlerhaft konfiguriertes Git-Verzeichnis bei Redcoon *** --------------------------------------------- Was haben der Online-Händler Redcoon und die Volksverschlüsselung gemeinsam? Ein unsicher konfiguriertes Git-Repository. Immer wieder machen Webseitenbetreiber denselben Fehler. (Security, API) --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-fehlerhaft-konfiguriertes-git-v… *** HP Releases Driver Update to Remove Accidental Keylogger *** --------------------------------------------- HP has issued an update to remove a keylogging mechanism found in the audio drivers included with some of its high-end laptops. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/hardware/hp-releases-driver-update-to… *** Phoenix Contact GmbH mGuard *** --------------------------------------------- This advisory contains mitigation details for resource exhaustion and improper authentication vulnerabilities in Phoenix Contact GmbH's mGuard network device. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-131-01 *** Satel Iberia SenNet Data Logger and Electricity Meters *** --------------------------------------------- This advisory contains mitigation details for a command injection vulnerability in Satel Iberia's SenNet Data Logger and Electricity Meters. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-131-02 *** HPE Intelligent Management Center (iMC) PLAT, Remote Code Execution *** --------------------------------------------- HPESBHF03743 rev.1 - A potential security vulnerability has been identified in HPE Intelligent Management Center (iMC) PLAT. The vulnerability could be exploited remotely to allow execution of code. --------------------------------------------- http://h20566.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf0374… *** DSA-3849 kde4libs - security update *** --------------------------------------------- Several vulnerabilities were discovered in kde4libs, the core librariesfor all KDE 4 applications. The Common Vulnerabilities and Exposuresproject identifies the following problems: --------------------------------------------- https://www.debian.org/security/2017/dsa-3849 *** PostgreSQL 2017-05-11 Security Update Release *** --------------------------------------------- Three security vulnerabilities have been closed by this release: CVE-2017-7484: selectivity estimators bypass SELECT privilege checks, CVE-2017-7485: libpq ignores PGREQUIRESSL environment variable, CVE-2017-7486: pg_user_mappings view discloses foreign server passwords --------------------------------------------- https://www.postgresql.org/about/news/1746/ *** IBM Security Bulletin: Financial Transaction Manager for Corporate Payment Services potential Cross Site Scripting vulnerabilities (CVE-2017-1160) *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22001575 *** IBM Security Bulletin: Vulnerability in the OpenSSL library affects IBM Tealeaf Customer Experience PCA (CVE-2017-3730). *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22000513 *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Financial Transaction Manager for Corporate Payment Services *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22001540 *** IBM Security Bulletin: Information disclosure vulnerability affects multiple IBM Rational products based on IBM Jazz technology (CVE-2016-9735) *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22003064 *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Developer for i, Rational Developer for AIX and Linux, Rational Developer for Power Systems Software *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22003204

1 0

Tageszusammenfassung - Donnerstag 11-05-2017
by Daily end-of-shift report 11 May '17

11 May '17

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 10-05-2017 18:00 − Donnerstag 11-05-2017 18:00 Handler: Olaf Schwarz Co-Handler: Alexander Riepl *** Cisco WebEx Meetings Server Information Disclosure Vulnerability *** --------------------------------------------- A vulnerability in Cisco WebEx Meetings Server could allow unauthenticated, remote attackers to gain information that could allow them to access scheduled customer meetings. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… *** Google Wont Patch A Critical Android Flaw Before 'Android O' Release *** --------------------------------------------- Millions of Android smartphones are at serious risk of "screen hijack" vulnerability that allows hackers to steal your passwords, bank details, as well as helps ransomware apps extort money from victims. The worse thing is that Google says it wont be patched until the release of Android O version .. --------------------------------------------- http://thehackernews.com/2017/05/android-permissions-vulnerability.html *** Microsoft Bans SHA-1 Certificates in Edge and Internet Explorer *** --------------------------------------------- Starting yesterday, via updates delivered in the May 2017 Patch Tuesday, Microsoft browsers such as Edge and Internet Explorer, have begun flagging websites as insecure if they use SSL/TLS certificates signed with the SHA-1 algorithm. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-bans-sha-1-certifi… *** Most companies falsely believe their Active Directory is secure *** --------------------------------------------- A majority of companies falsely believe their Active Directory (AD) is secure, according to a new survey conducted jointly by Skyport Systems and Redmond Magazine. The response from more than 300 IT professionals located in North America revealed that AD security is in fact underperforming at those companies participating in the survey, leaving organizations open to attack from outside hackers and insider threats. --------------------------------------------- https://www.helpnetsecurity.com/2017/05/11/active-directory-insecurity/ *** Bugtraq: ESA-2017-017: RSA Adaptive Authentication (On-Premise) Cross-Site Scripting Vulnerability *** --------------------------------------------- http://www.securityfocus.com/archive/1/540552 *** HP-Notebooks: Audio-Treiber belauscht Tastatur *** --------------------------------------------- Bei der Sicherheits-Analyse von HP-Business-Notebooks stießen Sicherheitsforscher auf ein merkwürdiges Keylogging. Dabei schreibt der Audio-Treiber alle Tastatureingaben einschließlich der Passwörter des Anwenders in eine öffentlich lesbare Datei. --------------------------------------------- https://heise.de/-3710250 *** Chainsaw of Custody: Manipulating forensic evidence the easy way *** --------------------------------------------- When it comes to computer forensics, or for that matter forensics in general, one of the main challenges is to ensure that evidence that is collected is not tampered with. To achieve this, computer forensic experts adhere to a strict protocol and use many specialized .. --------------------------------------------- http://blog.sec-consult.com/2017/05/chainsaw-of-custody-manipulating.html *** DFN-CERT-2017-0825/">NVIDIA GPU-Treiber: Mehrere Schwachstellen ermöglichen u.a. das Eskalieren von Privilegien *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0825/ *** Edge Security Flaw Allows Theft of Facebook and Twitter Credentials *** --------------------------------------------- Argentinian security researcher Manuel Caballero has discovered another vulnerability in Microsofts Edge browser that can be exploited to bypass a security protection feature and steal data such as passwords from other sites, or cookie files that contain sensitive information. --------------------------------------------- https://www.bleepingcomputer.com/news/security/edge-security-flaw-allows-th… *** Analyzing the doublepulsar kernel dll injection technique *** --------------------------------------------- Like many in the security industry, we have been busy the last few days investigating the implications of the Shadow Brokers leak with regard to attack detection. Whilst there is a lot of interesting content, one particular component that attracted our attention initially was the DOUBLEPULSAR payload. This is because it .. --------------------------------------------- https://www.countercept.com/our-thinking/analyzing-the-doublepulsar-kernel-… *** Asus-Router können beim Vorbeisurfen im Netz gekapert werden *** --------------------------------------------- Eine ganze Reihe Router der RT-Serie von Asus beinhalten eine CSRF-Lücke und weitere Schwachstellen, die es unter Umständen möglich machen, die Einstellungen des Gerätes aus dem Web zu ändern. Updates stehen bereit. --------------------------------------------- https://heise.de/-3712001 *** OpenVPN 2.4.1: Quarkslab and Cryptography Engineering LCC audit overview *** --------------------------------------------- OpenVPN 2.4.1 was simultaneously reviewed by Quarkslab (funded by OSTIF) and Cryptography Engineering LCC (funded by Private Internet Access). The reports have been published on OSTIFs and PIAs web pages [..] This page lists the findings in their respective reports and shows how the issues were resolved. --------------------------------------------- https://community.openvpn.net/openvpn/wiki/QuarkslabAndCryptographyEngineer…

1 0

Tageszusammenfassung - Mittwoch 10-05-2017
by Daily end-of-shift report 10 May '17

10 May '17

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 09-05-2017 18:00 − Mittwoch 10-05-2017 18:00 Handler: Olaf Schwarz Co-Handler: Alexander Riepl *** EPS Processing Zero-Days Exploited by Multiple Threat Actors *** --------------------------------------------- In 2015, FireEye published details about two attacks exploiting vulnerabilities in Encapsulated PostScript (EPS) of Microsoft Office. One was a zero-day and one was patched weeks before the attack launched. Recently, FireEye identified three new zero-day vulnerabilities in Microsoft Office products that are being exploited in the wild. --------------------------------------------- http://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-day… *** Persirai: Mehr als 100.000 IP-Kameras für neues IoT-Botnetz verwundbar *** --------------------------------------------- Derzeit entsteht ein neues IoT-Botnetz, das bislang aber noch keine Angriffe durchgeführt hat. Die Malware zur Infektion nutzt eine im März veröffentlichte Sicherheitslücke aus. --------------------------------------------- https://www.golem.de/news/persirai-mehr-als-100-000-ip-kameras-fuer-neues-i… *** Git Shell Bypass By Abusing Less (CVE-2017-8386) *** --------------------------------------------- The git-shell is a restricted shell maintained by the git developers and is meant to be used as the upstream peer in a git remote session over a ssh tunnel. The basic idea behind this shell is to restrict the allowed commands in a ssh session to the ones required by git which are as follows .. --------------------------------------------- https://insinuator.net/2017/05/git-shell-bypass-by-abusing-less-cve-2017-83… *** [2017-05-10] Insecure Handling Of URI Schemes in Microsoft OneDrive iOS App *** --------------------------------------------- Due to the lack of URI scheme validation, any external URI scheme can be invoked by the Microsoft OneDrive iOS application with out any user interaction. --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2017… *** Patchday: Internet Explorer, Office und Windows im Visier von Hackern *** --------------------------------------------- Nach dem Notfall-Patch für Windows stellt Microsoft zum gewohnten Termin weitere als kritisch eingestufte Sicherheitsupdates bereit. Angreifer nutzen derzeit diverse Lücken aktiv aus. --------------------------------------------- https://heise.de/-3709022 *** Cisco: Kritische Sicherheitslücke in mehreren Switches behoben *** --------------------------------------------- Dank CIA-Tools auf Wikileaks ein Leichtes: Über einen Fehler in IOS-Switches konnte Schadcode selbst von Amateuren direkt auf dem Gerät ausgeführt werden. Damit ist jetzt Schluss, denn Cisco hat diesen Fehler offenbar behoben. --------------------------------------------- https://www.golem.de/news/cisco-kritische-sicherheitsluecke-in-mehreren-swi… *** Feature, not bug: DNSAdmin to DC compromise in one line *** --------------------------------------------- In addition to implementing their own DNS server, Microsoft has also implemented their own management protocol for that server, to allow for easy management and integration with Active Directory domains [...] We will shallowly delve into the protocol's implementation and detail a cute feature (certainly not a bug!) which allows us, under some circumstances, to run code as SYSTEM on domain controllers, without being a domain admin. --------------------------------------------- https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-… *** Identifying Sources of Leaks with the Gmail "+" Feature *** --------------------------------------------- For years, Google is offering two nice features with his gmail.com platform to gain more power of your email address. You can play with the "+" (plus) sign or "." (dot) to create more email addresses linked to your primary one. Let's take an example with John who's the owner .. --------------------------------------------- https://blog.rootshell.be/2017/05/10/identifying-sources-leaks-gmail-featur… *** IBM Security Bulletin: IBM i is affected by networking BIND vulnerabilities (CVE-2017-3136, CVE-2017-3137 and CVE-2017-3138) *** http://www.ibm.com/support/docview.wss?uid=nas8N1021999 --------------------------------------------- *** IBM Security Bulletin: Mozilla Firefox vulnerability issues in IBM SONAS *** http://www.ibm.com/support/docview.wss?uid=ssg1S1009964 --------------------------------------------- *** IBM Security Bulletin: Multiple Apache Tomcat vulnerabilities affect IBM SONAS. *** http://www.ibm.com/support/docview.wss?uid=ssg1S1009960 --------------------------------------------- *** IBM Security Bulletin: IBM WebSphere Cast Iron Solution is affected by Apache Tomcat vulnerabilities *** http://www-01.ibm.com/support/docview.wss?uid=swg22002522 ---------------------------------------------

1 0

Tageszusammenfassung - Dienstag 9-05-2017
by Daily end-of-shift report 09 May '17

09 May '17

======================= = End-of-Shift report = ======================= Timeframe: Montag 08-05-2017 18:00 − Dienstag 09-05-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** SAP Security Patch Day - May 2017 *** --------------------------------------------- This post by SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that [...] --------------------------------------------- https://blogs.sap.com/2017/05/09/sap-security-patch-day-may-2017/ *** Project Zero: Microsofts Antivirensoftware gefährdet Windows-Nutzer *** --------------------------------------------- Googles Project Zero hat eine schwerwiegende Sicherheitslücke in der Anti-Viren-Engine von Microsoft entdeckt. Schuld daran ist die simulierte Ausführung von Javascript-Code ohne Sandbox. --------------------------------------------- https://www.golem.de/news/project-zero-microsofts-antivirensoftware-gefaehr… *** Defeating Magento security mechanisms: Attacks used in the real world *** --------------------------------------------- DefenseCode recently discovered and reported multiple stored cross-site scripting and cross-site request forgery vulnerabilities in Magento 1 and 2 which will be addressed in one of the future patches. In light of these findings, this article describes examples of several attacks used in the real world that combine common vulnerabilities with faulty security mechanisms in Magento, leading to an unfavourable outcome. Examples will be aimed at Magento 2, but most of them can be applied [...] --------------------------------------------- https://www.helpnetsecurity.com/2017/05/09/defeating-magento-security/ *** Zeit für eine AMTshandlung? *** --------------------------------------------- Letzte Woche veröffentlichte Intel ein Advisory über eine Schwachstelle in "Intel Active Management Technology", kurz AMT. Besagte Schwachstelle erlaubt einem Angreifer, auf einem Rechner mit aktiviertem AMT, die Zugriffskontrollen für eben jenes auszuhebeln, und so administrativen Zugriff zu erlangen - [...] --------------------------------------------- http://www.cert.at/services/blog/20170508175554-1982.html *** [2017-05-09] Multiple vulnerabilities in I, Librarian PDF manager *** --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2017… *** Bugtraq: ESA-2017-035: EMC Mainframe Enablers ResourcePak Base privilege management vulnerability *** --------------------------------------------- http://www.securityfocus.com/archive/1/540531 *** Security Update for Microsoft Malware Protection Engine *** --------------------------------------------- The update addresses a vulnerability that could allow remote code execution if the Microsoft Malware Protection Engine scans a specially crafted file. An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system. --------------------------------------------- https://technet.microsoft.com/en-us/library/security/4022344 *** Security Bulletin posted for Adobe Flash Player and Adobe Experience Manager Forms *** --------------------------------------------- Adobe has published security bulletins for Adobe Flash Player (APSB17-15) and Adobe Experience Manager Forms (APSB17-16). Adobe recommends users update their product installations to the latest versions using the instructions referenced in the relevant bulletin. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1465 *** Vuln: Trend Micro Threat Discovery Appliance CVE-2016-8591 Command Injection Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/98343 *** Vuln: Trend Micro Threat Discovery Appliance CVE-2016-8592 Command Injection Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/98345 *** Cisco IOS and IOS XE Software Simple Network Management Protocol Subsystem Denial of Service Vulnerability *** --------------------------------------------- A vulnerability in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and IOS XE Software could allow an authenticated, remote attacker to cause a denial of service (DoS) condition.The vulnerability is due to a race condition that could occur when the affected software processes an SNMP read request that contains certain criteria for a specific object ID (OID) and an active crypto session is disconnected on an affected device. An attacker who can authenticate [...] --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… *** F5 Security Advisories *** --------------------------------------------- *** NTP vulnerability CVE-2017-6451 *** https://support.f5.com/csp/article/K32262483 --------------------------------------------- *** NTP vulnerability CVE-2017-6462 *** https://support.f5.com/csp/article/K07082049 --------------------------------------------- *** NTP vulnerability CVE-2017-6458 *** https://support.f5.com/csp/article/K99254031 --------------------------------------------- *** NTP vulnerability CVE-2017-6460 *** https://support.f5.com/csp/article/K31310492 --------------------------------------------- *** NTP vulnerability CVE-2017-6464 *** https://support.f5.com/csp/article/K96670746 --------------------------------------------- *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities may affect IBM SDK, Java Technology Edition *** https://www.ibm.com/support/docview.wss?uid=swg22002169 --------------------------------------------- *** IBM Security Bulletin: Security vulnerability affects the Lifecycle Query Engine (LQE) that is shipped with Jazz Reporting Service (CVE-2017-1095) *** http://www-01.ibm.com/support/docview.wss?uid=swg22001006 --------------------------------------------- *** IBM Security Bulletin: Security vulnerability affects the Lifecycle Query Engine (LQE) that is shipped with Jazz Reporting Service (CVE-2017-1094) *** http://www-01.ibm.com/support/docview.wss?uid=swg22001002 --------------------------------------------- *** IBM Security Bulletin: There are multiple vulnerabilities in IBM Java Runtime and Apache Tomcat that affect IBM Cognos Business Viewpoint *** http://www.ibm.com/support/docview.wss?uid=swg22003122 --------------------------------------------- *** IBM Security Bulletin: Secure properties can be shown in plain text in IBM UrbanCode Deploy (CVE-2016-9007) *** http://www-01.ibm.com/support/docview.wss?uid=swg2C1000236 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Business Developer *** http://www.ibm.com/support/docview.wss?uid=swg22002667 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Rational Application Developer for WebSphere Software *** http://www-01.ibm.com/support/docview.wss?uid=swg22003145 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in the SQLite component of the Response Time agent affects IBM Performance Management products (CVE-2016-6153) *** http://www.ibm.com/support/docview.wss?uid=swg22000836 ---------------------------------------------

1 0

Tageszusammenfassung - Montag 8-05-2017
by Daily end-of-shift report 08 May '17

08 May '17

======================= = End-of-Shift report = ======================= Timeframe: Freitag 05-05-2017 18:00 − Montag 08-05-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** Intels ME-Sicherheitslücke: Tipps und Links *** --------------------------------------------- Praxistipps zu der am 1. Mai von Intel gemeldeten Sicherheitslücke in der Firmware der Management Engine vieler Desktop-PCs, Server und Notebooks. --------------------------------------------- https://heise.de/-3704563 *** Researchers Disclose Intel AMT Flaw Research *** --------------------------------------------- Security firm Embedi releases further details on the Intel AMT flaw, revealing how it can be exploited and how potentially dangerous it can be. --------------------------------------------- http://threatpost.com/researchers-disclose-intel-amt-flaw-research/125503/ *** Dell patches AMT-vulnerable systems *** --------------------------------------------- BIOS fixes for most boxen landed Friday Dell, which last week was scrambling to work out which of its systems are affected by the Intel AMT vulnerability, has caught up with peers HP Inc, Lenovo and Fujitsu. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2017/05/07/dell_patche… *** Hacker-Wettbewerb: Cyber Security Challenge startet *** --------------------------------------------- Zahlreiche Teilnehmer der vergangenen Jahre haben über den Hacker-Wettbewerb Jobs in der Security-Branche gefunden. Heuer wird erstmals auch eine Starter Challenge angeboten. --------------------------------------------- https://futurezone.at/digital-life/hacker-wettbewerb-cyber-security-challen… *** Emsisoft Releases a Decryptor for the Amnesia Ransomware *** --------------------------------------------- On Satruday, Emsisofts CTO and malware researcher Fabian Wosar released a decryptor for the Amnesia Ransomware. This ransomware was first spotted in early May and has had one other variant released. It was named Amnesia based on the extension appended to encrypted files by the first variant. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/emsisoft-releases-a-decrypto… *** Exploring a P2P Transient Botnet - From Discovery to Enumeration, (Mon, May 8th) *** --------------------------------------------- [This is a guest diary by Renato Marinho of Morphus Labs. If you are interested in writing a guest diary: please send suggestions to us via our contact page] 1. Introduction We recently deployed a high interaction honeypotsexpecting it to be compromised by a specific malware. But in the first few days, instead of getting infected by the expected malware, it received a variety of attacks ranging from SSH port forwarding to Viagra and Cialis SPAM to XORDDoS failed deployment attempts. By the [...] --------------------------------------------- https://isc.sans.edu/diary.html?storyid=22392&rss *** Phishingversuch bei willhaben-Kunden *** --------------------------------------------- Nutzer/innen von willhaben erhalten eine WhatsApp-Nachricht, die angeblich von der Kleinanzeigenplattform stammt. --------------------------------------------- https://www.watchlist-internet.at/phishing/phishingversuch-bei-willhaben-ku… *** In eigener Sache: CERT.at sucht Verstärkung *** --------------------------------------------- Für unser "Daily Business" suchen wir derzeit 1 Berufsein- oder -umsteiger/in mit ausgeprägtem Interesse an IT-Security, welche/r uns bei den täglich anfallenden Standard-Aufgaben unterstützt. Details finden sich [...] --------------------------------------------- http://www.cert.at/services/blog/20170508172334-1993.html *** DFN-CERT-2017-0796: Nextcloud: Mehrere Schwachstellen ermöglichen u.a. das Ausspähen von Informationen *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0796/ *** Vuln: Panda Mobile Security for iOS CVE-2017-8060 TLS Certificate Validation Security Bypass Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/98327 *** HPESBGN03740 rev.1 - HPE Network Automation, Multiple Remote Vulnerabilities *** --------------------------------------------- Potential security vulnerabilities have been identified in HPE Network Automation. The vulnerabilities could be remotely exploited to allow SQL injection, code execution, information disclosure, authentication bypass, elevated privilege execution, and invalid session management. --------------------------------------------- http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbgn0374… *** BlackBerry powered by Android Security Bulletin - May 2017 *** --------------------------------------------- BlackBerry has released a security update to address multiple vulnerabilities in BlackBerry powered by Android smartphones. We recommend users update to the latest available software build. BlackBerry releases security bulletins to notify users of its Android smartphones about available security fixes; see BlackBerry.com/bbsirt for a complete list of monthly bulletins. This advisory is in response to the Android Security Bulletin (May 2017) and addresses issues in that bulletin that affect [...] --------------------------------------------- http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber… *** Bugtraq: CA20170504-01: Security Notice for CA Client Automation OS Installation Management *** --------------------------------------------- http://www.securityfocus.com/archive/1/540524 *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Explorer for z/OS V3.0.1 (CVE-2016-5548 and CVE-2016-5549) *** --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22002413 *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Tivoli Netcool Configuration Manager (ITNCM) (CVE-2016-5597, CVE-2016-5542) *** --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg21994526 *** Siemens Security Advisories *** --------------------------------------------- *** SSA-701708 (Last Update 2017-05-08): Local Privilege Escalation in Industrial Products *** https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-701708… --------------------------------------------- *** SSA-156872 (Last Update 2017-05-08): Vulnerability in SIMATIC WinCC and SIMATIC WinCC Runtime Professional *** https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-156872… --------------------------------------------- *** SSA-275839 (Last Update 2017-05-08): Denial-of-Service Vulnerability in Industrial Products *** https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-275839… --------------------------------------------- *** SSA-293562 (Last Update 2017-05-08): Vulnerabilities in Industrial Products *** https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-293562… --------------------------------------------- *** SSA-731239 (Last Update 2017-05-08): Vulnerabilities in SIMATIC S7-300 and S7-400 CPUs *** https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-731239… --------------------------------------------- *** F5 Security Advisories *** --------------------------------------------- *** BIG-IP APM redirect vulnerability CVE-2017-0302 *** https://support.f5.com/csp/article/K87141725 --------------------------------------------- *** Insufficient validation of ICMP error messages CVE-2004-0790 (11.x - 13.x) *** https://support.f5.com/csp/article/K23440942 --------------------------------------------- *** BIG-IP management vulnerability CVE-2017-9250 *** https://support.f5.com/csp/article/K55792317 --------------------------------------------- *** iControl REST vulnerability CVE-2016-9251 *** https://support.f5.com/csp/article/K41107914 --------------------------------------------- *** Linux kernel vulnerability CVE-2017-2647 *** https://support.f5.com/csp/article/K32115847 --------------------------------------------- *** Websocket profile vulnerability CVE-2016-9253 *** https://support.f5.com/csp/article/K51351360 --------------------------------------------- *** TMM vulnerability CVE-2017-6137 *** https://support.f5.com/csp/article/K82851041 --------------------------------------------- *** BIG-IP APM XSS vulnerability CVE-2016-9257 *** https://support.f5.com/csp/article/K43523962 --------------------------------------------- *** Multiple Oracle MySQL vulnerabilities *** https://support.f5.com/csp/article/K77508618 ---------------------------------------------

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily