=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 28-06-2017 18:00 − Donnerstag 29-06-2017 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Petya/NotPetya: Kein Erpressungstrojaner sondern ein "Wiper" ***
---------------------------------------------
Nach eingehenden Analysen des Schädlings NotPetya sind sich die meisten Experten einig: Der Schädling hatte es nicht auf Geld abgesehen sondern auf Randale, sprich: auf möglichst großen Datenverlust bei den Opfern.
---------------------------------------------
https://heise.de/-3759293
*** Update on Petya malware attacks ***
---------------------------------------------
As happened recently with WannaCrypt, we again face a malicious attack in the form of ransomware, Petya. In early reports, there was a lot of conflicting information reported on the attacks, including conflation of unrelated and misleading pieces of data, so Microsoft teams mobilized to investigate and analyze, enabling our Malware Protection team to release...
---------------------------------------------
https://blogs.technet.microsoft.com/msrc/2017/06/28/update-on-petya-malware…
*** Websites Grabbing User-Form Data Before Its Submitted ***
---------------------------------------------
Websites are sending information prematurely:...we discovered NaviStones code on sites run by Acurian, Quicken Loans, a continuing education center, a clothing store for plus-sized women, and a host of other retailers. Using Javascript, those sites were transmitting information from people as soon as they typed or auto-filled it into an online form. That way, the company would have it even if those people immediately changed their minds and closed the page.This is important because it goes [...]
---------------------------------------------
https://www.schneier.com/blog/archives/2017/06/websites_grabbi.html
*** Microsoft Announces "Controlled Folder Access" to Fend Off Crypto-Ransomware ***
---------------------------------------------
This fall, Microsoft plans to release a new Windows Defender feature called Controlled Folder Access, which blocks and blacklists unauthorized apps from making changes to files located inside specially-designated folders. [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-announces-control…
*** DFN-CERT-2017-1124: Red Hat JBoss Enterprise Application Platform: Mehrere Schwachstellen ermöglichen u.a. verschiedene Denial-of-Service-Angriffe ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1124/
*** Symantec Management Console XSS/XXE Issues ***
---------------------------------------------
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se…
*** Kaspersky Anti-Virus for Linux File Server Multiple Flaws Let Remote Users Conduct Cross-Site Scripting and Cross-Site Request Forgery Attacks, Remote Authenticated Users View Files on the Target System, and Local Users Gain Elevated Privileges ***
---------------------------------------------
http://www.securitytracker.com/id/1038798
*** Bugtraq: ESA-2017-062: VASA Provider Virtual Appliance Remote Code Execution Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/540783
*** 2017-06-16 (updated 2017-06-27): Cyber Security Notification - CrashOverride/Industroyer Malware ***
---------------------------------------------
http://search.abb.com/library/Download.aspx?DocumentID=9AKK107045A1003&Lang…
*** SMTP - Moderatley Critical - Information Disclosure - SA-CONTRIB-2017-055 ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2017-055Project: SMTP Authentication Support (third-party module)Version: 7.x, 8.xDate: 2017-June-28Security risk: 10/25 ( Moderately Critical) AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:UncommonVulnerability: Information DisclosureDescriptionThis SMTP module enables you to send mail using a third party (non-system) mail service instead of the local system mailer included with Drupal. When this module is in debugging mode, it will log privileged [...]
---------------------------------------------
https://www.drupal.org/node/2890357
*** Services - Critical - SQL Injection - SA-CONTRIB-2017-054 ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2017-054Project: Services (third-party module)Version: 7.xDate: 2017-June-28Security risk: 19/25 ( Critical) AC:None/A:User/CI:All/II:All/E:Theoretical/TD:DefaultVulnerability: SQL InjectionDescriptionThis module provides a standardized solution for building APIs so that external clients can communicate with Drupal.The module doesnt sufficiently sanitize column names provided by the client when they are querying for data and trying to sort it.This vulnerability is [...]
---------------------------------------------
https://www.drupal.org/node/2890353
*** IBM Security Bulletin: Vulnerabilities in IBM Java SDK affecting IBM Application Delivery Intelligence v1.0.1, v1.0.1.1, v1.0.2 and v5.0.2. (CVE-2017-3539, CVE-2016-9840, CVE-2016-9841,CVE-2016-9842, CVE-2016-9843) ***
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22005365
*** IBM Security Bulletin: Cross-Site Scripting Vulnerability in IBM WebSphere Portal (CVE-2017-1217) ***
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22004348
*** IBM Security Bulletin: Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect AIX (CVE-2017-3514, CVE-2017-3512, CVE-2017-3511, CVE-2017-3509, CVE-2017-3544, CVE-2017-3533, CVE-2017-3539, CVE-2017-1289, CVE-2016-9840, CVE-2016-9841, ***
---------------------------------------------
http://aix.software.ibm.com/aix/efixes/security/java_apr2017_advisory.asc
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 27-06-2017 18:00 − Mittwoch 28-06-2017 18:00
Handler: Stephan Richter
Co-Handler: Alexander Riepl
*** Newport XPS-Cx, XPS-Qx ***
---------------------------------------------
This advisory contains mitigation details for an improper authentication vulnerability in the Newport XPS-Cx and XPS-Qx controllers.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-17-178-01
*** Schroedinger’s Pet(ya) ***
---------------------------------------------
Earlier today (June 27th), we received reports about a new wave of ransomware attacks spreading around the world, primarily targeting businesses in Ukraine, Russia and Western Europe. Our investigation is ongoing and our findings are far from final at this time. Despite rampant public speculation, the following is what we can confirm from our independent analysis.
---------------------------------------------
http://securelist.com/schroedingers-petya/78870/
*** Microsoft bringing EMET back as a built-in part of Windows 10 ***
---------------------------------------------
The built-in exploit mitigations are getting stronger and easier to configure.
---------------------------------------------
https://arstechnica.com/?p=1124813
*** Citrix XenServer Multiple Security Updates ***
---------------------------------------------
A number of security issues have been identified within Citrix XenServer. These issues could, if exploited, allow a malicious administrator of a guest VM to compromise the host. The issues ..
---------------------------------------------
https://support.citrix.com/article/CTX224740
*** New ransomware, old techniques: Petya adds worm capabilities ***
---------------------------------------------
On June 27, 2017 reports of a ransomware infection began spreading across Europe. We saw the first infections in Ukraine, where more than 12,500 machines encountered the ..
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-tech…
*** DFN-CERT-2017-1114/">systemd: Eine Schwachstelle ermöglicht einen Denial-of-Service-Angriff und die Ausführung beliebigen Programmcodes ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1114/
*** DFN-CERT-2017-1112/">Microsoft Azure Active Directory (AD) Connect: Eine Schwachstelle ermöglicht eine Privilegieneskalation ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1112/
*** DSA-3900 openvpn - security update ***
---------------------------------------------
Several issues were discovered in openvpn, a virtual private network application.
---------------------------------------------
https://www.debian.org/security/2017/dsa-3900
*** Security Advisory - DoS Vulnerability of isub Service in Some Huawei Smartphones ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170628-…
*** HPESBGN03763 rev.1 - HPE SiteScope, Disclosure of Sensitive Information, Bypass Security Restriction, Remote Arbitrary Code Execution ***
---------------------------------------------
Potential security vulnerabilities have been identified in HPE SiteScope. The vulnerabilities could be exploited to allow disclosure of sensitive information, bypass security restriction, and remote arbitrary code execution.
---------------------------------------------
http://h20566.www2.hpe.com/hpsc/doc/public/display?docId=hpesbgn03763en_us
*** Linux-Kernel-Security: Torvalds bezeichnet Grsecurity als "Müll" ***
---------------------------------------------
Mit seinem wie üblich wenig diplomatischen Feingefühl machte Kernel-Chefhacker Linus Torvalds auf der Kernel-Mailingliste deutlich, was er von dem auf Sicherheit fokussierten ..
---------------------------------------------
https://www.golem.de/news/linux-kernel-security-torvalds-bezeichnet-grsecur…
*** Stupidly Simple DDoS Protocol (SSDP) generates 100 Gbps DDoS ***
---------------------------------------------
Last month we shared statistics on some popular reflection attacks. Back then the average SSDP attack size was ~12 Gbps and largest SSDP reflection we recorded was:30 Mpps (millions of packets per second)80 ..
---------------------------------------------
https://blog.cloudflare.com/ssdp-100gbps/
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 26-06-2017 18:00 − Dienstag 27-06-2017 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Petya Ransomware Outbreak ***
---------------------------------------------
Heute hat es in mehreren Firmen in Europa IT-Ausfälle durch Ransomware gegeben. Dabei dürfte die Ransomware auch ein "lateral movement" innerhalb einer Organisation durchführen, und so eine breitflächige Infektion und damit Verschlüsselung erreichen. Die Faktenlage zu den genauen Vektoren, sowohl für die initiale Infektion, als auch für die Weiterverbreitung innerhalb des lokalen Netzes, ist noch sehr dünn und [...]
---------------------------------------------
http://www.cert.at/services/blog/20170627170903-2046.html
*** Second Global Ransomware Outbreak Under Way ***
---------------------------------------------
A massive ransomware outbreak is spreading globally and being compared to WannaCry.
---------------------------------------------
http://threatpost.com/second-global-ransomware-outbreak-under-way/126549/
*** E-Mails über angebliche Verkehrsstrafen ***
---------------------------------------------
E-Mails über angebliche Verkehrsstrafen – ACHTUNG: dahinter verbirgt sich Schadsoftware
---------------------------------------------
http://www.bmi.gv.at/cms/BK/betrug/files/2762017_E_Mails_ber_angebliche_Ver…
*** How Spora ransomware tries to fool antivirus ***
---------------------------------------------
Spora ransomware is back and its trying to confuse antivirus products and email filters.
---------------------------------------------
http://feedproxy.google.com/~r/nakedsecurity/~3/fpIDs0aHpNY/
*** $1 Million Ransomware Payment Has Spurred New DDoS-for-Bitcoin Attacks ***
---------------------------------------------
The $1 million ransom payment paid last week by South Korean web hosting company Nayana has sparked new extortion attempts on South Korean companies. [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/security/-1-million-ransomware-paymen…
*** How Not to Encrypt a File - Courtesy of Microsoft ***
---------------------------------------------
A client recently sent me a crypto spec which involved some, how do I say, suboptimal use of crypto primitives. They're .Net users so I decided to search for a nice msdn crypto reference to set them straight. Instead I found the likely culprit behind their confusion.
---------------------------------------------
https://medium.com/@bob_parks1/how-not-to-encrypt-a-file-courtesy-of-micros…
*** New Shifr RaaS Lets Any Dummy Enter the Ransomware Business ***
---------------------------------------------
Several security researchers have spotted a new Ransomware-as-a-Service (RaaS) portal over the weekend that lets anyone generate their own ransomware executable just by filling in three form fields and pressing a button. [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-shifr-raas-lets-any-dumm…
*** What's new in Windows Defender ATP Fall Creators Update ***
---------------------------------------------
When we introduced Windows Defender Advanced Threat Protection (Windows Defender ATP), our initial focus was to reduce the time it takes companies to detect, investigate, and respond to advanced attacks. The Windows Fall Creators Update represents a new chapter in our product evolution as we offer a set of new prevention capabilities designed to stop...
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2017/06/27/whats-new-in-windows-de…
*** Micro Focus GroupWise Mobility Service 2014 R2 Support Pack 2 Hot Patch 2 ***
---------------------------------------------
Abstract: Micro Focus GroupWise Mobility Service 2014 R2 Support Pack 2 HP2 has been released. Please see the details section below for installation instructions and the change log section for bug fixes since the last release. NOTE: Please do not continue using older versions of GMS SSLCheck. It has been superceded by GroupWise Mobility Service SSLCheck 1.1 found here: http://download.novell.com/Download?buildid=9naDJkniVtg~Document ID: 5311890Security Alert: YesDistribution Type: [...]
---------------------------------------------
https://download.novell.com/Download?buildid=SIbPzOKmofQ~
*** SSA-874235 (Last Update 2017-06-26): Intel Vulnerability in Siemens Industrial Products ***
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-874235…
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM PureApplication System ***
http://www-01.ibm.com/support/docview.wss?uid=swg22005209
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities may affect IBM SDK Java Technology Edition Version 6, 7, 8 and IBM Runtime Environment Java Version 6, 7, 8 in IBM FileNet Content Manager, and IBM Content Foundation ***
http://www.ibm.com/support/docview.wss?uid=swg22003154
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in OpenSSL affects IBM PureApplication System (CVE-2017-3731) ***
http://www.ibm.com/support/docview.wss?uid=swg22005135
---------------------------------------------
*** IBM Security Bulletin: Multiple Vulnerabilites in IBM Java Runtime Affect Optim Data Growth, Test Data Management and Application Retirement ***
http://www-01.ibm.com/support/docview.wss?uid=swg22003285
---------------------------------------------
*** IBM Security Bulletin: Security vulnerability in SWF files shipped with IBM Cúram Social Program Management (CVE-2017-1106) ***
http://www-01.ibm.com/support/docview.wss?uid=swg22004580
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 23-06-2017 18:00 − Montag 26-06-2017 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Erneut kritische Lücke in Windows Defender & Co ***
---------------------------------------------
Alle AV-Produkte aus dem Hause Microsoft wiesen einen kritischen Fehler auf, der es erlaubte, Windows-Systeme zu kapern. Dazu genügte es, wenn die AV-Software etwa eine Datei in einer E-Mail oder auf der Festplatte auf Schadcode untersucht.
---------------------------------------------
https://heise.de/-3756013
*** Brutal Kangaroo: CIA-Werkzeug infiziert Rechner per USB-Stick ***
---------------------------------------------
WikiLeaks hat geheime CIA-Dokumente veröffentlicht, in denen eine Werkzeug-Suite beschrieben ist, mit der sich via USB-Stick Informationen von Rechnern abgreifen lassen, die nicht mit dem Internet verbunden sind.
---------------------------------------------
https://heise.de/-3754923
*** Aktuelle Intel-Prozessoren von "Albtraum"-Bug geplagt ***
---------------------------------------------
Debian-Projekt spürt Fehler auf, der zu Datenverlust unter allen Betriebssystemen führen kann
---------------------------------------------
http://derstandard.at/2000059819966
*** Cyber-Angriffe auf private E-Mail-Postfächer von Funktionsträgern ***
---------------------------------------------
Das Bundesamt für Sicherheit in der Informationstechnik (BSI) beobachtet derzeit professionelle Cyber-Angriffe auf private E-Mail-Postfächer von Funktionsträgern aus Wirtschaft und Verwaltung. Bei dieser Angriffskampagne werden täuschend echt erscheinende Spearphishing-Mails an ausgewähltes Spitzenpersonal gesandt. Die Angreifer geben beispielsweise vor, Auffälligkeiten bei der Nutzung des Postfachs [...]
---------------------------------------------
https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2017/Spearphishi…
*** Traveling with a Laptop / Surviving a Laptop Ban: How to Let Go of "Precious", (Mon, May 29th) ***
---------------------------------------------
For a few months now, passengers on flights from certain countries are no longer allowed to carry laptops and other larger electronic devices into the cabin. Many news media reported over the last weeks that this policy may be expanded to flight from Europe, or to all flights entering the US. But even if you get to keep your laptop with you during your flight, it is difficult to keep it at your site when you travel. So regardless if this ban materializes or not (right now it looks like it will [...]
---------------------------------------------
https://isc.sans.edu/diary/rss/22462
*** Malware: Der unvollständige Ransomware-Schutz von Windows 10 S ***
---------------------------------------------
Windows 10 S soll vor Ransomware schützen - sagt Microsoft. Einem Sicherheitsforscher gelang es trotzdem, innerhalb weniger Stunden Zugriff auf Systemprozesse zu bekommen.
---------------------------------------------
https://www.golem.de/news/malware-der-unvollstaendige-ransomware-schutz-von…
*** Look, But Dont Touch: One Key to Better ICS Security ***
---------------------------------------------
Better visibility is essential to improving the cybersecurity of industrial control systems and critical infrastructure, but the OT-IT cultural divide must be united.
---------------------------------------------
https://www.darkreading.com/vulnerabilities---threats/look-but-dont-touch-o…
*** Blocks and Chains now available ***
---------------------------------------------
Our book has just been published: Blocks and Chains: Introduction to Bitcoin, Cryptocurrencies, and Their Consensus Mechanisms. Aljosha Judmayer, Nicholas Stifter, Katharina Krombholz, and Egar Weippl
---------------------------------------------
https://www.sba-research.org/2017/06/24/blocks-and-chains-now-available/
*** DFN-CERT-2017-1100: Microsoft Malware Protection Engine: Eine Schwachstelle ermöglicht die komplette Systemübernahme ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1100/
*** Security Advisories Relating to Symantec Products - Symantec Messaging Gateway Multiple Vulnerabilities ***
---------------------------------------------
Symantec has released an update to address three issues that were discovered in the Symantec Messaging Gateway (SMG).
---------------------------------------------
https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=s…
*** Vuln: Multiple Pivotal Products CVE-2017-4974 SQL Injection Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/99254
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: API security restrictions can be bypassed in IBM API Connect (CVE-2017-1328) ***
http://www-01.ibm.com/support/docview.wss?uid=swg22003867
---------------------------------------------
*** IBM Security Bulletin: IBM QRadar SIEM is vulnerable to Cross Site Scripting. (CVE-2017-1234) ***
http://www.ibm.com/support/docview.wss?uid=swg22004948
---------------------------------------------
*** IBM Security Bulletin: Docker and Python as used in IBM QRadar SIEM is vulnerable to various CVEs. ***
http://www.ibm.com/support/docview.wss?uid=swg22004947
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in Global Mailbox in IBM Sterling B2B Integrator (CVE-2015-5262, CVE-2014-3577) ***
http://www-01.ibm.com/support/docview.wss?uid=swg22005149
---------------------------------------------
*** IBM Security Bulletin: IBM QRadar SIEM has weak password requirements. (CVE-2016-9738) ***
http://www.ibm.com/support/docview.wss?uid=swg22004926
---------------------------------------------
*** IBM Security Bulletin: IBM QRadar SIEM is missing HSTS header. (CVE-2016-9972) ***
http://www.ibm.com/support/docview.wss?uid=swg22004925
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Composite Application Manager for Transactions (Multiple CVEs) ***
http://www-01.ibm.com/support/docview.wss?uid=swg22003998
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational Directory Server (Tivoli) & Rational Directory Administrator ***
http://www.ibm.com/support/docview.wss?uid=swg22004713
---------------------------------------------
*** IBM Security Bulletin: Vulnerability affects WebSphere Application Server shipped with IBM Cloud Orchestrator and Cloud Orchestrator Enterprise (CVE-2016-3092) ***
http://www-01.ibm.com/support/docview.wss?uid=swg2C1000300
---------------------------------------------
*** IBM Security Bulletin: October 2015 Java Platform Standard Edition Vulnerabilities in Multiple N Series Products ***
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009992
---------------------------------------------
*** IBM Security Bulletin: July 2014 Java Runtime Environment (JRE) Vulnerabilities in Multiple N series Products ***
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009972
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 22-06-2017 18:00 − Freitag 23-06-2017 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Getting ready for the European Cyber Security Month 2017 ***
---------------------------------------------
100 days left for the launch of the European Cyber Security Month, the EU annual advocacy campaign which takes place in October supported by ENISA and EC DG CONNECT with the participation of many partners from all over Europe.
---------------------------------------------
https://www.enisa.europa.eu/news/enisa-news/getting-ready-for-the-european-…
*** Microsoft Says Fireball Threat ‘Overblown’ ***
---------------------------------------------
Check Point has toned down its initial estimates on the number of Fireball malware infections from 250 million machines and 20 percent of corporate networks to 40 million computers.
---------------------------------------------
http://threatpost.com/microsoft-says-fireball-threat-overblown/126472/
*** DSA-3894 graphite2 - security update ***
---------------------------------------------
Multiple vulnerabilities have been found in the Graphite font rendering engine which might result in denial of service or the execution of arbitrary code if a malformed font file is processed.
---------------------------------------------
https://www.debian.org/security/2017/dsa-3894
*** ZDI-17-441: Apple Safari Node Use-After-Free Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple Safari. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-17-441/
*** DSA-3896 apache2 - security update ***
---------------------------------------------
Several vulnerabilities have been found in the Apache HTTPD server.
---------------------------------------------
https://www.debian.org/security/2017/dsa-3896
*** Smart burglars will ride the surf of inter-connected hackability ***
---------------------------------------------
Let’s invent a dustbin that throws itself away Something for the Weekend, Sir? What the world needs now is an intelligent dustbin. It would be the pinnacle of achievement for the Internet of Things sector.
---------------------------------------------
www.theregister.co.uk/2017/06/23/smart_burglars_will_ride_the_surf_of_inter…
*** Mutmaßlich russische Hacker stahlen Daten britischer Politiker ***
---------------------------------------------
http://derstandard.at/2000059699661
*** Deutsches Sicherheitsamt warnt vor Cyber-Attacken auf Verwaltung ***
---------------------------------------------
Ähnlich wie auf US-Demokraten und französische Partei von Präsident Macron
---------------------------------------------
http://derstandard.at/2000059699049
*** Node.js: Hälfte der NPM-Pakete durch schwache Passwörter verwundbar ***
---------------------------------------------
Der NPM-Dienst hat vor zwei Wochen Passwörter von Entwicklern zurückgezogen. Jetzt ist klar warum: Ein Hacker konnte schwache Passwörter sammeln und hätte damit wohl die Hälfte des ..
---------------------------------------------
https://www.golem.de/news/node-js-haelfte-der-npm-pakete-durch-schwache-pas…
*** Microsoft weist Vorwürfe von Antivirenhersteller zurück ***
---------------------------------------------
Microsoft betont in einem Blogpost die Bedeutung der Zusammenarbeit mit Antivirenherstellern im Rahmen der Microsoft Virus Initiative. Die Veröffentlichung kann als direkte Reaktion auf die Beschwerde von Kaspersky bei Kartellwächtern verstanden werden.
---------------------------------------------
https://heise.de/-3754148
*** Video: So kaperten Hacker ein Stromkraftwerk ***
---------------------------------------------
2015 haben Hacker den Strom für über 200.000 Personen in der Ukraine ausfallen lassen. Ein Video zeigt, wie sie die Steuer-PCs übernommen haben.
---------------------------------------------
https://futurezone.at/digital-life/video-so-kaperten-hacker-ein-stromkraftw…
*** FBI: Extortion, CEO Fraud Among Top Online Fraud Complaints in 2016 ***
---------------------------------------------
Online extortion, tech support scams and phishing attacks that spoof the boss were among the most costly cyber scams reported by consumers and businesses last year, according to new figures from the FBIs Internet Crime Complaint Center (IC3). The IC3 report released ..
---------------------------------------------
https://krebsonsecurity.com/2017/06/fbi-extortion-ceo-fraud-among-top-onlin…
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 21-06-2017 18:00 − Donnerstag 22-06-2017 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** Cisco WebEx Network Recording Player Multiple Buffer Overflow Vulnerabilities ***
---------------------------------------------
Multiple buffer overflow vulnerabilities exist in the Cisco WebEx Network Recording Player for Advanced Recording Format (ARF) files. An attacker could exploit these vulnerabilities by providing a user with a malicious ARF file via email or URL and convincing the user to launch the file. Exploitation of these vulnerabilities could cause an ..
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
*** Multiple vulnerabilities in Cisco Prime Infrastructure ***
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
*** Multiple vulnerabilities in Cisco Identity Services ***
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
*** Multiple vulnerabilities in Cisco IOS XR ***
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
*** Cisco Firepower Management Center Cross-Site Scripting Vulnerability ***
---------------------------------------------
A vulnerability in the web framework of Cisco Firepower Management Center could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack ..
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
*** Kritischer Bug in Kompressions-Bibliothek RAR gefährdet AV-Software ***
---------------------------------------------
Fehler beim Auspacken von Archiven sind kritisch, weil sie sich besonders einfach ausnutzen lassen – etwa wenn die Antiviren-Software nach Schadcode sucht. Umso bitterer ist es, wenn die sich fünf Jahre nach ihrer Entdeckung noch ausnutzen lassen.
---------------------------------------------
https://heise.de/-3751528
*** Drupal Core - Multiple Vulnerabilities - SA-CORE-2017-003 ***
---------------------------------------------
https://www.drupal.org/SA-CORE-2017-003
*** TeslaWare Plays Russian Roulette with your Files ***
---------------------------------------------
I was told about a new ransomware called TeslaWare that is being promoted on a black hat criminal site. After a quick search, I was able to find a sample that was compiled yesterday ..
---------------------------------------------
https://www.bleepingcomputer.com/news/security/teslaware-plays-russian-roul…
*** Locky Ransomware Returns, but Targets Only Windows XP & Vista ***
---------------------------------------------
The Locky ransomware is back, spreading via a massive wave of spam emails distributed by the Necurs botnet, but the campaign appears to be a half-baked effort because the ransomware is not able to encrypt files on modern Windows OS versions, locking ..
---------------------------------------------
https://www.bleepingcomputer.com/news/security/locky-ransomware-returns-but…
*** NSA-Backed OpenC2.org Aims to Defend Systems at Machine Speed ***
---------------------------------------------
Security experts, vendors, business and the NSA are developing a standardized language that rather than autonomously understands threats, acts on them.
---------------------------------------------
http://threatpost.com/nsa-backed-openc2-org-aims-to-defend-systems-at-machi…
*** Web Application Pentest Guide Part-I ***
---------------------------------------------
In this article, we are going to pentest a web application which was developed by HP for scanner evaluation purpose. We will be demonstrating the complete process ..
---------------------------------------------
http://resources.infosecinstitute.com/web-application-pentest-guide-part/
*** Windows-Trojaner nutzt NSA-Hintertür um verdeckt Kryptowährungen zu schürfen ***
---------------------------------------------
Die DOUBLEPULSAR-Hintertür der NSA wird momentan missbraucht, um ungeschützte Windows-Rechner mit einem Trojaner zu infizieren, der heimlich die Kryptowährung Monero (XMR) schürft.
---------------------------------------------
https://heise.de/-3751247
*** [2017-06-22] Multiple vulnerabilities in Cisco Prime Infrastructure ***
---------------------------------------------
Multiple security vulnerabilities in Cisco Prime Infrastructure < 3.1.6 could allow local low-privileged user to read arbitrary files such as wireless access point configurations, read the hashed passwords of all the users including the administrator from database and infect other users with JavaScript trojan.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2017…
*** Understanding the true size of “Fireball” ***
---------------------------------------------
... when recent reports of the “Fireball” cybersecurity threat operation were presented as a new discovery, our teams knew ..
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2017/06/22/understanding-the-true-…
*** IBM Security Bulletin: Multiple vulnerabilities in EBICS client in IBM Sterling B2B Integrator (CVE-2017-1132, CVE-2017-1347, CVE-2017-1348) ***
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22004199
*** IBM Security Bulletin: HTTP verb tampering vulnerability affects IBM Sterling B2B Integrator (CVE-2017-1131) ***
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22004270
*** Why So Many Top Hackers Hail from Russia ***
---------------------------------------------
Conventional wisdom says one reason so many hackers seem to hail from Russia and parts of the former Soviet Union is that these countries have traditionally placed a much greater emphasis than educational institutions in the West on teaching information ..
---------------------------------------------
https://krebsonsecurity.com/2017/06/why-so-many-top-hackers-hail-from-russi…
*** DSA-3892 tomcat7 - security update ***
---------------------------------------------
Aniket Nandkishor Kulkarni discovered that in tomcat7, a servlet andJSP engine, static error pages used the original requests HTTP methodto serve content, instead of systematically using ..
---------------------------------------------
https://www.debian.org/security/2017/dsa-3892
*** DSA-3891 tomcat8 - security update ***
---------------------------------------------
Aniket Nandkishor Kulkarni discovered that in tomcat8, a servlet andJSP engine, static error pages used the original requests HTTP methodto serve content, instead of systematically ..
---------------------------------------------
https://www.debian.org/security/2017/dsa-3891
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 20-06-2017 18:00 − Mittwoch 21-06-2017 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Partnering with the AV ecosystem to protect our Windows 10 customers ***
---------------------------------------------
On Friday May 12th, and for several days afterwards, more than a quarter-million computers around the world fell victim to the ransomware known ..
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2017/06/20/partnering-with-the-av-…
*** Unwanted “Shorte St” Ads in Unpatched Newspaper Theme ***
---------------------------------------------
Unwanted ads are one of the most common problems that site owners ask us to solve. Recently, we’ve noticed quite a few requests to remove intrusive “shorte st” ads that they never installed on their sites themselves. My colleague Denis Sinegubko of UnmaskParasites ..
---------------------------------------------
https://blog.sucuri.net/2017/06/unwanted-shorte-st-ads-in-unpatched-newspap…
*** Hacker exposed bank loophole to buy luxury cars and a face tattoo ***
---------------------------------------------
♪ Im gonna wait... til the midnight hour, when theres no one else around A UK hacker who stole £100,000 from his bank after spotting a loophole in its systems has been jailed for 16 months.
---------------------------------------------
www.theregister.co.uk/2017/06/20/face_tattoo_bank_hacker/
*** More Android apps from dangerous Ztorg family sneak into Google Play ***
---------------------------------------------
Almost 100 such apps, with >1 million downloads, found so far (but not by Google).
---------------------------------------------
https://arstechnica.com/security/2017/06/more-android-apps-from-dangerous-z…
*** Minimalist Alina PoS Variant Starts Using SSL ***
---------------------------------------------
More than four years ago, we published a series of blogs discussing in-depth analysis of Alina Point of Sale (PoS) malware. And for the past four years, it is interesting to see ..
---------------------------------------------
http://trustwave.com/Resources/SpiderLabs-Blog/Minimalist-Alina-PoS-Variant…
*** Nach Leak: Studio zahlte "Orange Is the New Black"-Erpresser ***
---------------------------------------------
Hacker hatten etwa 50.000 US-Dollar gefordert
---------------------------------------------
http://derstandard.at/2000059577414
*** Wannacry: Honda stoppt Autobau wegen Ransomware ***
---------------------------------------------
Autowerk im japanischen Sayana setzt vorübergehend Produktion aus
---------------------------------------------
http://derstandard.at/2000059583968
*** Decline in Rig Exploit Kit ***
---------------------------------------------
Unit 42 investigates recent developments in the EITest & psuedo-Darkleech campaigns contributing to the decline of Rig exploit kits.
---------------------------------------------
https://researchcenter.paloaltonetworks.com/2017/06/unit42-decline-rig-expl…
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 19-06-2017 18:00 − Dienstag 20-06-2017 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Apache HTTPD Bugs Let Remote Users Deny Service and Bypass Authentication in Certain Cases ***
---------------------------------------------
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 2.2.0 - 2.2.32, 2.4.0 - 2.4.25
Description: Several vulnerabilities were reported in Apache HTTPD. A remote user can cause the target service to crash. A remote user can bypass authentication.
---------------------------------------------
http://www.securitytracker.com/id/1038711
*** Bugtraq: [security bulletin] HPESBGN03758 rev.2 - HPE UCMDB, Remote Code Execution ***
---------------------------------------------
http://www.securityfocus.com/archive/1/540745
*** McAfee Labs Threats Report Explores Malware Evasion Techniques, Digital Steganography, Password-Stealer Fareit ***
---------------------------------------------
We got a little carried away in the McAfee Labs Threats Report: June 2017, published today. This quarter's report has expanded to a rather hefty 83 pages! It contains three highly educational topics, in addition to the usual set of threats statistics: We broadly examine evasion techniques and how malware authors use them to accomplish...
---------------------------------------------
https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-labs-threats-report-…
*** Glibc Stack/Heap Memory Allocation Error Lets Local Users Gain Elevated Privileges ***
---------------------------------------------
A local user can supply specially crafted LD_LIBRARY_PATH values to trigger a stack memory allocation flaw in certain cases and execute arbitrary code on the target system with elevated privileges.
The stack guard-page memory gap can be "jumped" in cases where heap memory and stack memory are adjacent.
---------------------------------------------
http://www.securitytracker.com/id/1038712
*** [2017-06-20] Multiple Reflected Cross Site Scripting (XSS) issues in Ubiquiti Networks products ***
---------------------------------------------
Multiple Ubiquiti Networks products with firmware XM v6.0, SW v1.3.3 and AF24 v3.2 are affected by a POST-request based cross site scripting vulnerability. Malicious JavaScript code can be executed in the browser of the user and cookies can be stolen.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2017…
*** DFN-CERT-2017-1052/">Exim: Eine Schwachstelle ermöglicht die Ausführung beliebigen Programmcodes ***
---------------------------------------------
Betroffene Software: Exim <= 4.89
In Exim existiert eine Schwachstelle, weil durch die Mehrfachverwendung von '-p' als Befehlszeilenargument Speicher reserviert werden kann, der nicht wieder freigegeben wird. Ein lokaler, nicht authentisierter Angreifer kann dies nur in Verbindung mit einer anderen Schwachstelle ausnutzen, um beliebigen Programmcode zur Ausführung zu bringen und möglicherweise auch eine Rechteerweiterung auf Root-Privilegien durchzuführen.
Debian stellt für die stabile Distribution Stretch und die alte stabile Distribution Jessie jeweils Backport-Sicherheitsupdates bereit.
CVE-2017-1000369
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1052/
*** Oracle Security Alert for CVE-2017-3629 ***
---------------------------------------------
This Security Alert addresses CVE-2017-3629 and two other vulnerabilities affecting Oracle Solaris. These are local privilege escalation vulnerabilities that may only be exploited over a network with a valid username and password. Together, these vulnerabilities may allow privilege escalation to root.
---------------------------------------------
http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-3629-375…
*** Vuln: SAP Business Objects DS Open Redirection Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/99143
*** Xen Security Advisories ***
---------------------------------------------
XSA-216: blkif responses leak backend stack data
XSA-217: page transfer may allow PV guest to elevate privilege
XSA-218: Races in the grant table unmap code
XSA-219: x86: insufficient reference counts during shadow emulation
XSA-220: x86: PKRU and BND* leakage between vCPU-s
XSA-221: NULL pointer deref in event channel poll
XSA-222: stale P2M mappings due to insufficient error checking
XSA-223: ARM guest disabling interrupt may crash Xen
XSA-224: grant table operations mishandle reference
---------------------------------------------
https://lists.xen.org/archives/html/xen-announce/2017-06/
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM i. ***
http://www-01.ibm.com/support/docview.wss?uid=nas8N1022142
---------------------------------------------
*** IBM Security Bulletin: The Elastic Storage Server and the GPFS Storage Server are affected by a vulnerability in IBM Spectrum Scale (CVE-2017-1304) ***
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010230
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM WebSphere MQ Internet Pass-Thru ***
http://www.ibm.com/support/docview.wss?uid=swg22001701
---------------------------------------------
*** IBM Security Bulletin: Multiple security vulnerabilities have been identified in IBM WebSphere Application Server Liberty shipped with IBM Security Directory Suite (CVE-2016-0378, CVE-2016-5983 and CVE-2016-5986) ***
http://www.ibm.com/support/docview.wss?uid=swg22002049
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 16-06-2017 18:00 − Montag 19-06-2017 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** Bugtraq: ESA-2017-041: EMC VNX1 and VNX2 Family Multiple Vulnerabilities in VNX Control Station ***
---------------------------------------------
http://www.securityfocus.com/archive/1/540738
*** VU#768399: HPE SiteScope contains multiple vulnerabilities ***
---------------------------------------------
HPEs SiteScope is vulnerable to several cryptographic issues, insufficiently protected credentials, and missing authentication. Description HPEs SiteScope is vulnerable to several vulnerabilities.
---------------------------------------------
http://www.kb.cert.org/vuls/id/768399
*** Analysis of the Shadow Brokers release and mitigation with Windows 10 virtualization-based security ***
---------------------------------------------
On April 14, a group calling themselves the Shadow Brokers caught the attention of the security community by releasing a set of weaponized exploits. Shortly thereafter, one of these exploits ..
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2017/06/16/analysis-of-the-shadow-…
*** DSA-3884 gnutls28 - security update ***
---------------------------------------------
Hubert Kario discovered that GnuTLS, a library implementing the TLS and SSL protocols, does not properly decode a status response TLS extension,allowing a remote attacker to cause an application using the GnuTLS library to crash (denial of service).
---------------------------------------------
https://www.debian.org/security/2017/dsa-3884
*** In eigener Sache: Umstellung der Tageszusammenfassungen ***
---------------------------------------------
In eigener Sache: Umstellung der Tageszusammenfassungen19. Juni 2017In der Woche vom 3.-7. 7. 2017 werden wir das Format unserer Tageszusammenfassungen anpassen. Inhaltlich bleibt alles wie gewohnt, wir werden aber der besseren Übersichtlichkeit halber den Inhalt in mehrere Sektionen unterteilen. Damit sollte es ..
---------------------------------------------
http://www.cert.at/services/blog/20170619121641-2037.html
*** D-Link DSL-2640U - Unauthenticated DNS Change ***
---------------------------------------------
The vulnerability exist in the web interface, which is accessible without authentication. Once modified, systems use foreign DNS servers, which are usually set up by cybercriminals. Users with ..
---------------------------------------------
https://www.exploit-db.com/exploits/42195/
*** -Link DSL-2640B - Unauthenticated Remote DNS Change ***
---------------------------------------------
The vulnerability exist in the web interface, which is accessible without authentication. Once modified, systems use foreign DNS servers, which are usually set up by cybercriminals. Users with ..
---------------------------------------------
https://www.exploit-db.com/exploits/42197/
*** IBM Security Bulletin: IBM MQ Trace enablement could cause denial of service (CVE-2017-1117) ***
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22001468
*** IoT Malware Activity Already More Than Doubled 2016 Numbers ***
---------------------------------------------
The number of new malware samples in the wild this year targeting connected internet-of-things (IoT) devices has already more than doubled last year’s total.
---------------------------------------------
http://threatpost.com/iot-malware-activity-already-more-than-doubled-2016-n…
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 14-06-2017 18:00 − Freitag 16-06-2017 18:00
Handler: Olaf Schwarz
Co-Handler: n/a
*** Former Major Player Neutrino Exploit Kit Has Gone Dark ***
---------------------------------------------
The Neutrino exploit kit, a former leader of the exploit kit market, appears to have shut down, with the last activity recorded at the start of April, well over two months ago.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/former-major-player-neutrino…
*** SAP Security Patch Day - June 2017 ***
---------------------------------------------
This post by SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on second Tuesday of every month and fix vulnerabilities discovered in SAP products.
---------------------------------------------
https://blogs.sap.com/2017/06/13/sap-security-patch-day-june2017/
*** Entschlüsselungstool für Erpressungstrojaner Jaff veröffentlicht ***
---------------------------------------------
Ein Sicherheitsforscher von Kaspersky hat eine Schwachstelle im Code der Ransomware Jaff entdeckt. Nun können Betroffene ihre Daten mit einem kostenlosen Tool entschlüsseln.
---------------------------------------------
https://heise.de/-3744042
*** New cyber security information service launched today by ENISA ***
---------------------------------------------
ENISA launched today its new cyber security information service "Cyber Security Info Notes" with the aim to provide timely key information and recommendations on cyber security topics and incidents.
---------------------------------------------
https://www.enisa.europa.eu/news/enisa-news/new-cyber-security-information-…
*** Wikileaks Unveils Cherry Blossom - Wireless Hacking System Used by CIA ***
---------------------------------------------
WikiLeaks has published a new batch of the ongoing Vault 7 leak, this time detailing a framework - which is being used by the CIA for monitoring the Internet activity of the targeted systems by exploiting vulnerabilities in Wi-Fi devices.
---------------------------------------------
https://thehackernews.com/2017/06/cia-wireless-router-hacking-tool.html
*** Samsung-Domain abgelaufen: Millionen Smartphones waren laut Experten für Hacker offen ***
---------------------------------------------
Laut Sicherheitsforscher hätten Hacker Malware einschleusen können - Samsung dementiert
---------------------------------------------
http://derstandard.at/2000059348103
*** Developer Creates Rootkit That Hides in PHP Server Modules ***
---------------------------------------------
A Dutch web developer has created a rootkit that hides inside a PHP module and can be used to take over web servers via a rarely used attack vector: Apache modules.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/developer-creates-rootkit-th…
*** Kein Patch für Denial-of-Service-Lücke in Windows Server ***
---------------------------------------------
Im Windows Internet Name Service (WINS) von Windows Server klafft eine Denial-of-Service-Lücke, die Microsoft nicht patchen wird - der Aufwand sei zu groß. Wer den Dienst noch nutzt, soll stattdessen auf DNS ausweichen.
---------------------------------------------
https://heise.de/-3744148
*** Cyber Security Notification - MicroSCADA Pro SYS600 and CRASHOVERRIDE ***
---------------------------------------------
http://search.abb.com/library/Download.aspx?DocumentID=9AKK107045A0857&Lang…
*** Bugtraq: ESA-2017-043: EMC ESRS Virtual Edition Authentication Bypass Vulnerability ***
---------------------------------------------
ESA-2017-043: EMC ESRS Virtual Edition Authentication Bypass Vulnerability
---------------------------------------------
http://www.securityfocus.com/archive/1/540721
*** DFN-CERT-2017-1030 ISC BIND: Zwei Schwachstellen ermöglichen u.a. das Eskalieren von Privilegien ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1030/
*** Siemens ***
---------------------------------------------
*** Siemens devices using the PROFINET Discovery and Configuration Protocol (Update A) ***
https://ics-cert.us-cert.gov/advisories/ICSA-17-129-01A
---------------------------------------------
*** Siemens devices using the PROFINET Discovery and Configuration Protocol (Update A) ***
https://ics-cert.us-cert.gov/advisories/ICSA-17-129-02A
---------------------------------------------
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Multiple Mozilla Firefox vulnerability issues in IBM Storwize V7000 Unified. ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1010301
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in ntp affect IBM Flex System Manager (FSM) ***
http://www-01.ibm.com/support/docview.wss?uid=isg3T1025390
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in curl affect IBM Flex System Manager (FSM) ***
http://www-01.ibm.com/support/docview.wss?uid=isg3T1025395
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in libxml2 affect IBM Flex System Manager (FSM) ***
http://www-01.ibm.com/support/docview.wss?uid=isg3T1025389
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Flex System Manager (FSM) ***
http://www-01.ibm.com/support/docview.wss?uid=isg3T1024890
---------------------------------------------
*** IBM Security Bulletin: Vulnerability CVE-2017-7494 in Samba affects IBM i ***
http://www-01.ibm.com/support/docview.wss?uid=nas8N1022134
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in Samba affects IBM Spectrum Scale SMB protocol access method (CVE-2017-7494) ***
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010317
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in IBM Java SDK affects multiple IBM Rational products based on IBM Jazz technology ***
http://www.ibm.com/support/docview.wss?uid=swg22004599
---------------------------------------------
*** IBM Security Bulletin: IBM MQ and IBM MQ Appliance Open Source zlib is vulnerable to a denial of service (CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843) ***
http://www-01.ibm.com/support/docview.wss?uid=swg22001520
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 13-06-2017 18:00 − Mittwoch 14-06-2017 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Internet hygiene still stinks despite botnet and ransomware flood ***
---------------------------------------------
Millions of must-be-firewalled services sitting wide open Network security has improved little over the last 12 months - millions of vulnerable devices are still exposed on the open internet, leaving them defenceless to the next big malware attack.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2017/06/14/rapid7_devi…
*** June 2017 security update release ***
---------------------------------------------
Microsoft releases additional updates for older platforms to protect against potential nation-state activity Today, as part of our regular Update Tuesday schedule, we have taken action to provide additional critical security updates to address vulnerabilities that are at heighted risk of exploitation due to past nation-state activity and disclosures. Some of the releases today are...
---------------------------------------------
https://blogs.technet.microsoft.com/msrc/2017/06/13/june-2017-security-upda…
*** When Your Plugins Turn Against You ***
---------------------------------------------
Every day we face countless cases of sites getting compromised and infected by an attacker. From there, the sites can be used for various operations like spam campaigns, malware spreading or simply to damage your SEO ranking among other events. The threat may not always come from outside though. There are occasions where we are indirectly the ones responsible for the infection and may never find out until we get blacklisted by a search engine, or alerted of malicious code from our users.
---------------------------------------------
https://blog.sucuri.net/2017/06/when-your-plugins-turn-against-you.html
*** MSRT June 2017: Removing sneaky Xiazai ***
---------------------------------------------
In the June release of the Microsoft Software Removal Tool (MSRT), we're adding Xiazai, a widespread family of browser modifiers that we have blocked and removed from millions of computers since 2015. Xiazai is a software bundler that can sneak in additional changes. Xiazai does not install itself or make autostart registry entries, but the...
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2017/06/13/msrt-june-2017-removing…
*** ZDI-17-396: Trend Micro Maximum Security tmusa Time-Of-Check/Time-Of-Use Privilege Escalation Vulnerability ***
---------------------------------------------
This vulnerability allows local attackers to escalate privilege on vulnerable installations of Trend Micro Maximum Security. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
---------------------------------------------
http://feedproxy.google.com/~r/ZDI-Published-Advisories/~3/FQzTY0SrpbU/
*** ZDI-17-395: Trend Micro Maximum Security tmusa Kernel Driver Untrusted Pointer Dereference Denial of Service Vulnerability ***
---------------------------------------------
This vulnerability allows local attackers to deny service on vulnerable installations of Trend Micro Maximum Security. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
---------------------------------------------
http://feedproxy.google.com/~r/ZDI-Published-Advisories/~3/hoecBsyhda4/
*** Nmap 7.50 released: New NSE scripts, 300+ fingerprints, new Npcap ***
---------------------------------------------
Nmap 7.50 is the first big release since last December and has hundreds of improvements. One of the things the developers have worked on recently is the Npcap packet capturing driver and library for Windows. It is a replacement for WinPcap, which is no longer maintained. Npcap uses newer APIs for better performance and compatibility, including Windows 10 support. Developers also added loopback packet capture and injection, raw wireless sniffing, and extra security features ...
---------------------------------------------
https://www.helpnetsecurity.com/2017/06/14/nmap-7-50-released/
*** Patchday: Microsoft sichert XP und Vista ab, warnt vor neuem WannaCry ***
---------------------------------------------
In einem bisher nicht dagewesenen Schritt hat Microsoft am Patchday Updates für Windows-Versionen ausgeliefert, die nicht mehr unterstützt werden. Die Firma entschloss sich dazu, da sie weitere WannaCry-ähnliche Attacken befürchtet.
---------------------------------------------
https://heise.de/-3743004
*** Gefälschte Netflix-Nachricht: Problem with your Membership ***
---------------------------------------------
In einer gefälschten Netflix-Nachricht behaupten Kriminelle, dass es Probleme mit den Kreditkartendaten von Kund/innen gäbe. Aus diesem Grund sollen sie auf einer Website ihre Zahlungsmethode erneuern. Kund/inenn, die der Aufforderung nachkommen, übermitteln ihre Bankdaten an Kriminelle und werden Opfer eines Datendiebstahls.
---------------------------------------------
https://www.watchlist-internet.at/phishing/gefaelschte-netflix-nachricht-pr…
*** Mozilla Firefox Multiple Bugs Let Remote Users Spoof URLs, Obtain Potentially Sensitive Information, and Execute Arbitrary Code and Let Local Users Gain Elevated Privileges ***
---------------------------------------------
A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A local user can obtain elevated privileges on the target system.
A local user can modify files on the target system.
A remote user can obtain files on the target system.
A remote user can spoof the address bar.
Solution: The vendor has issued a fix (ESR 52.2; 54.0).
---------------------------------------------
http://www.securitytracker.com/id/1038689
*** Wegen Sicherheitsproblemen: Kein SMB1 in Windows-Neuinstallationen ***
---------------------------------------------
Microsoft plant den nächsten Schritt zur Abschaffung des SMB1-Protokolls. Nach den Updates im Herbst soll das über 30 Jahre alte Protokoll in Neuinstallationen von Windows standardmäßig deaktiviert sein.
---------------------------------------------
https://heise.de/-3743127
*** Security Advisory - Permission Control Vulnerability in Smart Phones ***
---------------------------------------------
Some Huawei Smart phones have a permission control vulnerability. Due to improper authorization on specific processes, an attacker with the root privilege of a mobile Android system can exploit this vulnerability to obtain some information of the user. CVE-2017-8216
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170614-…
*** DDoS-Drohungen ***
---------------------------------------------
Seit gestern werden weltweit E-Mails mit einem Erpressungsversuch und einer angedrohten Denial of Service-Attacke verschickt. Diese E-Mails stammen von einer Gruppe, die sich HACKER TEAM - Meridian Collective nennt ... Es kann davon ausgegangen werden, dass - wie in der Vergangenheit - diesen Drohungen keinerlei tatsächliche Angriffe folgen werden. Den Forderungen sollte daher nicht nachgekommen werden.
---------------------------------------------
https://www.dfn-cert.de/aktuell/ddos-drohungen.html
*** FIRST Releases Framework for Product Security Incident Response Teams ***
---------------------------------------------
The leading association of incident response and security teams released a draft of the Product Security Incident Response Teams (PSIRT) Services Framework for public input. This is a formal list of services a PSIRT may consider implementing to address the needs of their constituency. Public input is welcomed until August 31, 2017 via psirt-comments(a)first.org.
---------------------------------------------
https://www.first.org/newsroom/releases/20170614
*** HIDDEN COBRA - North Korea's DDoS Botnet Infrastructure ***
---------------------------------------------
... DHS and FBI identified Internet Protocol (IP) addresses associated with a malware variant, known as DeltaCharlie, used to manage North Korea's distributed denial-of-service (DDoS) botnet infrastructure. This alert contains indicators of compromise (IOCs), malware descriptions, network signatures, and host-based rules to help network defenders ...
---------------------------------------------
https://www.us-cert.gov/ncas/alerts/TA17-164A
*** EMC ***
---------------------------------------------
*** Vuln: EMC RSA BSAFE Cert-C CVE-2017-4981 Denial of Service Vulnerability ***
http://www.securityfocus.com/bid/99044
---------------------------------------------
*** Vuln: EMC Secure Remote Services Virtual Edition CVE-2017-4986 Authentication Bypass Vulnerability ***
http://www.securityfocus.com/bid/99036
---------------------------------------------
*** Vuln: EMC VNX1/VNX2 OE for File CVE-2017-4984 Remote Code Execution Vulnerability ***
http://www.securityfocus.com/bid/99039
---------------------------------------------
*** Vuln: EMC VNX1/VNX2 OE for File CVE-2017-4985 Local Privilege Escalation Vulnerability ***
http://www.securityfocus.com/bid/99037
---------------------------------------------
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Apache Tomcat vulnerability affects IBM Algo One Counterparty Credit Risk (CVE-2016-8745) ***
http://www.ibm.com/support/docview.wss?uid=swg22000795
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK 7 affect IBM Systems Director. ***
http://www.ibm.com/support/docview.wss?uid=isg3T1025202
---------------------------------------------
*** IBM Security Bulletin: Multiple Security Vulnerabilities exist in IBM Cognos Express. ***
http://www.ibm.com/support/docview.wss?uid=swg22002268
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 12-06-2017 18:00 − Dienstag 13-06-2017 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Security Bulletins posted ***
---------------------------------------------
Adobe has published security bulletins for Adobe Flash Player (APSB17-17), Adobe Shockwave Player (APSB17-18), Adobe Captivate (APSB17-19) and Adobe Digital Editions (APSB17-20). Adobe recommends users update their product installations to the latest versions...
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1469
*** SAP Security Patch Day - June2017 ***
---------------------------------------------
On 13th of June 2017, SAP Security Patch Day saw the release of 18 security notes. Additionally, there were 3 updates to previously released security notes.
---------------------------------------------
https://blogs.sap.com/2017/06/13/sap-security-patch-day-june2017/
*** Analyzing Xavier: An Information-Stealing Ad Library on Android ***
---------------------------------------------
We have recently discovered a Trojan Android ad library called Xavier that steals and leaks a user's information silently. Xavier's impact has been widespread, with more than 800 applications embedding the ad library's SDK having been downloaded millions of times from Google Play.
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/Vlm6uUCaCKU/
*** [2017-06-13] Access Restriction Bypass in Atlassian Confluence ***
---------------------------------------------
An attacker can manually subscribe to pages of Atlassian Confluence which he is not able to view and he then receive any further comments made on the restricted page.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2017…
*** FIN7 Hitting Restaurants with Fileless Malware ***
---------------------------------------------
A campaign attributed to the FIN7 attackers targets restaurants with phishing emails and infected RTF Word documents that carry out fileless malware attacks.
---------------------------------------------
http://threatpost.com/fin7-hitting-restaurants-with-fileless-malware/126213/
*** More Bypassing of Malware Anti-Analysis Techniques ***
---------------------------------------------
For last few articles, we have seen how malware employs some anti-analysis techniques and how we can bypass those techniques. Now, let's raise the bar a bit more and look out for more advanced anti-analysis techniques. In this article, we will look at how we can reach the Original Entry Point of a packed Exe ...
---------------------------------------------
http://resources.infosecinstitute.com/bypassing-malware-anti-analysis-techn…
*** Learning Pentesting with Metasploitable3 - Part 2 ***
---------------------------------------------
Introduction: This is the second part in this series of articles on Learning Pentesting with Metasploitable3. We have prepared our lab setup in our previous article. This article shows the Information Gathering techniques that are typically used during Penetration Testing by using Metasploitable3 VM. This phase is crucial during a penetration test as we will ...
---------------------------------------------
http://resources.infosecinstitute.com/learning-pentesting-metasploitable3-p…
*** Multiple (0day) vulnerabilities in Schneider Electric U.motion Builder ***
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-17-383/http://www.zerodayinitiative.com/advisories/ZDI-17-384/http://www.zerodayinitiative.com/advisories/ZDI-17-385/http://www.zerodayinitiative.com/advisories/ZDI-17-386/http://www.zerodayinitiative.com/advisories/ZDI-17-387/http://www.zerodayinitiative.com/advisories/ZDI-17-388/http://www.zerodayinitiative.com/advisories/ZDI-17-389/http://www.zerodayinitiative.com/advisories/ZDI-17-390/
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: IBM API Connect is affected by an information disclosure vulnerability (CVE-2017-1379). ***
http://www.ibm.com/support/docview.wss?uid=swg22004714
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in Samba affects IBM Spectrum Scale SMB protocol access method (CVE-2017-2619) ***
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010155
---------------------------------------------
*** IBM Security Bulletin: Weak default password lockout policy in IBM BigFix Compliance Analytics (CVE-2017-1197) ***
http://www-01.ibm.com/support/docview.wss?uid=swg22004170
---------------------------------------------
*** IBM Security Bulletin: IBM Spectrum Scale Object Protocols functionality is affected by security vulnerabilities in OpenStack (CVE-2015-1852 and CVE-2015-7546) ***
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010157
---------------------------------------------
*** IBM Security Bulletin: A Cross-site scripting vulnerability in IBM Websphere Application Server, affects IBM Tivoli Netcool Configuration Manager (ITNCM) (CVE-2016-8934) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21996989
---------------------------------------------
*** IBM Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Cloud Orchestrator (CVE-2016-5986) ***
http://www.ibm.com/support/docview.wss?uid=swg2C1000200
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 09-06-2017 18:00 − Montag 12-06-2017 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Banking trojan executes when targets hover over link in PowerPoint doc ***
---------------------------------------------
Criminal hackers have started using a novel malware attack that infects people when their mouse hovers over a link embedded in a malicious PowerPoint file.
The method - which was used in a recent spam campaign that attempted to install a bank-fraud backdoor alternately known as Zusy, OTLARD, and Gootkit - is notable because it didn't rely on macros, visual basic scripts, or JavaScript to deliver its payload.
---------------------------------------------
https://arstechnica.com/security/2017/06/malicious-powerpoint-files-can-inf…
*** RSA Identity Management and Governance Input Validation Flaws Let Remote and Remote Authenticated Users Conduct Cross-Site Scripting Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1038648
*** FIRST announces availability of new Common Vulnerability Scoring System (CVSS) release ***
---------------------------------------------
Third version aims to make the system more applicable to modern concerns
---------------------------------------------
https://www.first.org/newsroom/releases/20150610
*** [remote] Logpoint < 5.6.4 - Unauthenticated Root Remote Code Execution ***
---------------------------------------------
https://www.exploit-db.com/exploits/42158/?rss
*** DFN-CERT-2017-0993/">libgcrypt: Eine Schwachstelle ermöglicht das Ausspähen von Informationen ***
---------------------------------------------
Ein entfernter, nicht authentisierter Angreifer, der den EdDSA-Sitzungsschlüssel während eines Signaturprozesses in einer Seitenkanalattacke abgreifen kann, kann daraus den 'Long Term Secret Key' rekonstruieren und nachfolgend die Sicherheitsvorkehrung der Sitzungsverschlüsselung umgehen, um Informationen aus Sitzungen auszuspähen.
Der Hersteller stellt libgcrypt 1.7.7 als Sicherheitsupdate bereit.
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-0993/
*** Bugtraq: [security bulletin] HPESBUX03759 rev.1 - HP-UX CIFS Sever using Samba, Multiple Remote Vulnerabilities ***
---------------------------------------------
Potential security vulnerabilities have been identified in HPE HP-UX CIFS
server using Samba. The vulnerabilities can be exploited remotely to allow
authentication bypass, code execution, and unauthorized access.
References: CVE-2017-7494
---------------------------------------------
http://www.securityfocus.com/archive/1/540701
*** Bugtraq: [SECURITY] [DSA 3877-1] tor security update ***
---------------------------------------------
Package : tor
CVE ID : CVE-2017-0376
Debian Bug : 864424
It has been discovered that Tor, a connection-based low-latency
anonymous communication system, contain a flaw in the hidden service
code when receiving a BEGIN_DIR cell on a hidden service rendezvous
circuit. A remote attacker can take advantage of this flaw to cause a
hidden service to crash with an assertion failure (TROVE-2017-005).
---------------------------------------------
http://www.securityfocus.com/archive/1/540705
*** Bugtraq: [security bulletin] HPESBHF03730 rev.2 - HPE Aruba ClearPass Policy Manager, Multiple Vulnerabilities ***
---------------------------------------------
Potential security vulnerabilities have been identified in HPE Aruba
ClearPass Policy Manager. The vulnerabilities could be remotely exploited to allow access restriction bypass, arbitrary command execution, cross site
scripting (XSS), escalation of privilege and disclosure of information.
References: CVE-2017-5824, CVE-2017-5825, CVE-2017-5826, CVE-2017-582, CVE-2017-5828, CVE-2017-5829, CVE-2017-5647
---------------------------------------------
http://www.securityfocus.com/archive/1/540704
*** Security Advisory - Memory Double Free Vulnerability in Touch Panel Driver of Some Huawei Smart Phones ***
---------------------------------------------
The Touch Panel (TP) driver of some Huawei smart phones has a memory double free vulnerability. An attacker with the root privilege of the Android system tricks a user into installing a malicious application, and the application can start multiple threads and try to free specific memory, which could triggers double free and causes a system crash or arbitrary code execution. (Vulnerability ID: HWPSIRT-2017-04111)
CVE-2017-8141.
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170612-…
*** Security Advisory - Multiple Vulnerabilities in UMA Products ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170612-…
*** Linux Muldrop.14: Cryptomining-Malware befällt ungeschützte Raspberry Pi ***
---------------------------------------------
Eine neue Malware befällt ausschließlich Raspberry Pi und nutzt die Geräte, um Cryptowährungen zu minen. Nutzer können sich relativ leicht dagegen schützen. (Security, Malware)
---------------------------------------------
https://www.golem.de/news/linux-muldrop-14-cryptomining-malware-befaellt-un…
*** Vuln: VMware Horizon View Client CVE-2017-4918 Command Injection Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/98984
*** DFN-CERT-2017-1012/">Sophos UTM: Mehrere Schwachstellen ermöglichen Denial-of-Service-Angriffe ***
---------------------------------------------
Mehrere Schwachstellen in den Komponenten BIND, Kernel, NTP, OpenSSL und OpenVPN ermöglichen einem entfernten, in vielen Fällen nicht authentisierten Angreifer verschiedene Denial-of-Service (DoS)-Angriffe auf Sophos UTM.
Sophos veröffentlicht die Sophos UTM Software in Version 9.501 als Maintenance Release zur Behebung der genannten Schwachstellen. Darüber hinaus werden verschiedene weitere Programmfehler aus den Bereichen AWS, Basesystem, Confd, Email, Network, Reporting, RESTD, Sandboxd, WAF, Web, WebAdmin und WiFi behoben.
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1012/
*** Pwn2Own: Safari sandbox part 1 - Mount yourself a root shell ***
---------------------------------------------
Today we have CVE-2017-2533 / ZDI-17-357 for you, a race condition in a macOS system service which could be used to escalate privileges from local admin to root. We used it in combination with other logic bugs to escape the Safari sandbox at this year's Pwn2Own competition.
---------------------------------------------
https://phoenhex.re/2017-06-09/pwn2own-diskarbitrationd-privesc
*** Industroyer: Fortgeschrittene Malware soll Energieversorgung der Ukraine gekappt haben ***
---------------------------------------------
Sicherheitsforscher haben nach eigenen Angaben eine Art zweites Stuxnet entdeckt: Einen Trojaner, der auf die Steuerung von Umspannwerken zugeschnitten ist. Er soll für Angriffe auf den ukrainischen Stromversorger Ukrenergo verantwortlich sein.
---------------------------------------------
https://heise.de/-3740606
*** CSIRT maturity evaluation process - How is CSIRT maturity assessed? ***
---------------------------------------------
ENISA has published a new practical guide for CSIRTs so that they are better prepared to protect their constituencies and improve teams maturity.
---------------------------------------------
https://www.enisa.europa.eu/news/enisa-news/csirt-maturity-evaluation-proce…
*** Vuln: D-Link DIR-615 Wireless N 300 Router CVE-2017-9542 Authentication Bypass Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/98992
*** Healthcare Industry Cybersecurity Report ***
---------------------------------------------
New US government report: "Report on Improving Cybersecurity in the Health Care Industry." Its pretty scathing, but nothing in it will surprise regular readers of this blog.Its worth reading the executive summary, and then skimming the recommendations. Recommendations are in six areas.The Task Force identified six high-level imperatives by which to organize its recommendations and action items. The imperatives are:Define and streamline leadership, governance, and expectations for
---------------------------------------------
https://www.schneier.com/blog/archives/2017/06/healthcare_indu.html
*** Behind the CARBANAK Backdoor ***
---------------------------------------------
In this blog, we will take a closer look at the powerful, versatile backdoor known as CARBANAK (aka Anunak). Specifically, we will focus on the operational details of its use over the past few years, including its configuration, the minor variations observed from sample to sample, and its evolution. With these details, we will then draw some conclusions about the operators of CARBANAK. For some additional background on the CARBANAK backdoor, see the papers by Kaspersky and Group-IB and Fox-It.
---------------------------------------------
http://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-bac…
*** Erste SambaCry-Angriffe: Trojaner schürft Kryptowährung auf Linux-Servern ***
---------------------------------------------
Sicherheitsforscher haben einen Trojaner entdeckt, der durch die vor kurzem entdeckte Samba-Lücke in Linux-Server einbricht und dann mit deren Hardware Kryptogeld erzeugt.
---------------------------------------------
https://heise.de/-3740976
*** OSX/MacRansom; analyzing the latest ransomware to target macs ***
---------------------------------------------
Looks like somebody on the dark web is offering Ransomware as a Service...that's designed to infect Macs!
---------------------------------------------
https://objective-see.com/blog/blog_0x1E.html
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Jazz Team Server affect IBM Rational products based on IBM Jazz technology ***
http://www.ibm.com/support/docview.wss?uid=swg22004534
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects Rational Insight ***
http://www-01.ibm.com/support/docview.wss?uid=swg22003367
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects Rational Reporting for Development Intelligence ***
http://www-01.ibm.com/support/docview.wss?uid=swg22003366
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in OpenSSH affects IBM Integrated Management Module (IMM) for System x & BladeCenter ***
http://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=migr-50…
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Integrated Management Module (IMM) for System x & BladeCenter ***
https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=MIGR-5…
---------------------------------------------
*** IBM Security Bulletin: Cross-site scripting vulnerabilities affect IBM Rational Quality Manager ***
http://www.ibm.com/support/docview.wss?uid=swg22004428
---------------------------------------------
*** IBM Security Bulletin: IBM Maximo Asset Management could allow a remote authenticated attacker to execute arbitrary commands on the system as administrator (CVE-2016-9984) ***
http://www.ibm.com/support/docview.wss?uid=swg21998608
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Spectrum Control and Tivoli Storage Productivity Center (CVE-2016-5597 CVE-2016-5546 CVE-2016-5548 CVE-2016-5549 CVE-2016-5547 CVE-2016-2183) ***
http://www.ibm.com/support/docview.wss?uid=swg21998779
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in WebSphere Application Server affect IBM Spectrum Control and Tivoli Storage Productivity Center (CVE-2016-9736, CVE-2016-8934, CVE-2016-8919) ***
http://www.ibm.com/support/docview.wss?uid=swg21999544
---------------------------------------------
*** IBM Security Bulletin: Java Platform Standard Edition Vulnerability in Multiple N Series Products (CVE-2016-0636) ***
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010085
---------------------------------------------
*** IBM Security Bulletin: Java Platform Standard Edition Vulnerability in Multiple N Series Products (CVE-2016-0603) ***
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010086
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 08-06-2017 18:00 − Freitag 09-06-2017 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Is WannaCry Really Ransomware? ***
---------------------------------------------
This post summarizes the significant efforts of a McAfee threat research team that has been relentless in its efforts to gain a deeper understanding of the WannaCry ransomware. We would like to specifically acknowledge Christiaan Beek, Lynda ..
---------------------------------------------
https://securingtomorrow.mcafee.com/executive-perspectives/wannacry-really-…
*** Phishing Leveraging the Sucuri Brand ***
---------------------------------------------
We are always on guard for phishing emails and websites that might try to compromise our customers or employees, so that we can be on top of the issue and warn as many people as possible. Targeted ..
---------------------------------------------
https://blog.sucuri.net/2017/06/phishing-leveraging-sucuri-brand.html
*** Windows 10 Creators Update provides next-gen ransomware protection ***
---------------------------------------------
Multiple high-profile incidents have demonstrated that ransomware can have catastrophic effects on all of us. From personally losing access to your own digital property, to being ..
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2017/06/08/windows-10-creators-upd…
*** Mouse Over, Macro: Spam Run in Europe Uses Hover Action to Deliver Banking Trojan ***
---------------------------------------------
We found another unique method being used to deliver malware—abusing the action that happens when simply hovering the mouse’s pointer over a hyperlinked picture or text in a PowerPoint ..
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/mouseover-otlard…
*** Hacker stehlen "Cyberpunk 2077"-Daten und erpressen Hersteller CD Projekt ***
---------------------------------------------
"The Wicher 3"-Entwickler gab Diebstahl in einer Stellungnahme bekannt
---------------------------------------------
http://derstandard.at/2000059016376
*** In eigener Sache: Umstellung auf wöchentliches Wartungsfenster ***
---------------------------------------------
Um die Administration zu erleichtern, werden wir ab 22. 6. 2017 auf ein wöchentliches Wartungsfenster umstellen: dieses wird jeweils am Donnerstag von 19-22h sein. Falls also ..
---------------------------------------------
http://www.cert.at/services/blog/20170609114214-2029.html
*** Android-Trojaner Dvmap kompromittiert Systeme wie kein anderer ***
---------------------------------------------
Sicherheitsforscher warnen vor einem Schädling in Google Play, der Android-Geräte mit bisher unbekannten Methoden komplett in seine Gewalt bringen kann.
---------------------------------------------
https://heise.de/-3739451
*** Steirische WK richtet Hotline für Firmen gegen Cyberangriffe ein ***
---------------------------------------------
Pilotversuch startet in der Steiermark – Mehr als jedes fünfte Unternehmen bereits Opfer von Angriffen aus dem Netz
---------------------------------------------
http://derstandard.at/2000059028695
*** SSA-023589 (Last Update 2017-06-09): SMBv1 Vulnerabilities in Advanced Therapy Products from Siemens Healthineers ***
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-023589…
*** Microsoft: OpenBSD kommt für die Azure-Cloud ***
---------------------------------------------
Das Unix-Betriebssystem OpenBSD gilt als besonders sicher und stabil. Microsoft erkennt dessen Potential und macht es für Azure verfügbar. Dazu kooperiert das Unternehmen mit ..
---------------------------------------------
https://www.golem.de/news/microsoft-openbsd-kommt-fuer-die-azure-cloud-1706…
*** DomainTools 101: DNS Shadow Hack-Attacked ***
---------------------------------------------
In this article we will dive into the attack vector known as domain shadowing, and how it can land an ..
---------------------------------------------
https://blog.domaintools.com/2017/06/domaintools-101-dns-shadow-hack-attack…
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 07-06-2017 18:00 − Donnerstag 08-06-2017 18:00
Handler: Alexander Riepl
Co-Handler: Olaf Schwarz
*** Deceptive Advertisements: What they do and where they come from ***
---------------------------------------------
About a week ago, a reader asked for help with a nasty typo squatting incident: The site, yotube.com, at the time redirected to fake tech support sites. These sites typically pop up a message alerting the user of a made-up problem and offer a phone number for tech support. Investigating the site, I found ads, all of which can be characterized as deceptive.
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=22494
*** SSTIC 2017 Wrap-Up Day #1 ***
---------------------------------------------
I’m in Rennes, France to attend my very first edition of the SSTIC conference. SSTIC is an event organised in France, by and for French people. The acronym means “Symposium sur la sécurité des technologies de l’information et des communications“. The event has a good reputation about its content but is also known to have a very strong policy to sell tickets.
---------------------------------------------
https://blog.rootshell.be/2017/06/08/sstic-2017-wrap-day-1/
*** Summer STEM for Kids ***
---------------------------------------------
Its summertime and your little hackers need something to keep them busy! Let look at some of the options for kids to try out. Ive tried out each of these programs and have had good luck with them. Please post in comments any site you have been successful with your kids in teaching them STEM or IT Security.
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=22496
*** Sicherheitsupdates: VMware vSphere Data Protection angreifbar ***
---------------------------------------------
In einer Komponente von vSphere klaffen zwei als kritisch eingestufte Lücken, über die Angreifer beliebige Befehle ausführen und Log-in-Daten abziehen können.
---------------------------------------------
https://heise.de/-3737673
*** Foscam: IoT-Hersteller ignoriert Sicherheitslücken monatelang ***
---------------------------------------------
Die IoT-Apokalypse hört nicht auf: Erneut wurden zahlreiche Schwachstellen in einer IP-Kamera dokumentiert. Der Hersteller reagiert mehrere Monate lang nicht auf die Warnungen.
---------------------------------------------
https://www.golem.de/news/foscam-iot-hersteller-ignoriert-sicherheitsluecke…
*** A new Linux Malware targets Raspberry Pi devices to mine Cryptocurrency ***
---------------------------------------------
Security researchers at Dr. Web discovered two new Linux Malware, one of them mines for cryptocurrency using Raspberry Pi Devices. Malware researchers at the Russian antivirus maker Dr.Web have discovered a new Linux trojan, tracked as Kinux.MulDrop.14, that is infecting Raspberry Pi devices with the purpose of mining cryptocurrency.
---------------------------------------------
http://securityaffairs.co/wordpress/59842/malware/linux-malware-raspberry-p…
*** The Reigning King of IP Camera Botnets and its Challengers ***
---------------------------------------------
Early this month we discussed a new Internet of Things (IoT) botnet called Persirai (detected by Trend Micro as ELF_PERSIRAI.A), which targets over 1000 Internet Protocol (IP) camera models. Currently, through Shodan and our own research, we see that 64% of tracked IP cameras with custom http servers are infected with Persirai. But, because these cameras are such common targets, there is some competition between malware.
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/XMVX_tvNlNw/
*** Versehentlich aktiviertes Debugging-Tool gefährdet Cisco Data Center Network Manager ***
---------------------------------------------
Sicherheitsupdates schließen zum Teil als kritisch eingestufte Lücken in Cisco AnyConnect, DCNM und TelePresence.
---------------------------------------------
https://heise.de/-3737633
*** Cisco Prime Data Center Network Manager Debug Remote Code Execution Vulnerability ***
---------------------------------------------
A vulnerability in the role-based access control (RBAC) functionality of Cisco Prime Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to access sensitive information or execute arbitrary code with root privileges on an affected system.
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
*** Cisco Context Service SDK Arbitrary Code Execution Vulnerability ***
---------------------------------------------
A vulnerability in the update process for the dynamic JAR file of the Cisco Context Service software development kit (SDK) could allow an unauthenticated, remote attacker to execute arbitrary code on the affected device with the privileges of the web server.The vulnerability is due to insufficient validation of the update JAR files signature.
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 06-06-2017 18:00 − Mittwoch 07-06-2017 18:00
Handler: Alexander Riepl
Co-Handler: Olaf Schwarz
*** Rockwell Automation PanelView Plus 6 700-1500 ***
---------------------------------------------
This advisory contains mitigation details for a missing authorization vulnerability in Rockwell Automation's PanelView Plus 6 700-1500.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-17-157-01
*** Digital Canal Structural Wind Analysis ***
---------------------------------------------
This advisory contains mitigation details for a stack-based buffer overflow vulnerability in Digital Canal Structural's Wind Analysis.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-17-157-02
*** Curiosity Kills Security When it Comes to Phishing ***
---------------------------------------------
The results of an academic experiment reveal that recipients of Facebook messages are much more likely to click on suspicious links.
---------------------------------------------
http://threatpost.com/curiosity-kills-security-when-it-comes-to-phishing/12…
*** Privileges and Credentials: Phished at the Request of Counsel ***
---------------------------------------------
Summary In May and June 2017, FireEye observed a phishing campaign targeting at least seven global law and investment firms. We have associated this campaign with APT19, a group that we assess is composed of freelancers, with some degree of sponsorship by the Chinese government.
---------------------------------------------
http://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-…
*** Russische Hacker erteilen Befehle über Britney Spears Instagram ***
---------------------------------------------
Adresse von Kontrollserver wurde in Nutzerkommentar zu Foto des Popstars versteckt.
---------------------------------------------
http://derstandard.at/2000058853606
*** VMware-Admins aufgepasst: Es gibt wichtige Updates für ESXi ***
---------------------------------------------
Wer Version 6.0 des ESXi-Hypervisors von VMware einsetzt, sollte Zeit zum Patchen einplanen. Einige Bugs und Sicherheitslücken wollen ausgebügelt werden.
---------------------------------------------
https://heise.de/-3736872
*** [2017-06-07] Various WiMAX CPEs Authentication Bypass ***
---------------------------------------------
Various WiMAX routers by GreenPacket, Huawei, MADA, MitraStar, ZTE and ZyXEL are affected by an authentication bypass vulnerability that allows an attacker to take over the web interface.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2017…
*** Ghosts from the past: Authentication bypass and OEM backdoors in WiMAX routers ***
---------------------------------------------
SEC Consult has found a vulnerability in several WiMAX routers, distributed by WiMAX ISPs to subscribers. The vulnerability allows an attacker to change the password of the admin user.
---------------------------------------------
http://blog.sec-consult.com/2017/06/ghosts-from-past-authentication-bypass.…
*** PLATINUM continues to evolve, find ways to maintain invisibility ***
---------------------------------------------
Back in April 2016, we released the paper PLATINUM: Targeted attacks in South and Southeast Asia, where we detailed the tactics, techniques, and procedures of the PLATINUM activity group.
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2017/06/07/platinum-continues-to-e…
*** VMSA-2017-0010 ***
---------------------------------------------
vSphere Data Protection (VDP) updates address multiple security issues.
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2017-0010.html
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 02-06-2017 18:00 − Dienstag 06-06-2017 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Hack Brief: Dangerous ‘Fireball’ Adware Infects a Quarter Billion PCs ***
---------------------------------------------
A widespread adware infection hides the ability to inflict far worse than spammy browser tweaks.
---------------------------------------------
https://www.wired.com/2017/06/hack-brief-dangerous-fireball-adware-infects-…
*** FakeGlobe and Cerber Ransomware: Sneaking under the radar while WeCry ***
---------------------------------------------
Recently, we observed a constant influx of spam that distributes two ransomware families, perhaps trying to sneak in while everyone is focused with the recent WannaCry malware. Based on data ..
---------------------------------------------
http://trustwave.com/Resources/SpiderLabs-Blog/FakeGlobe-and-Cerber-Ransomw…
*** Wie Hacker mit ihren Smartphones beim Glücksspiel betrügen ***
---------------------------------------------
Russische Mafia konnte Automaten durch Reverse Engineering durchschauen und per Vibrationsalarm richtigen Moment zum Drücken festlegen
---------------------------------------------
http://derstandard.at/2000052237768
*** DSA-3873 perl - security update ***
---------------------------------------------
The cPanel Security Team reported a time of check to time of use(TOCTTOU) race condition flaw in File::Path, a core module from Perl to create or remove directory trees. An attacker can take ..
---------------------------------------------
https://www.debian.org/security/2017/dsa-3873
*** 53 Percent of Enterprise Flash Installs are Outdated ***
---------------------------------------------
More than half of enterprises are exposing themselves to unnecessary risk by running out-of-date versions of Flash.
---------------------------------------------
http://threatpost.com/53-percent-of-enterprise-flash-installs-are-outdated/…
*** 40,000 Subdomains Tied to RIG Exploit Kit Shut Down ***
---------------------------------------------
GoDaddy, along with researchers from RSA Security and other companies, shut down tens of thousands of illegal established subdomains tied to the RIG Exploit Kit.
---------------------------------------------
http://threatpost.com/40000-subdomains-tied-to-rig-exploit-kit-shut-down/12…
*** Passwortmanager: Kundendaten von Onelogin gehackt ***
---------------------------------------------
Ein Passwortmanager soll Nutzern helfen, sichere Passwörter zu generieren und sicher zu speichern. Bei dem Betreiber Onelogin wurden jedoch zahlreiche Informationen von Nutzern durch ..
---------------------------------------------
https://www.golem.de/news/passwortmanger-kundendaten-von-onelogin-gehackt-1…
*** Security Advisory 2017-03: Security Update for all OTRS Versions ***
---------------------------------------------
https://www.otrs.com/security-advisory-2017-03-security-update-otrs-version…
*** Security Advisory 2017-02: Security Update for all OTRS Versions ***
---------------------------------------------
https://www.otrs.com/security-advisory-2017-02-security-update-otrs-version…
*** Erpressungstrojaner WannaCry: Mängel im Code steigern Chancen für Opfer ***
---------------------------------------------
Sicherheitsforscher haben sich den Code der Ransomware angeschaut und diverse Schnitzer gefunden. Mit etwas Glück können Opfer wieder Zugriff auf ihre Dateien bekommen.
---------------------------------------------
https://heise.de/-3734698
*** Patchday: Fehlerbereinigte Android-Versionen für Nexus, Pixel & Co. veröffentlicht ***
---------------------------------------------
Google hat mehrere Sicherheitslücken in Android gestopft – darunter auch kritische. Wer ein Google-Gerät besitzt, sollte es zügig aktualisieren. Auch Besitzer von Geräten anderer Hersteller sollten prüfen, ob es eine Aktualisierung gibt.
---------------------------------------------
https://heise.de/-3735188
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 01-06-2017 18:00 − Freitag 02-06-2017 18:00
Handler: Stephan Richter
Co-Handler: Alexander Riepl
*** Phoenix Broadband Technologies LLC PowerAgent SC3 Site Controller ***
---------------------------------------------
This advisory contains mitigation details for a use of hard-coded password vulnerability in the Phoenix Broadband Technologies LLC PowerAgent SC3 Site Controller.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-17-152-01
*** Passwords at the Border ***
---------------------------------------------
The password-manager 1Password has just implemented a travel mode that tries to protect users while crossing borders. It doesnt make much sense. To enable it, you have to create a list of passwords you feel safe traveling with, and then you can turn on the mode ..
---------------------------------------------
https://www.schneier.com/blog/archives/2017/06/passwords_at_th.html
*** Financial malware more than twice as prevalent as ransomware ***
---------------------------------------------
Three Trojans dominated the financial threat landscape in 2016 and attackers increased their focus on corporate ..
---------------------------------------------
https://www.symantec.com/connect/blogs/financial-malware-more-twice-prevale…
*** CIA Malware Can Switch Clean Files With Malware When You Download Them via SMB ***
---------------------------------------------
After taking last week off, WikiLeaks came back today and released documentation on another ..
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cia-malware-can-switch-clean…
*** DSA-3872 nss - security update ***
---------------------------------------------
Several vulnerabilities were discovered in NSS, a set of cryptographic libraries, which may result in denial of service or information disclosure.
---------------------------------------------
https://www.debian.org/security/2017/dsa-3872
*** DSA-3871 zookeeper - security update ***
---------------------------------------------
It was discovered that Zookeeper, a service for maintaining configuration information, didn't restrict access to the computationally expensive wchp/wchc commands which could result in denial of service by elevated CPU consumption.
---------------------------------------------
https://www.debian.org/security/2017/dsa-3871
*** Riverbed SteelHead VCX 9.6.0a Arbitrary File Read ***
---------------------------------------------
https://cxsecurity.com/issue/WLB-2017060017
*** Weak DevOps cryptographic policies increase financial services cyber risk ***
---------------------------------------------
Cryptographic security risks are amplified in DevOps settings, where compromises in development or test environments can spread to production systems and applications. This is a particular issue for financial services organizations, which have ..
---------------------------------------------
https://www.helpnetsecurity.com/2017/06/02/weak-devops-cryptographic-polici…
*** Phishing Campaigns Follow Trends ***
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=22482
*** WannaCry and Vulnerabilities ***
---------------------------------------------
There is plenty of blame to go around for the WannaCry ransomware that spread throughout the Internet earlier this month, disrupting work at hospitals, factories, businesses, and universities. First, there are the writers of the malicious software, which ..
---------------------------------------------
https://www.schneier.com/blog/archives/2017/06/wannacry_and_vu.html
*** Hadoop Servers Expose Over 5 Petabytes of Data ***
---------------------------------------------
Improperly configured HDFS-based servers, mostly Hadoop installs, are exposing over five petabytes of information, according to John Matherly, founder of Shodan, a ..
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hadoop-servers-expose-over-5…
*** IBM Security Bulletin: Vulnerability in Samba affects IBM Netezza Host Management ***
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22003112
*** Check-Point-Bericht: Gefährliche Backdoor in jedem zehnten deutschen Unternehmensnetz ***
---------------------------------------------
Die Fireball getaufte Adware ist mit über 250 Millionen Installationen nicht nur sehr verbreitet, sondern auch sehr gefährlich: Laut Check Point kann sie beliebigen Code auf dem System ausführen und so auch Malware nachladen.
---------------------------------------------
https://heise.de/-3732893
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 31-05-2017 18:00 − Donnerstag 01-06-2017 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Aufgepasst: Googles AMP wird zur Tarnung von Phishing-Angriffen missbraucht ***
---------------------------------------------
Russische Hacker benutzen Googles AMP-Dienst, um böse URLs als Google-Dienste zu tarnen. Es ist nur eine Frage der Zeit, bis das Schule macht.
---------------------------------------------
https://heise.de/-3731578
*** Cisco, Netgear Readying Patches for Samba Vulnerability ***
---------------------------------------------
Cisco is prepping fixes for two of its products affected by last weeks Samba vulnerability. Netgear has also pushed out a fix for NAS devices that were affected.
---------------------------------------------
http://threatpost.com/cisco-netgear-readying-patches-for-samba-vulnerabilit…
*** Sharing Private Data with Webcast Invitations, (Thu, Jun 1st) ***
---------------------------------------------
Last week, at a customer, we received a forwarded emailin a shared mailbox. It was somebody from another department that shared an invitation for a webcast that could be interesting for you, guys!. This time, no phishing attempt, no malware, just a regular email sent from a well-known security vendor. A colleague was interested in the webcast and clicked on the registration link. He was redirected to a page and was surprised to see all the fields already prefilled with the personal details of [...]
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=22478&rss
*** Motorcycle Gang Busted For Hacking and Stealing Over 150 Jeep Wranglers ***
---------------------------------------------
An anonymous reader writes: "The FBI has arrested members of a motorcycle gang accused to have hacked and stolen over 150 Jeep Wranglers from Southern California, which they later crossed the border into Mexico to have stripped down for parts," reports Bleeping Computer. What stands apart is how the gang operated. This involved gang members getting the Jeep Wrangler VIN (Vehicle Identification Number), accessing a proprietary Jeep database, and getting two codes needed to create a [...]
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/xYKBhycly0Q/motorcycle-gang…
*** An Elegant Way to Ruin Your Company's Day - Introduction to Public AWS EBS Snapshots ***
---------------------------------------------
TL;DR Creating public (unencrypted) EBS Snapshots might not be a great idea. Even if you are going to share them "just for a second". A lot can be fished out of these snapshots: ssh keys, tls/ssl certificates, aws credentials, private source code and internal (extremely) valuable HR/Accounting/IT documents.
---------------------------------------------
https://www.nvteh.com/news/problems-with-public-ebs-snapshots
*** Credit Card Breach at Kmart Stores. Again. ***
---------------------------------------------
For the second time in less than three years, Kmart Stores is battling a malware-based security breach of its store credit card processing systems. Last week I began hearing from smaller banks and credit unions who said they strongly suspected another card breach at Kmart. Some of those institutions received alerts from the credit card companies about batches of stolen cards that all had one thing in comment: They were all used at Kmart locations. Ask to respond to rumors about a card breach, [...]
---------------------------------------------
https://krebsonsecurity.com/2017/05/credit-card-breach-at-kmart-stores-agai…
*** NCSC releases factsheet Indicators of Compromise ***
---------------------------------------------
In order to observe malicious digital activities within an organisation, Indicators of Compromise (IoCs) are a valuable asset. With IoCs, organisations can gain quick insights at central points in the network into malicious digital activities. When your organisation observes these activities, it is important to know what you can do to trace back which system is infected. Obtain as much contextual information with an IoC as possible, so that you get a clear picture of what is happening and how
---------------------------------------------
https://www.ncsc.nl/english/current-topics/news/ncsc-releases-factsheet-ind…
*** WannaCry Development Errors Enable File Recovery ***
---------------------------------------------
Researchers at Kaspersky Lab have found a number of programming errors in the WannaCry ransomware code that put file recovery within reach of sysadmins.
---------------------------------------------
http://threatpost.com/wannacry-development-errors-enable-file-recovery/1260…
*** OneLogin suffers data breach, again ***
---------------------------------------------
OneLogin, a popular single sign-on service that allows users to access thousands of popular cloud-based apps with just one password, has suffered what seems to be a serious data breach. According to a short blog post by the company's Chief Information Security Officer Alvaro Hoyos, they discovered the breach when, on Wednesday, they detected unauthorized access to OneLogin data in their US data region.
---------------------------------------------
https://www.helpnetsecurity.com/2017/06/01/onelogin-data-breach/
*** [webapps] OV3 Online Administration 3.0 - Remote Code Execution ***
---------------------------------------------
OV3 Online Administration 3.0 - Remote Code Execution
---------------------------------------------
https://www.exploit-db.com/exploits/42096/?rss
*** Indicators Associated With WannaCry Ransomware (Update H) ***
---------------------------------------------
This updated alert is a follow-up to the updated alert titled ICS-ALERT-17-135-01G Indicators Associated With WannaCry Ransomware that was published May 30, 2017, on the NCCIC/ICS-CERT web site.
---------------------------------------------
https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-135-01H
*** Security Advisory - Multiple Security Vulnerabilities in HedEx product ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170531-…
*** DFN-CERT-2017-0945: Red Hat CloudForms Management Engine: Zwei Schwachstellen ermöglichen u.a. das Ausspähen von Informationen ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-0945/
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: IBM Maximo Asset Management could allow a remote attacker to hijack a user's session, caused by the failure to invalidate an existing session identifier (CVE-2016-9977) ***
http://www.ibm.com/support/docview.wss?uid=swg22003981
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in expat, nss, bind , policycoreutils, sudo shipped with SmartCloud Entry Appliance ***
http://www-01.ibm.com/support/docview.wss?uid=isg3T1025119
---------------------------------------------
*** IBM Security Bulletin: Apache Tomcat vulnerability affects IBM Storwize V7000 Unified (CVE-2016-6816, CVE-2016-6817, CVE-2016-8735 ) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1009962
---------------------------------------------
*** IBM Security Bulletin: IBM Spectrum Protect (formerly Tivoli Storage Manager) Windows Client password exposure (CVE-2016-8939) ***
http://www.ibm.com/support/docview.wss?uid=swg22003738
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Spectrum Protect (formerly Tivoli Storage Manager) Client and IBM Spectrum Protect (formerly Tivoli Storage Manager) for Virtual Environments: Data Protection for VMware ***
http://www.ibm.com/support/docview.wss?uid=swg22003673
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos Metrics Manager ***
http://www-01.ibm.com/support/docview.wss?uid=swg22004078
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect Tivoli Storage FlashCopy Manager VMware (CVE-2016-6303, CVE-2016-2182, CVE-2016-2177, CVE-2016-2183, CVE-2016-6309, CVE-2016-7052, CVE-2016-2178, CVE-2016-6306) ***
http://www.ibm.com/support/docview.wss?uid=swg22000589
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in the GSKit library affects IBM Cognos Metrics Manager ***
http://www-01.ibm.com/support/docview.wss?uid=swg22004075
---------------------------------------------
*** IBM Security Bulletin: Multiple Security vulnerabilities in WebSphere Application Server Community Edition ***
http://www-01.ibm.com/support/docview.wss?uid=swg22002267
---------------------------------------------
*** IBM Security Bulletin: Multiple Mozilla Firefox vulnerability issues in IBM SONAS ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1010243
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Cognos Metrics Manager ***
http://www-01.ibm.com/support/docview.wss?uid=swg22004074
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos Metrics Manager ***
http://www-01.ibm.com/support/docview.wss?uid=swg22004077
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect DB2 Recovery Expert for Linux, Unix and Windows ***
http://www-01.ibm.com/support/docview.wss?uid=swg22002135
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in libxml2 and zlib affect IBM RackSwitch Products ***
http://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=migr-50…
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Asset Analyzer ***
http://www-01.ibm.com/support/docview.wss?uid=swg22003418
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in SSL affect IBM DataPower Gateways (CVE-2017-3731, CVE-2016-7055) ***
http://www.ibm.com/support/docview.wss?uid=swg22003793
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in libX11 affect IBM BladeCenter Advanced Management Module (AMM) ***
https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=MIGR-5…
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in libxml2 affects IBM BladeCenter Advanced Management Module (AMM) ***
https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=MIGR-5…
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in cURL/libcurl affect IBM Flex System FC3171 8Gb SAN Switch and SAN Pass-thru, QLogic 8Gb Intelligent Pass-thru Module & SAN Switch Module for BladeCenter and QLogic Virtual Fabric Extension Module for IBM ***
https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=MIGR-5…
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in OpenSSL affects MegaRAID Storage Manager (CVE-2016-8610) ***
http://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=migr-50…
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in dosfstools affect IBM Integrated Management Module II (IMM2) for System x, Flex and BladeCenter systems ***
https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=MIGR-5…
---------------------------------------------
*** IBM Security Bulletin: IBM Development Package for Apache Spark update of IBM SDK Java Technology Edition ***
http://www-01.ibm.com/support/docview.wss?uid=swg22003200
---------------------------------------------
*** IBM Security Bulletin: IBM Cognos Business Intelligence Server 2017Q2 Security Updater : IBM Cognos Business Intelligence Server is affected by multiple vulnerabilities. ***
http://www.ibm.com/support/docview.wss?uid=swg22004036
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 30-05-2017 18:00 − Mittwoch 31-05-2017 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Personal Security Guide - WiFi Network ***
---------------------------------------------
This is the third part in our series on personal security that offers methods to strengthen your overall security posture. By taking a holistic approach to security, you are protecting your website against attack vectors due to poor security practices in various aspects of your digital life. This post shares some insight on how to secure your network. When we talk about a network, we mean the way you connect to the internet.
---------------------------------------------
https://blog.sucuri.net/2017/05/personal-security-guide-network-connection.…
*** Kritische Infrastruktur: Meldepflicht für IT-Vorfälle deutlich erweitert ***
---------------------------------------------
Die Meldepflicht für IT-Sicherheitsvorfälle ist auf weitere Branchen ausgedehnt worden. Damit steigt die Gesamtzahl auf mehr als 1.600 Einrichtungen in ganz Deutschland.
---------------------------------------------
https://www.golem.de/news/kritische-infrastruktur-meldepflicht-fuer-it-vorf…
*** HospitalGown: Appthority Discovers Backend Exposure of 43TB of Enterprise Data ***
---------------------------------------------
[...] It's understandable that in mobile security we focus on the device, the apps it runs, and the networks it connects to. But what happens to the data from there? Cloud computing and storage are ubiquitous, advertising networks are the default revenue model for many apps, and analytics frameworks are driving design and implementation decisions. We can't ignore where the data goes. Like any other component of the larger system, these backend servers can introduce additional risk, [...]
---------------------------------------------
https://www.appthority.com/mobile-threat-center/blog/hospitalgown-appthorit…http://info.appthority.com/hubfs/website-LEARN-content/Appthority%20Q2-17%2…
*** XData Ransomware Master Decryption Keys Released. Kaspersky Releases Decryptor. ***
---------------------------------------------
In what has become a welcome trend, today another ransomware master decryption key was released on BleepingComputer.com. This time the key that was released is for the XData Ransomware that was targeting the Ukraine around May 19th 2017. [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/security/xdata-ransomware-master-decr…
*** Indicators Associated With WannaCry Ransomware (Update G) ***
---------------------------------------------
This updated alert is a follow-up to the updated alert titled ICS-ALERT-17-135-01F Indicators Associated With WannaCry Ransomware that was published May 25, 2017, on the NCCIC/ICS-CERT web site.
---------------------------------------------
https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-135-01G
*** WannaCry: Two Weeks and 16 Million Averted Ransoms Later ***
---------------------------------------------
[...] What WannaCry does has been extensively documented by others, as seen in reports by BAE Systems, MalwareBytes, Endgame, and Talos. Rather than focusing on the technical functionality of the malware, this article will open a window into our recent experience with managing, mitigating, and tracking the propagation and evolution of the WannaCry outbreak, and the true extent of its reach.
---------------------------------------------
https://blog.kryptoslogic.com/malware/2017/05/29/two-weeks-later.html
*** Analysis of Competing Hypotheses, WCry and Lazarus (ACH part 2), (Wed, May 31st) ***
---------------------------------------------
Introduction In my previous diary, I did a very brief introduction on what the ACH method is [1], so that now all readers, also those who had never seen it before, can have a common basic understanding of it. One more thing I have not mentioned yet is how the scores are calculated. There are three different algorithms: an Inconsistency Counting algorithm, a Weighted Inconsistency Counting algorithm, and a Normalized algorithm [2]. The Weighted Inconsistency Counting algorithm, the one used in [...]
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=22470&rss
*** [webapps] Trend Micro Deep Security version 6.5 - XML External Entity Injection / Local Privilege Escalation / Remote Code Execution ***
---------------------------------------------
https://www.exploit-db.com/exploits/42089/?rss
*** Vulnerability in Samba Affecting Cisco Products: May 2017 ***
---------------------------------------------
On May 24, 2017, the Samba team disclosed a vulnerability in Samba server software that could allow an authenticated attacker to execute arbitrary code remotely on a targeted system.This vulnerability has been assigned CVE ID CVE-2017-7494This advisory is available at the following link:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/… On May 24, 2017, the Samba team disclosed a vulnerability in Samba server software that could allow an authenticated [...]
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
*** Huawei Security Advisories ***
---------------------------------------------
*** Security Advisory - Command Injection Vulnerability in the GaussDB ***
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170531-…
---------------------------------------------
*** Security Advisory - Command Injection Vulnerability in the NetEco ***
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170531-…
---------------------------------------------
*** Security Advisory - Buffer Overflow Vulnerability in The GaussDB ***
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170531-…
---------------------------------------------
*** Security Advisory - Four Command Injection Vulnerabilities in The FusionSphere OpenStack ***
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170531-…
---------------------------------------------
*** Security Advisory - Authentication Bypass Vulnerability in the Backup Function of GaussDB ***
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170531-…
---------------------------------------------
*** Security Advisory - Two Buffer Overflow Vulnerabilities in the GaussDB ***
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170531-…
---------------------------------------------
*** Security Advisory - Two Privilege Escalation Vulnerabilities in the GaussDB ***
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170531-…
---------------------------------------------
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Multiple Vulnerabilities in tcpdump affect AIX ***
http://aix.software.ibm.com/aix/efixes/security/tcpdump_advisory2.asc
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Security Access Manager appliances ***
http://www.ibm.com/support/docview.wss?uid=swg22003237
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Sterling Connect:Direct FTP+ ***
http://www-01.ibm.com/support/docview.wss?uid=swg22003752
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM SDK, Java affect IBM OS Images for Red Hat Linux Systems, AIX-based, and Windows-based deployments. ***
http://www.ibm.com/support/docview.wss?uid=swg22004048
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affects IBM BigFix Compliance Analytics. ***
http://www-01.ibm.com/support/docview.wss?uid=swg22002991
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Tivoli Access Manager for e-business and IBM Security Access Manager for Web ***
http://www.ibm.com/support/docview.wss?uid=swg22003236
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilites in IBM Java Runtime affect Tivoli Storage Manager (IBM Spectrum Protect) for Virtual Environments: Data Protection for VMware and FlashCopy Manager (IBM Spectrum Protect Snapshot) for VMware ***
http://www.ibm.com/support/docview.wss?uid=swg22000212
---------------------------------------------
*** IBM Security Bulletin: IBM Security Access Manager appliances may be affected by a kernel vulnerability known as the Dirty COW bug (CVE-2016-5195) ***
http://www.ibm.com/support/docview.wss?uid=swg21997991
---------------------------------------------
*** IBM Security Bulletin: MQ Explorer directory created with owner '555' on Linux x86-64 vulnerability affects IBM MQ (CVE-2016-6089) ***
http://www-01.ibm.com/support/docview.wss?uid=swg22003509
---------------------------------------------
*** IBM Security Bulletin: Multiple Vulnerabilities in OpenSSL affect IBM Spectrum Protect (formerly Tivoli Storage Manager) Client and IBM Spectrum Protect (formerly Tivoli Storage Manager) for Virtual Environments: Data Protection for VMware ***
http://www.ibm.com/support/docview.wss?uid=swg22003620
---------------------------------------------
*** IBM Security Bulletin: Multiple Vulnerabilities in OpenSSL affect IBM Spectrum Protect (formerly Tivoli Storage Manager) Client and IBM Spectrum Protect (formerly Tivoli Storage Manager) for Virtual Environments: Data Protection for VMware ***
http://www.ibm.com/support/docview.wss?uid=swg22003480
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 29-05-2017 18:00 − Dienstag 30-05-2017 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Chrome Bug Allows Sites to Record Audio and Video Without a Visual Indicator ***
---------------------------------------------
Ran Bar-Zik, a web developer at AOL, has discovered and reported a bug in Google Chrome that allows websites to record audio and video without showing a visual indicator. [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/security/chrome-bug-allows-sites-to-r…
*** 5 incident response practices that keep enterprises from adapting to new threats ***
---------------------------------------------
Security analysts within enterprises are living a nightmare that never ends. 24 hours a day, their organizations are being attacked by outside (and sometimes inside) perpetrators - hackers, hacktivists, competitors, disgruntled employees, etc. Attacks range in scope and sophistication, but are always there, haunting the security teams tasked with guarding against them. To cope with this never-ending, ever-changing slew of threats, most organizations rely on established best practices to [...]
---------------------------------------------
https://www.helpnetsecurity.com/2017/05/30/incident-response-practices/
*** Darauf sollen Unternehmer bei der IT-Sicherheit achten ***
---------------------------------------------
Nahezu jeden Tag werden Cyberangriffe auf Unternehmen publik. Der Schaden ist oft erheblich. Wer ein paar einfache Tipps beachtet, kann das Risiko deutlich reduzieren.
---------------------------------------------
https://futurezone.at/b2b/darauf-sollen-unternehmer-bei-der-it-sicherheit-a…
*** Erpressungstrojaner Jaff: Vorsicht vor Mails mit PDF-Anhang ***
---------------------------------------------
Derzeit landen vermehrt E-Mails mit einem manipulierten PDF-Dokument in Posteingängen. Wer das Dokument unter Windows öffnet, kann sich die Ransomware Jaff einfangen. Diese verschlüsselt Daten und versieht sie mit der Dateiendung .wlc.
---------------------------------------------
https://heise.de/-3728073
*** FreeRADIUS: Anmelde-Server dank Sicherheitslücke viel zu gutgläubig ***
---------------------------------------------
Bei der Wiederaufnahme von TLS-Verbindungen überprüft der Anmelde-Server FreeRADIUS unter Umständen nicht, ob der Nutzer sich jemals richtig angemeldet hat. Für eine Software, die Anmeldungen prüfen soll, ist das fatal.
---------------------------------------------
https://heise.de/-3728535
*** SANS Securing the Human Security Awareness Report 2017 ***
---------------------------------------------
[...] The report highlights what successful programs do right to change behavior and what lagging programs can do to improve and move beyond compliance.
---------------------------------------------
https://securingthehuman.sans.org/resources/security-awareness-report-2017https://securingthehuman.sans.org/media/resources/STH-SecurityAwarenessRepo…
*** The Most Common Social Engineering Attacks ***
---------------------------------------------
Many years ago, one of the world's most popular hacker Kevin Mitnick explained in his book "The Art of Deception" the power of social engineering techniques, today we are aware that social engineering can be combined with hacking to power insidious attacks. Let's consider for example social media and mobile platforms; they are considered powerful attack [...]
---------------------------------------------
http://resources.infosecinstitute.com/common-social-engineering-attacks/
*** Serviio PRO 1.8 DLNA Media Streaming Server REST API Arbitrary Code Execution ***
---------------------------------------------
The version of Serviio installed on the remote Windows/Linux host is affected by an unauthenticated password modification vulnerability due to improper access control enforcement of the Configuration REST API. A remote attacker can exploit this, via a specially crafted request, to change the login password for the mediabrowser protected page.
---------------------------------------------
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5408.php
*** IBM Security Bulletin: Security vulnerabilities in IBM Java Runtime affect IBM RLKS Administration and Reporting Tool Admin ***
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22001029
*** IBM Security Bulletin: A vulnerability in IBM Java SDK affects IBM Standards Processing Engine and IBM Transformation Extender Advanced (CVE-2016-5597) ***
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22003602
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 26-05-2017 18:00 − Montag 29-05-2017 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Microsoft Quietly Patches Another Critical Malware Protection Engine Flaw ***
---------------------------------------------
Microsoft quietly patched a critical vulnerability found by Googles Project Zero team in the Malware Protection Engine.
---------------------------------------------
http://threatpost.com/microsoft-quietly-patches-another-critical-malware-pr…
*** Crysis ransomware master keys posted to Pastebin ***
---------------------------------------------
Why would someone release the keys to victims? Who knows, but as the poster who uploaded them says, Enjoy!
---------------------------------------------
https://nakedsecurity.sophos.com/2017/05/26/crysis-ransomware-master-keys-p…
*** File2pcap - A new tool for your toolkit!, (Fri, May 26th) ***
---------------------------------------------
One of our readers, Gebhard, submitted a pointer to a tool today, released byTalos, that I wasnt familiar with. However, when I realized it could generate packets, I had to try it out. Its called File2pcap. The concept of the tool is that instead of having to download a file and capture the traffic in order to write detection content, the tool would simulate the download and generate the traffic that you would see. You get a nice pcap in the end.
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=22456&rss
*** CyberChef a Must Have Tool in your Tool bag!, (Sun, May 28th) ***
---------------------------------------------
This multipurpose and feature rich tool has been available for a while now and is updated regularly. What I find the most interesting is the number of features that are available this tool. CyberChef is fully portable and can be downloaded locally as an simple HTML self-contained page that can run in any browsers or if you prefer, you can download the package from Github and compile it yourself[2] but why bother. Since the code is updated regularly, I find the first option more practical. It [...]
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=22458&rss
*** Analysis of Competing Hypotheses (ACH part 1), (Sun, May 28th) ***
---------------------------------------------
In threat intelligence, by definition, an analyst will most of the times have to perform assessments in an environment of incomplete information, and/or with information that is being produced with the purpose of misleading the analyst. One of the well-known methodologies is the Analysis of Competing Hypotheses (ACH) [1], developed by Richards J. Heuer, Jr., a former CIA veteran. ACH is an analytic process that identifies a set of alternative hypotheses, and assesses whether data available are [...]
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=22460&rss
*** Guidance on Disabling System Services on Windows Server 2016 with Desktop Experience ***
---------------------------------------------
[Primary authors: Dan Simon and Nir Ben Zvi] The Windows operating system includes many system services that provide important functionality. Different services have different default startup policies: some are started by default (automatic), some when needed (manual) and some are disabled by default and must be explicitly enabled before they can run. These defaults were...
---------------------------------------------
https://blogs.technet.microsoft.com/secguide/2017/05/29/guidance-on-disabli…
*** Network Time Protocol updated to spook-harden user comms ***
---------------------------------------------
Network time lords decide we dont need IP address swaps The Internet Engineering Task Force has taken another small step in protecting everybodys privacy - this time, in making the Network Time Protocol a bit less spaffy.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2017/05/29/network_tim…
*** CFP Time ***
---------------------------------------------
We decided to create a website for a clearer view of what conferences are happening all around the world. The project is still in beta and after seeing how the community takes it, we might take it one step further.
---------------------------------------------
https://cfptime.org/cfps/about
*** Dirty COW and why lying is bad even if you are the Linux kernel ***
---------------------------------------------
[...] There have been plenty of articles and blog posts about the exploit, but none of them give a satisfactory explanation on exactly how Dirty COW works under the hood from the kernel's perspective. The following analysis is based on this attack POC, although the idea applies to all other similar attacks.
---------------------------------------------
https://chao-tic.github.io/blog/2017/05/24/dirty-cow
*** DFN-CERT-2017-0928: Microsoft Malware Protection Engine: Mehrere Schwachstellen ermöglichen u.a. die komplette Systemübernahme ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-0928/
*** DFN-CERT-2017-0913: WebKitGTK+: Mehrere Schwachstellen ermöglichen die Ausführung beliebigen Programmcodes und einen Cross-Site-Scripting-Angriff ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-0913/https://webkitgtk.org/security/WSA-2017-0004.html
*** DFN-CERT-2017-0925: FortiOS: Mehrere Schwachstellen ermöglichen u.a. das Erlangen von Administratorrechten ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-0925/
*** Security Advisory - Multiple Vulnerabilities in MTK Platform ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170527-…
*** Bugtraq: Wordpress Plugin Social-Stream - Exposure of Twitter API Secret Key and Token ***
---------------------------------------------
http://www.securityfocus.com/archive/1/540636
*** Bugtraq: [security bulletin] HPESBHF03730 rev.1 - HPE Aruba ClearPass Policy Manager, Multiple Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/540635
*** Bugtraq: [security bulletin] HPESBHF03754 rev.1 - HPE ML10 Gen 9 Server using Intel Xeon E3-1200 v5 Processor, Remote Access Restriction Bypass ***
---------------------------------------------
http://www.securityfocus.com/archive/1/540634
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: IBM PowerVC is affected by vulnerability in OpenStack Nova (CVE-2017-7214) ***
http://www-01.ibm.com/support/docview.wss?uid=nas8N1022011
---------------------------------------------
*** IBM Security Bulletin: A security vulnerability has been identified in Red Hat Enterprise Linux (RHEL) Server shipped with PurePower Integrated Manager (PPIM) (CVE-2017-6462 CVE-2017-6463 CVE-2017-6464) ***
http://www-01.ibm.com/support/docview.wss?uid=isg3T1025209
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDKs affect IBM Virtualization Engine TS7700 - January 2017 ***
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010245
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in libxml2 and zlib affect IBM Virtual Fabric 10Gb Switch Module ***
http://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=migr-50…
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in NTP affect IBM Flex System FC3171 8Gb SAN Switch and SAN Pass-thru, QLogic 8Gb Intelligent Pass-thru Module & SAN Switch Module for BladeCenter and QLogic Virtual Fabric Extension Module for IBM ***
https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=MIGR-5…
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Flex System FC3171 8Gb SAN Switch and SAN Pass-thru, QLogic 8Gb Intelligent Pass-thru Module & SAN Switch Module for BladeCenter and QLogic Virtual Fabric Extension Module for IBM ***
https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=MIGR-5…
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 24-05-2017 18:00 − Freitag 26-05-2017 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Reflections on reflection (attacks) ***
---------------------------------------------
Recently Akamai published an article about CLDAP reflection attacks. This got us thinking. We saw attacks from Conectionless LDAP servers back in November 2016 but totally ignored them because our systems were automatically dropping the attack ..
---------------------------------------------
https://blog.cloudflare.com/reflections-on-reflections/
*** Cloak & Dagger ***
---------------------------------------------
Cloak & Dagger is a new class of potential attacks affecting Android devices. These attacks allow a malicious app to completely control the UI feedback loop and take over the device — without giving the user a chance to notice the malicious activity. These attacks ..
---------------------------------------------
http://cloak-and-dagger.org/
*** Trump’s Dumps: ‘Making Dumps Great Again’ ***
---------------------------------------------
Its not uncommon for crooks who peddle stolen credit cards to seize on iconic American figures of wealth and power in the digital advertisements for these shops that run continuously on various ..
---------------------------------------------
https://krebsonsecurity.com/2017/05/trumps-dumps-making-dumps-great-again/
*** Österreichs Unternehmen sind bei IT-Sicherheit Nachzügler ***
---------------------------------------------
Investitionen in die Sicherheit als Chance verstehen
---------------------------------------------
http://derstandard.at/2000058280565
*** 83% of Security Pros Waste Time Fixing Co-Workers Non-Security Problems ***
---------------------------------------------
Security personnel in many organizations waste time every week helping co-workers with general IT problems, rather than doing their own work, which in the long run, ..
---------------------------------------------
https://www.bleepingcomputer.com/news/technology/83-percent-of-security-pro…
*** Schwere Sicherheitslücke in Samba gefunden ***
---------------------------------------------
Exploits bereits im Netz – Updates sollten rasch eingespielt werden
---------------------------------------------
http://derstandard.at/2000058287863
*** DSA-3863 imagemagick - security update ***
---------------------------------------------
This update fixes several vulnerabilities in imagemagick: Various memory handling problems and cases of missing or incomplete input sanitising ..
---------------------------------------------
https://www.debian.org/security/2017/dsa-3863
*** DSA-3862 puppet - security update ***
---------------------------------------------
It was discovered that unrestricted YAML deserialisation of data sent from agents to the server in the Puppet configuration management ..
---------------------------------------------
https://www.debian.org/security/2017/dsa-3862
*** Manipulierte Webseiten legen Windows lahm ***
---------------------------------------------
Problem mit Dateinamen verlangsamt System bis zum Stillstand – Windows 7, 8 und Vista betroffen
---------------------------------------------
http://derstandard.at/2000058292526
*** Tanze (aktualisierten) Samba mit mir ***
---------------------------------------------
Die Erinnerung an CVE-2017-0144, und die Auswirkungen von WannaCry, ist bei uns allen noch frisch im Gedächtnis verankert, und damit keine Langeweile aufkommt, hat Samba nun ein Advisory bezüglich einer kritischen Schwachstelle veröffentlicht: All versions of Samba ..
---------------------------------------------
http://www.cert.at/services/blog/20170526134531-2020.html
*** FileZilla FTP Client Adds Support for Master Password That Encrypts Your Logins ***
---------------------------------------------
Following years of criticism and user requests, the FileZilla FTP client is finally adding support for a master password ..
---------------------------------------------
https://www.bleepingcomputer.com/news/software/filezilla-ftp-client-adds-su…
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 23-05-2017 18:00 − Mittwoch 24-05-2017 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** FIRST releases version 1.1 of the CSIRT Services Framework ***
---------------------------------------------
The leading association of incident response and security teams released a new version of its CSIRT Services Framework. This is a formal list of services a Computer Security Incident Response Team (CSIRT) may consider implementing to address the needs of their constituency.
---------------------------------------------
https://www.first.org/newsroom/releases/20170524
*** B. Braun Medical SpaceCom Open Redirect Vulnerability ***
---------------------------------------------
This advisory was originally posted to the NCCIC Portal on March 23, 2017, and is being released to the ICS-CERT web site. This advisory contains mitigation details for an open redirect vulnerability in B. Braun Medical's SpaceCom module, which is integrated into the SpaceStation docking station.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSMA-17-082-02
*** Trend Micro ServerProtect for Linux Multiple Bugs Let Remote Users Execute Arbitrary Code and Conduct Cross-Site Scripting and Cross-Site Request Forgery Attacks and Let Local Users Gain Elevated Privileges ***
---------------------------------------------
http://www.securitytracker.com/id/1038548
*** OpenVPN Access Server Input Validation Flaw Lets Remote Users Conduct Session Fixation Attacks to Hijack a Target Users Session ***
---------------------------------------------
A remote user can create a specially crafted URL containing the '%0A' character that, when loaded by the target user prior to authentication, will inject headers and set the session cookie to a specified value. After the target user authenticates to the target OpenVPN Access Server, the remote user can hijack the target user's session.
---------------------------------------------
http://www.securitytracker.com/id/1038547
*** DFN-CERT-2017-0901/">Puppet, Puppet Enterprise: Eine Schwachstelle ermöglicht die Ausführung beliebigen Programmcodes ***
---------------------------------------------
Betroffene Software
Puppet < 4.10.1
Puppet Enterprise < 2016.4.5
Puppet Enterprise < 2017.2.1
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-0901/
*** [Announce] Samba 4.6.4, 4.5.10 and 4.4.14 Available for Download ***
---------------------------------------------
CVE-2017-7494: All versions of Samba from 3.5.0 onwards are vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it.
---------------------------------------------
https://lists.samba.org/archive/samba-announce/2017/000406.html
*** Security Advisory - FRP Bypass Vulnerability in Huawei Smart Phones ***
---------------------------------------------
There is Factory Reset Protection (FRP) bypass security vulnerability in some Huawei smart phones. When re-configuring the mobile phone using the factory reset protection (FRP) function, an attacker can perform some operations to update the Google account. As a result, the FRP function is bypassed. (Vulnerability ID: HWPSIRT-2017-02036). This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2017-2710.
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170524-…
*** Jaff ransomware gets a makeover ***
---------------------------------------------
With all the recent news about WannaCry ransomware, people might forget Jaff is an ongoing threat. Worse yet, some people might not know about it at all since its debut about 2 weeks ago. Jaff has already gotten a makeover, so an infected host looks noticeably different now.
---------------------------------------------
https://isc.sans.edu/diary/Jaff+ransomware+gets+a+makeover/22446
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: multiple vulnerabilities in IBM SDK Java Technology Edition affect IBM Security Guardium Data Redaction. . ***
http://www-01.ibm.com/support/docview.wss?uid=swg22003466
---------------------------------------------
*** IBM Security Bulletin: IBM Maximo Asset Management generates error messages that could reveal sensitive information that could be used in further attacks against the system (CVE-2017-1292) ***
http://www-01.ibm.com/support/docview.wss?uid=swg22003414
---------------------------------------------
*** IBM Security Bulletin: IBM Maximo Asset Management is vulnerable to HTTP response splitting attacks (CVE-2017-1291) ***
http://www.ibm.com/support/docview.wss?uid=swg22003413
---------------------------------------------
*** IBM Security Bulletin: Fix Available for IBM iNotes Cross-Site Scripting Vulnerability (CVE-2017-1325) ***
http://www-01.ibm.com/support/docview.wss?uid=swg22003497
---------------------------------------------
*** IBM Security Bulletin: Multiple Vulnerabilities in the IBM SDK Java Technology Edition affect IBM Notes ***
http://www-01.ibm.com/support/docview.wss?uid=swg22000602
---------------------------------------------
*** IBM Security Bulletin: Multiple Vulnerabilities in the IBM SDK Java Technology Edition affect IBM Domino ***
http://www-01.ibm.com/support/docview.wss?uid=swg22000516
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 22-05-2017 18:00 − Dienstag 23-05-2017 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** EU security think tank ENISA looks for IoT security, cant find any ***
---------------------------------------------
Proposes baseline security spec, plus stickers to prove thing-makers have complied European network and infosec agency ENISA has taken a look at Internet of Things security, and doesnt much like what it sees.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2017/05/23/enisa_propo…
*** Biometrie: Iris-Scanner des Galaxy S8 kann einfach manipuliert werden ***
---------------------------------------------
Schon wieder zeigt sich: Biometrische Merkmale sind praktisch zum Entsperren von Geräten - sicher sind sie hingegen nicht. Ein Hacker hat gezeigt, dass sich der Irisscanner des Galaxy S8 von Samsung mit einem einfachen Foto und einer Kontaktlinse austricksen lässt.
---------------------------------------------
https://www.golem.de/news/biometrie-iris-scanner-des-galaxy-s8-kann-einfach…
*** Preloading in Internet Explorer 11 sends complete browsing history to Microsoft ***
---------------------------------------------
Your entire browsing history will periodically be sent to Microsoft. The data sent includes all addresses you visit and when you visited them (derived from that is also how long you spent on each page), and the address of the page that referred you to each page.
---------------------------------------------
https://ctrl.blog/entry/ie11-flip-out-privacy
*** Windows 10 UAC Bypass Uses "Apps & Features" Utility ***
---------------------------------------------
Malware authors have a new UAC bypass technique at their disposal that they can use to install malicious apps on devices running Windows 10.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/windows-10-uac-bypass-uses-a…
*** Hackers can use subtitles to take over millions of devices running VLC, Kodi, Popcorn Time and Stremio ***
---------------------------------------------
Check Point researchers revealed a new attack vector threatening millions of users of popular media players, including VLC, Kodi (XBMC), Popcorn Time and Stremio. By crafting malicious subtitle files for films and TV programmes, which are then downloaded by viewers, attackers can potentially take complete control of any device running the vulnerable platforms.
---------------------------------------------
https://www.helpnetsecurity.com/2017/05/23/subtitle-hack/
*** [2017-05-23] Arbitrary File Upload & Stored XSS in InvoicePlane ***
---------------------------------------------
Multiple high risk vulnerabilities, such as arbitrary file upload and stored cross site-scripting, within the InvoicePlane software allow an attacker to compromise the affected server.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2017…
*** BIG-IP Azure cloud vulnerability CVE-2017-6131 ***
---------------------------------------------
BIG-IP Azure cloud vulnerability CVE-2017-6131. Security Advisory. Security Advisory Description. In some circumstances ...
---------------------------------------------
https://support.f5.com/csp/article/K61757346
*** Cisco Integrated Management Controller Remote Code Execution Vulnerability ***
---------------------------------------------
A vulnerability in the web-based GUI of Cisco Integrated Management Controller (CIMC) could allow an unauthenticated, remote attacker to perform unauthorized remote command execution on the affected device.The vulnerability exists because the affected software does not sufficiently sanitize specific values that are received as part of a user-supplied HTTP request. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected software. Successful exploitation...
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
*** Cisco Integrated Management Controller Privilege Escalation Vulnerability ***
---------------------------------------------
A vulnerability in the web-based GUI of Cisco Integrated Management Controller (CIMC) could allow an authenticated, remote attacker to elevate the privileges of user accounts on the affected device.The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending crafted HTTP requests to the affected device. Successful exploitation could allow an authenticated attacker to elevate the privileges of user accounts configured on the device.
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in NTP affect IBM Flex System Chassis Management Module (CMM) ***
https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=MIGR-5…
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in xorg-x11-libX11 affect IBM Flex System Chassis Management Module (CMM) ***
https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=MIGR-5…
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in cURL affect IBM Flex System Chassis Management Module (CMM) ***
https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=MIGR-5…
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect MegaRAID Storage Manager ***
https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=migr-5…
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in tcpdump affect IBM Flex System Chassis Management Module (CMM) ***
https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=MIGR-5…
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Web Experience Factory ***
http://www.ibm.com/support/docview.wss?uid=swg22003695
---------------------------------------------
*** IBM Security Bulletin: Directory Traversal vulnerabilities impact IBM Network Advisor. ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1009700
---------------------------------------------
*** IBM Security Bulletin: Rational DOORS Web Access is affected by Apache Tomcat vulnerability (CVE-2016-6816) ***
http://www.ibm.com/support/docview.wss?uid=swg22003660
---------------------------------------------
*** IBM Security Bulletin: Open Source cURL Libcurl, used by BigFix Platform, has security vulnerabilities (CVE-2016-8617 CVE-2016-8624 CVE-2016-8621) ***
http://www-01.ibm.com/support/docview.wss?uid=swg22001818
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Security Access Manager (CVE-2016-5597, CVE-2016-5554) ***
http://www-01.ibm.com/support/docview.wss?uid=swg22002446
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Tivoli Access Manager for e-business and IBM Security Access Manager for Web (CVE-2016-5597, CVE-2016-5554) ***
http://www-01.ibm.com/support/docview.wss?uid=swg22002445
---------------------------------------------