- Daily - CERT.at

Tageszusammenfassung - Montag 22-05-2017
by Daily end-of-shift report 22 May '17

22 May '17

======================= = End-of-Shift report = ======================= Timeframe: Freitag 19-05-2017 18:00 − Montag 22-05-2017 18:00 Handler: Alexander Riepl Co-Handler: Stephan Richter *** Terror Exploit Kit Evolves Into Larger Threat *** --------------------------------------------- The Terror exploit kit has matured into a greater threat and carefully crafts attacks based on a users browser environment. --------------------------------------------- http://threatpost.com/terror-exploit-kit-evolves-into-larger-threat/125816/ *** DSA-3859 dropbear - security update *** --------------------------------------------- https://www.debian.org/security/2017/dsa-3859 *** DSA-3858 openjdk-7 - security update *** --------------------------------------------- Several vulnerabilities have been discovered in OpenJDK, animplementation of the Oracle Java platform, resulting in privilege escalation, denial of service, newline injection in SMTP or use of insecure cryptography. --------------------------------------------- https://www.debian.org/security/2017/dsa-3858 *** WannaCry: Fast nur Windows-7-PCs infiziert *** --------------------------------------------- Mehr als 98 Prozent aller mit WannaCry infizierten PCs laufen nach Zahlen von Kaspersky Lab unter Windows 7. --------------------------------------------- https://heise.de/-3719145 *** Nordkorea unterhält offenbar Spezialeinheit für Cyberangriffe auf Banken *** --------------------------------------------- Soll angeblich hauptsächlich Devisen beschaffen --------------------------------------------- http://derstandard.at/2000058034871 *** Netgear fixes router by adding phone-home features that record your IP and MAC address *** --------------------------------------------- Yeah, that'll be secure for sure Netgear NightHawk R7000 users who ran last weeks firmware upgrade need to check their settings, because the company added a remote data collection feature to the units. --------------------------------------------- www.theregister.co.uk/2017/05/21/netgear_updates_router_with_phone_home_fea… *** "Athena": Mächtiges CIA-Tool knackt alle Windows-Versionen seit XP *** --------------------------------------------- Wikileaks publiziert Dokumente - Umfassende Überwachungsmöglichkeiten, Malware kann auch Daten löschen --------------------------------------------- http://derstandard.at/2000058071298 *** IT threat evolution Q1 2017. Statistics *** --------------------------------------------- According to KSN data, Kaspersky Lab solutions detected and repelled 479,528,279 malicious attacks from online resources located in 190 countries all over the world. File antivirus detected a total of 174,989,956 unique malicious and potentially unwanted objects. --------------------------------------------- http://securelist.com/analysis/quarterly-malware-reports/78475/it-threat-ev… *** Operation "Porto": 159 Dealer im Darknet ausgeforscht *** --------------------------------------------- Ermittlungsverfahren gegen 697 Personen - 35 kg Suchtgift sowie 4.500 Tabletten sichergestellt --------------------------------------------- http://derstandard.at/2000058084813 *** Achtung, Abzocke: Microsoft warnt erneut vor betrügerischen Anrufen *** --------------------------------------------- Mit angeblichen Support-Anrufen von Unternehmen wie Microsoft oder Dell versuchen Betrüger, PC-Besitzer abzuzocken. Trotz einiger Erfolge der Ermittler bleibt das Problem virulent. --------------------------------------------- https://heise.de/-3720168 *** The Problem with OCSP Stapling and Must Staple and why Certificate Revocation is still broken *** --------------------------------------------- Today the OCSP servers from Let's Encrypt were offline for a while. This has caused far more trouble than it should have, because in theory we have all the technologies available to handle such an incident. However due to failures in how they are implemented they don't really work. --------------------------------------------- https://blog.hboeck.de/archives/886-The-Problem-with-OCSP-Stapling-and-Must… *** Was die Datenschutzverordnung bringt: Sammelklagen, Beauftragte *** --------------------------------------------- Nutzer können ab Mai 2018 ihre Rechte leichter durchsetzen, sagt IT-Anwalt Lukas Feiler --------------------------------------------- http://derstandard.at/2000058102109 *** Yahoo schmeisst ImageMagick nach Sicherheitslücke aus eigenem Webmail-Code *** --------------------------------------------- Durch die Schwachstelle konnten Angreifer Speicherinhalte der Yahoo-Server auslesen und so die E-Mail-Anhänge anderer Nutzer ausspionieren. Yahoo schloss die Lücke innerhalb eines selbstverordneten 90-Tage-Ultimatums. --------------------------------------------- https://heise.de/-3720803

1 0

Tageszusammenfassung - Freitag 19-05-2017
by Daily end-of-shift report 19 May '17

19 May '17

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 18-05-2017 18:00 − Freitag 19-05-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** How did the WannaCry Ransomworm spread? *** --------------------------------------------- Security researchers have had a busy week since the WannaCry ransomware outbreak that wreaked havoc on computers worldwide. How did it all happen? --------------------------------------------- https://blog.malwarebytes.com/cybercrime/2017/05/how-did-wannacry-ransomwor… *** Who's responsible for fixing SS7 security issues? *** --------------------------------------------- The WannaCry ransomware onslaught has overshadowed some of the other notable happenings this month, including the spectacular Google-themed phishing/spamming attack, and the news that attackers have managed to exploit vulnerabilities in the SS7 protocol suite to bypass German banks' two-factor authentication and drain their customers' bank accounts. According to the reports, the attackers were able to pull this scheme off by gaining access to the network of a foreign mobile network [...] --------------------------------------------- https://www.helpnetsecurity.com/2017/05/19/ss7-security-issues/ *** Number of HTTPS phishing sites triples *** --------------------------------------------- When, in January 2017, Mozilla and Google made Firefox and Chrome flag HTTP login pages as insecure, the intent was to make phishing pages easier to recognize, as well as push more website owners towards deploying HTTPS. But while the latter aim was achieved, and the number of phishing sites making use of HTTPS has increased noticeably, the move also had one unintended consequence: the number of phishing sites with HTTPS has increased, too. --------------------------------------------- https://www.helpnetsecurity.com/2017/05/19/number-https-phishing-sites-trip… *** Hintergrund: Chrome blockt ab sofort Zertifikate mit Common Name *** --------------------------------------------- Wenn der seit Jahren etablierte, hauseigene Dienst plötzlich den HTTPS-Zugang verwehrt, liegt das vermutlich an einer Neuerung der aktuellen Chrome-Version: Google erzwingt den Einsatz der RFC-konformen "Subject Alt Names" und viele Admins müssen deshalb jetzt Hand anlegen. --------------------------------------------- https://heise.de/-3717594 *** Bypassing Application Whitelisting with BGInfo *** --------------------------------------------- TL;DR: BGinfo.exe older than version 4.22 can be used to bypass application whitelisting using vbscript inside a bgi file. This can run directly from a webdav server. --------------------------------------------- https://msitpros.com/?p=3831 *** "Four Keys to Effective ICS Incident Response" *** --------------------------------------------- While incident response in Information Technology (IT) and Operational Technology (OT) or Industrial Control Systems (ICS) may appear to be very similar, incident response in an ICS environment has different considerations and priorities. Many organizations leverage their existing IT incident response capabilities in an OT environment which may not be ideal for successful incident response [...] --------------------------------------------- http://ics.sans.org/blog/2017/05/19/four-keys-to-effective-ics-incident-res… *** ETERNALBLUE vs Internet Security Suites and nextgen protections *** --------------------------------------------- Due to the recent #wannacry ransomware events, we initiated a quick test in our lab. Most vendors claim to protect against the WannaDecrypt ransomware, and some even claims they protect against ETERNALBLUE exploit (MS17-010). Unfortunately, our tests shows otherwise. Warning: We only tested the exploit and the backdoor, but not the payload (Wannacry)! --------------------------------------------- https://www.mrg-effitas.com/eternalblue-vs-internet-security-suites-and-nex… *** Forensik-Tool soll gelöschte Notizen aus iCloud auslesen können *** --------------------------------------------- Der Softwareanbieter Elcomsoft hat seine App "Phone Breaker" um eine Funktion erweitert, die den Umstand ausnutzt, dass Apple offenbar auch vom Nutzer eigentlich vernichtete Notizen länger aufbewahrt. --------------------------------------------- https://heise.de/-3718361 *** MS17-010 (Ransomware WannaCry) Impact to Cisco Products *** --------------------------------------------- The Cisco PSIRT Team is continuing to investigate the impact of this vulnerability on Cisco products that have not reached end of software maintenance support and that do not support automated or manual updates of the Microsoft patch for these vulnerabilities. Investigation is expected to be completed by Friday, May 19th. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco… *** HPESBGN03748 rev.1 - HPE Cloud Optimizer, Remote Disclosure of Information *** --------------------------------------------- A potential security vulnerability has been identified in HPE Cloud Optimizer. The vulnerability could be remotely exploited resulting in disclosure of information. --------------------------------------------- https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbgn037… *** Bugtraq: Nextcloud/Owncloud - Reflected Cross Site Scripting in error pages *** --------------------------------------------- http://www.securityfocus.com/archive/1/540569 *** DSA-3855 jbig2dec - security update *** --------------------------------------------- Multiple security issues have been found in the JBIG2 decoder library,which may lead to denial of service, disclosure of sensitive informationfrom process memory or the execution of arbitrary code if a malformedimage file (usually embedded in a PDF document) is opened. --------------------------------------------- https://www.debian.org/security/2017/dsa-3855 *** Indicators Associated With WannaCry Ransomware (Update C) *** --------------------------------------------- This updated alert is a follow-up to the updated alert titled ICS-ALERT-17-135-01B Indicators Associated With WannaCry Ransomware that was published May 17, 2017, on the NCCIC/ICS-CERT web site. --------------------------------------------- https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-135-01C *** McAfee Network Data Loss Prevention Multiple Bugs Let Remote Users Conduct Session Hijacking and Cross-Site Scripting Attacks and Obtain Potentially Sensitive Information *** --------------------------------------------- http://www.securitytracker.com/id/1038523 *** VMSA-2017-0009 *** --------------------------------------------- VMware Workstation update addresses multiple security issues --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2017-0009.html *** DFN-CERT-2017-0885: Red Hat JBoss Enterprise Application Platform, RESTEasy: Eine Schwachstelle ermöglicht das Ausführen beliebigen Programmcodes *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0885/ *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Samba vulnerability issue on IBM Storwize V7000 Unified (CVE-2016-2125, CVE-2016-2126) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1010052 --------------------------------------------- *** IBM Security Bulletin: IBM Cisco Switches and Directors vulnerable to Sweet32 Birthday attacks (CVE-2016-2183 CVE-2016-6329). *** http://www.ibm.com/support/docview.wss?uid=ssg1S1010239 --------------------------------------------- *** IBM Security Bulletin: IBM Content Navigator Cross Site Scripting Vulnerability *** http://www-01.ibm.com/support/docview.wss?uid=swg22002356 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in Network Security Services (NSS) component affect SAN Volume Controller, Storwize family and FlashSystem V9000 products. *** http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010118 --------------------------------------------- *** IBM Security Bulletin: Open redirect vulnerability in IBM Business Process Manager (CVE-2017-1159) *** http://www-01.ibm.com/support/docview.wss?uid=swg22000253 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in OpenSSL affect IBM SONAS (CVE-2017-3731) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1010136 ---------------------------------------------

1 0

Tageszusammenfassung - Donnerstag 18-05-2017
by Daily end-of-shift report 18 May '17

18 May '17

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 17-05-2017 18:00 − Donnerstag 18-05-2017 18:00 Handler: Stephan Richter Co-Handler: Alexander Riepl *** Bootstrap - Critical - Information Disclosure - SA-CONTRIB-2017-048 *** --------------------------------------------- This theme enables you to bridge the gap between the Bootstrap Framework and Drupal. The theme does not sufficiently exclude the submitted password value when an incorrect value .. --------------------------------------------- https://www.drupal.org/node/2879177 *** 4022345 - Identifying and correcting failure of Windows Update client to receive updates - Version: 1.3 *** --------------------------------------------- Microsoft is releasing this security advisory to provide information related to an uncommon deployment scenario in which the Windows Update Client may not properly scan for, or download, updates. This scenario may affect customers who installed .. --------------------------------------------- https://technet.microsoft.com/en-us/library/security/4022345 *** iPrint Appliance 2.0 Patch 5 *** --------------------------------------------- iPrint Appliance 2.0 Patch 5 includes bug fixes, security fixes and a consolidation of previously released patches and hot patches for the iPrint Appliance 2.0. --------------------------------------------- https://download.novell.com/Download?buildid=nKiTte1j9yM~ *** iPrint Appliance 2.1 Patch 3 *** --------------------------------------------- iPrint Appliance 2.1 Patch 3 is a cumulative patch including fixes from all the previous 2.1 patches and hot fixes. --------------------------------------------- https://download.novell.com/Download?buildid=4QmSWkUlwrA~ *** Indicators Associated With WannaCry Ransomware (Update B) *** --------------------------------------------- This updated alert is a follow-up to the updated alert titled ICS-ALERT-17-135-01A Indicators Associated With WannaCry Ransomware that was published May 16, 2017, on the NCCIC/ICS-CERT web site. --------------------------------------------- https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-135-01B *** My Little CVE Bot *** --------------------------------------------- The massive spread of the WannaCry ransomware last Friday was another good proof that many organisations still fail to patch their systems. Everybody admits that patching is a boring task. They are many constraints that make this process very difficult to implement .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=22432 *** Handbrake-Trojaner: Quellcode des Mac-Entwicklerstudios Panic entwendet *** --------------------------------------------- Die auf Mac-Nutzer abzielene Malware “Proton” hat ein erstes prominentes Opfer gefordert: Unbekannte klauten den Quelltext zu mehreren Apps des Entwicklerstudios Panic. Kundendaten sind nicht betroffen, betont das Unternehmen. --------------------------------------------- https://heise.de/-3716479 *** Why the most successful Retefe spam campaign never paid off *** --------------------------------------------- Switzerland is one of the main targets of the Retefe banking trojan since its first appearance in November 2013. At .. --------------------------------------------- https://securityblog.switch.ch/2017/05/18/why-the-most-successful-retefe-sp… *** SSB-412479 (Last Update 2017-05-17): Customer Information on WannaCry Malware for Siemens Healthineers Imaging and Diagnostics Products *** --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_bulletin_ssb-412479… *** [2017-05-18] Multiple critical vulnerabilities in Western Digital TV Media Player *** --------------------------------------------- Multiple critical vulnerabilities, such as unauthenticated arbitrary file upload or local file inclusion, within the WDTV Media Player devices allow an attacker to take over the device over the network. --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2017… *** Security Alert: BlueDoom Worm Caught Spreading through EternalBlue, Integrates Batch of Leaked NSA Exploits *** --------------------------------------------- Unfortunately for users who haven’t patched their systems yet after the WannaCry ransomware campaign, there has been an increase in attempts to abuse the EternalBlue exploit in the past few .. --------------------------------------------- https://heimdalsecurity.com/blog/bluedoom-worm-eternablue-nsa-exploits/ *** ATM Black Box attacks: 27 arrested all over Europe *** --------------------------------------------- The efforts of a number of EU Member States and Norway, supported by Europol’s European Cybercrime Centre (EC3) and the Joint Cybercrime Action Taskforce (J-CAT), culminated in the arrest of 27 individuals linked with so-called ATM Black Box attacks across .. --------------------------------------------- https://www.helpnetsecurity.com/2017/05/18/black-box-attacks/ *** 22 Cisco Security Advisories 2017-05-17 *** --------------------------------------------- 1 Critical, 3 High, 18 Medium --------------------------------------------- https://tools.cisco.com/security/center/publicationListing.x

1 0

Tageszusammenfassung - Mittwoch 17-05-2017
by Daily end-of-shift report 17 May '17

17 May '17

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 16-05-2017 18:00 − Mittwoch 17-05-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** Jetzt patchen: Gerfährliche Sicherheitslücke in Joomla *** --------------------------------------------- Das Joomla-Team schließt mit Version 3.7.1 eine SQL-Injection-Lücke, die fatale Folgen haben kann. Joomla-Admins sollten zügig reagieren. --------------------------------------------- https://heise.de/-3716175 *** WordPress-Update 4.7.5 schließt sechs Sicherheitslücken *** --------------------------------------------- Zwar werden keine der Lücken als kritisch eingestuft, Admins sollten sich aber trotzdem um die XSS- und CSRF-Lücken kümmern. --------------------------------------------- https://heise.de/-3716055 *** Extending Microsoft Edge Bounty Program *** --------------------------------------------- Over the past 10 months, we've paid out more than $200,000 USD in bounties to researchers reporting vulnerabilities through the Microsoft Edge Bounty Program. Partnering with the research community has helped improve Microsoft Edge security, and to continue this collaboration, today we're extending the end date of the Edge on Windows Insider Preview (WIP) bounty... --------------------------------------------- https://blogs.technet.microsoft.com/msrc/2017/05/16/extending-microsoft-edg… *** BSI veröffentlicht Mindeststandard für Mobile Device Management *** --------------------------------------------- Der Mindeststandard definiert in 40 technischen und organisatorischen Regeln die Anforderungen an MDM-Systeme des Bundes sowie deren Betrieb. Er definiert, welche Richtlinien ein System umsetzen können muss, lässt aber Spielraum bei deren Ausgestaltung. --------------------------------------------- https://heise.de/-3715500 *** Basic Best Practices for Securing LDAP and Active Directory with Red Hat *** --------------------------------------------- In the enterprise, its very popular to manage Windows client PCs through Red Hat servers. This sort of configuration is especially common in healthcare and the financial services industries. Red Hat Enterprise Linux (RHEL) has good software for working with Windows Active Directory. Red Hat Enterprise Linux can also manage clients with multiple platforms, such as Windows, OS X, Android, and other Linux distributions with OpenLDAP, an opensource implementation of the Lightweight Directory Access [...] --------------------------------------------- https://www.alienvault.com/blogs/security-essentials/basic-best-practices-f… *** Gefälschtes easybank-Schreiben: Konto gesperrt *** --------------------------------------------- Kriminelle versenden eine gefälschte easybank-Nachricht. Darin heißt es, dass Unbekannte auf das Konto zugegriffen haben. Deshalb sollen Kund/innen eine Website aufrufen, persönliche Bankdaten bekannt geben und ihr Konto bestätigen. Wer die verlangten Informationen Preis gibt, übermittelt sie an Verbrecher/innen. --------------------------------------------- https://www.watchlist-internet.at/phishing/gefaelschtes-easybank-schreiben-… *** Why Phishing Attacks Succeed *** --------------------------------------------- The first time I received a "secure" email message from my bank, I was a bit suspicious of what I was actually seeing. It looked too much like a phishing attempt for my comfort. The message in my inbox was from my banker's email address, not from Chase 1 directly. It also included an attached HTML page and instructions to "open the attached page in an browser for instructions on how to proceed." --------------------------------------------- https://ttmm.io/tech/why-phishing-attacks-succeed/ *** How Big Fuzzing helps find holes in open source projects *** --------------------------------------------- Googles beta project, OSS-Fuzz, has found 264 vulnerabilities in 47 open-source projects - so is it an idea whose time has come? --------------------------------------------- https://nakedsecurity.sophos.com/2017/05/17/how-big-fuzzing-helps-find-hole… *** Security Advisory - DoS Vulnerability in Some Huawei Products *** --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170517-… *** SSB-412479 (Last Update 2017-05-16): Customer Information on WannaCry Malware for Siemens Healthineers Imaging and Diagnostics Products *** --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_bulletin_ssb-421479… *** Indicators Associated With WannaCry Ransomware (Update A) *** --------------------------------------------- This updated alert is a follow-up to the original alert titled ICS-ALERT-17-135-01 Indicators Associated With WannaCry Ransomware that was published May 15, 2017, on the NCCIC/ICS-CERT web site. --------------------------------------------- https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-135-01A *** FortiOS stored XSS vulnerability in the policy global-label parameter *** --------------------------------------------- FortiOS is subject to a Cross-Site Scripting vulnerability, due to an improperly sanitized parameter in a hidden CLI configuration setting named global-label . This can however only be exploited by an administrator with write privileges. --------------------------------------------- http://fortiguard.com/psirt/FG-IR-17-057 *** NTP vulnerability CVE-2017-6463 *** --------------------------------------------- NTP vulnerability CVE-2017-6463. Security Advisory. Security Advisory Description. NTP before 4.2.8p10 and 4.3.x before ... --------------------------------------------- https://support.f5.com/csp/article/K02951273 *** Linux kernel vulnerability CVE-2017-8106 *** --------------------------------------------- Linux kernel vulnerability CVE-2017-8106. Security Advisory. Security Advisory Description. The handle_invept function ... --------------------------------------------- https://support.f5.com/csp/article/K34886212 *** Schneider Electric VAMPSET *** --------------------------------------------- This advisory contains mitigation details for a memory corruption vulnerability in Schneider Electric's VAMPSET. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-136-04 *** Detcon SiteWatch Gateway *** --------------------------------------------- This advisory contains mitigation details for authentication bypass and plaintext storage of a password vulnerabilities in Detcon's SiteWatch Gateway. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-136-01 *** Hanwha Techwin SRN-4000 *** --------------------------------------------- This advisory contains mitigation details for an unauthenticated access vulnerability in Hanwha Techwin's SRN-4000. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-136-03 *** Schneider Electric SoMachine HVAC *** --------------------------------------------- This advisory contains mitigation details for buffer overflow and DLL hijack vulnerabilities in Schneider Electric's SoMachine HVAC. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-136-02 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Security Network Protection *** http://www-01.ibm.com/support/docview.wss?uid=swg21999513 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in IBM Java SDK affects IBM Algo One Algo Risk Application and Core (CVE-2016-5546, CVE-2016-5548, CVE-2016-5549, CVE-2016-5547, CVE-2016-2183) *** http://www.ibm.com/support/docview.wss?uid=swg22000818 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Installation Manager and IBM Packaging Utility *** http://www-01.ibm.com/support/docview.wss?uid=swg22003157 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Monitoring *** http://www.ibm.com/support/docview.wss?uid=swg22002865 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Integration Designer and WebSphere Integration Developer *** http://www-01.ibm.com/support/docview.wss?uid=swg22002555 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in Apache Tomcat affects IBM Algo One Core (CVE-2016-8745) *** http://www.ibm.com/support/docview.wss?uid=swg22001932 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in OpenSSH affects IBM Security Network Protection (CVE-2015-8325) *** http://www-01.ibm.com/support/docview.wss?uid=swg21999248 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime IBM affect IBM Decision Optimization Center and IBM ILOG ODM Enterprise *** http://www-01.ibm.com/support/docview.wss?uid=swg22003304 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM ILOG CPLEX Optimization Studio *** http://www-01.ibm.com/support/docview.wss?uid=swg22003305 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in GNU C library (glibc) affect IBM Security Network Protection *** http://www-01.ibm.com/support/docview.wss?uid=swg22001907 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Security Network Protection (CVE-2016-8610, and CVE-2017-3731) *** http://www-01.ibm.com/support/docview.wss?uid=swg21999162 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in NTP affect IBM Security Network Protection *** http://www-01.ibm.com/support/docview.wss?uid=swg21999246 ---------------------------------------------

1 0

Tageszusammenfassung - Dienstag 16-05-2017
by Daily end-of-shift report 16 May '17

16 May '17

======================= = End-of-Shift report = ======================= Timeframe: Montag 15-05-2017 18:00 − Dienstag 16-05-2017 18:00 Handler: Petr Sikuta Co-Handler: Stephan Richter *** WannaCry? Do your own data analysis., (Tue, May 16th) *** --------------------------------------------- In God we trust. All others must bring data ~Bob Rudis With endless amounts of data, technical detail, and insights on WannaCrypt/WannaCry, and even more FUD, speculation, and even downright trolling, herein is a proposal for you to do your own data-driven security analysis. My favorite book to help you scratch that itch? Data Driven Security: Analysis, Visualization and Dashboards, by Jay Jacobs Bob Rudis. A few quick samples, using WannaCry data and R, the open source programming language and [...] --------------------------------------------- https://isc.sans.edu/diary.html?storyid=22424&rss *** Digital signature service DocuSign hacked and email addresses stolen *** --------------------------------------------- Digital signature service DocuSign said Monday that an unnamed third-party had got access to email addresses of its users after hacking into its systems.The hackers gained temporary access to a peripheral sub-system for communicating service-related announcements to users through email, the company said. It confirmed after what it described as a complete forensic analysis that only email addresses were accessed, and not other details such as names, physical addresses, passwords, social security [...] --------------------------------------------- http://www.cio.com/article/3196854/security/digital-signature-service-docus… *** Apple-Updates schließen unangenehme Sicherheitslücken in iCloud, iTunes und iOS *** --------------------------------------------- Patchday bei Apple: Das BSI warnt vor mehreren Sicherheitslücken in iTunes und iCloud auf Windows, sowie dem Mobilbetriebssystem iOS, die es Angreifern ermöglichen, Code auszuführen. Anwender sollten sicherstellen, dass die Updates installiert wurden --------------------------------------------- https://heise.de/-3715077 *** Chrome Browser Hack Opens Door to Credential Theft *** --------------------------------------------- Researchers at DefenseCode claim a vulnerability in Google's Chrome browser allows hackers to steal credentials and launch SMB relay attacks. --------------------------------------------- http://threatpost.com/chrome-browser-hack-opens-door-to-credential-theft/12… *** Cisco Snort++ Protocol Decoder Denial of Service Vulnerabilities *** --------------------------------------------- Two vulnerabilities in the protocol decoders of Snort++ (Snort 3) could allow an unauthenticated, remote attacker to create a Denial of Service (DoS) condition.The vulnerabilities are due to lack of validation in the protocol decoders. An attacker could exploit these vulnerabilities by crafting a malicious packet and sending it through the targeted device. A successful exploit could allow the attacker to cause a DoS condition if the Snort process restarts and traffic inspection is bypassed or [...] --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… *** Indicators Associated With WannaCry Ransomware *** --------------------------------------------- This alert is a follow-up to US-CERT alert TA17-132A Indicators Associated With WannaCry Ransomware, which was originally posted to the US-CERT web site on May 12, 2017. --------------------------------------------- https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-135-01 *** Novell Messenger 3.0.3 P3 *** --------------------------------------------- Abstract: Novell Messenger 3.0.3 P3 has been released. This release only includes fixes for the Linux platform. Please view the Change Log for modifications made to the program. There have also been changes to update security issues with the product. Please see the Security Fix section for details. NOTE: This version is not designed to work with eDir 9. If you require eDir 9 support, contact Micro Focus Technical Support. Document ID: 5296730Security Alert: YesDistribution Type: --------------------------------------------- https://download.novell.com/Download?buildid=U3MFbmzMet0~ *** IDM 4.6 RACF Driver 4.0.3.1 *** --------------------------------------------- Abstract: IDM 4.6 Bi-Directional RACF Driver Version 4.0.3.1. This patch is for the Identity Manager 4.6 RACF Driver. Field patch for IDMLOAD.XMT, SAMPLIB.XMT, RACFEXEC.XMTDocument ID: 5297291Security Alert: YesDistribution Type: Field Test FileEntitlement Required: YesFiles:idm46racf-patch1.tar.gz (2.66 MB)Products:Identity Manager 4.5Identity Manager 4.6Superceded Patches:IDM 4.0.2 RACF Driver Version 4.0.0.11 Patch 3 --------------------------------------------- https://download.novell.com/Download?buildid=LSTFMkrcRo0~ *** Apple Security Updates *** --------------------------------------------- *** macOS Sierra 10.12.5, Security Update 2017-002 El Capitan, and Security Update 2017-002 Yosemite *** https://support.apple.com/kb/HT207797 --------------------------------------------- *** iOS 10.3.2 *** https://support.apple.com/kb/HT207798 --------------------------------------------- *** watchOS 3.2.2 *** https://support.apple.com/kb/HT207800 --------------------------------------------- *** tvOS 10.2.1 *** https://support.apple.com/kb/HT207801 --------------------------------------------- *** iCloud for Windows 6.2.1 *** https://support.apple.com/kb/HT207803 --------------------------------------------- *** Safari 10.1.1 *** https://support.apple.com/kb/HT207804 --------------------------------------------- *** iTunes 12.6.1 for Windows *** https://support.apple.com/kb/HT207805 --------------------------------------------- *** IBM Security Bulletin *** --------------------------------------------- *** IBM Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime affect IBM SPSS Statistics (CVE-2016-5548, CVE-2016-5549, CVE-2016-5547, CVE-2016-2183) *** http://www.ibm.com/support/docview.wss?uid=swg22002966 --------------------------------------------- *** IBM Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU Jan 2017 Includes Oracle Jan 2017 CPU affect Content Collector for SAP Applications *** https://www-01.ibm.com/support/docview.wss?uid=swg22001462 --------------------------------------------- *** IBM Security Bulletin: Multiple Mozilla Firefox vulnerability issues in IBM SONAS *** http://www.ibm.com/support/docview.wss?uid=ssg1S1010199 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in the zlib component affect IBM SPSS Statistics (CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843) *** http://www.ibm.com/support/docview.wss?uid=swg22003212 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Flex System Manager (FSM) *** http://www-01.ibm.com/support/docview.wss?uid=isg3T1025160 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in Informix Dynamic Server and Informix Open Admin Tool *** http://www.ibm.com/support/docview.wss?uid=swg22002897 --------------------------------------------- *** IBM Security Bulletin: Multiple Vulnerabilities in Expat affects HTTP Server shipped with Cloud Orchestrator and Cloud Orchestrator Enterprise (CVE-2016-4472, CVE-2016-0718) *** http://www.ibm.com/support/docview.wss?uid=swg2C1000234 --------------------------------------------- *** IBM Security Bulletin: Apache Commons FileUpload Vulnerabilities IBM WebSphere MQ (CVE-2016-3092) *** http://www.ibm.com/support/docview.wss?uid=swg22001563 --------------------------------------------- *** IBM Security Bulletin: Vulnerability CVE-2017-2619 in Samba affects IBM i *** http://www.ibm.com/support/docview.wss?uid=nas8N1022009 --------------------------------------------- *** IBM Security Bulletin: IBM Tivoli Federated Identity Manager is affected by a missing secure attribute in the encrypted session (SSL) cookie (CVE-2017-1319) *** http://www-01.ibm.com/support/docview.wss?uid=swg22002871 --------------------------------------------- *** IBM Security Bulletin: IBM Tivoli Federated Identity Manager is affected by a cross-site scripting vulnerability (CVE-2017-1320) *** http://www.ibm.com/support/docview.wss?uid=swg22002877 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in GnuTLS and OpenSSL affect IBM Flex System Manager (FSM) (CVE-2016-8610) *** http://www-01.ibm.com/support/docview.wss?uid=isg3T1024887 --------------------------------------------- *** IBM Security Bulletin: A Vulnerability in IBM Java SDK affects IBM Streams (CVE-2016-5546, CVE-2017-3253, CVE-2016-5548, CVE-2016-5549, CVE-2016-5547, CVE-2016-5552, CVE-2016-2183) *** http://www-01.ibm.com/support/docview.wss?uid=swg22002804 ---------------------------------------------

1 0

Tageszusammenfassung - Montag 15-05-2017
by Daily end-of-shift report 15 May '17

15 May '17

======================= = End-of-Shift report = ======================= Timeframe: Freitag 12-05-2017 18:00 − Montag 15-05-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** Ransomware: Experten warnen vor Zahlung der Wanna-Crypt-Erpressersumme *** --------------------------------------------- Experten raten davon ab, im Falle einer Infektion mit Wanna Crypt die geforderten Bitcoins zu zahlen, denn offenbar sind die Angreifer vom Erfolg ihrer Operation überrascht. Ein kostenloses Werkzeug zum Wiederherstellen der Daten ist bislang auch nicht verfügbar. --------------------------------------------- https://www.golem.de/news/ransomware-experten-warnen-vor-zahlung-der-wanna-… *** WannaCry & Co.: So schützen Sie sich *** --------------------------------------------- Nach WannaCry ist vor dem nächsten Erpressungstrojaner. Was Gefährdete jetzt tun sollten, wie Sie sich vor Nachahmern schützen können und welche Optionen bleiben, wenn der Verschlüsselungstrojaner schon zugeschlagen hat. --------------------------------------------- https://heise.de/-3714596 *** Customer Guidance for WannaCrypt attacks *** --------------------------------------------- Microsoft solution available to protect additional products Today many of our customers around the world and the critical systems they depend on were victims of malicious "WannaCrypt" software. Seeing businesses and individuals affected by cyberattacks, such as the ones reported today, was painful. Microsoft worked throughout the day to ensure we understood the attack and... --------------------------------------------- https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-w… *** Security Alert: Uiwix Ransomware Is Here and It Can Be Worse Than Wannacry *** --------------------------------------------- WannaCry distribution may have dropped, but the ransomware pandemic is not over. As we feared in yesterday's alert, another ransomware variant, known as Uiwix, has begun to spread by exploiting the same vulnerability in Windows SMBv1 and SMBv2 as WannaCry used. Cyber criminals are quick to incorporate vulnerabilities, especially when they have huge potential of infection, [...] --------------------------------------------- https://heimdalsecurity.com/blog/security-alert-uiwix-ransomware/ *** Microsoft posts PowerShell script that spawns pseudo security bulletins *** --------------------------------------------- A Microsoft manager this week offered IT administrators a way to replicate -- in a fashion -- the security bulletins the company discarded last month."If you want a report summarizing todays #MSRC security bulletins, heres a script that uses the MSRC Portal API," John Lambert, general manager of the Microsoft Threat Intelligence Center, said in a Tuesday message on Twitter.Lamberts tweet linked to code depository GitHub, where he posted a PowerShell script that polled data using a new [...] --------------------------------------------- http://www.cio.com/article/3196254/windows/microsoft-posts-powershell-scrip… *** WannaCry/WannaCrypt Ransomware Summary, (Mon, May 15th) *** --------------------------------------------- The ransomware was first noticed on Fridayand spread very quickly through many large organizations worldwide [verge]. Unlike prior ransomware, this sample used the SMBv1 ETERNALBLUE exploit to spread. ETERNALBLUE became public about a month ago in April when it was published as part of the Shadowbroker archive of NSA hacking tools [shadow]. A month prior to the release of the hacking tool, Microsoft had patched the vulnerability as part of the March Patch Tuesday release. The patch was released [...] --------------------------------------------- https://isc.sans.edu/diary.html?storyid=22420&rss *** Ein paar Gedanken zu WannaCry *** --------------------------------------------- Wir haben heute unsere offizielle Warnung bezüglich der WannaCry Ransomware veröffentlicht. Ich will in diesem Blogbeitrag ein bisschen Kontext liefern, und etwas strategischer denken. --------------------------------------------- http://www.cert.at/services/blog/20170514232126-2007.html *** DSA-3852 squirrelmail - security update *** --------------------------------------------- Dawid Golunski and Filippo Cavallarin discovered that squirrelmail, awebmail application, incorrectly handled a user-supplied value. Thiswould allow a logged-in user to run arbitrary commands on the server. --------------------------------------------- https://www.debian.org/security/2017/dsa-3852 *** EMC Isilon OneFS NFS Export Upgrade *** --------------------------------------------- Topic: EMC Isilon OneFS NFS Export Upgrade Risk: Medium Text:ESA-2017-027: EMC Isilon OneFS NFS Export Upgrade Vulnerability EMC Identifier: ESA-2017-027 CVE Identifier: CVE-2017-49... --------------------------------------------- https://cxsecurity.com/issue/WLB-2017050087 *** Security Advisory - WannaCry ransomware Vulnerabilities in Microsoft Windows Systems *** --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170513-… *** Security Notice - Statement on "WannaCry ransomware" attacks *** --------------------------------------------- http://www.huawei.com/en/psirt/security-notices/2017/huawei-sn-20170513-01-… *** DRD Agent - Critical - Multiple vulnerabilities - SA-CONTRIB-2017-047 *** --------------------------------------------- Advisory ID: DRUPAL-SA-CONTRIB-2017-047Project: DRD agent (third-party module)Version: 6.x, 7.x, 8.xDate: 2017-May-10Security risk: 19/25 ( Critical) AC:Complex/A:None/CI:All/II:All/E:Theoretical/TD:AllVulnerability: Cross Site Request Forgery, Open RedirectDescriptionThe Drupal Remote Dashboard (DRD) module enables you to manage and monitor any remote Drupal site and, this module, the DRD Agent is the remote module which responds to requests from authorised DRD sites.The module doesnt [...] --------------------------------------------- https://www.drupal.org/node/2877392 *** DSA-3854 bind9 - security update *** --------------------------------------------- Several vulnerabilities were discovered in BIND, a DNS serverimplementation. The Common Vulnerabilities and Exposures projectidentifies the following problems: --------------------------------------------- https://www.debian.org/security/2017/dsa-3854 *** FortiPortal Multiple Vulnerabilities *** --------------------------------------------- Multiple vulnerabilities impacting FortiPortal were disclosed to Fortinet with details as follows:CVE-2017-7337: Improper Access Control allows a user to potentially view firewall policies and objects from a VDOM s/he is not authorized to, enumerate other customer ADOMs and view other customers dataCVE-2017-7338: Application returns password hashes, and passwords for associated FortiAnalyzer devices via the UICVE-2017-7339: Persistent XSS via the Name and Description fields in the pop-up to add [...] --------------------------------------------- http://fortiguard.com/psirt/FG-IR-17-114 *** DFN-CERT-2017-0842: Moodle: Mehrere Schwachstellen ermöglichen u.a. einen Cross-Site-Request-Forgery-Angriff *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0842/ *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Samba vulnerability issue on IBM SONAS (CVE-2016-2125, CVE-2016-2126 ) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1010051 --------------------------------------------- *** IBM Security Bulletin: Multiple Mozilla Firefox vulnerability issues in IBM Storwize V7000 Unified. *** http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009957 --------------------------------------------- *** IBM Security Bulletin: Tomcat apache vulnerability affects IBM Storwize V7000 Unified *** http://www.ibm.com/support/docview.wss?uid=ssg1S1009993 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in IBM Java Runtime affects IBM Storwize V7000 Unified (CVE-2016-5597) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1009995 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in IBM Java SDK affects IBM SONAS (CVE-2016-5597 ) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1009963 --------------------------------------------- *** IBM Security Bulletin: Open Source Apache Struts Vulnerabilities affect IBM Enterprise Records *** https://www-01.ibm.com/support/docview.wss?uid=swg22000471 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in Struts v2 affect IBM Enterprise Records *** https://www-01.ibm.com/support/docview.wss?uid=swg22000469 --------------------------------------------- *** IBM Security Bulletin: IBM Tivoli Federated Identity Manager is affected by an XML External Entity vulnerability (CVE-2016-2908) *** http://www.ibm.com/support/docview.wss?uid=swg22001175 ---------------------------------------------

1 0

Tageszusammenfassung - Freitag 12-05-2017
by Daily end-of-shift report 12 May '17

12 May '17

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 11-05-2017 18:00 − Freitag 12-05-2017 18:00 Handler: Olaf Schwarz Co-Handler: Stephan Richter *** Telefonica Tells Employees to Shut Down Computers Amid Massive Ransomware Outbreak *** --------------------------------------------- A ransomware outbreak is wreaking havoc all over the world, but especially in Spain, where Telefonica - one of the countrys biggest telecommunications companies - has fallen victim, and its IT staff is desperately telling employees to shut down computers and VPN connections in order to limit the ransomwares reach. --------------------------------------------- https://www.bleepingcomputer.com/news/security/telefonica-tells-employees-t… *** NHS hit by ransomware attack, hospitals across country shutting down *** --------------------------------------------- GP told of National hack of the computer health care system Updated Multiple NHS hospitals have shut down systems and are telling patients not to come in due to what is being described as a massive nationwide cyber attack. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2017/05/12/nhs_hospita… *** Jaff argh snakes: 5m emails/hour ransomware floods inboxes *** --------------------------------------------- Locky-style nasty will squeeze you for two whole bitcoins The Necurs botnet has been harnessed to fling a new strain of ransomware dubbed "Jaff". --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2017/05/12/jaff_ransom… *** When Bad Guys are Pwning Bad Guys..., (Fri, May 12th) *** --------------------------------------------- A few months ago, I wrote a diary about webshells[1] and the numerous interesting features they offer. Theyre plenty of web shells available, there are easy to find and install. They are usually delivered as one big obfuscated (read: Base64, ROT13 encoded and gzip'd) PHP file that can be simply dropped on a compromised computer. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=22410 *** Sicherheitslücke: Fehlerhaft konfiguriertes Git-Verzeichnis bei Redcoon *** --------------------------------------------- Was haben der Online-Händler Redcoon und die Volksverschlüsselung gemeinsam? Ein unsicher konfiguriertes Git-Repository. Immer wieder machen Webseitenbetreiber denselben Fehler. (Security, API) --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-fehlerhaft-konfiguriertes-git-v… *** HP Releases Driver Update to Remove Accidental Keylogger *** --------------------------------------------- HP has issued an update to remove a keylogging mechanism found in the audio drivers included with some of its high-end laptops. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/hardware/hp-releases-driver-update-to… *** Phoenix Contact GmbH mGuard *** --------------------------------------------- This advisory contains mitigation details for resource exhaustion and improper authentication vulnerabilities in Phoenix Contact GmbH's mGuard network device. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-131-01 *** Satel Iberia SenNet Data Logger and Electricity Meters *** --------------------------------------------- This advisory contains mitigation details for a command injection vulnerability in Satel Iberia's SenNet Data Logger and Electricity Meters. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-131-02 *** HPE Intelligent Management Center (iMC) PLAT, Remote Code Execution *** --------------------------------------------- HPESBHF03743 rev.1 - A potential security vulnerability has been identified in HPE Intelligent Management Center (iMC) PLAT. The vulnerability could be exploited remotely to allow execution of code. --------------------------------------------- http://h20566.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf0374… *** DSA-3849 kde4libs - security update *** --------------------------------------------- Several vulnerabilities were discovered in kde4libs, the core librariesfor all KDE 4 applications. The Common Vulnerabilities and Exposuresproject identifies the following problems: --------------------------------------------- https://www.debian.org/security/2017/dsa-3849 *** PostgreSQL 2017-05-11 Security Update Release *** --------------------------------------------- Three security vulnerabilities have been closed by this release: CVE-2017-7484: selectivity estimators bypass SELECT privilege checks, CVE-2017-7485: libpq ignores PGREQUIRESSL environment variable, CVE-2017-7486: pg_user_mappings view discloses foreign server passwords --------------------------------------------- https://www.postgresql.org/about/news/1746/ *** IBM Security Bulletin: Financial Transaction Manager for Corporate Payment Services potential Cross Site Scripting vulnerabilities (CVE-2017-1160) *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22001575 *** IBM Security Bulletin: Vulnerability in the OpenSSL library affects IBM Tealeaf Customer Experience PCA (CVE-2017-3730). *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22000513 *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Financial Transaction Manager for Corporate Payment Services *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22001540 *** IBM Security Bulletin: Information disclosure vulnerability affects multiple IBM Rational products based on IBM Jazz technology (CVE-2016-9735) *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22003064 *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Developer for i, Rational Developer for AIX and Linux, Rational Developer for Power Systems Software *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22003204

1 0

Tageszusammenfassung - Donnerstag 11-05-2017
by Daily end-of-shift report 11 May '17

11 May '17

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 10-05-2017 18:00 − Donnerstag 11-05-2017 18:00 Handler: Olaf Schwarz Co-Handler: Alexander Riepl *** Cisco WebEx Meetings Server Information Disclosure Vulnerability *** --------------------------------------------- A vulnerability in Cisco WebEx Meetings Server could allow unauthenticated, remote attackers to gain information that could allow them to access scheduled customer meetings. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… *** Google Wont Patch A Critical Android Flaw Before 'Android O' Release *** --------------------------------------------- Millions of Android smartphones are at serious risk of "screen hijack" vulnerability that allows hackers to steal your passwords, bank details, as well as helps ransomware apps extort money from victims. The worse thing is that Google says it wont be patched until the release of Android O version .. --------------------------------------------- http://thehackernews.com/2017/05/android-permissions-vulnerability.html *** Microsoft Bans SHA-1 Certificates in Edge and Internet Explorer *** --------------------------------------------- Starting yesterday, via updates delivered in the May 2017 Patch Tuesday, Microsoft browsers such as Edge and Internet Explorer, have begun flagging websites as insecure if they use SSL/TLS certificates signed with the SHA-1 algorithm. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-bans-sha-1-certifi… *** Most companies falsely believe their Active Directory is secure *** --------------------------------------------- A majority of companies falsely believe their Active Directory (AD) is secure, according to a new survey conducted jointly by Skyport Systems and Redmond Magazine. The response from more than 300 IT professionals located in North America revealed that AD security is in fact underperforming at those companies participating in the survey, leaving organizations open to attack from outside hackers and insider threats. --------------------------------------------- https://www.helpnetsecurity.com/2017/05/11/active-directory-insecurity/ *** Bugtraq: ESA-2017-017: RSA Adaptive Authentication (On-Premise) Cross-Site Scripting Vulnerability *** --------------------------------------------- http://www.securityfocus.com/archive/1/540552 *** HP-Notebooks: Audio-Treiber belauscht Tastatur *** --------------------------------------------- Bei der Sicherheits-Analyse von HP-Business-Notebooks stießen Sicherheitsforscher auf ein merkwürdiges Keylogging. Dabei schreibt der Audio-Treiber alle Tastatureingaben einschließlich der Passwörter des Anwenders in eine öffentlich lesbare Datei. --------------------------------------------- https://heise.de/-3710250 *** Chainsaw of Custody: Manipulating forensic evidence the easy way *** --------------------------------------------- When it comes to computer forensics, or for that matter forensics in general, one of the main challenges is to ensure that evidence that is collected is not tampered with. To achieve this, computer forensic experts adhere to a strict protocol and use many specialized .. --------------------------------------------- http://blog.sec-consult.com/2017/05/chainsaw-of-custody-manipulating.html *** DFN-CERT-2017-0825/">NVIDIA GPU-Treiber: Mehrere Schwachstellen ermöglichen u.a. das Eskalieren von Privilegien *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0825/ *** Edge Security Flaw Allows Theft of Facebook and Twitter Credentials *** --------------------------------------------- Argentinian security researcher Manuel Caballero has discovered another vulnerability in Microsofts Edge browser that can be exploited to bypass a security protection feature and steal data such as passwords from other sites, or cookie files that contain sensitive information. --------------------------------------------- https://www.bleepingcomputer.com/news/security/edge-security-flaw-allows-th… *** Analyzing the doublepulsar kernel dll injection technique *** --------------------------------------------- Like many in the security industry, we have been busy the last few days investigating the implications of the Shadow Brokers leak with regard to attack detection. Whilst there is a lot of interesting content, one particular component that attracted our attention initially was the DOUBLEPULSAR payload. This is because it .. --------------------------------------------- https://www.countercept.com/our-thinking/analyzing-the-doublepulsar-kernel-… *** Asus-Router können beim Vorbeisurfen im Netz gekapert werden *** --------------------------------------------- Eine ganze Reihe Router der RT-Serie von Asus beinhalten eine CSRF-Lücke und weitere Schwachstellen, die es unter Umständen möglich machen, die Einstellungen des Gerätes aus dem Web zu ändern. Updates stehen bereit. --------------------------------------------- https://heise.de/-3712001 *** OpenVPN 2.4.1: Quarkslab and Cryptography Engineering LCC audit overview *** --------------------------------------------- OpenVPN 2.4.1 was simultaneously reviewed by Quarkslab (funded by OSTIF) and Cryptography Engineering LCC (funded by Private Internet Access). The reports have been published on OSTIFs and PIAs web pages [..] This page lists the findings in their respective reports and shows how the issues were resolved. --------------------------------------------- https://community.openvpn.net/openvpn/wiki/QuarkslabAndCryptographyEngineer…

1 0

Tageszusammenfassung - Mittwoch 10-05-2017
by Daily end-of-shift report 10 May '17

10 May '17

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 09-05-2017 18:00 − Mittwoch 10-05-2017 18:00 Handler: Olaf Schwarz Co-Handler: Alexander Riepl *** EPS Processing Zero-Days Exploited by Multiple Threat Actors *** --------------------------------------------- In 2015, FireEye published details about two attacks exploiting vulnerabilities in Encapsulated PostScript (EPS) of Microsoft Office. One was a zero-day and one was patched weeks before the attack launched. Recently, FireEye identified three new zero-day vulnerabilities in Microsoft Office products that are being exploited in the wild. --------------------------------------------- http://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-day… *** Persirai: Mehr als 100.000 IP-Kameras für neues IoT-Botnetz verwundbar *** --------------------------------------------- Derzeit entsteht ein neues IoT-Botnetz, das bislang aber noch keine Angriffe durchgeführt hat. Die Malware zur Infektion nutzt eine im März veröffentlichte Sicherheitslücke aus. --------------------------------------------- https://www.golem.de/news/persirai-mehr-als-100-000-ip-kameras-fuer-neues-i… *** Git Shell Bypass By Abusing Less (CVE-2017-8386) *** --------------------------------------------- The git-shell is a restricted shell maintained by the git developers and is meant to be used as the upstream peer in a git remote session over a ssh tunnel. The basic idea behind this shell is to restrict the allowed commands in a ssh session to the ones required by git which are as follows .. --------------------------------------------- https://insinuator.net/2017/05/git-shell-bypass-by-abusing-less-cve-2017-83… *** [2017-05-10] Insecure Handling Of URI Schemes in Microsoft OneDrive iOS App *** --------------------------------------------- Due to the lack of URI scheme validation, any external URI scheme can be invoked by the Microsoft OneDrive iOS application with out any user interaction. --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2017… *** Patchday: Internet Explorer, Office und Windows im Visier von Hackern *** --------------------------------------------- Nach dem Notfall-Patch für Windows stellt Microsoft zum gewohnten Termin weitere als kritisch eingestufte Sicherheitsupdates bereit. Angreifer nutzen derzeit diverse Lücken aktiv aus. --------------------------------------------- https://heise.de/-3709022 *** Cisco: Kritische Sicherheitslücke in mehreren Switches behoben *** --------------------------------------------- Dank CIA-Tools auf Wikileaks ein Leichtes: Über einen Fehler in IOS-Switches konnte Schadcode selbst von Amateuren direkt auf dem Gerät ausgeführt werden. Damit ist jetzt Schluss, denn Cisco hat diesen Fehler offenbar behoben. --------------------------------------------- https://www.golem.de/news/cisco-kritische-sicherheitsluecke-in-mehreren-swi… *** Feature, not bug: DNSAdmin to DC compromise in one line *** --------------------------------------------- In addition to implementing their own DNS server, Microsoft has also implemented their own management protocol for that server, to allow for easy management and integration with Active Directory domains [...] We will shallowly delve into the protocol's implementation and detail a cute feature (certainly not a bug!) which allows us, under some circumstances, to run code as SYSTEM on domain controllers, without being a domain admin. --------------------------------------------- https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-… *** Identifying Sources of Leaks with the Gmail "+" Feature *** --------------------------------------------- For years, Google is offering two nice features with his gmail.com platform to gain more power of your email address. You can play with the "+" (plus) sign or "." (dot) to create more email addresses linked to your primary one. Let's take an example with John who's the owner .. --------------------------------------------- https://blog.rootshell.be/2017/05/10/identifying-sources-leaks-gmail-featur… *** IBM Security Bulletin: IBM i is affected by networking BIND vulnerabilities (CVE-2017-3136, CVE-2017-3137 and CVE-2017-3138) *** http://www.ibm.com/support/docview.wss?uid=nas8N1021999 --------------------------------------------- *** IBM Security Bulletin: Mozilla Firefox vulnerability issues in IBM SONAS *** http://www.ibm.com/support/docview.wss?uid=ssg1S1009964 --------------------------------------------- *** IBM Security Bulletin: Multiple Apache Tomcat vulnerabilities affect IBM SONAS. *** http://www.ibm.com/support/docview.wss?uid=ssg1S1009960 --------------------------------------------- *** IBM Security Bulletin: IBM WebSphere Cast Iron Solution is affected by Apache Tomcat vulnerabilities *** http://www-01.ibm.com/support/docview.wss?uid=swg22002522 ---------------------------------------------

1 0

Tageszusammenfassung - Dienstag 9-05-2017
by Daily end-of-shift report 09 May '17

09 May '17

======================= = End-of-Shift report = ======================= Timeframe: Montag 08-05-2017 18:00 − Dienstag 09-05-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** SAP Security Patch Day - May 2017 *** --------------------------------------------- This post by SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that [...] --------------------------------------------- https://blogs.sap.com/2017/05/09/sap-security-patch-day-may-2017/ *** Project Zero: Microsofts Antivirensoftware gefährdet Windows-Nutzer *** --------------------------------------------- Googles Project Zero hat eine schwerwiegende Sicherheitslücke in der Anti-Viren-Engine von Microsoft entdeckt. Schuld daran ist die simulierte Ausführung von Javascript-Code ohne Sandbox. --------------------------------------------- https://www.golem.de/news/project-zero-microsofts-antivirensoftware-gefaehr… *** Defeating Magento security mechanisms: Attacks used in the real world *** --------------------------------------------- DefenseCode recently discovered and reported multiple stored cross-site scripting and cross-site request forgery vulnerabilities in Magento 1 and 2 which will be addressed in one of the future patches. In light of these findings, this article describes examples of several attacks used in the real world that combine common vulnerabilities with faulty security mechanisms in Magento, leading to an unfavourable outcome. Examples will be aimed at Magento 2, but most of them can be applied [...] --------------------------------------------- https://www.helpnetsecurity.com/2017/05/09/defeating-magento-security/ *** Zeit für eine AMTshandlung? *** --------------------------------------------- Letzte Woche veröffentlichte Intel ein Advisory über eine Schwachstelle in "Intel Active Management Technology", kurz AMT. Besagte Schwachstelle erlaubt einem Angreifer, auf einem Rechner mit aktiviertem AMT, die Zugriffskontrollen für eben jenes auszuhebeln, und so administrativen Zugriff zu erlangen - [...] --------------------------------------------- http://www.cert.at/services/blog/20170508175554-1982.html *** [2017-05-09] Multiple vulnerabilities in I, Librarian PDF manager *** --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2017… *** Bugtraq: ESA-2017-035: EMC Mainframe Enablers ResourcePak Base privilege management vulnerability *** --------------------------------------------- http://www.securityfocus.com/archive/1/540531 *** Security Update for Microsoft Malware Protection Engine *** --------------------------------------------- The update addresses a vulnerability that could allow remote code execution if the Microsoft Malware Protection Engine scans a specially crafted file. An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system. --------------------------------------------- https://technet.microsoft.com/en-us/library/security/4022344 *** Security Bulletin posted for Adobe Flash Player and Adobe Experience Manager Forms *** --------------------------------------------- Adobe has published security bulletins for Adobe Flash Player (APSB17-15) and Adobe Experience Manager Forms (APSB17-16). Adobe recommends users update their product installations to the latest versions using the instructions referenced in the relevant bulletin. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1465 *** Vuln: Trend Micro Threat Discovery Appliance CVE-2016-8591 Command Injection Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/98343 *** Vuln: Trend Micro Threat Discovery Appliance CVE-2016-8592 Command Injection Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/98345 *** Cisco IOS and IOS XE Software Simple Network Management Protocol Subsystem Denial of Service Vulnerability *** --------------------------------------------- A vulnerability in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and IOS XE Software could allow an authenticated, remote attacker to cause a denial of service (DoS) condition.The vulnerability is due to a race condition that could occur when the affected software processes an SNMP read request that contains certain criteria for a specific object ID (OID) and an active crypto session is disconnected on an affected device. An attacker who can authenticate [...] --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… *** F5 Security Advisories *** --------------------------------------------- *** NTP vulnerability CVE-2017-6451 *** https://support.f5.com/csp/article/K32262483 --------------------------------------------- *** NTP vulnerability CVE-2017-6462 *** https://support.f5.com/csp/article/K07082049 --------------------------------------------- *** NTP vulnerability CVE-2017-6458 *** https://support.f5.com/csp/article/K99254031 --------------------------------------------- *** NTP vulnerability CVE-2017-6460 *** https://support.f5.com/csp/article/K31310492 --------------------------------------------- *** NTP vulnerability CVE-2017-6464 *** https://support.f5.com/csp/article/K96670746 --------------------------------------------- *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities may affect IBM SDK, Java Technology Edition *** https://www.ibm.com/support/docview.wss?uid=swg22002169 --------------------------------------------- *** IBM Security Bulletin: Security vulnerability affects the Lifecycle Query Engine (LQE) that is shipped with Jazz Reporting Service (CVE-2017-1095) *** http://www-01.ibm.com/support/docview.wss?uid=swg22001006 --------------------------------------------- *** IBM Security Bulletin: Security vulnerability affects the Lifecycle Query Engine (LQE) that is shipped with Jazz Reporting Service (CVE-2017-1094) *** http://www-01.ibm.com/support/docview.wss?uid=swg22001002 --------------------------------------------- *** IBM Security Bulletin: There are multiple vulnerabilities in IBM Java Runtime and Apache Tomcat that affect IBM Cognos Business Viewpoint *** http://www.ibm.com/support/docview.wss?uid=swg22003122 --------------------------------------------- *** IBM Security Bulletin: Secure properties can be shown in plain text in IBM UrbanCode Deploy (CVE-2016-9007) *** http://www-01.ibm.com/support/docview.wss?uid=swg2C1000236 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Business Developer *** http://www.ibm.com/support/docview.wss?uid=swg22002667 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Rational Application Developer for WebSphere Software *** http://www-01.ibm.com/support/docview.wss?uid=swg22003145 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in the SQLite component of the Response Time agent affects IBM Performance Management products (CVE-2016-6153) *** http://www.ibm.com/support/docview.wss?uid=swg22000836 ---------------------------------------------

1 0

Tageszusammenfassung - Montag 8-05-2017
by Daily end-of-shift report 08 May '17

08 May '17

======================= = End-of-Shift report = ======================= Timeframe: Freitag 05-05-2017 18:00 − Montag 08-05-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** Intels ME-Sicherheitslücke: Tipps und Links *** --------------------------------------------- Praxistipps zu der am 1. Mai von Intel gemeldeten Sicherheitslücke in der Firmware der Management Engine vieler Desktop-PCs, Server und Notebooks. --------------------------------------------- https://heise.de/-3704563 *** Researchers Disclose Intel AMT Flaw Research *** --------------------------------------------- Security firm Embedi releases further details on the Intel AMT flaw, revealing how it can be exploited and how potentially dangerous it can be. --------------------------------------------- http://threatpost.com/researchers-disclose-intel-amt-flaw-research/125503/ *** Dell patches AMT-vulnerable systems *** --------------------------------------------- BIOS fixes for most boxen landed Friday Dell, which last week was scrambling to work out which of its systems are affected by the Intel AMT vulnerability, has caught up with peers HP Inc, Lenovo and Fujitsu. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2017/05/07/dell_patche… *** Hacker-Wettbewerb: Cyber Security Challenge startet *** --------------------------------------------- Zahlreiche Teilnehmer der vergangenen Jahre haben über den Hacker-Wettbewerb Jobs in der Security-Branche gefunden. Heuer wird erstmals auch eine Starter Challenge angeboten. --------------------------------------------- https://futurezone.at/digital-life/hacker-wettbewerb-cyber-security-challen… *** Emsisoft Releases a Decryptor for the Amnesia Ransomware *** --------------------------------------------- On Satruday, Emsisofts CTO and malware researcher Fabian Wosar released a decryptor for the Amnesia Ransomware. This ransomware was first spotted in early May and has had one other variant released. It was named Amnesia based on the extension appended to encrypted files by the first variant. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/emsisoft-releases-a-decrypto… *** Exploring a P2P Transient Botnet - From Discovery to Enumeration, (Mon, May 8th) *** --------------------------------------------- [This is a guest diary by Renato Marinho of Morphus Labs. If you are interested in writing a guest diary: please send suggestions to us via our contact page] 1. Introduction We recently deployed a high interaction honeypotsexpecting it to be compromised by a specific malware. But in the first few days, instead of getting infected by the expected malware, it received a variety of attacks ranging from SSH port forwarding to Viagra and Cialis SPAM to XORDDoS failed deployment attempts. By the [...] --------------------------------------------- https://isc.sans.edu/diary.html?storyid=22392&rss *** Phishingversuch bei willhaben-Kunden *** --------------------------------------------- Nutzer/innen von willhaben erhalten eine WhatsApp-Nachricht, die angeblich von der Kleinanzeigenplattform stammt. --------------------------------------------- https://www.watchlist-internet.at/phishing/phishingversuch-bei-willhaben-ku… *** In eigener Sache: CERT.at sucht Verstärkung *** --------------------------------------------- Für unser "Daily Business" suchen wir derzeit 1 Berufsein- oder -umsteiger/in mit ausgeprägtem Interesse an IT-Security, welche/r uns bei den täglich anfallenden Standard-Aufgaben unterstützt. Details finden sich [...] --------------------------------------------- http://www.cert.at/services/blog/20170508172334-1993.html *** DFN-CERT-2017-0796: Nextcloud: Mehrere Schwachstellen ermöglichen u.a. das Ausspähen von Informationen *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0796/ *** Vuln: Panda Mobile Security for iOS CVE-2017-8060 TLS Certificate Validation Security Bypass Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/98327 *** HPESBGN03740 rev.1 - HPE Network Automation, Multiple Remote Vulnerabilities *** --------------------------------------------- Potential security vulnerabilities have been identified in HPE Network Automation. The vulnerabilities could be remotely exploited to allow SQL injection, code execution, information disclosure, authentication bypass, elevated privilege execution, and invalid session management. --------------------------------------------- http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbgn0374… *** BlackBerry powered by Android Security Bulletin - May 2017 *** --------------------------------------------- BlackBerry has released a security update to address multiple vulnerabilities in BlackBerry powered by Android smartphones. We recommend users update to the latest available software build. BlackBerry releases security bulletins to notify users of its Android smartphones about available security fixes; see BlackBerry.com/bbsirt for a complete list of monthly bulletins. This advisory is in response to the Android Security Bulletin (May 2017) and addresses issues in that bulletin that affect [...] --------------------------------------------- http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber… *** Bugtraq: CA20170504-01: Security Notice for CA Client Automation OS Installation Management *** --------------------------------------------- http://www.securityfocus.com/archive/1/540524 *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Explorer for z/OS V3.0.1 (CVE-2016-5548 and CVE-2016-5549) *** --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22002413 *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Tivoli Netcool Configuration Manager (ITNCM) (CVE-2016-5597, CVE-2016-5542) *** --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg21994526 *** Siemens Security Advisories *** --------------------------------------------- *** SSA-701708 (Last Update 2017-05-08): Local Privilege Escalation in Industrial Products *** https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-701708… --------------------------------------------- *** SSA-156872 (Last Update 2017-05-08): Vulnerability in SIMATIC WinCC and SIMATIC WinCC Runtime Professional *** https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-156872… --------------------------------------------- *** SSA-275839 (Last Update 2017-05-08): Denial-of-Service Vulnerability in Industrial Products *** https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-275839… --------------------------------------------- *** SSA-293562 (Last Update 2017-05-08): Vulnerabilities in Industrial Products *** https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-293562… --------------------------------------------- *** SSA-731239 (Last Update 2017-05-08): Vulnerabilities in SIMATIC S7-300 and S7-400 CPUs *** https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-731239… --------------------------------------------- *** F5 Security Advisories *** --------------------------------------------- *** BIG-IP APM redirect vulnerability CVE-2017-0302 *** https://support.f5.com/csp/article/K87141725 --------------------------------------------- *** Insufficient validation of ICMP error messages CVE-2004-0790 (11.x - 13.x) *** https://support.f5.com/csp/article/K23440942 --------------------------------------------- *** BIG-IP management vulnerability CVE-2017-9250 *** https://support.f5.com/csp/article/K55792317 --------------------------------------------- *** iControl REST vulnerability CVE-2016-9251 *** https://support.f5.com/csp/article/K41107914 --------------------------------------------- *** Linux kernel vulnerability CVE-2017-2647 *** https://support.f5.com/csp/article/K32115847 --------------------------------------------- *** Websocket profile vulnerability CVE-2016-9253 *** https://support.f5.com/csp/article/K51351360 --------------------------------------------- *** TMM vulnerability CVE-2017-6137 *** https://support.f5.com/csp/article/K82851041 --------------------------------------------- *** BIG-IP APM XSS vulnerability CVE-2016-9257 *** https://support.f5.com/csp/article/K43523962 --------------------------------------------- *** Multiple Oracle MySQL vulnerabilities *** https://support.f5.com/csp/article/K77508618 ---------------------------------------------

1 0

Tageszusammenfassung - Freitag 5-05-2017
by Daily end-of-shift report 05 May '17

05 May '17

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 04-05-2017 18:00 − Freitag 05-05-2017 18:00 Handler: Robert Waldner Co-Handler: Petr Sikuta *** Bondnet botnet goes after vulnerable Windows servers *** --------------------------------------------- A botnet consisting of some 2,000 compromised servers has been mining cryptocurrency for its master for several months now, "earning" him around $1,000 per day. GuardiCore researchers first spotted it in December 2016, and have been mapping it out and following its evolution since then. The've dubbed it Bondnet, after the handle its herder uses online [...] --------------------------------------------- https://www.helpnetsecurity.com/2017/05/04/compromised-windows-servers/ *** Unpatched WordPress Password Reset Vulnerability Lingers *** --------------------------------------------- A zero day vulnerability exists in WordPress Core that in some instances, could allow an attacker to reset a users password and in turn, gain access to their account. --------------------------------------------- http://threatpost.com/unpatched-wordpress-password-reset-vulnerability-ling… *** 1 Million Gmail Users Impacted by Google Docs Phishing Attack *** --------------------------------------------- Researchers said good social engineering and users' trust in the convenience afforded by the OAUTH mechanism guaranteed Wednesday's Google Docs phishing attacks would spread quickly. --------------------------------------------- http://threatpost.com/1-million-gmail-users-impacted-by-google-docs-phishin… *** New Mac Malware Manages to Spy on Encrypted Browser Traffic *** --------------------------------------------- This blog was written by Douglas McKee. There's a new cyberattack targeted at Mac OS users'a malware program called OSX/Dok. Discovered late last week primarily in Europe, the program is capable of spying on encrypted browser traffic to steal sensitive information. You heard correctly: it can eavesdrop on all of your web browsing. How does [...] --------------------------------------------- https://securingtomorrow.mcafee.com/business/new-mac-malware-manages-spy-en… *** Dridex and Locky Return Via PDF Attachments in Latest Campaigns *** --------------------------------------------- Dridex and Locky, two prolific malware families that made waves in 2016 after being distributed in several high-volume spam campaigns, have returned after a brief hiatus. FireEye observed a decline in the volume of Dridex and Locky in the latter half of 2016, but we recently observed two new large campaigns. While the PDF downloader described in this post is responsible for spreading both Dridex and Locky, for the purposes of this blog, we will be discussing the PDF downloader and the Dridex [...] --------------------------------------------- http://www.fireeye.com/blog/threat-research/2017/05/dridex_and_lockyret.html *** Intel ME-Firmware: Hersteller kündigen Patches für Intel-Exploit an *** --------------------------------------------- Bald sollen die ersten Updates für die Schwachstelle in der Management Engine von Intel-Systemen erscheinen. Derweil gibt es Unklarheit über Details zu der Sicherheitslücke. --------------------------------------------- https://www.golem.de/news/intel-me-firmware-hersteller-kuendigen-patches-fu… *** Carbanak Attackers Devise Clever New Persistence Trick *** --------------------------------------------- Hackers behind the Carbanak criminal gang have devised a clever way to gain persistence on targeted systems to more effectively pull off financially motivated crimes. --------------------------------------------- http://threatpost.com/carbanak-attackers-devise-clever-new-persistence-tric… *** [SANS ISC] HTTP Headers' the Achilles' heel of many applications *** --------------------------------------------- When browsing a target web application, a pentester is looking for all "entry" or "injection" points present in the pages. Everybody knows that a static website with pure HTML code is less juicy compared to a [...] --------------------------------------------- https://blog.rootshell.be/2017/05/05/sans-isc-http-headers-achilles-heel-ma… *** Snake malware ported from Windows to Mac *** --------------------------------------------- Snake, also known as Turla and Uroburos, is backdoor malware that has been around and infecting Windows systems since at least 2008. It is thought to be Russian governmental malware and on Windows is highly-sophisticated. It was even seen infecting Linux systems in 2014. Now, it appears to have been ported to Mac.Categories: MacThreat analysisTags: Adobe Flash PlayerApplemacMac TrojanmalwareSnaketrojanTurlaUroburos [...] --------------------------------------------- https://blog.malwarebytes.com/threat-analysis/2017/05/snake-malware-ported-… *** More Android phones than ever are covertly listening for inaudible sounds in ads *** --------------------------------------------- Your Android phone may be listening to ultrasonic ad beacons without your knowledge. --------------------------------------------- https://arstechnica.com/security/2017/05/theres-a-spike-in-android-apps-tha… *** DFN-CERT-2017-0790: LibreSSL : Eine Schwachstelle ermöglicht das Umgehen von Sicherheitsvorkehrungen *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0790/ *** Linux kernel vulnerability CVE-2017-7308 *** --------------------------------------------- Linux kernel vulnerability CVE-2017-7308. Security Advisory. Security Advisory Description. The packet_set_ring function ... --------------------------------------------- https://support.f5.com/csp/article/K82224417 *** Apache Tomcat vulnerability CVE-2017-5647 *** --------------------------------------------- Apache Tomcat vulnerability CVE-2017-5647. Security Advisory. Security Advisory Description. A bug in the handling of ... --------------------------------------------- https://support.f5.com/csp/article/K49000195 *** Hikvision Cameras *** --------------------------------------------- This advisory contains mitigation details for use of improper authentication and password in configuration file vulnerabilities in Hikvision's cameras. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-124-01 *** Dahua Technology Co., Ltd Digital Video Recorders and IP Cameras *** --------------------------------------------- This advisory contains mitigation details for use of password hash instead of password for authentication and password in configuration file vulnerabilities in Dahua Technology Co., Ltd digital video recorders and IP cameras. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-124-02 *** Advantech WebAccess *** --------------------------------------------- This advisory contains mitigation details for an absolute path traversal vulnerability in Advantech's WebAccess. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-124-03 *** Rockwell Automation ControlLogix 5580 and CompactLogix 5380 *** --------------------------------------------- This advisory was originally posted to the NCCIC Portal on April 4, 2017, and is being released to the NCCIC/ICS-CERT web site. This advisory contains mitigation details for use a resource exhaustion vulnerability in Rockwell Automations ControlLogix 5580 and CompactLogix 5380. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-094-05 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Vulnerability in bind affects SmartCloud Entry (CVE-2016-9147) *** http://www.ibm.com/support/docview.wss?uid=isg3T1025133 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in memcached affects SmartCloud Entry (CVE-2016-8704, CVE-2016-8705) *** http://www.ibm.com/support/docview.wss?uid=isg3T1025081 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in Apache Tomcat affects IBM Algo One - Algo Risk Application (CVE-2016-8745) *** http://www.ibm.com/support/docview.wss?uid=swg22000781 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities affect IBM Rational Quality Manager and IBM Rational Team Concert with potential for security attacks *** http://www.ibm.com/support/docview.wss?uid=swg22002429 --------------------------------------------- *** IBM Security Bulletin: Cross Site Scripting (XSS) vulnerability affects Cognos Analytics *** https://www-01.ibm.com/support/docview.wss?uid=swg21999791 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in Net-SNMP affects IBM Tivoli Composite Application Manager for Transactions (CVE-2015-5621) *** http://www-01.ibm.com/support/docview.wss?uid=swg22000624 ---------------------------------------------

1 0

Tageszusammenfassung - Donnerstag 4-05-2017
by Daily end-of-shift report 04 May '17

04 May '17

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 03-05-2017 18:00 − Donnerstag 04-05-2017 18:00 Handler: Olaf Schwarz Co-Handler: Petr Sikuta Co-Handler: Robert Waldner *** Researcher: "Baseless Assumptions" Exist About Intel AMT Vulnerability *** --------------------------------------------- Embedi, which is behind the Intel AMT vulnerability revealed Monday, seeks to clarify "baseless assumptions" being made about the flaw. --------------------------------------------- http://threatpost.com/researcher-baseless-assumptions-exist-about-intel-amt… *** Intel-ME-Sicherheitslücke: Erste Produktliste, noch keine Updates *** --------------------------------------------- Zu der am 1. Mai von Intel gemeldeten Sicherheitslücke in der Management Engine (ME) gibt es einige neue Informationen, aber noch keine Updates. --------------------------------------------- https://heise.de/-3703356 *** WordPress 4.6 Unauthenticated Remote Code Execution (RCE) PoC Exploit *** --------------------------------------------- This advisory reveals details of exploitation of the PHPMailer vulnerability (CVE-2016-10033) in WordPress Core which (contrary to what was believed and announced by WordPress security team) was affected by the vulnerability. --------------------------------------------- https://cxsecurity.com/issue/WLB-2017050014 *** Kazuar: Multiplatform Espionage Backdoor with API Access *** --------------------------------------------- Unit 42 researchers have uncovered Kazuar, a backdoor Trojan used in an espionage campaign.The post Kazuar: Multiplatform Espionage Backdoor with API Access appeared first on Palo Alto Networks Blog. --------------------------------------------- http://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatf… *** A set of tutorials about code injection for Windows. *** --------------------------------------------- Injectopi is a set of tutorials that Ive decided to write down in order to learn about various injection techniques in the Windows environment. --------------------------------------------- https://github.com/peperunas/injectopi *** Master-Fingerabdruck: Forscher können fast alle Smartphones entsperren *** --------------------------------------------- Mithilfe von Maschinenlernen Trefferquote von 65 Prozent erreicht - Aktuelle Scanner zu niedrig aufgelöst --------------------------------------------- http://derstandard.at/2000056971421 *** Checker ATM Security: Sicherheitslücke ermöglicht Übernahme von Geldautomaten *** --------------------------------------------- Eine Sicherheitslücke in einer Sicherheitslösung für Geldautomaten konnte von Angreifern ausgenutzt werden, um illegal Geld auszuzahlen. Der Hersteller beschwichtigt und hat einen Patch bereitgestellt. --------------------------------------------- https://www.golem.de/news/checker-atm-security-sicherheitsluecke-ermoeglich… *** DFN-CERT-2017-0775/">LibTIFF: Mehrere Schwachstellen ermöglichen u.a. das Ausführen beliebigen Programmcodes *** --------------------------------------------- Mehrere Schwachstellen in LibTIFF ermöglichen einem entfernten, nicht authentisierten Angreifer die Ausführung beliebigen Programmcodes, die Durchführung verschiedener Denial-of-Service (DoS)-Angriffe und das Ausspähen von Informationen mit Hilfe speziell präparierter Bilddateien. Betroffene Plattformen Debian Linux 8.7 Jessie Debian Linux 9.0 Stretch --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0775/ *** USB-Sticks: IBM liefert Installationsmedien mit Malware aus *** --------------------------------------------- Vom USB-Stick auf das Betriebssystem: Eine Schadsoftware verteilt sich von IBM-Produkten selbstständig. Betroffen sind die mitgelieferten Sticks mehrerer Storwize-Geräte. IBM rät, den USB-Stick zu formatieren oder gleich zu zerstören. --------------------------------------------- https://www.golem.de/news/usb-sticks-ibm-liefert-installationsmedien-mit-ma… *** Cisco Security Advisories *** --------------------------------------------- *** Cisco CVR100W Wireless-N VPN Router Universal Plug-and-Play Buffer Overflow Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco IOS XR Software Denial of Service Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Aironet 1800, 2800, and 3800 Series Access Points Plug-and-Play Arbitrary Code Execution Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Wide Area Application Services SMART-SSL Accelerator Denial of Service Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Firepower Threat Defense and Cisco ASA with FirePOWER Module Denial of Service Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Finesse for Cisco Unified Contact Center Enterprise Information Disclosure Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco CVR100W Wireless-N VPN Router Remote Management Security Bypass Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Unity Connection ImageID Parameter Unauthorized Access Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco TelePresence ICMP Denial of Service Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco CallManager Express Unauthorized Access Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: A vulnerability has been discovered in 40-GbE network interface modules for the IBM QRadar Network Security XGS 7100 appliance (CVE-2016-8106) *** http://www-01.ibm.com/support/docview.wss?uid=swg22002624 --------------------------------------------- *** IBM Security Bulletin: A vulnerability has been discovered in 40-GbE network interface modules for the IBM Security Network Protection XGS 7100 appliance (CVE-2016-8106) *** http://www-01.ibm.com/support/docview.wss?uid=swg22002507 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in Apache Struts affects IBM Social Media Analytics (CVE-2017-5638) *** http://www-01.ibm.com/support/docview.wss?uid=swg22001731 --------------------------------------------- *** IBM Security Bulletin: Potential security vulnerability in WebSphere Application Server Administrative Console (CVE-2017-1137) *** http://www-01.ibm.com/support/docview.wss?uid=swg21998469 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM B2B Advanced Communications *** http://www.ibm.com/support/docview.wss?uid=swg22002517 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in OpenSSL affects IBM Security Network Controller (CVE-2016-7055) *** http://www-01.ibm.com/support/docview.wss?uid=swg22002309 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in OpenSSL affects IBM Security Network Active Bypass (CVE-2016-7055) *** http://www-01.ibm.com/support/docview.wss?uid=swg22002310 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSource ICU4C may affect IBM Streams (CVE-2016-6293, CVE-2016-7415) *** http://www-01.ibm.com/support/docview.wss?uid=swg22002225 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in SQLite affects IBM Tivoli Composite Application Manager for Transactions (CVE-2016-6153 ) *** http://www-01.ibm.com/support/docview.wss?uid=swg21996590 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect the BigFix Platform (CVE-2016-2177 CVE-2016-6304 CVE-2016-6305 CVE-2016-2182 CVE-2016-6306 CVE-2016-2183) *** http://www-01.ibm.com/support/docview.wss?uid=swg22002870 ---------------------------------------------

1 0

Tageszusammenfassung - Mittwoch 3-05-2017
by Daily end-of-shift report 03 May '17

03 May '17

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 02-05-2017 18:00 − Mittwoch 03-05-2017 18:00 Handler: Olaf Schwarz Co-Handler: Petr Sikuta Co-Handler: Stephan Richter *** Malware Hunter - Shodans new tool to find Malware C&C Servers *** --------------------------------------------- Rapidly growing, insecure internet-connected devices are becoming albatross around the necks of individuals and organizations with malware authors routinely hacking them to form botnets that can be further used as weapons in DDoS and other cyber attacks. But now finding malicious servers, hosted by attackers, that control botnet of infected machines gets a bit easier. Thanks to Shodan and [...] --------------------------------------------- https://thehackernews.com/2017/05/shodan-malware-hunter.html *** Disambiguate "Zero-Day" Before Considering Countermeasures *** --------------------------------------------- "Zero-day" is the all-powerful boogieman of the information security industry. Too many of us invoke it when discussing scary threats against which we feel powerless. We need to define and disambiguate this term before attempting to determine whether we've accounted for the associated threats when designing security programs. Avoid Zero-Day Confusion I've seen "zero-day" used to describe two related, but independent concepts. First,... Read more --------------------------------------------- https://zeltser.com/zero-day-terminology/ *** Outlook Forms and Shells *** --------------------------------------------- I set out to try and find another way to get a shell through Outlook, in the case of us having valid credentials[...] Fortunately for us, Outlook has a massive attack surface and provides several other interesting automation features. One of these is Outlook Forms. --------------------------------------------- https://sensepost.com/blog/2017/outlook-forms-and-shells/ *** Compromising Industrial Robots: The Fallacy of Industrial Routers in the Industry 4.0 Ecosystem *** --------------------------------------------- The increased connectivity of computer and robot systems in the industry 4.0. ecosystem, is, and will be exposing robots to cyber attacks in the future. Indeed, industrial robots - originally conceived to be isolated - have evolved, and are now exposed to corporate networks and the internet.While this provides synergy effects and higher efficiency in production, the security posture is not on par. In our latest report Rogue Robots: Testing the Limits of an Industrial Robot's [...] --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/6F0kroJASMA/ *** Steps to Stronger Passwords *** --------------------------------------------- A journey of password The utilization of passwords is known to be old. Sentries would challenge those wishing to enter a territory or moving toward it to supply a secret word, and would just enable a man or gathering to pass if they knew the secret key. In present day times, username and passwords are [...] --------------------------------------------- http://resources.infosecinstitute.com/steps-make-stronger-passwords/ *** Deutsche Bankkonten über UMTS-Sicherheitslücken ausgeräumt *** --------------------------------------------- Kriminelle Hacker haben Konten von deutschen Bankkunden über Sicherheitslücken im Mobilfunknetz ausgeräumt, die seit Jahren bekannt sind. Eigentlich wollten die Provider schon 2014 entsprechende Gegenmaßnahmen ergreifen. --------------------------------------------- https://heise.de/-3702194 *** Diskurs|Digital - Einblicke in gelebte Partizipation *** --------------------------------------------- May 23, 2017 - 6:00 pm - 8:00 pm SBA Research Favoritenstraße 16 1040 Wien --------------------------------------------- https://www.sba-research.org/events/diskursdigital-einblicke-in-gelebte-par… *** Linuxwochen gastieren wieder in Wien *** --------------------------------------------- Sowohl technische als auch netzpolitische Vorträge - Von Open Source bis Softwarepatenten --------------------------------------------- http://derstandard.at/2000056925982 *** DFN-CERT-2017-0755: Intel Active Management Technology (AMT), Intel Small Business Technology (SBT), Intel Standard Manageability (ISM): Eine Schwachstelle ermöglicht die komplette Systemübernahme *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0755/ *** Android Security Bulletin—May 2017 *** --------------------------------------------- The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Alongside the bulletin, we have released a security update to Nexus devices through an over-the-air (OTA) update. The Google device firmware images have also been released to the Google Developer site. Security patch levels of May 05, 2017 or later address all of these issues. Refer to the Pixel and Nexus update schedule to learn how to check a device's security patch level. --------------------------------------------- https://source.android.com/security/bulletin/2017-05-01 *** Schneider Electric Wonderware Historian Client *** --------------------------------------------- This advisory contains mitigation details for an improper XML parser configuration vulnerability in Schneider Electric's Wonderware Historian Client. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-122-01 *** CyberVision Kaa IoT Platform *** --------------------------------------------- This advisory contains mitigation details for a code injection vulnerability in CyberVision's Kaa IoT Platform. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-122-02 *** Advantech B+B SmartWorx MESR901 *** --------------------------------------------- This advisory contains mitigation details for a use of client-side authentication vulnerability in the Advantech B+B SmartWorx MESR901 Modbus gateway. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-122-03 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Open Redirect Vulnerability in IBM WebSphere Portal (CVE-2017-1156) *** http://www-01.ibm.com/support/docview.wss?uid=swg22000153 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Security Identity Governance (CVE-2016-8610 CVE-2017-3731) *** http://www.ibm.com/support/docview.wss?uid=swg22002387 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM JAVA Runtime affect AppScan Source (CVE-2016-5547 CVE-2016-2183) *** http://www.ibm.com/support/docview.wss?uid=swg22002633 --------------------------------------------- *** IBM Security Bulletin: A Vulnerability in IBM Java SDK affects IBM Streams (CVE-2016-5597) *** http://www.ibm.com/support/docview.wss?uid=swg22002189 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect WebSphere Message Broker and IBM Integration Bus *** http://www.ibm.com/support/docview.wss?uid=swg22002242 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in Open Source openSSL affect IBM Security Identity Governance Appliance *** http://www.ibm.com/support/docview.wss?uid=swg22002397 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affects IBM Tivoli Composite Application Manager for Transactions *** http://www-01.ibm.com/support/docview.wss?uid=swg22002374 --------------------------------------------- *** IBM Security Bulletin: Privilege escalation vulnerability affects IBM DB2 LUW (CVE-2017-1134) *** http://www-01.ibm.com/support/docview.wss?uid=swg22002573 --------------------------------------------- *** IBM Security Bulletin: Cross Site Scripting vulnerability in IBM Marketing Platform (CVE-2016-0255) *** http://www-01.ibm.com/support/docview.wss?uid=swg22001950 ---------------------------------------------

1 0

Tageszusammenfassung - Dienstag 2-05-2017
by Daily end-of-shift report 02 May '17

02 May '17

======================= = End-of-Shift report = ======================= Timeframe: Freitag 28-04-2017 18:00 − Dienstag 02-05-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Exploiting .NET Managed DCOM *** --------------------------------------------- Posted by James Forshaw, Project ZeroOne of the more interesting classes of security vulnerabilities are those affecting interoperability technology. This is because these vulnerabilities typically affect any application using the technology, regardless of what the application actually does. Also in many cases they’re difficult .. --------------------------------------------- http://googleprojectzero.blogspot.com/2017/04/exploiting-net-managed-dcom.h… *** 2017 Verizon DBIR: Sex Sells, But the Basics Get It Done *** --------------------------------------------- This year’s Verizon Data Breach Investigations Report has been published, and as with its prior nine incarnations, the report is .. --------------------------------------------- https://www.beyondtrust.com/blog/2017-verizon-dbir-sex-sells-basics-get-don… *** DSA-3838 ghostscript - security update *** --------------------------------------------- Several vulnerabilities were discovered in Ghostscript, the GPLPostScript/PDF interpreter, which may lead to the execution of arbitrary code or denial of service if a specially crafted Postscript file is processed. --------------------------------------------- https://www.debian.org/security/2017/dsa-3838 *** 7 Reasons Why IoT Hacks Will Keep Happening *** --------------------------------------------- Hacks happen almost on a daily basis, if not every minute of every day. In fact, some say that .. --------------------------------------------- https://safeandsavvy.f-secure.com/2017/04/28/7-reasons-why-iot-device-hacks… *** DSA-3839 freetype - security update *** --------------------------------------------- Several vulnerabilities were discovered in Freetype. Opening malformed fonts may result in denial of service or the execution of arbitrary code. --------------------------------------------- https://www.debian.org/security/2017/dsa-3839 *** Forschern gelingt Autohack für 20 Euro *** --------------------------------------------- Billige Gadgets kopieren Entsperrsignal des Schlüssels – immer noch viele Autos betroffen --------------------------------------------- http://derstandard.at/2000056487404 *** Orange is the new Black: Hacker leaken Staffel 5 *** --------------------------------------------- Laut den Hackern ist dies nur der Vorgeschmack. Sie drohen damit weitere Filme und Serien zu veröffentlichen, die offiziell erst in Monaten erscheinen. --------------------------------------------- https://futurezone.at/digital-life/orange-is-the-new-black-hacker-leaken-st… *** "Dok": Neue Mac-Malware spioniert Browser aus *** --------------------------------------------- Kann gesamte Browser-Kommunikation belauschen – derzeit vor allem europäische User im Visier --------------------------------------------- http://derstandard.at/2000056812916 *** Carbanak Continues To Evolve: Quietly Creeping into Remote Hosts *** --------------------------------------------- Introduction I recently engaged in an investigation involving two new Carbanak campaigns targeting the hospitality .. --------------------------------------------- https://www.trustwave.com/Resources/SpiderLabs-Blog/Carbanak-Continues-To-E… *** Intels remote AMT vulnerablity *** --------------------------------------------- Intel just announced a vulnerability in their Active Management Technology stack. Heres what we know so far.Background Intel chipsets for some years have included a Management Engine, a small microprocessor that runs independently of the main CPU and operating .. --------------------------------------------- http://mjg59.dreamwidth.org/48429.html *** IBM Warns Customers That Some of Its USB Flash Drives May Contain Malware *** --------------------------------------------- IBM has issued a security alert last week, warning customers that some USB flash drives shipped with IBM Storwize products may contain malicious code. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ibm-warns-customers-that-som… *** Sicherheitsupdates: Jenkins vielfältig angreifbar *** --------------------------------------------- Unter gewissen Voraussetzungen könnten Angreifer sich höhere Rechte erschleichen oder sogar Schadcode ausführen. --------------------------------------------- https://heise.de/-3700838 *** Spam and phishing in Q1 2017 *** --------------------------------------------- Although the beginning of Q1 2017 was marked by a decline in the amount of spam in overall global email traffic, in March the situation became more stable, and the average share of .. --------------------------------------------- http://securelist.com/analysis/quarterly-spam-reports/78221/spam-and-phishi… *** Cerber Version 6 Shows How Far the Ransomware Has Come (and How Far it’ll Go) *** --------------------------------------------- Cerber set itself apart from other file-encrypting malware when its developers commoditized the malware, adopting a business model where fellow cybercriminals can buy the ransomware as a service. The developers earn through commissions—as much as 40%—for every .. --------------------------------------------- http://blog.trendmicro.com/trendlabs-security-intelligence/cerber-ransomwar… *** New Shodan Tool Can Find Malware Command and Control (C&C) Servers *** --------------------------------------------- Shodan and Recorded Future have launched today a search engine for discovering malware command-and-control (C&C) servers. Named Malware Hunter, this new tool is integrated into .. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-shodan-tool-can-find-mal… *** Security Scoring and Grading for Containers and Images *** --------------------------------------------- We have just rolled out an update to the interface of the Red Hat Container Catalog that helps provide the answer to the question of whether or not a particular container image we provide .. --------------------------------------------- https://access.redhat.com/blogs/product-security/posts/container-security-s… *** Citrix XenServer Multiple Security Updates *** --------------------------------------------- A number of security issues have been identified within Citrix XenServer. These issues could, if exploited, allow a malicious .. --------------------------------------------- https://support.citrix.com/article/CTX223291

1 0

Tageszusammenfassung - Freitag 28-04-2017
by Daily end-of-shift report 28 Apr '17

28 Apr '17

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 27-04-2017 18:00 − Freitag 28-04-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a *** GE Multilin SR Protective Relays *** --------------------------------------------- This advisory contains mitigation details for a weak cryptography for passwords vulnerability in GEs Multilin SR protective relays. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-117-01 *** Chrome to Mark More HTTP Pages ‘Not Secure’ *** --------------------------------------------- Starting with Chrome 62, Google will start marking any HTTP page where users may enter data, .. --------------------------------------------- http://threatpost.com/chrome-to-mark-more-http-pages-not-secure/125255/ *** Russian-controlled telecom hijacks financial services’ Internet traffic *** --------------------------------------------- Visa, MasterCard, and Symantec among dozens affected by "suspicious" BGP mishap. --------------------------------------------- https://arstechnica.com/security/2017/04/russian-controlled-telecom-hijacks… *** DSA-3836 weechat - security update *** --------------------------------------------- It was discovered that weechat, a fast and light chat client, is proneto a buffer overflow vulnerability in the IRC plugin, allowing a remote attacker to cause a denial-of-service by sending a specially crafted filename via DCC. --------------------------------------------- https://www.debian.org/security/2017/dsa-3836 *** DSA-3837 libreoffice - security update *** --------------------------------------------- It was discovered that a buffer overflow in processing Windows Metafiles may result in denial of service or the execution of arbitrary code if a malformed document is opened. --------------------------------------------- https://www.debian.org/security/2017/dsa-3837 *** New MacOS Malware, Signed With Legit Apple ID, Found Spying On HTTPS Traffic *** --------------------------------------------- Many people believe that they are much less likely to be bothered by malware if they use a Mac computer, but is it really true? Unfortunately, No. According to the McAfee Labs, malware attacks on Apples Mac computers were up 744% in 2016, and its researchers .. --------------------------------------------- https://thehackernews.com/2017/04/apple-mac-malware.html *** Http 81 Botnet: the Comparison against MIRAI and New Findings *** --------------------------------------------- OverviewIn our previous blog, we introduced a new IoT botnet spreading over http 81. We will name it in this blog the http81 IoT botnet, while some anti-virus software name it Persirai, and some .. --------------------------------------------- http://blog.netlab.360.com/http-81-botnet-the-comparison-against-mirai-and-… *** Facebook und Google überwiesen Betrüger 100 Millionen Dollar *** --------------------------------------------- Litauer gab sich als Vertreter von Hardware-Zulieferer aus, Beträge zu großem Teil zurückgeholt --------------------------------------------- http://derstandard.at/2000056723656

1 0

Tageszusammenfassung - Donnerstag 27-04-2017
by Daily end-of-shift report 27 Apr '17

27 Apr '17

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 26-04-2017 18:00 − Donnerstag 27-04-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Picture this: Senate staffers’ ID cards have photo of smart chip, no security *** --------------------------------------------- https://arstechnica.com/information-technology/2017/04/picture-this-senate-… *** FIRST TC Amsterdam 2017 Wrap-Up *** --------------------------------------------- Here is my quick wrap-up of the FIRST Technical Colloquium hosted by Cisco in Amsterdam. This is my first participation to a FIRST event. FIRST is .. --------------------------------------------- https://blog.rootshell.be/2017/04/26/first-tc-amsterdam-2017-wrap/ *** A vigilante is putting a huge amount of work into infecting IoT devices *** --------------------------------------------- https://arstechnica.com/security/2017/04/a-vigilante-is-putting-huge-amount… *** Homebrew crypto SNAFU on electrical grid sees GE rush patches *** --------------------------------------------- Boffins turned up hard-coded password in ancient controllers General Electric is pushing patches for protection .. --------------------------------------------- www.theregister.co.uk/2017/04/27/ge_rushing_patches_to_grid_systems_ahead_o… *** DSA-3835 python-django - security update *** --------------------------------------------- Several vulnerabilities were discovered in Django, a high-level Pythonweb development framework. The Common .. --------------------------------------------- https://www.debian.org/security/2017/dsa-3835 *** Cyberkriminalität: So machen Sie Ihr Unternehmen sicher *** --------------------------------------------- Bei der Roadshow "IT-Sicherheit und Datenschutz" der WKÖ und des BMI im Rahmen von "Gemeinsam.Sicher mit .. --------------------------------------------- https://futurezone.at/b2b/cyberkriminalitaet-so-machen-sie-ihr-unternehmen-… *** Peace in our time! Symantec says it can end Google cert spat *** --------------------------------------------- Its basically a promise to do better and not mess things up Symantec is hoping to get its certificates back on Googles trust list. --------------------------------------------- www.theregister.co.uk/2017/04/27/symantec_ca_proposal_for_google/ *** Ransomware up. Breaches up. What do hackers want? Research, prototypes... all your secrets *** --------------------------------------------- Verizon super depressing reports in Cyberespionage and ransomware attacks are on the increase, according .. --------------------------------------------- www.theregister.co.uk/2017/04/27/verizon_breach_report/ *** nomx: The worlds most (in)secure communications protocol *** --------------------------------------------- I was recently invited to take part in some research by BBC Click, alongside Professor Alan Woodward, to analyse a device that had quite a lot of people all excited. With slick marketing, .. --------------------------------------------- https://scotthelme.co.uk/nomx-the-worlds-most-secure-communications-protoco… *** APT Trends report, Q1 2017 *** --------------------------------------------- Kaspersky Lab is currently tracking more than a hundred threat actors and sophisticated malicious operations in over 80 countries. During the first quarter of 2017, there were 33 private .. --------------------------------------------- http://securelist.com/analysis/quarterly-malware-reports/78169/apt-trends-r… *** StringBleed ist kein zweites Heartbleed *** --------------------------------------------- Es wird mal wieder eine benamste Schwachstellen-Kuh durch die IT-Security Community getrieben. Der Name soll offensichtlich an Heartbleed erinnern, aber soweit wir das jetzt einschätzen können, .. --------------------------------------------- http://www.cert.at/services/blog/20170427115946-1972.html *** Cracking APT28 traffic in a few seconds *** --------------------------------------------- Security experts from security firm Redsocks published an interesting report on how to crack APT28 traffic in a few seconds. Introduction APT28 is a hacking group involved in many recent cyber incidents. The most recent attack allegedly .. --------------------------------------------- http://securityaffairs.co/wordpress/58435/apt/cracking-apt28-traffic.html *** Windows 10: Microsoft liefert Updates auch außerhalb des Patchdays *** --------------------------------------------- Microsoft will Windows 10 nach dem Creators Update nun auch außerhalb des Patchdays mit Updates versorgen. Allerdings .. --------------------------------------------- https://heise.de/-3698302 *** Broadcom-Sicherheitslücken: Samsung schützt Nutzer nicht vor WLAN-Angriffe *** --------------------------------------------- Googles Project Zero hat kürzlich in Broadcom-Chips und -Treibern zahlreiche kritische Sicherheitslücken gefunden, mit denen sich Smartphones übernehmen lassen. Wir haben .. --------------------------------------------- https://www.golem.de/news/broadcom-sicherheitsluecken-samsung-schuetzt-nutz…

1 0

Tageszusammenfassung - Mittwoch 26-04-2017
by Daily end-of-shift report 26 Apr '17

26 Apr '17

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 25-04-2017 18:00 − Mittwoch 26-04-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a *** FortiOS XSS via srcintf during Firewall Policy Creation *** --------------------------------------------- An XSS vulnerability caused by the scrintf parameter input during Firewall Policy Creation can be exploited to load and run a remote (malicious) Javascript in a logged in browser. --------------------------------------------- http://fortiguard.com/psirt/FG-IR-17-017 *** Analyzing Cyber Insurance Policies *** --------------------------------------------- Theres a really interesting new paper analyzing over 100 different cyber insurance policies. From the abstract:In this research paper, we seek to answer .. --------------------------------------------- https://www.schneier.com/blog/archives/2017/04/analyzing_cyber.html *** Kritische Lücken: VMware sichert Anwendungen gegenüber Schadcode ab *** --------------------------------------------- Sicherheitsupdates schließen mehrere Schwachstellen in verschiedenen VMware-Anwendungen zum Umgang mit virtuellen Maschinen und für den Fernzugriff. Davon sind alle Betriebssysteme betroffen. --------------------------------------------- https://heise.de/-3696740 *** BrickerBot vs Mirai: Malware-Wettstreit um Internetkameras und Co. *** --------------------------------------------- Neue Generationen von BrickerBot versuchen schlecht geschützte Geräte zu beschädigen, und entziehen so Mirai die Grundlage --------------------------------------------- http://derstandard.at/2000056608656 *** Terror EK going ‘pro’? Not quite yet *** --------------------------------------------- https://blog.malwarebytes.com/cybercrime/2017/04/terror-ek-going-pro-not-qu… *** AIT beim Citizen Science Award 2017 *** --------------------------------------------- [...] Im Rahmen des Citizen Science Awards 2017 sind Schulklassen der Unter- und Oberstufe sowie Einzelpersonen eingeladen, aktiv an der Erarbeitung möglicher Strategien gegen Cyberattacken mitzuwirken und gemeinsam das digitale Minispiel „Phishing Wars“ weiterzuentwickeln. Anhand dieses Spiels wird trainiert, worauf es beim Erkennen von Phishing-Mails ankommt, um nicht Opfer von Cyberattacken zu werden. --------------------------------------------- http://science.apa.at/site/kultur_und_gesellschaft/detail.html?key=SCI_2017… *** If there are some unexploited MSSQL Servers With Weak Passwords Left: They got you now (again), (Wed, Apr 26th) *** --------------------------------------------- Setting up a Microsoft SQL server with a stupid simple password like sa for the sa user is hard. First of all, Microsoft implemented a default password policy .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=22346

1 0

Tageszusammenfassung - Dienstag 25-04-2017
by Daily end-of-shift report 25 Apr '17

25 Apr '17

======================= = End-of-Shift report = ======================= Timeframe: Montag 24-04-2017 18:00 − Dienstag 25-04-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Frankreich-Wahl: Russische Hacker sollen Macron ins Visier nehmen *** --------------------------------------------- Experten bringen Gruppe mit russischen Militärgeheimdienst in Verbindung --------------------------------------------- http://derstandard.at/2000056465269 *** The Backstory Behind Carder Kingpin Roman Seleznev’s Record 27 Year Prison Sentence *** --------------------------------------------- Roman Seleznev, a 32-year-old Russian cybercriminal and prolific credit card thief, was sentenced Friday to 27 years in federal prison. That is a record .. --------------------------------------------- https://krebsonsecurity.com/2017/04/the-backstory-behind-carder-kingpin-rom… *** Analysis of the Shadow Z118 PayPal phishing site, (Mon, Apr 24th) *** --------------------------------------------- [This is a guest post submitted by Remco Verhoef. Got something interesting to share? Please use our contact form to suggest your topic] Today I got lucky walking around within a phishing site and found some left-over .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=22338 *** Alert: If youre running SquirrelMail, Sendmail... why? And oh yeah, remote code vuln found *** --------------------------------------------- This is nuts Security researchers have uncovered a critical security hole in SquirrelMail, the open-source webmail project. --------------------------------------------- www.theregister.co.uk/2017/04/24/squirrelmail_vuln/ *** AV provider Webroot melts down as update nukes hundreds of legit files *** --------------------------------------------- https://arstechnica.com/security/2017/04/av-provider-webroot-melts-down-as-… *** BrickerBot, the permanent denial-of-service botnet, is back with a vengeance *** --------------------------------------------- https://arstechnica.com/security/2017/04/brickerbot-the-permanent-denial-of… *** Western Digital My Cloud 2.21.126 Authentication Bypass *** --------------------------------------------- https://cxsecurity.com/issue/WLB-2017040164 *** Bis zu 100.000 Rechner mit geleakter NSA-Malware infiziert *** --------------------------------------------- Sicherheitsforscher finden "Doublepulsar" auf zigtausenden Maschinen, darunter auch Rechner in Österreich --------------------------------------------- http://derstandard.at/2000056481284 *** Angreifer könnten Drupal-Webseiten ausspionieren *** --------------------------------------------- Im Versionsstrang 8.x klafft eine als kritisch eingestufte Sicherheitslücke. Abgesicherte Versionen schließen die Schwachstelle. --------------------------------------------- https://heise.de/-3693082 *** Doskozil: Bundesheer soll Gegner im Cyberwar auch angreifen *** --------------------------------------------- Minister: Angriffe sollen nicht nur abgewehrt werden – Wöchentlich fünf bis sechs ernste Attacken --------------------------------------------- http://derstandard.at/2000056452452 *** Sicherheitspatches in Sicht: Zehn Lücken gefährden Linksys-Router *** --------------------------------------------- Verschiedene Modelle der Smart-Wi-Fi-Serie von Linksys sind laut Sicherheitsforschern angreifbar. Unter gewissen Voraussetzungen sollen Angreifer Befehle auf Routern ausführen können. --------------------------------------------- https://heise.de/-3693136 *** New IoT Botnet Rises Feeding on Vulnerable Security Cameras *** --------------------------------------------- A new botnet is slowly building critical mass on the back of unsecured webcams and IP cameras, .. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-iot-botnet-rises-feeding… *** Hard Target: Fileless Malware *** --------------------------------------------- Researchers say fileless in-memory malware attacks have become a major nuisance to businesses and have become even harder to detect and defend. --------------------------------------------- http://threatpost.com/hard-target-fileless-malware/125054/ *** DSA-3833 libav - security update *** --------------------------------------------- Several security issues have been corrected in multiple demuxers anddecoders of the libav multimedia library. A full list of the changes is available .. --------------------------------------------- https://www.debian.org/security/2017/dsa-3833 *** Ashley Madison users blackmailed again *** --------------------------------------------- Criminals are still trying to shake down users of the Ashley Madison dating/cheating online service. As you might remember, the service was hacked in 2015, and the attackers .. --------------------------------------------- https://www.helpnetsecurity.com/2017/04/25/ashley-madison-blackmail/ *** SAP NetWeaver durch Lücken gefährdet *** --------------------------------------------- In verschiedenen Komponenten der NetWeaver-Plattform klaffen Sicherheitslücken. Sicherheitsforschern zufolge könnten Angreifer über die Schlupflöcher unter anderem an Log-in-Daten kommen. --------------------------------------------- https://heise.de/-3693658 *** Security Bulletin Posted for ColdFusion (APSB17-14) *** --------------------------------------------- Adobe has published a Security Bulletin (APSB17-14) announcing the availability of hotfixes for ColdFusion versions 2016, 11 and 10. These hotfixes resolve an input validation .. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1460 *** Hackers uncork experimental Linux-targeting malware *** --------------------------------------------- SSH... its Shishiga Hackers have unleashed a new malware strain that targets Linux-based systems. --------------------------------------------- www.theregister.co.uk/2017/04/25/linux_malware/ *** [2017-04-25] Portrait Display SDK Service privilege escalation *** --------------------------------------------- The Portrait Display SDK Service (PdiService.exe) configuration was found to be writable for every authenticated user in a default installation. --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2017… *** [20170402] - Core - XSS Vulnerability *** --------------------------------------------- https://developer.joomla.org/security-centre/684-20170402-core-xss-vulnerab… *** [20170403] - Core - XSS Vulnerability *** --------------------------------------------- https://developer.joomla.org/security-centre/685-20170403-core-xss-vulnerab… *** [20170404] - Core - XSS Vulnerability *** --------------------------------------------- https://developer.joomla.org/security-centre/686-20170404-core-xss-vulnerab… *** [20170405] - Core - XSS Vulnerability *** --------------------------------------------- https://developer.joomla.org/security-centre/687-20170405-core-xss-vulnerab…

1 0

Tageszusammenfassung - Montag 24-04-2017
by Daily end-of-shift report 24 Apr '17

24 Apr '17

======================= = End-of-Shift report = ======================= Timeframe: Freitag 21-04-2017 18:00 − Montag 24-04-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Eingebauter Node.js-Server: Per Nvidia-Treiber lassen sich Schädlinge einschleusen *** --------------------------------------------- Nvidia-Treiber enthalten einen Node.js-Server - keine gute Idee: Damit lassen sich Sicherungsmechanismen wie Application Whitelisting umgehen. --------------------------------------------- https://heise.de/-3691119 *** OWASP Top 10: Die zehn wichtigsten Sicherheitsrisiken bekommen ein Update *** --------------------------------------------- Risiken durch Injections, Fehler beim Session Management und XSS bleiben weiterhin hoch. Im vorliegenden Entwurf finden sich neben bekannten Sicherheitslücken .. --------------------------------------------- https://www.golem.de/news/owasp-top-10-die-zehn-wichtigsten-sicherheitsrisi… *** SquirrelMail < 1.4.22 - Remote Code Execution *** --------------------------------------------- https://cxsecurity.com/issue/WLB-2017040157 *** Shellcode Analysis- Basics *** --------------------------------------------- In this article, we will look at how what shellcode is, what is its purpose and various shellcode patterns, etc. Please note that this article will not cover how a shellcode is .. --------------------------------------------- http://resources.infosecinstitute.com/shellcode-analysis-basics/ *** FIN7 Evolution and the Phishing LNK *** --------------------------------------------- FIN7 is a financially-motivated threat group that has been associated with malicious operations dating back to late 2015. FIN7 is referred to by many vendors as “Carbanak Group”, .. --------------------------------------------- http://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html *** Amazon: Phishing-Kampagne ködert mit Datenschutzgrundverordnung *** --------------------------------------------- Angebliche von Amazon versendete Mails sind derzeit häufig im E-Mail-Postfach zu finden. Nach gefälschten Umsatzsteuerrechnungen gibt es neuerdings eine Phishing-Kampagne, die .. --------------------------------------------- https://www.golem.de/news/amazon-phishing-kampagne-koedert-mit-datenschutzg… *** Sicherheitsupdate: Angreifer könnten Inhalte von Confluence-Wikis einsehen *** --------------------------------------------- Wer Confluence einsetzt, sollte eine der ab sofort verfügbaren abgesicherte Version installieren. --------------------------------------------- https://heise.de/-3692816

1 0

Tageszusammenfassung - Freitag 21-04-2017
by Daily end-of-shift report 21 Apr '17

21 Apr '17

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 20-04-2017 18:00 − Freitag 21-04-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** 20 Linksys Router Models Vulnerable To Attack *** --------------------------------------------- Researchers say more than 100,000 Linksys routers in use today could be vulnerable to 10 flaws found in 20 separate router models made by the company. --------------------------------------------- http://threatpost.com/20-linksys-router-models-vulnerable-to-attack/125085/ *** The History of Fileless Malware - Looking Beyond the Buzzword *** --------------------------------------------- What's the deal with "fileless malware"? Though many security professionals cringe when they hear this term, lots of articles and product brochures mention fileless malware in the context of threats that are difficult to resist and investigate. Below is my attempt to look beyond the buzzword, tracing the origins of this term and outlining the malware samples that influenced how we use... Read more --------------------------------------------- https://zeltser.com/fileless-malware-beyond-buzzword/ *** Archive.org Abused to Deliver Phishing Pages *** --------------------------------------------- The Internet Archive is a well-known website and more precisely for its "WaybackMachine" service. It allows you to search for and display old versions of websites. The current Alexa ranking is 262 which makes it a "popular and trusted" website. Indeed, like I explained in a recent SANS ISC diary, whitelists [...] --------------------------------------------- https://blog.rootshell.be/2017/04/20/archive-org-abused-deliver-phishing-pa… *** Analysis of a Maldoc with Multiple Layers of Obfuscation, (Fri, Apr 21st) *** --------------------------------------------- Thanks to our readers, we get often interesting samples to analyze. This time, Frederick sent us a malicious Microsoft Word document called Invoice_6083.doc (which was delivered in a zip archive). I had a quick look [...] --------------------------------------------- https://isc.sans.edu/diary/Analysis+of+a+Maldoc+with+Multiple+Layers+of+Obf… *** TLS-Interception: Sophos-Firewall wird von Chrome-Änderung überrascht *** --------------------------------------------- Nutzer, die den Chrome-Browser hinter einer Firewall von Sophos nutzen, sehen zur Zeit nur Zertifikatswarnungen. Die neue Chrome-Version ignoriert den sogenannten CommonName, der schon seit 17 Jahren als veraltet gilt. (Sophos, Browser) --------------------------------------------- https://www.golem.de/news/tls-interception-sophos-firewall-wurd-von-chrome-… *** Domain Fronting *** --------------------------------------------- In this article, we are going to learn about a very interesting and powerful technique known as Domain Fronting which is a circumvention technique based on HTTPS that hides the true destination from the censor. What is Domain Fronting? Domain fronting is a technique to circumvent the censorship employed for certain domains(censorship may be for [...] --------------------------------------------- http://resources.infosecinstitute.com/domain-fronting/ *** Top-ranked programming Web tutorials introduce vulnerabilities into software *** --------------------------------------------- Researchers from several German universities have checked the PHP codebases of over 64,000 projects on GitHub, and found 117 vulnerabilities that they believe have been introduced through the use of code from popular but insufficiently reviewed tutorials. The process The researchers identified popular tutorials by inputing search terms such as "mysql tutorial", [...] --------------------------------------------- https://www.helpnetsecurity.com/2017/04/21/programming-tutorials-vulnerabil… *** Security vulnerability in unmaintained Drupal contrib module puts 120000 sites at risk *** --------------------------------------------- [...] The module is currently used by over 120 000 individual Drupal installations, but is no longer maintained. The last update was done in February 2013. Unfortunately a critical security vulnerability in this references module has been reported by the Drupal core security team as SA-CONTRIB-2017-38: [...] --------------------------------------------- http://drupal.sh/vulnerable-drupal-contrib-module-puts-120000-sites-at-risk *** References - Unsupported - SA-CONTRIB-2017-38 *** --------------------------------------------- [...] Updates: 2017-04-18 -- This issue has been resolved with the release of references 7.x-2.2 --------------------------------------------- https://www.drupal.org/node/2869138 *** cURL/libcurl TLS Session Resumption Client Certificate Bug Lets Remote Users Bypass Security Restrictions on the Target System *** --------------------------------------------- http://www.securitytracker.com/id/1038341 *** SSHD vulnerability CVE-2017-6128 *** --------------------------------------------- https://support.f5.com/csp/article/K92140924 *** DFN-CERT-2017-0704: FreeType: Eine Schwachstelle ermöglicht die Ausführung beliebigen Programmcodes *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0704/ *** Security Advisory - Buffer Overflow vulnerability in the GaussDB *** --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170420-… *** Security updates available in Foxit Reader 8.3 and Foxit PhantomPDF 8.3 *** --------------------------------------------- Foxit has released Foxit Reader 8.3 and Foxit PhantomPDF 8.3, which address potential security and stability issues. --------------------------------------------- https://www.foxitsoftware.com/support/security-bulletins.php *** Vuln: Linux Kernel CVE-2017-7645 Multiple Denial of Service Vulnerabilities *** --------------------------------------------- http://www.securityfocus.com/bid/97950 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: IBM Domino server IMAP EXAMINE command stack buffer overflow (CVE-2017-1274) *** http://www.ibm.com/support/docview.wss?uid=swg22002280 --------------------------------------------- *** IBM Security Bulletin: Plugin Uploads in IBM UrbanCode Deploy Vulnerable to XML Injection (CVE-2016-9007) *** http://www-01.ibm.com/support/docview.wss?uid=swg2C1000289 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM BigFix Remote Control. *** http://www-01.ibm.com/support/docview.wss?uid=swg22000544 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Composite Application Manager for Transactions(CVE-2016-5556, CVE-2016-5597 and CVE-2016-5542) *** http://www-01.ibm.com/support/docview.wss?uid=swg21996985 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerability in IBM Java Runtime affect IBM Security SiteProtector System (CVE-2016-5597 CVE-2016-5546 CVE-2016-5548 CVE-2016-5549 CVE-2016-5547 CVE-2016-2183) *** http://www-01.ibm.com/support/docview.wss?uid=swg22000580 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in Pivotal Spring Framework affects IBM Marketing Software products suite (CVE-2014-3625) *** http://www.ibm.com/support/docview.wss?uid=swg22002110 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect InfoSphere Optim Performance Manager (CVE-2016-5546, CVE-2016-5548, CVE-2016-5549, CVE-2016-5547, CVE-2016-2183) *** http://www-01.ibm.com/support/docview.wss?uid=swg22002204 ---------------------------------------------

1 0

Tageszusammenfassung - Donnerstag 20-04-2017
by Daily end-of-shift report 20 Apr '17

20 Apr '17

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 19-04-2017 18:00 − Donnerstag 20-04-2017 18:00 Handler: Stephan Richter Co-Handler: Alexander Riepl *** DFN-CERT-2017-0683/">GnuTLS: Mehrere Schwachstellen ermöglichen u.a. das Ausführen beliebigen Programmcodes mit den Rechten des Dienstes *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0683/ *** Cisco Security Advisories *** --------------------------------------------- *** Cisco ASA Software DNS Denial of Service Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Unified Communications Manager Denial of Service Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Prime Network Registrar DNS Denial of Service Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco IOS XE Software Simple Network Management Protocol Subsystem Denial of Service Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Firepower Detection Engine Pragmatic General Multicast Protocol Decoding Denial of Service Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco FindIT Network Probe Information Disclosure Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco IOS and IOS XE Software EnergyWise Denial of Service Vulnerabilities *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Prime Infrastructure Web Framework Code Cross-Site Scripting Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Integrated Management Controller Arbitrary Code Execution Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Integrated Management Controller User Session Hijacking Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Integrated Management Controller Cross-Site Scripting Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Integrated Management Controller Command Execution Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco ASA Software Internet Key Exchange Version 1 XAUTH Denial of Service Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco ASA Software SSL/TLS Denial of Service Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco ASA Software and Cisco FTD Software TCP Normalizer Denial of Service Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco ASA Software IPsec Denial of Service Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Bereiten Sie sich schon 2017 auf die Datenschutz-Grundverordnung vor: Wichtige Fragen *** --------------------------------------------- Die neue Datenschutz-Grundverordnung wird in diesem Jahr in vielen Branchen bei Entscheidungen zu Sicherheitslösungen eine wichtige Rolle spielen. Die Höhe der möglichen Geldbußen .. --------------------------------------------- https://securingtomorrow.mcafee.com/languages/german/bereiten-sie-sich-scho… *** Drupal Core - Critical - Access Bypass - SA-CORE-2017-002 *** --------------------------------------------- https://www.drupal.org/SA-CORE-2017-002 *** Organizations are not effectively dealing with open source security threats *** --------------------------------------------- Black Duck conducts hundreds of open source code audits annually, primarily related to Merger & Acquisition transactions. Its Center for Open Source Research & Innovation .. --------------------------------------------- https://www.helpnetsecurity.com/2017/04/20/open-source-security-threats/ *** DNS Query Length... Because Size Does Matter, (Thu, Apr 20th) *** --------------------------------------------- In many cases, DNS remains a goldmine to detect potentially malicious activity. DNS can be used in multiple ways to bypass securitycontrols. DNS tunnelling is a common way to establish .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=22326 *** Malware: Schadsoftware bei 1.200 Holiday-Inn- und Crown-Plaza-Hotels *** --------------------------------------------- Wer im vergangenen Jahr auf Geschäftsreise oder im Urlaub in den USA gewesen ist, sollte seine Kreditkartenabrechnungen prüfen: Zahlungsterminals zahlreicher .. --------------------------------------------- https://www.golem.de/news/malware-schadsoftware-bei-1-200-holiday-inn-und-c… *** Spyware Disguised as System Update Survived on Play Store for Almost Three Years *** --------------------------------------------- An Android app named "System Update" that secretly contained a spyware family named SMSVova, survived on the official .. --------------------------------------------- https://www.bleepingcomputer.com/news/security/spyware-disguised-as-system-… *** [R2] Tenable Appliance 4.5.0 Fixes Multiple Vulnerabilities *** --------------------------------------------- On 2017-04-18, security researcher "agix" published an exploit for the remote command execution flaw (VulnDB 153135). As such, customers are more strongly encouraged to upgrade immediately. --------------------------------------------- https://www.tenable.com/security/tns-2017-07 *** Trend Micro Threat Discovery Appliance - Session Generation Authentication Bypass (CVE-2016-8584) *** --------------------------------------------- In the last few months, I have been testing several Trend Micro products with Steven Seeley (@steventseeley). Together, we have found more than 200+ RCE (Remote Code Execution) vulnerabilities .. --------------------------------------------- http://blog.malerisch.net/2017/04/trend-micro-threat-discovery-appliance-se… *** Stealing sensitive browser data with the W3C Ambient Light Sensor API *** --------------------------------------------- In this post we describe and demonstrate a neat trick to exfiltrate sensitive information from your // --------------------------------------------- https://blog.lukaszolejnik.com/stealing-sensitive-browser-data-with-the-w3c… *** Combating a spate of Java malware with machine learning in real-time *** --------------------------------------------- In recent weeks, we have seen a surge in emails carrying fresh malicious Java (.jar) malware that use new techniques to evade antivirus protection. But with our research team’s automated expert .. --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2017/04/20/combating-a-wave-of-jav… *** Browser-Updates für Chrome und Firefox stopfen kritische Lücken *** --------------------------------------------- Sowohl Google als auch Mozilla haben kritische Sicherheitslücken in ihren Web-Browsern gestopft. Diese können von Angreifern für Drive-By-Attacken missbraucht werden. --------------------------------------------- https://heise.de/-3689571 *** Abusing NVIDIAs node.js to bypass application whitelisting *** --------------------------------------------- Application WhitelistingApplication whitelisting is an important security concept which can be found in many environments during penetration testing. The basic idea is to create a .. --------------------------------------------- http://blog.sec-consult.com/2017/04/application-whitelisting-application.ht… *** DNSSEC: ISC läutet Schlüsseltausch für BIND9 ein *** --------------------------------------------- Das Update ist für alle BIND9-Betreiber wichtig, die die Software zum Validieren von signierten DNS-Antworten einsetzen, aber kein automatisches Schlüssel-Update eingerichtet haben. --------------------------------------------- https://heise.de/-3689170

1 0

Tageszusammenfassung - Mittwoch 19-04-2017
by Daily end-of-shift report 19 Apr '17

19 Apr '17

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 18-04-2017 18:00 − Mittwoch 19-04-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** Trojaner greift gezielt österreichische Banken-Apps an *** --------------------------------------------- Eine kürzlich im Play Store entdeckte Malware versucht Bankdaten von 400 Apps abzugreifen, darunter Bawag, Erste Bank und Volksbank. --------------------------------------------- https://futurezone.at/digital-life/trojaner-greift-gezielt-oesterreichische… *** Hajime IoT worm infects devices to head off Mirai *** --------------------------------------------- Mirai is the name of the worm that has taken control of many IoT devices around the world and used them to mount DDoS attacks, the most high-profile of which was directed against US-based DNS provider Dyn and resulted in many websites and online services being inaccessible for hours on end. Its source code was leaked by the author, which lead to the creation of more botnets, and an increased fear that [...] --------------------------------------------- https://www.helpnetsecurity.com/2017/04/19/hajime-iot-worm/ *** Firmware-Status von AVM-Routern checken: Kritisches Sicherheitsloch in Fritzbox-Firmware gestopft *** --------------------------------------------- Durch eine kritische Sicherheitslücke in FritzOS könnten Angreifer beliebte Fritzbox-Modelle wie die 7490 aus der Ferne kapern. AVM hat die Lücke in den Routern bereits mit Firmware-Version 6.83 geschlossen - allerdings ohne es zu wissen. --------------------------------------------- https://heise.de/-3687437 *** Hunting for Malicious Excel Sheets, (Wed, Apr 19th) *** --------------------------------------------- Recently, I found a malicious Excel sheet which contained a VBA macro. One particularity of this file was that useful information was stored in cells. The VBA macro read and used them to download the malicious PE file. The Excel file looked classic, asking the user to enable macros: But below, around the 1000th row, some cells were hidden: Once expanded, they revealed interesting values: The macro code used the contain of those cells: [...] --------------------------------------------- https://isc.sans.edu/diary.html?storyid=22322&rss *** Owncloud/Nextcloud: Passwörter im Bugtracker *** --------------------------------------------- Wer bei Owncloud oder Nextcloud einen Bugreport melden möchte, wird nach dem Inhalt seiner Konfigurationsdatei gefragt. Viele Nutzer kamen dem nach - und gaben damit ihre Passwörter öffentlich preis. --------------------------------------------- https://www.golem.de/news/owncloud-nextcloud-passwoerter-im-bugtracker-1704… *** A Remote Attack on the Bosch Drivelog Connector Dongle *** --------------------------------------------- In this blog post, I discuss the vulnerabilities of the Bosch Drivelog Connector OBD-II dongle found by the Argus Research Team. The vulnerabilities allowed us to stop the engine of a moving vehicle using the Drivelog platform. --------------------------------------------- https://argus-sec.com/remote-attack-bosch-drivelog-connector-dongle/ *** Internet routing weakness could cost Bitcoin users *** --------------------------------------------- A flaw in the underlying design of the Internet could be very expensive for Bitcoin users, researchers find. --------------------------------------------- https://nakedsecurity.sophos.com/2017/04/18/internet-routing-weakness-could… *** Meet PINLogger, the drive-by exploit that steals smartphone PINs *** --------------------------------------------- Sensors in phones running both iOS and Android reveal all kinds of sensitive info. --------------------------------------------- https://arstechnica.com/security/2017/04/meet-pinlogger-the-drive-by-exploi… *** BrickerBot Permanent Denial-of-Service Attack (Update A) *** --------------------------------------------- This updated alert is a follow-up to the original alert titled ICS-ALERT-17-102-01A BrickerBot Permanent Denial-of-Service Attack that was published April 12, 2017, on the NCCIC/ICS-CERT web site. ICS-CERT is aware of open-source reports of "BrickerBot" attacks, which exploit hard-coded passwords in IoT devices in order to cause a permanent denial of service (PDoS). This family of botnets, which consists of BrickerBot.1 and BrickerBot.2, was described in a Radware Attack Report. --------------------------------------------- https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-102-01A *** Cryptographic security risks are amplified in DevOps settings *** --------------------------------------------- Cryptographic security risks are amplified in DevOps settings, where compromises in development or test environments can spread to production systems and applications, according to a study conducted by Dimensional Research. According to the study, many organizations fail to enforce vital cryptographic security measures in their DevOps environments. These problems are especially acute among organizations that are in the midst of adopting DevOps practices, but even organizations that say their [...] --------------------------------------------- https://www.helpnetsecurity.com/2017/04/19/devops-settings/ *** What is File Integrity Monitoring and Why You Need It *** --------------------------------------------- The news is rife with stories of successful attacks against servers, point-of-sale (POS) systems, IoT devices and more where an attacker has gained access to an organization's IT assets and changed or inserted new files and data to do something malicious. Just a search on malware highlights a seemingly-endless list of variants including the recent exposure of NSA-backed malware that exploits Windows systems, the re-emergence of Dridex (designed to capture banking credentials), new malware [...] --------------------------------------------- https://www.alienvault.com/blogs/security-essentials/what-is-file-integrity… *** HPESBGN03734 rev.1 - HPE Vertica Analytics Platform, Remote Gain Privileged Access *** --------------------------------------------- A potential security vulnerability has been identified in HPE Vertica Analytics Platform. This vulnerability could be remotely exploited to gain privileged access. --------------------------------------------- https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbgn037… *** VMSA-2017-0008 *** --------------------------------------------- VMware Unified Access Gateway, Horizon View and Workstation updates resolve multiple security vulnerabilities --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2017-0008.html *** Oracle Critical Patch Update - April 2017 *** --------------------------------------------- http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html *** Solaris Third Party Bulletin - April 2017 *** --------------------------------------------- http://www.oracle.com/technetwork/topics/security/bulletinapr2017-3680911.h… *** Oracle Linux Bulletin - April 2017 *** --------------------------------------------- http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2017-3664… *** Oracle VM Server for x86 Bulletin - April 2017 *** --------------------------------------------- http://www.oracle.com/technetwork/topics/security/ovmbulletinapr2017-366462… *** Huawei Security Advisories *** --------------------------------------------- *** Security Advisory - Insufficient Input Validation Vulnerability in Some Huawei Products *** http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170419-… --------------------------------------------- *** Security Advisory - OpenSSL Montgomery multiplication may produce incorrect results Vulnerability *** http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170419-… --------------------------------------------- *** Security Advisory - DoS Vulnerability in Some Huawei Products *** http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170419-… --------------------------------------------- *** Security Advisory - Input Validation Vulnerability in Multiple Huawei Products *** http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170419-… --------------------------------------------- *** Security Advisory - Plaintext Storage of Users' Safe Passwords in the Files APP in Huawei Mobile Phones *** http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170419-… --------------------------------------------- *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in zlib affect IBM SDK for Node.js (CVE-2016-9840 CVE-2016-9841 CVE-2016-9842 CVE-2016-9843) *** http://www.ibm.com/support/docview.wss?uid=swg22001567 --------------------------------------------- *** IBM Security Bulletin: Privilege escalation vulnerability affects IBM Security Guardium (CVE-2017-1122) *** http://www-01.ibm.com/support/docview.wss?uid=swg21997868 --------------------------------------------- *** IBM Security Bulletin: Fix available for Sensitive Data Exposure Vulnerability in IBM Cúram Social Program Management (CVE-2016-9978) *** http://www-01.ibm.com/support/docview.wss?uid=swg22001782 --------------------------------------------- *** IBM Security Bulletin: Fix available for DOM based Cross Site Scripting (XSS) Vulnerability in IBM Cúram Social Program Management (CVE-2016-9979) *** http://www-01.ibm.com/support/docview.wss?uid=swg22001780 --------------------------------------------- *** IBM Security Bulletin: Fix available for Reflected Cross Site Scripting (XSS) Vulnerability in IBM Cúram Social Program Management (CVE-2016-9980) *** http://www-01.ibm.com/support/docview.wss?uid=swg22001779 --------------------------------------------- *** IBM Security Bulletin: Fix available for a Privilege Escalation Vulnerability in IBM Cúram Social Program Management (CVE-2016-8923) *** http://www-01.ibm.com/support/docview.wss?uid=swg22001774 --------------------------------------------- *** IBM Security Bulletin: Access Manager Client in IBM DataPower Gateways is vulnerable to a denial of service attack. *** http://www.ibm.com/support/docview.wss?uid=swg22001789 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect the IBM FlashSystem models 840 and 900 *** http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010111 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect the IBM FlashSystem model V840 *** http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010112 ---------------------------------------------

1 0

Tageszusammenfassung - Dienstag 18-04-2017
by Daily end-of-shift report 18 Apr '17

18 Apr '17

======================= = End-of-Shift report = ======================= Timeframe: Freitag 14-04-2017 18:00 − Dienstag 18-04-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** Protecting customers and evaluating risk *** --------------------------------------------- Today, Microsoft triaged a large release of exploits made publicly available by Shadow Brokers. Understandingly, customers have expressed concerns around the risk this disclosure potentially creates. Our engineers have investigated the disclosed exploits, and most of the exploits are already patched. Below is our update on the investigation. When a potential vulnerability is reported to... --------------------------------------------- https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-an… *** Ab sofort keine Updates mehr für Windows 7 und 8.1-Nutzer mit neuer Hardware *** --------------------------------------------- Es bleibt den Usern somit nur mehr das Upgrade auf Windows 10 --------------------------------------------- http://derstandard.at/2000056017223 *** Mysterious Microsoft patch killed 0-days released by NSA-leaking Shadow Brokers *** --------------------------------------------- Microsoft fixed critical vulnerabilities in uncredited update released in March. --------------------------------------------- https://arstechnica.com/security/2017/04/purported-shadow-brokers-0days-wer… *** Warnung - Betrugsversuche *** --------------------------------------------- Wir weisen darauf hin, dass E-Mails im Umlauf sind, die von gefälschten OeNB-Absende-Adressen aus verschickt werden. [...] Die versendeten E-Mails beinhalten Schadsoftware [...] --------------------------------------------- https://www.oenb.at/Ueber-Uns/Rechtliche-Grundlagen/warnung-betrugsversuche… *** Email Tracking Pixels Used for Pre-Hack Info Gathering *** --------------------------------------------- A simple email marketing trick is also abused by cyber-criminals, who are employing a technique known as "pixel tracking" to gather information on possible targets or to improve the efficiency of phishing attacks. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/email-tracking-pixels-used-f… *** FIRST releases twenty years of conference materials *** --------------------------------------------- The leading association of incident response and security teams publishes its repository of twenty years of incident response learnings. --------------------------------------------- https://www.first.org/newsroom/releases/20170418 *** Edge Plagued by Various Security Flaws, Not as Secure as Microsoft Boasts *** --------------------------------------------- Microsoft never shied away from claiming that Edge is a much more secure browser than Chrome. Even some third-party tests have sustained its claims. Nonetheless, there are currently three different issues affecting Edge, which Microsoft might not like you knowing about. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/edge-plagued-by-various-secu… *** Wartungsarbeiten Donnerstag, 20. 4. 2017 *** --------------------------------------------- Am Donnerstag, 20. April 2017, ab etwa 19h, werden wir Wartungsarbeiten an unserer Infrastruktur vornehmen. Dies wird zu kurzen Ausfällen der extern erreichbaren Services (zB Mail, Webserver, Mailinglisten) führen,... --------------------------------------------- http://www.cert.at/services/blog/20170418151642-1969.html *** VU#676632: IBM Lotus Domino server IMAP EXAMINE command stack buffer overflow *** --------------------------------------------- Vulnerability Note VU#676632 IBM Lotus Domino server IMAP EXAMINE command stack buffer overflow Original Release date: 17 Apr 2017 | Last revised: 17 Apr 2017 Overview IBM Lotus Domino server, versions IMAP service contains a stack-based buffer overflow vulnerability in the EXAMINE command. This can allow a remote, authenticated attacker to execute arbitrary code with the privileges of the Domino server Description IBM Lotus Domino includes an IMAP server. This server contains a stack buffer... --------------------------------------------- http://www.kb.cert.org/vuls/id/676632 *** NETGEAR ProSAFE Plus Configuration Utility vulnerable to improper access control *** --------------------------------------------- ProSAFE Plus Configuration Utility is vulnerable to improper access control. --------------------------------------------- http://jvn.jp/en/jp/JVN08740778/ *** Security Notice - Statement on Command Injection Vulnerability in Huawei HG532n Product *** --------------------------------------------- http://www.huawei.com/en/psirt/security-notices/2017/huawei-sn-20170418-01-… *** 2107-04 Security Bulletin: Multiple Vulnerabilities in NorthStar Controller Application before version 2.1.0 Service Pack 1. *** --------------------------------------------- Multiple vulnerabilities have been resolved in the NorthStar Controller Application starting from version 2.1.0 Service Pack 1 and all subsequent releases. --------------------------------------------- https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10783&cat=SIRT_1… *** cURL and libcurl vulnerabilities in F5 products *** --------------------------------------------- https://support.f5.com/csp/article/K84940705 https://support.f5.com/csp/article/K85235351 https://support.f5.com/csp/article/K17742627 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Vulnerability in IBM Java Runtime affects IBM Tealeaf Customer Experience (CVE-2016-5597) *** http://www-01.ibm.com/support/docview.wss?uid=swg22000439 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect Power Hardware Management Console (CVE-2016-8610 and CVE-2017-3731 ) *** http://www.ibm.com/support/docview.wss?uid=nas8N1021869 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Systems Director Platform Agent (CVE-2017-3731, CVE-2017-3732) *** http://www-01.ibm.com/support/docview.wss?uid=isg3T1025103 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect ITCAM for SOA (CVE-2016-5597, CVE-2016-5546, CVE-2016-5548, CVE-2016-5549, CVE-2016-5547, CVE-2016-2183) *** http://www-01.ibm.com/support/docview.wss?uid=swg22000386 --------------------------------------------- *** IBM Security Bulletin: IBM Connections Docs is Vulnerable to a Denial of Service (CVE-2016-4483) *** http://www-01.ibm.com/support/docview.wss?uid=swg22001680 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in Apache Struts affects the IBM FlashSystem models 840 and 900 *** http://www.ibm.com/support/docview.wss?uid=ssg1S1010105 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in Apache Struts affects the IBM FlashSystem model V840 *** http://www.ibm.com/support/docview.wss?uid=ssg1S1010106 --------------------------------------------- *** IBM Security Bulletin: Multiple security issues in IBM Tealeaf Customer Experience on Cloud Network Capture Add-On *** http://www-01.ibm.com/support/docview.wss?uid=swg22000445 --------------------------------------------- *** IBM Security Bulletin: Multiple ZLIB vulnerabilities affect IBM Mobile Connect *** http://www.ibm.com/support/docview.wss?uid=swg22000094 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in the Firefox component of the Synthetic Playback agent affects IBM Performance Management products. *** http://www-01.ibm.com/support/docview.wss?uid=swg22000816 --------------------------------------------- *** IBM Security Bulletin: IBM Tivoli Monitoring Basic Services component. (CVE-2016-2183) *** http://www.ibm.com/support/docview.wss?uid=swg22001712 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSH affect the IBM FlashSystem models 840 and 900 *** http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010012 --------------------------------------------- *** IBM Security Bulletin: Multiple Vulnerabilities in OpenSSL affect IBM Campaign, IBM Contact Optimization *** http://www.ibm.com/support/docview.wss?uid=swg21992598 ---------------------------------------------

1 0

Tageszusammenfassung - Freitag 14-04-2017
by Daily end-of-shift report 14 Apr '17

14 Apr '17

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 13-04-2017 18:00 − Freitag 14-04-2017 18:02 Handler: Alexander Riepl Co-Handler: Stephan Richter *** Zero Day Exploit: Magento-Onlineshops sind wieder gefährdet *** --------------------------------------------- Wer eine Magento-basierte Onlineshop-Lösung verwendet, sollte dringend seine Einstellungen überprüfen. Ein Sicherheitslücke erlaubt die Kompromittierung der Installation und bringt die Kunden in Gefahr. Der Hersteller arbeitet wohl an einem Patch, kommuniziert dies jedoch nicht vernünftig. --------------------------------------------- https://www.golem.de/news/zero-day-exploit-magento-onlineshops-sind-wieder-… *** Exploit Kit Activity Quiets, But Is Far From Silent *** --------------------------------------------- Here are the exploit kits to watch for over the next three to six months. --------------------------------------------- http://threatpost.com/exploit-kit-activity-quiets-but-is-far-from-silent/12… *** Shadow Brokers Release New Batch of Files Containing Windows and SWIFT Exploits *** --------------------------------------------- On Good Friday and ahead of the Easter holiday, the Shadow Brokers have dumped a new collection of files, containing what appears to be exploits and hacking tools targeting Microsofts Windows OS and the SWIFT banking system. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/shadow-brokers-release-new-b… *** BSI definiert Mindeststandard für sichere Web-Browser *** --------------------------------------------- Das Bundesamt für Sicherheit in der Informationstechnik (BSI) hat Mindestanforderungen für sichere Web-Browser veröffentlicht. In einer Tabelle vergleicht die Behörde vier aktuelle Browser - einer wies demnach eine schwerwiegende Einschränkung auf. --------------------------------------------- https://heise.de/-3686044 *** Phishing with Unicode Domains *** --------------------------------------------- If I told you this could be a phishing site, would you believed me? tl;dr: check out the proof-of-concept --------------------------------------------- https://www.xudongz.com/blog/2017/idn-phishing/ *** Critical Patch Update - April 2017 - Pre-Release Announcement *** --------------------------------------------- Critical Patch Update - April 2017 - Pre-Release Announcement --------------------------------------------- http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html *** 2017-04 Security Bulletin: EX Series: Crafted IPv6 NDP packet causing a slow memory leak on EX Series Switches (CVE-2017-2315) *** --------------------------------------------- A vulnerability in IPv6 processing has been discovered that may allow a specially crafted IPv6 Neighbor Discovery (ND) packet destined to an EX Series Ethernet Switches to cause a slow memory leak. A malicious network-based packet flood of these crafted IPv6 NDP packets may eventually lead to resource exhaustion and a denial of service. --------------------------------------------- https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10781 *** Heap Overflow Vulnerability in Citrix NetScaler Gateway Could Result in Arbitrary Code Execution *** --------------------------------------------- A heap overflow vulnerability has been identified in Citrix NetScaler Gateway that could allow a remote, authenticated user to execute arbitrary commands on the NetScaler Gateway appliance as a root user. --------------------------------------------- https://support.citrix.com/article/CTX222657 *** cURL and libcurl vulnerability CVE-2016-8622 *** --------------------------------------------- cURL and libcurl vulnerability CVE-2016-8622. Security Advisory. Security Advisory Description. ** RESERVED ** This candidate ... --------------------------------------------- https://support.f5.com/csp/article/K23391972 *** VMSA-2017-0007 *** --------------------------------------------- VMware vCenter Server updates resolve a remote code execution vulnerability via BlazeDS --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2017-0007.html *** Wecon Technologies LEVI Studio HMI Editor *** --------------------------------------------- This advisory contains mitigation details for heap-based buffer overflow and stack-based buffer overflow vulnerabilities in the Wecon Technologies LEVI Studio HMI Editor. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-103-01 *** Schneider Electric Modicon M221 PLCs and SoMachine Basic *** --------------------------------------------- This advisory contains mitigation details for use of hard-coded cryptographic key and protection mechanism failure vulnerabilities in Schneider Electric's Modicon M221 PLCs and SoMachine Basic. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-103-02 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Financial Transaction Manager for ACH Services, Check Services and Corporate Payment Services potential Cross Site Scripting vulnerabilities (CVE-2017-1160) *** http://www.ibm.com/support/docview.wss?uid=swg22001574 --------------------------------------------- *** IBM Security Bulletin: IBM API Connect Developer Portal is vulnerable to unauthenticated remote code execution (CVE-2017-1161) *** http://www.ibm.com/support/docview.wss?uid=swg22000316 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Financial Transaction Manager for ACH Services, Check Services and Corporate Payment Services *** http://www.ibm.com/support/docview.wss?uid=swg22001536 --------------------------------------------- *** IBM Security Bulletin: IBM Flex System Manager (FSM) is affected by tar vulnerabilities (CVE-2010-0624 CVE-2016-6321) *** http://www.ibm.com/support/docview.wss?uid=isg3T1025085 --------------------------------------------- *** IBM Security Bulletin: Rational Test Control Panel in Rational Test Workbench and Rational Test Virtualization Server affected by Apache Tomcat vulnerability (CVE-2016-6816) *** http://www-01.ibm.com/support/docview.wss?uid=swg21998864 --------------------------------------------- *** IBM Security Bulletin: Multiple Security Vulnerabilities exist in IBM Cognos Insight *** http://www.ibm.com/support/docview.wss?uid=swg21999652 --------------------------------------------- *** IBM Security Bulletin: Multiple Security Vulnerabilities exist in IBM Cognos TM1 *** http://www.ibm.com/support/docview.wss?uid=swg21999649 --------------------------------------------- *** IBM Security Bulletin: Unvalidated redirection URL vulnerability in IBM Marketing Platform (CVE-2016-0228) *** http://www-01.ibm.com/support/docview.wss?uid=swg22001952 --------------------------------------------- Next End-of-Shift report: 2017-04-18

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily