=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 27-12-2016 18:00 − Mittwoch 28-12-2016 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** Bugtraq: PHPMailer < 5.2.20 Remote Code Execution PoC 0day Exploit (CVE-2016-10045) (Bypass of the CVE-2016-1033 patch) ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539967
*** Security Advisory - FRP Bypass Vulnerability in Huawei Smart Phones ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161228-…
*** Android Trojan Switcher Infects Routers via DNS Hijacking ***
---------------------------------------------
A new Android Trojan, Switcher, uses victims devices to infect WiFi routers and funnel users of the network to malicious sites.
---------------------------------------------
http://threatpost.com/android-trojan-switcher-infects-routers-via-dns-hijac…
*** Security Advisory - Input Validation Vulnerability in Huawei VRP Platform ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161228-…
*** 33C3: Bluetooth-Schlösser: Smart, aber nicht sicher ***
---------------------------------------------
App statt Schlüssel: Immer mehr Hersteller bieten Schlösser mit Cloud-Anbindung an. Doch Lockpicker können die teuren Geräte ohne große Probleme knacken.
---------------------------------------------
https://heise.de/-3582323
*** IT-Sicherheit im Jahr 2016: Der Nutzer ist nicht schuld ***
---------------------------------------------
Geht es um IT-Sicherheitsprobleme, wird gern über die Nutzer geschimpft. Und auch wenn viele Nutzer tatsächlich Fehler machen, liegt die Verantwortung für Sicherheitslücken, Botnetze und mangelnden Datenschutz meist bei anderen.
---------------------------------------------
http://www.golem.de/news/it-sicherheit-im-jahr-2016-der-nutzer-ist-nicht-sc…
*** Bugtraq: [CVE-2016-8741] Apache Qpid Broker for Java - Information Leakage ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539968
*** Using Guzzle and PHPUnit for REST API Testing ***
---------------------------------------------
APIs are increasingly becoming the backbone of the modern internet - whether youre ordering ..
---------------------------------------------
https://blog.cloudflare.com/using-guzzle-and-phpunit-for-rest-api-testing/
*** Vuln: Multiple Samsung Devices OTP Service Remote Heap Buffer Overflow Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/95134
*** IBM Security Bulletin: IBM Security Guardium Database Activity Monitor is affected by OS Command Injection (CVE-2016-6065) ***
---------------------------------------------
IBM Security Guardium Database Activity Monitor appliance could allow a local user to inject commands that would be executed as root. IBM Security Guardium Database Activity ..
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21995657
*** Hacker-Angriff auf OSZE in Wien: Daten gestohlen ***
---------------------------------------------
Die OSZE mit Sitz in Wien wurde Anfang November Ziel einer Hackerattacke. Daten und die Integrität des Netzwerkes der OSZE waren gefährdet, sagte eine Sprecherin.
---------------------------------------------
https://futurezone.at/netzpolitik/hacker-angriff-auf-osze-in-wien-daten-ges…
*** Reverse Engineering: Sicherheitsforscher öffnen Threema-Blackbox ***
---------------------------------------------
Zwei Sicherheitsforscher haben auf dem 33C3 einen genauen Blick in die innereien des Messengers Threema geworfen. Ihre Ergebnisse sind bei Github dokumentiert - und sollen sich für die Entwicklung von Bots eignen.
---------------------------------------------
http://www.golem.de/news/reverse-engineering-sicherheitsforscher-oeffnen-th…
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 23-12-2016 18:00 − Dienstag 27-12-2016 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** NetApp Snap Creator Framework Flaw Lets Remote Users Obtain Potentially Sensitive Information on the Target System ***
---------------------------------------------
http://www.securitytracker.com/id/1037530
*** BMC Remedy Action Request System Password Reset Flaw Lets Remote Users Modify Passwords on the Target System ***
---------------------------------------------
http://www.securitytracker.com/id/1037529
*** Netgear-Router N300 mit massiver Sicherheitslücke ***
---------------------------------------------
Netgears Router N300 (Modell WNR2000) weist eine Schwachstelle auf, über die Angreifer Zugriff auf die Admin-Funktionen des Geräts erlangen können. Ein ..
---------------------------------------------
http://derstandard.at/2000049819772
*** [local] - OpenSSH < 7.4 - UsePrivilegeSeparation Disabled Forwarded Unix Domain Sockets Privilege Escalation ***
---------------------------------------------
This issue affects OpenSSH if privilege separation is disabled (config option UsePrivilegeSeparation=no). While privilege separation is enabled by default, it ..
---------------------------------------------
https://www.exploit-db.com/exploits/40962/
*** ZyXEL and Netgear Fail to Patch Seven Security Flaws Affecting Their Routers ***
---------------------------------------------
Router manufacturers such as Netgear and ZyXEL have failed to address seven security flaws reported ..
---------------------------------------------
https://www.bleepingcomputer.com/news/security/zyxel-and-netgear-fail-to-pa…
*** DFN-CERT-2016-2141/">Exim: Zwei Schwachstellen ermöglichen das Ausspähen von Informationen und die Eskalation von Privilegien ***
---------------------------------------------
Ein entfernter, nicht authentifizierter Angreifer kann sensitive Informationen ausspähen und möglicherweise weitere Angriffe ausführen, wenn Exim unter bestimmten Bedingungen kompiliert wurde und ausgeführt wird. Dazu muss ..
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-2141/
*** 33C3: CCC-Kongress beginnt in Hamburg ***
---------------------------------------------
Unter dem Motto "Works for me" hat der Kongress des Chaos Computer Clubs in Hamburg begonnen. Vier Tage lang beschäftigen sich die 12.000 Teilnehmer mit Hacks, Politik und alternativen Lebensentwürfen.
---------------------------------------------
https://heise.de/-3582149
*** Vuln: PyCrypto cryptmsg.py Buffer Overflow Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/95122
*** IBM Security Bulletin: Vulnerabilities in Bind affect IBM SmartCloud Entry (CVE-2016-2776 CVE-2016-2848 ) ***
---------------------------------------------
IBM SmartCloud Entry is vulnerable to bind vulnerabilities. Remote attackers could exploit the vulnerabilities to trigger an assertion failures and make named ..
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=isg3T1024649
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 22-12-2016 18:00 − Freitag 23-12-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Litauen entdeckt russische Spionage-Software auf Regierungsrechnern ***
---------------------------------------------
Schadsoftware wurde offenbar mittels infizierter USB-Sticks auf die Computer eingebracht
---------------------------------------------
http://derstandard.at/2000049749836
*** So somebody is throwing HTML at your sshd. What to do? ***
---------------------------------------------
Yes, its exactly as wrong as it sounds. Heres a distraction with bizarre twists for the true log file junkies among you. Happy reading for the holidays!As will probably not surprise ..
---------------------------------------------
http://bsdly.blogspot.com/2016/12/so-somebody-is-throwing-html-at-your.html
*** Cerber Ransomware Doesnt Delete Shadow Volume Copies Anymore, Prioritizes Office Docs ***
---------------------------------------------
Recent versions of the Cerber ransomware are behaving somewhat different from older variants, with the ransomware ..
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cerber-ransomware-doesnt-del…
*** Before You Pay that Ransomware Demand… ***
---------------------------------------------
A decade ago, if a desktop computer got infected with malware the chief symptom probably was an intrusive browser toolbar of some kind. Five years ago you were more likely to whacked ..
---------------------------------------------
https://krebsonsecurity.com/2016/12/before-you-pay-that-ransomware-demand/
*** Steganalysis, the Counterpart of Steganography ***
---------------------------------------------
In my last blog post I discussed the art of embedding secret messages in any file so that only the sender and the receiver ..
---------------------------------------------
https://www.trustwave.com/Resources/SpiderLabs-Blog/Steganalysis,-the-Count…
*** New Guide to Fixing Google Blacklist Warnings ***
---------------------------------------------
One of the worst experiences a website owner can have is being blacklisted by Google. If you are one of the 10,000 websites that has been slapped with a ..
---------------------------------------------
https://blog.sucuri.net/2016/12/guide-to-fix-site-warnings.html
*** Fidelix FX-20 Series Controllers Path Traversal Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a path traversal vulnerability in Fidelix FX-20 series controllers.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-357-01
*** WAGO Ethernet Web-based Management Authentication Bypass Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for an authentication bypass vulnerability in WAGO’s Ethernet Web-based Management products.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-357-02
*** Your password expiry policy may have reached its expiry date ***
---------------------------------------------
In cyber security as much as anywhere else, its important to use the right tools for the job at hand. However, sometimes we can get a bit too attached to particular tools, ..
---------------------------------------------
https://www.ncsc.gov.uk/blog-post/your-password-expiry-policy-may-have-reac…
*** As Bitcoin Price Surges, Phishing Attacks on Cryptocurrency Wallets Intensify ***
---------------------------------------------
Bitcoin price surge reverberates through cybercriminal landscape, as cyber-criminals ramp up phishing attacks ..
---------------------------------------------
https://www.bleepingcomputer.com/news/security/as-bitcoin-price-surges-phis…
*** Using Monitor Resolution as Obfuscation Technique ***
---------------------------------------------
A quick blog post about a malicious VBScript macro that I analysed. Bad guys have always plenty of ..
---------------------------------------------
https://blog.rootshell.be/2016/12/23/using-monitor-resolution-obfuscation-t…
*** Keine Belege für geplante russische Cyberangriffe auf die Bundestagswahl ***
---------------------------------------------
http://derstandard.at/2000049777463
*** Drastische Warnungen vor dem "Internet der Dildos" ***
---------------------------------------------
Neue Gruppe will auf Gefahren durch smarte Sexspielzeuge aufmerksam machen
---------------------------------------------
http://derstandard.at/2000049785388
*** Alle Jahre wieder: Netgear-Router N300 / WNR2000 angreifbar ***
---------------------------------------------
Eine Zero-Day-Lücke plagt mal wieder Router von Netgear. Das verwundbare Modell ist in der Vergangenheit auch schon Opfer gravierender Lücken geworden.
---------------------------------------------
https://heise.de/-3581275
*** Koolova Ransomware Decrypts for Free if you Read Two Articles about Ransomware ***
---------------------------------------------
A new in-development variant of the Koolova Ransomware has been discovered that will decrypt your ..
---------------------------------------------
https://www.bleepingcomputer.com/news/security/koolova-ransomware-decrypts-…
Aufgrund des Feiertages am Montag, den 26.12.2016, erscheint der nächste End-of-Shift-Report erst am Dienstag, den 27.12.2016
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 21-12-2016 18:00 − Donnerstag 22-12-2016 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
*** MS16-DEC - Microsoft Security Bulletin Summary for December 2016 - Version: 1.2 ***
---------------------------------------------
V1.2 (December21, 2016): The December 13, 2016, Security and Quality Rollups updates 3210137 and 3210138 contain a known issue that affects the .NET Framework 4.5.2 running on Windows 8.1, Windows Server 2012 R2, and Windows Server 2012. The issue was also present in the November 15, 2016, Preview of Quality rollup updates that were superseded by the December 13, 2016 Rollup updates. The issue causes applications that connect to an instance of Microsoft SQL Server on the same computer to generate the following error message: “provider: Shared Memory Provider, error: 15 - Function not supported”
For more information please refer to Knowledge Based Article 3214106
---------------------------------------------
https://technet.microsoft.com/en-us/library/security/MS16-DEC
*** NIST Asks Public For Help With Quantum-Proof Cryptography ***
---------------------------------------------
chicksdaddy quotes a report from The Security Ledger: With functional, quantum computers on the (distant?) horizon, The National Institute of Standards and Technology (NIST) is asking the public for help heading off what it calls "a looming threat to information security:" powerful quantum computers capable of breaking even the strongest encryption codes used to protect the privacy of digital information. In a statement Tuesday, NIST asked the public to submit ideas for...
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/_VC9qbMlmm8/nist-asks-publi…
*** HTTPS-Zwang für Apps: Apple verlängert Deadline ***
---------------------------------------------
Eigentlich sollten iPhone- und iPad-Apps ab Jahresende nicht mehr über ungesicherte HTTP-Verbindungen kommunizieren, nun hat Apple zusätzliche Zeit für die Umstellung eingeräumt.
---------------------------------------------
https://heise.de/-3579891
*** vSphere Data Protection: VMware entfernt hart-codierten Root-Key ***
---------------------------------------------
Angreifer sollen die Backup- und Recovery-Lösung für virtuelle Maschinen mit vergleichsweise wenig Aufwand übernehmen können. Sicherheitspatches stehen zum Download bereit.
---------------------------------------------
https://heise.de/-3579872
*** Security Alert: Malicious Script Injections Spread Cerber Ransomware, Make Use of Nemucod Downloader ***
---------------------------------------------
This ongoing ransomware campaign packs a big punch against its victims, aiming for a high success rate in terms of infected systems. Using a malware cocktail to drive infection rates The cybercriminals behind the campaign are compromising legitimate websites by injecting malicious scripts. The injects then redirect the victims' Internet traffic to a Cerber gateway...
---------------------------------------------
https://heimdalsecurity.com/blog/security-alert-malicious-script-injections…
*** Danger Close: Fancy Bear Tracking of Ukrainian Field Artillery Units ***
---------------------------------------------
In June CrowdStrike identified and attributed a series of targeted intrusions at the Democratic National Committee (DNC), and other political organizations that utilized a well known implant commonly called X-Agent. X-Agent is a cross platform remote access toolkit, variants have been identified for various Windows operating systems, Apple's iOS, and likely the MacOS. Also known as Sofacy, X-Agent has been tracked by the security community for almost a decade, CrowdStrike associates the...
---------------------------------------------
https://www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian…
*** Writing Burp Extensions (Shodan Scanner) ***
---------------------------------------------
In this article, we will have an overview of writing Burp extensions. At the end of the post, we will have an extension that will take any HTTP request, determine the IP address of domain and get specific information using Shodan API. I have divided the article in the following hierarchy so that you can...
---------------------------------------------
http://resources.infosecinstitute.com/writing-burp-extensions-shodan-scanne…
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 20-12-2016 18:00 − Mittwoch 21-12-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** PrestaShop Attack Steals Login Credentials ***
---------------------------------------------
Attackers compromise sites with a number of goals in mind – also referred to as actions on objective. In some instances they aim to abuse resources or gain SEO power, and in others they are seeking access to sensitive data, also known as data exfiltration. The ..
---------------------------------------------
https://blog.sucuri.net/2016/12/prestashop-attack-steals-login-credentials.…
*** Data Center Physical Security ***
---------------------------------------------
A data center is the epicenter of any online infrastructure. A data center’s size can vary widely, depending on an organization’s needs. Broadly speaking, a ..
---------------------------------------------
http://resources.infosecinstitute.com/data-center-physical-security/
*** DSA-3741 tor - security update ***
---------------------------------------------
It was discovered that Tor, a connection-based low-latency anonymouscommunication system, ..
---------------------------------------------
https://www.debian.org/security/2016/dsa-3741
*** Kaspersky updates RannohDecryptor to decrypt CryptXXXs Crypt, Cryp1, and Crypz Extensions ***
---------------------------------------------
If you are a CryptXXX Ransomware victim who didnt pay the ransom and instead decided to store their encrypted files and ransom notes for future fixes then you ..
---------------------------------------------
https://www.bleepingcomputer.com/news/security/kaspersky-updates-rannohdecr…
*** 33c3-Programm: Was vom Hacker-Kongress zu erwarten ist ***
---------------------------------------------
Von 27. bis 30. Dezember findet in Hamburg zum 33. Mal das jährliche Hackertreffen des Chaos Computer Club (CCC) statt. Fahrplan und Wiki geben eine erste Programmübersicht.
---------------------------------------------
https://futurezone.at/netzpolitik/33c3-programm-was-vom-hacker-kongress-zu-…
*** Netgear-Sicherheitslücke: Updates für vier betroffene Router fertig ***
---------------------------------------------
Für die Router R6250, R6400, R7000 und R8000 stehen ab sofort Firmware-Updates zur Verfügung. Die Installation der Updates wird dringend empfohlen. Für weitere sieben Router mit Sicherheitslücke steht bisher nur die Beta-Version zum Download bereit.
---------------------------------------------
https://heise.de/-3578415
*** Antivirensoftware: Die Schlangenöl-Branche ***
---------------------------------------------
Antivirenprogramme gelten Nutzern und Systemadministratoren als unverzichtbar. Doch viele IT-Sicherheitsexperten sind extrem skeptisch. Antivirensoftware ist oft selbst voller Sicherheitslücken - und hat sehr grundsätzliche Grenzen.
---------------------------------------------
http://www.golem.de/news/antivirensoftware-die-schlangenoel-branche-1612-12…
*** Panasonic Plays Down Security Bugs Found in Airplane In-Flight Entertainment Systems ***
---------------------------------------------
Security firm IOActive published research yesterday detailing security flaws in ..
---------------------------------------------
https://www.bleepingcomputer.com/news/security/panasonic-plays-down-securit…
*** How Skype fixes security vulnerabilities ***
---------------------------------------------
This post describes my fruitless effort to convince Microsoft employees that their service is vulnerable, and the humiliation one has to go through should one’s account be blocked by a hacker. This is a story of ignorance, pain and despair.
---------------------------------------------
https://hub.zhovner.com/geek/how-skype-fixes-security-vulnerabilities/
*** Beliebte Passwörter: "Arschloch" unter den Top Ten ***
---------------------------------------------
http://derstandard.at/2000049660283
*** Berlin-Anschlag: DDOS-Angriff auf Hinweisportal ***
---------------------------------------------
http://derstandard.at/2000049672324
*** Linux/Rakos, the new Linux malware threatening devices and servers ***
---------------------------------------------
A new Linux malware, dubbed Linux/Rakos is threatening devices and servers. The malware searches for victims via SSH scan. A new Linux malware, dubbed ..
---------------------------------------------
http://securityaffairs.co/wordpress/54603/malware/linuxrakos-malware.html
*** XSA-203 ***
---------------------------------------------
http://xenbits.xen.org/xsa/advisory-203.html
*** XSA-202 ***
---------------------------------------------
http://xenbits.xen.org/xsa/advisory-202.html
*** Auswertung: "Hallo" ist Deutschlands meistgenutztes Passwort ***
---------------------------------------------
Eine Auswertung von Passwörtern aus frei zugänglichen Daten-Leaks hat ergeben, dass die meistgenutzten Passwörter in Deutschland alles andere als sicher sind. Nach "hallo" finden sich auch die Klassiker "passwort" und "passwort1" in der Liste.
---------------------------------------------
http://www.golem.de/news/auswertung-hallo-ist-deutschlands-meistgenutztes-p…
*** Cisco CloudCenter Orchestrator Docker Engine Privilege Escalation Vulnerability ***
---------------------------------------------
A vulnerability in the Docker Engine configuration of Cisco CloudCenterOrchestrator (CCO; formely CliQr) could allow an unauthenticated, remote ..
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 19-12-2016 18:00 − Dienstag 20-12-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** OpenSSH verabschiedet sich von SSHv1 ***
---------------------------------------------
Die gerade veröffentlichte Version OpenSSH 7.4 entfernt die Unterstützung für das veraltete Protokoll SSHv1 auf Server-Seite. Im August soll es ganz beerdigt werden. Darüber hinaus gibt es auch ein paar Bug-Fixes.
---------------------------------------------
https://heise.de/-3576071
*** Adobe Releases Flash Player 24 for Linux Four Years After the Last Major Update ***
---------------------------------------------
Adobe released today Flash Player 24 for Linux, after previously abandoning the application without explanation in 2012. Flash Player for Linux is now on par with Windows and ..
---------------------------------------------
https://www.bleepingcomputer.com/news/software/adobe-releases-flash-player-…
*** ShadowBrokers Dump Came from Internal Code Repository, Insider ***
---------------------------------------------
Researchers at Flashpoint said their analysis of the latest ShadowBrokers dump of NSA tools leads them to believe an insider with access to a code repository stole the data.
---------------------------------------------
http://threatpost.com/shadowbrokers-dump-came-from-internal-code-repository…
*** Raiding the Piggy Bank: Webshell Secrets Revealed ***
---------------------------------------------
Introduction A recent investigation into credit card fraud that was enabled by a webshell revealed several ..
---------------------------------------------
https://www.trustwave.com/Resources/SpiderLabs-Blog/Raiding-the-Piggy-Bank-…
*** Unrestricted Backend Login Backdoor on OpenCart ***
---------------------------------------------
>From the attacker’s perspective, creating ways to maintain access to a compromised website is desirable. We call them backdoors. Backdoors can be done in different ways, either by adding fake admin users to the site, or ..
---------------------------------------------
https://blog.sucuri.net/2016/12/unrestricted-backend-login.html
*** "How do you say Ground Hog Day in Ukrainian?" ***
---------------------------------------------
http://ics.sans.org/blog/2016/12/20/how-do-you-say-ground-hog-day-in-ukrain…
*** XSA-204 ***
---------------------------------------------
http://xenbits.xen.org/xsa/advisory-204.html
*** Ubuntu: Schwerer Fehler erlaubt Einschmuggeln von Schadcode ***
---------------------------------------------
Crash-Reporter erwies sich als unbeabsichtigtes Einfallstor – Canonical bereinigt Bug mit Update
---------------------------------------------
http://derstandard.at/2000049548961
*** Krypto-Messenger Signal in Ägypten blockiert ***
---------------------------------------------
In Ägypten wird offenbar seit dem Wochenende Signal blockiert. Der Betreiber des Krypto-Messengers ..
---------------------------------------------
https://heise.de/-3576578
*** Nagios Core ist angreifbar: Sicherheitslücken in Server-Überwachungssoftware ***
---------------------------------------------
Nagios Core, eine Software zur Server-Überwachung, weist derzeit zwei kritische Sicherheitslücken auf. Angreifer können durch sie die absolute Systemkontrolle erhalten. Die aktuelle Version 4.2.4 schließt die Lücken.
---------------------------------------------
https://heise.de/-3576359
*** Project Wycheproof: Krypto-Implementierung auf Sicherheit abklopfen ***
---------------------------------------------
Von AES über ECDH bis RSA: Admins können mit Googles Project Wycheproof eine Sammlung von Tests auf ihre Server loslassen, um die Sicherheit der Konfiguration von Krpyto-Funktionen zu testen.
---------------------------------------------
https://heise.de/-3576686
*** Ethereum Cryptocurrency Forum Suffers Data Breach ***
---------------------------------------------
Administrators of the Ethereum Project have announced today a data breach that affected over 16,500 users of the platforms community forums. The breach took place ..
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ethereum-cryptocurrency-foru…
*** Türkei blockiert wohl mit Deep Packet Inspection Zugang zu Tor ***
---------------------------------------------
Türkische Provider blockieren offenbar seit dem Wochenende den direkten Zugang zum Anonymisierungsdienst Tor. Um die Verbindungsversuche zu identifizieren, kommt offenbar Deep Packet Inspection zum Einsatz.
---------------------------------------------
https://heise.de/-3577109
*** Alice: A Lightweight, Compact, No-Nonsense ATM Malware ***
---------------------------------------------
Trend Micro has discovered a new family of ATM malware called Alice, which is the most stripped down ATM malware family we have ever encountered. Unlike other ..
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/alice-lightweigh…
*** Offizielles Forum der Krypto-Währung Ethereum gehackt ***
---------------------------------------------
Unbekannte Angreifer haben Daten von rund 16.500 Nutzern abgezogen. Darunter finden sich auch Passwörter, die aber zum Großteil mit einem als sicher geltenden Verfahren geschützt sind.
---------------------------------------------
https://heise.de/-3577111
*** Op-ed: Why I’m not giving up on PGP ***
---------------------------------------------
http://arstechnica.com/information-technology/2016/12/signal-does-not-repla…
*** Gefälschte card complete-Mail: Ihre Karte wurde gesperrt! ***
---------------------------------------------
Kriminelle versenden eine gefälschte card complete-Nachricht. Darin behaupten sie, dass die Bank die Karte gesperrt habe. Kund/innen sollen sie deshalb ..
---------------------------------------------
https://www.watchlist-internet.at/phishing/gefaelschte-card-complete-mail-i…
*** VMSA-2016-0023 ***
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2016-0023.html
*** Sicherheitslücke bei Routern: Netgear liefert erste finale Firmware-Updates ***
---------------------------------------------
Nach der schwerwiegenden Sicherheitslücke stellt Netgear erste Updates zur Verfügung. Für sieben betroffene Router liegen weiterhin nur Beta-Versionen vor.
---------------------------------------------
http://www.golem.de/news/sicherheitsluecke-bei-routern-netgear-liefert-erst…
*** Report: $3-5M in Ad Fraud Daily from ‘Methbot’ ***
---------------------------------------------
New research suggests that an elaborate cybercrime ring is responsible for stealing between $3 million and $5 million worth of revenue from online publishers and video ..
---------------------------------------------
https://krebsonsecurity.com/2016/12/report-3-5m-in-ad-fraud-daily-from-meth…
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 16-12-2016 18:00 − Montag 19-12-2016 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** Vuln: Exim CVE-2016-9963 Unspecified Information Disclosure Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/94947
*** Blocking Powershell Connection via Windows Firewall. ***
---------------------------------------------
In my last post, I mapped controls to stop a malicious doc calling out via Powershell. Im now going to cover how using the Windows firewall can stop the attack ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21829
*** The banker that encrypted files ***
---------------------------------------------
Many mobile bankers can block a device in order to extort money from its user. But we have discovered a modification of the mobile banking Trojan Trojan-Banker.AndroidOS.Faketoken that went even further – it can encrypt user data. In addition to that, this modification is attacking more than 2,000 financial apps around the world.
---------------------------------------------
http://securelist.com/blog/research/76913/the-banker-that-encrypted-files/
*** IBM Security Bulletin: Code execution vulnerability in IBM MessageSight (CVE-2016-5983) ***
---------------------------------------------
There is a potential code execution vulnerability in WebSphere Application Server Liberty Profile ..
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21995510
*** IBM Security Bulletin: Multiple vulnerabilities affect IBM Tivoli Monitoring embedded WebSphere Application Server ***
---------------------------------------------
The following security issues have been identified in WebSphere Application Server ..
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21995683
*** IBM Security Bulletin: Multiple vulnerabilities in IBM WebSphere affect IBM Control Center (CVE-2016-5983, CVE-2016-2923, CVE-2016-3092) ***
---------------------------------------------
IBM WebSphere Application Server is shipped as a component of IBM Control Center. Multiple ..
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21995686
*** IBM Security Bulletin: Reflected XXS vulnerability in IBM Campaign (CVE-2016-0265) ***
---------------------------------------------
Reflected cross-site scripting vulnerability affecting IBM Campaign has been addressed. CVE(s): CVE-2016-0265 ..
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21986033
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 15-12-2016 18:00 − Freitag 16-12-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** My Yahoo Account Was Hacked! Now What? ***
---------------------------------------------
Many readers are asking what they should be doing in response to Yahoos disclosure Wednesday that a billion of its user accounts were hacked. Here are a few suggestions and pointers, fashioned into a good old Q&A format.
---------------------------------------------
https://krebsonsecurity.com/2016/12/my-yahoo-account-was-hacked-now-what/
*** 0-days hitting Fedora and Ubuntu open desktops to a world of hurt ***
---------------------------------------------
If your desktop runs a mainstream release of Linux, chances are youre vulnerable.
---------------------------------------------
http://arstechnica.com/security/2016/12/fedora-and-ubuntu-0days-show-that-h…
*** One, if by email, and two, if by EK: The Cerbers are coming!, (Fri, Dec 16th) ***
---------------------------------------------
Introduction One, if by land, and two, if by sea is a phrase used by American poet Henry Wadsworth Longfellow in his poem Paul Reveres Ride first published in 1861. Longfellows poem tells a somewhat fictionalized tale of Paul Revere in 1775 during the American revolution. If British troops came to attack by land, Paul would hang one lantern in a church tower as a signal light. If British troops came by sea, Paul would hang two lanterns. Much like the British arriving by land or by sea, Cerber
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21823&rss
*** Phishing: "Es gibt immer noch genügend Opfer" ***
---------------------------------------------
Olaf Schwarz, Information Security Officer bei der Direktbank ING-DiBa Austria, über Phishing und andere Betrugsmethoden bei Bankgeschäften im Internet.
---------------------------------------------
https://futurezone.at/digital-life/phishing-es-gibt-immer-noch-genuegend-op…
*** Hackerangriff auf Thyssenkrupp: Winnti spioniert deutsche Wirtschaft aus ***
---------------------------------------------
Der Angriff auf Thyssenkrupp soll auf das Konto der Hackergruppe Winnti gehen, die früher Gaming-Plattformen attackiert hat. Weitere deutsche Firmen sollen betroffen sein.
---------------------------------------------
http://www.golem.de/news/hackerangriff-auf-thyssenkrupp-winnti-spioniert-de…
*** Microsoft to ditch Flash - sort of ***
---------------------------------------------
Edge is getting more granular Flash controls, but that means you wont have to have it on for all sites just so its on for one.
---------------------------------------------
https://nakedsecurity.sophos.com/2016/12/16/microsoft-to-ditch-flash-sort-o…
*** Mac-Passwort lässt sich über Thunderbolt auslesen ***
---------------------------------------------
Mit Hardware von der Stange kann ein Angreifer in rund 30 Sekunden das im Klartext vorliegende Passwort abgreifen und so Apples Festplattenverschlüsselung FileVault überwinden.
---------------------------------------------
https://heise.de/-3573385
*** Linux-Sicherheit: Ubuntu-Bug ermöglicht das Ausführen von Schadcode ***
---------------------------------------------
Ein schwerer Fehler in Ubuntus Crash-Handler Apport ermöglicht es Angreifern, auf einem Zielrechner beliebigen Code aus der Ferne auszuführen.
---------------------------------------------
http://www.golem.de/news/linux-sicherheit-ubuntu-bug-ermoeglicht-das-ausfue…
*** Smart Airports: How to protect airport passengers from cyber disruptions ***
---------------------------------------------
ENISA publishes a study on "Securing smart airports" providing airport decision makers and security personnel a concrete guide on preventing cyber-attacks and disruptions.
---------------------------------------------
https://www.enisa.europa.eu/news/enisa-news/smart-airports-how-to-protect-a…
*** Security Advisory - Input Validation Vulnerability in Wi-Fi Driver of Huawei Smart Phones ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161216-…
*** SSA-856492 (Last Update 2016-12-16): Limited Entropy in PRNG of Desigo PX Web Modules ***
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-856492…
*** Bugtraq: [security bulletin] HPSBMU03684 rev.1 - HPE Version Control Repository Manager (VCRM), Multiple Remote Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539934
*** DFN-CERT-2016-2081: Red Hat JBoss Core Services: Mehrere Schwachstellen ermöglichen u.a. das Ausführen beliebigen Programmcodes ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-2081/
*** Security Advisory: TMM vulnerability CVE-2016-9247 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/33/sol33500120.html?…
*** Security Advisory: BIG-IP TMM iRules vulnerability CVE-2016-5024 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/92/sol92859602.html?…
*** Sentinel 8.0.0 P1 (Sentinel 8.0.0.1) Build 3404 ***
---------------------------------------------
Abstract: Sentinel 8.0.0. upgrade patch for Sentinel 7 and 8Document ID: 5264730Security Alert: YesDistribution Type: PublicEntitlement Required: NoFiles:sentinel_opensourcecomponents-8.0.0.1-3404.tar.gz (65.02 MB)sentinel_opensourcecomponents-8.0.0.1-3404.tar.gz.sha256 (117 bytes)sentinel_server-8.0.0.1-3404.x86_64.tar.gz (2.09 GB)sentinel_server-8.0.0.1-3404.x86_64.tar.gz.sha256 (109 bytes)Products:Sentinel 7SentinelSentinel 7.3Sentinel 7.3.1Sentinel 7.3.2Sentinel 7.4Sentinel 7.3.3Sentinel
---------------------------------------------
https://download.novell.com/Download?buildid=3iJxPcG2H9M~
*** Fatek Automation PLC WinProladder Stack-Based Buffer Overflow Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a stack-based buffer overflow vulnerability in Fatek Automation's PLC WinProladder application.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-350-01
*** OmniMetrix OmniView Vulnerabilities ***
---------------------------------------------
This advisory contains mitigation details for vulnerabilities in OmniMetrix's OmniView web application.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-350-02
*** Mutiple SONY Videoconference Systems do not properly perform authentication ***
---------------------------------------------
Mutiple SONY Videoconference Systems do not properly perform authentication.
---------------------------------------------
http://jvn.jp/en/jp/JVN42070907/
*** ZDI-16-670: Avira Free Antivirus ssmdrv Kernel Driver Memory Corruption Privilege Escalation Vulnerability ***
---------------------------------------------
This vulnerability allows attackers to escalate privileges on vulnerable installations of Avira Free Antivirus. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-16-670/
*** ZDI: Autodesk Design Review Remote Code Execution Vulnerabilities ***
---------------------------------------------
*** ZDI-16-669: Autodesk Design Review JFIF Buffer Overflow Remote Code Execution Vulnerability ***
http://www.zerodayinitiative.com/advisories/ZDI-16-669/
---------------------------------------------
*** ZDI-16-668: Autodesk Design Review PNG Use-After-Free Remote Code Execution Vulnerability ***
http://www.zerodayinitiative.com/advisories/ZDI-16-668/
---------------------------------------------
*** ZDI-16-667: Autodesk Design Review BMP Buffer Overflow Remote Code Execution Vulnerability ***
http://www.zerodayinitiative.com/advisories/ZDI-16-667/
---------------------------------------------
*** ZDI-16-666: Autodesk Design Review FLI Buffer Overflow Remote Code Execution Vulnerability ***
http://www.zerodayinitiative.com/advisories/ZDI-16-666/
---------------------------------------------
*** ZDI-16-665: Autodesk Design Review GIF LZW Out-Of-Bounds Indexing Remote Code Execution Vulnerability ***
http://www.zerodayinitiative.com/advisories/ZDI-16-665/
---------------------------------------------
*** ZDI-16-664: Autodesk Design Review JPEG DHT Out-Of-Bounds Indexing Remote Code Execution Vulnerability ***
http://www.zerodayinitiative.com/advisories/ZDI-16-664/
---------------------------------------------
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM StoredIQ (CVE-2016-2177, CVE-2016-2178, CVE-2016-2180) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21994870
---------------------------------------------
*** IBM Security Bulletin: Sweet32 vulnerability that impacts Triple DES cipher affects Communications Server for Data Center Deployment, Communications Server for AIX, Linux, Linux on System z, and Windows (CVE-2016-2183) ***
http://www.ibm.com/support/docview.wss?uid=swg21995057
---------------------------------------------
*** IBM Security Bulletin: Multiple security vulnerabilities affect IBM WebSphere Application Server for Bluemix ***
http://www-01.ibm.com/support/docview.wss?uid=swg21993842
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in IBM Java SDK affects IBM InfoSphere Information Server (CVE-2016-3485 CVE-2016-5597) ***
http://www.ibm.com/support/docview.wss?uid=swg21990635
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSH affect IBM Flex System Manager (FSM) ***
http://www-01.ibm.com/support/docview.wss?uid=isg3T1024669
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 14-12-2016 18:00 − Donnerstag 15-12-2016 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** No More Ransom Project Expands with 34 New Partners, 32 New Free Decryption Tools ***
---------------------------------------------
The "No More Ransom" project, set up in July by Intel Security, Kaspersky Lab, Europol, and the Dutch National police to help victims of ransomware infections, has expanded today with 34 new partners, and 32 new decryptors that can help ransomware victims unlock their files for free. [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/security/no-more-ransom-project-expan…
*** Twin zero-day attacks: PROMETHIUM and NEODYMIUM target individuals in Europe ***
---------------------------------------------
Targeted attacks are typically carried out against individuals to obtain intellectual property and other valuable data from target organizations. These individuals are either directly in possession of the targeted information or are able to connect to networks where the information resides. Microsoft researchers have encountered twin threat activity groups that appear to target individuals for...
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-p…
*** Yahoo muss erneut Massenhack beichten: Eine Milliarde Opfer ***
---------------------------------------------
Im September hatte Yahoo einen Hack von über einer halben Milliarde Nutzerkonten bekanntgegeben. Den Rekord hat Yahoo nun gebrochen. Diesmal geht es um über eine Milliarde Konten. Dazu kommen gezielte Attacken mittels Cookies.
---------------------------------------------
https://heise.de/-3570674
*** Mobile Ransomware: How to Protect Against It ***
---------------------------------------------
In our previous post, we looked at how malware can lock devices, as well as the scare tactics used to convince victims to pay the ransom. Now that we know what bad guys can do, well discuss the detection and mitigation techniques that security vendors can use to stop them. By sharing these details with other researchers, we hope to improve the industrys collective knowledge on mobile ransomware mitigation.
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/XaGWjnUqHoY/
*** DefCamp Romania 2016 Videos and Slides ***
---------------------------------------------
November 10-11, 2016, Bucharest, Romania
---------------------------------------------
https://def.camp/archives/2016/
*** The Kings in Your Castle, Pt #5 ***
---------------------------------------------
The last part in the article series about analyzing modern APTs deals with naming and attribution of APTs. This is far less trivial than it sounds. Analysts are often facing the same enemy all over again without realizing it.
---------------------------------------------
https://blog.gdatasoftware.com/2016/12/29379-the-kings-in-your-castle-pt-5
*** Sicherheitslücken: Updates auch für ältere macOS-Versionen ***
---------------------------------------------
Neben den in macOS Sierra und dem Browser Safari gestopften Schwachstellen hat Apple auch Sicherheits-Updates für OS X El Capitan und Yosemite veröffentlicht. Diese beheben eine kritische Schwachstelle.
---------------------------------------------
https://heise.de/-3572108
*** Ask Sucuri: How to Stop Brute Force Attacks? ***
---------------------------------------------
Again, there is no mystery to this: Enforce a strong password for all the users and a brute force attack will not succeed. The underlying problem, however, is a bit more complicated
---------------------------------------------
https://blog.sucuri.net/2016/12/ask-sucuri-how-to-stop-brute-force-attacks.…
*** A Backdoor in Skype for Mac OS X ***
---------------------------------------------
Trustwave recently reported a locally exploitable issue in the Skype Desktop API Mac OS-X which provides an API to local programs/plugins executing on the local machine. The API is formally known as the Desktop API (previously known as the Skype...
---------------------------------------------
http://trustwave.com/Resources/SpiderLabs-Blog/A-Backdoor-in-Skype-for-Mac-…
*** 5 Best Password Auditing Tools ***
---------------------------------------------
A single weak password exposes your entire network to an external threat. Password hacking is one of the most critical and commonly exploited network security threats. In many ways, passwords should be viewed as your first line of defense where protecting your company's data is concerned. The huge number of data breaches occurs because someone...
---------------------------------------------
http://resources.infosecinstitute.com/5-best-password-auditing-tools/
*** DFN-CERT-2016-2040: Netgear Router: Eine Schwachstelle ermöglicht die Ausführung beliebigen Programmcodes mit Administratorrechten ***
---------------------------------------------
Version 3 (2016-12-15 15:42)
Der Hersteller aktualisiert den referenzierten Sicherheitshinweis und bestätigt auch die Verwundbarkeit von DSL-Modems mit den Modellnummern D6220 und D6400. Für alle verwundbaren WLAN- und DSL-Router stehen mittlerweile Firmwareupdates im Beta-Status als temporäre Lösung zur Verfügung. Netgear arbeitet weiter an einer Produktionsversion der Firmware für alle betroffenen Geräte.
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-2040/
*** Remote shell execution vulnerability affects Good Enterprise Mobility Server (BSRT-2016-008) ***
---------------------------------------------
This advisory addresses a remote shell execution vulnerability that has been discovered in Good Enterprise Mobility Server (GEMS). BlackBerry is not aware of any exploitation of this vulnerability. Customer risk is limited by the requirement that a potential attacker possess access to the internal network and by the functionality of the Karaf command shell.
---------------------------------------------
http://support.blackberry.com/kb/articleDetail?articleNumber=000038814
*** Bugtraq: Nagios Core < 4.2.2 Curl Command Injection leading to Remote Code Execution [CVE-2016-9565] ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539925
*** F5 Security Advisory: Kerberos vulnerability CVE-2014-4343 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/15000/500/sol15553.htm…
*** Sentinel 7.4 SP4 (Sentinel 7.4.4.0) Build 2904 ***
---------------------------------------------
Abstract: Sentinel 7.4.3 upgrade for Sentinel 7.4Document ID: 5264470Security Alert: YesDistribution Type: PublicEntitlement Required: NoFiles:sentinel_server-7.4.4.0-2904.x86_64.tar.gz (1.74 GB)sentinel_server-7.4.4.0-2904.x86_64.tar.gz.sha256 (109 bytes)Products:SentinelSentinel 7.4.4Sentinel 7.XSentinel 7.2Sentinel 7.4Sentinel 7.3Sentinel 7.2.1Sentinel 7.2.2Sentinel 7.3.1Sentinel 7.3.2Sentinel 7.4.1Sentinel 7.4.2Sentinel 7.3.3Sentinel 7.4.3Sentinel 7.3.4Superceded Patches:Sentinel 7.4 SP3
---------------------------------------------
https://download.novell.com/Download?buildid=RaGN-vIdupQ~
*** Security Advisory - Stack Overflow Vulnerability in Drive of Huawei Smart Phones ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161215-…
*** SAP ***
---------------------------------------------
*** Vuln: SAP Mobile Defense & Security Remote Authorization Bypass Vulnerability ***
http://www.securityfocus.com/bid/94902
---------------------------------------------
*** Vuln: SAP HANA Cockpit Cross Site Scripting Vulnerability ***
http://www.securityfocus.com/bid/94897
---------------------------------------------
*** Vuln: SAP HANA Remote Authorization Bypass Vulnerability ***
http://www.securityfocus.com/bid/94898
---------------------------------------------
*** Vuln: SAP HANA XS Classic Information Disclosure Vulnerability ***
http://www.securityfocus.com/bid/94896
---------------------------------------------
*** Vuln: SAP HANA Cockpit Information Disclosure Vulnerability ***
http://www.securityfocus.com/bid/94910
---------------------------------------------
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: IBM Security Access Manager appliances allow web pages to be stored locally (CVE-2016-3024) ***
http://www.ibm.com/support/docview.wss?uid=swg21995340
---------------------------------------------
*** IBM Security Bulletin: IBM Security Access Manager appliances are affected by an information exposure vulnerability (CVE-2016-3021) ***
http://www.ibm.com/support/docview.wss?uid=swg21995436
---------------------------------------------
*** IBM Security Bulletin: IBM Security Access Manager appliances are affected by an information exposure vulnerability (CVE-2016-3023) ***
http://www.ibm.com/support/docview.wss?uid=swg21995348
---------------------------------------------
*** IBM Security Bulletin: IBM Security Access Manager appliances are affected by a vulnerability due to incorrect permission assignment (CVE-2016-3022) ***
http://www.ibm.com/support/docview.wss?uid=swg21995360
---------------------------------------------
*** IBM Security Bulletin: IBM Security Access Manager appliances are affected by cross-site scripting vulnerabilities (CVE-2016-3018) ***
http://www.ibm.com/support/docview.wss?uid=swg21995347
---------------------------------------------
*** IBM Security Bulletin: IBM Security Access Manager appliances are affected by a vulnerability due to misconfiguration (CVE-2016-3017) ***
http://www.ibm.com/support/docview.wss?uid=swg21995519
---------------------------------------------
*** IBM Security Bulletin: IBM Security Access Manager appliances are affected by a vulnerability related to code integrity checking (CVE-2016-3016) ***
http://www.ibm.com/support/docview.wss?uid=swg21995518
---------------------------------------------
*** IBM Security Bulletin: IBM Notes is affected with Open Source Apache Struts Vulnerabilities (CVE-2016-1181, CVE-2016-1182) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21988182
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in libxml2 affects IBM BigFix Compliance Analytics. (CVE-2016-4447, CVE-2016-4448, CVE-2016-4449) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21989337
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in libxml2 affects IBM BigFix Compliance Analytics. (CVE-2016-3627) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21991909
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in IBM Java SDK affects multiple IBM Rational products based on IBM Jazz technology (CVE-2016-5597) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21995989
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in OpenSSLaffect IBM WebSphere MQ V6.0 on OpenVMS Alpha and Itanium platforms ( CVE-2016-2183 ) ***
http://www.ibm.com/support/docview.wss?uid=swg21995922
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in RubyOnRails affects IBM BigFix Compliance Analytics. (CVE-2016-6316, CVE-2016-6317 ***
http://www-01.ibm.com/support/docview.wss?uid=swg21991913
---------------------------------------------
*** IBM Security Bulletin: Cross-site request forgery vulnerability in IBM Tivoli Storage Manager for Virtual Environments: Data Protection for VMware and IBM Tivoli Storage FlashCopy Manager for VMware (CVE-2016-6033) ***
http://www.ibm.com/support/docview.wss?uid=swg21995545
---------------------------------------------
*** IBM Security Bulletin: IBM InfoSphere Information Server is vulnerable to Cross-Frame Scripting issue (CVE-2016-5984) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21991682
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affects IBM BigFix Compliance Analytics. (CVE-2016-3485, CVE-2016-3498, CVE-2016-3552, CVE-2016-3503) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21991910
---------------------------------------------
*** IBM Security Bulletin: IBM Security Access Manager appliances are affected by an SQL Injection vulnerability (CVE-2016-3046) ***
http://www.ibm.com/support/docview.wss?uid=swg21995527
---------------------------------------------
*** IBM Security Bulletin: IBM Security Access Manager appliances are affected by an information disclosure vulnerability (CVE-2016-3045) ***
http://www.ibm.com/support/docview.wss?uid=swg21995435
---------------------------------------------
*** IBM Security Bulletin: IBM Security Access Manager appliances are affected by an information exposure vulnerability (CVE-2016-3043) ***
http://www.ibm.com/support/docview.wss?uid=swg21995446
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in libxml2 affects IBM BigFix Compliance Analytics. (CVE-2016-4483) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21991911
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 13-12-2016 18:00 − Mittwoch 14-12-2016 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Facebook helps companies detect rogue SSL certificates for domains ***
---------------------------------------------
Facebook has launched a tool that allows domain name owners to discover TLS/SSL certificates that were issued without their knowledge.The tool uses data collected from the many Certificate Transparency logs that are publicly accessible. Certificate Transparency (CT) is a new open standard requiring certificate authorities to disclose the certificate that they issue.Until a few years ago, there was no way of tracking the certificates issued by every certificate authority (CA). At best,...
---------------------------------------------
http://www.cio.com/article/3149737/security/facebook-helps-companies-detect…
*** MS16-DEC - Microsoft Security Bulletin Summary for December 2016 - Version: 1.0 ***
---------------------------------------------
This bulletin summary lists security bulletins released for December 2016.
For information about how to receive automatic notifications whenever Microsoft security bulletins are issued, visit Microsoft Technical Security Notifications.
---------------------------------------------
https://technet.microsoft.com/en-us/library/security/MS16-DEC
*** Patchday: Kritische Lücken in Edge, Windows & Co. ***
---------------------------------------------
Microsoft veröffentlicht im Dezember insgesamt zwölf Sicherheitsupdates. Im schlimmsten Fall können Angreifer Computer von Opfern durch den bloßen Aufruf einer manipulierten Webseite kapern.
---------------------------------------------
https://heise.de/-3569916
*** MSRT December 2016 addresses Clodaconas, which serves unsolicited ads through DNS hijacking ***
---------------------------------------------
In this month's Microsoft Malicious Software Removal Tool (MSRT) release, we continue taking down unwanted software, the pesky threats that force onto our computers things that we neither want nor need. BrowserModifier:Win32/Clodaconas, for instance, displays ads when you're browsing the internet. It modifies search results pages so that you see unsolicited ads related to your...
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2016/12/13/msrt-december-2016-addr…
*** "Statistisch gesehen": Verschlüsselungstrojaner - ein Millionengeschäft ***
---------------------------------------------
Petya, Goldeneye - diese und andere Erpressungstrojaner haben weltweit viele Nutzer zur Kasse gebeten. Die Zahlungsmoral hängt nicht zuletzt von Empfehlungen der Behörden ab. Wie viel bisher wo gezahlt wurde, zeigt ein neues...
---------------------------------------------
https://heise.de/-3569888
*** Malvertising Campaign Infects Your Router Instead of Your Browser ***
---------------------------------------------
Malicious ads are serving exploit code to infect routers, instead of browsers, in order to insert ads in every site users are visiting. Discovered by security researchers from US security firm Proofpoint, this malvertising campaign is powered by a new exploit kit called DNSChanger EK. [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malvertising-campaign-infect…
*** Modbus Stager: Using PLCs as a payload/shellcode distribution system ***
---------------------------------------------
This weekend I have been playing around with Modbus and I have developed a stager in assembly to retrieve a payload from the holding registers of a PLC. Since there are tons of PLCs exposed to the Internet, I thought whether it would be possible to take advantage of the processing and memory provided by them to store certain payload so that it can be recovered later (from the stager).
---------------------------------------------
http://www.shelliscoming.com/2016/12/modbus-stager-using-plcs-as.html
*** UAC Bypass in JScript Dropper ***
---------------------------------------------
What makes this sample different? After the classic execution of the PE files, it tries to bypass the Windows UAC using a "feature" present in eventvwr.exe. This system tool runs as a high integrity process and uses HKCU / HKCR registry hives to start mmc.exe which opens finally eventvwr.msc.
---------------------------------------------
https://isc.sans.edu/diary/UAC+Bypass+in+JScript+Dropper/21813
*** Sophos schließt Dirty-Cow-Lücke in Sicherheitspaket UTM ***
---------------------------------------------
Die Unified-Thread-Management-Lüsung von Sophos bekommt Sicherheitsupdates, die mehrere Schwachstellen schließen.
---------------------------------------------
https://heise.de/-3570179
*** Electronic Safe Lock Analysis: Part 2 ***
---------------------------------------------
After performing an initial tear-down, we were able to map out the device's behaviors and attack surface. We then narrowed our efforts on analyzing the device's BLE wireless communication. The Prologic B01's main feature is that it can be unlocked by a mobile Android or iOS device over BLE. The end result was a fully-automated attack that allows us to remotely compromise any Prologic B01 lock up to 100 yards away.
---------------------------------------------
http://www.somersetrecon.com/blog/2016/10/14/electronic-safe-lock-analysis-…
*** Microsoft Fixes Windows 10 Issue That Knocked People off the Internet ***
---------------------------------------------
Microsft has released KB3206632, a Windows update that fixes an issue introduced in an earlier update that crashed the CDPSVC service and prevented some users from receiving IP address information via the DCHP protocol, used by both home and enterprise-grade routers to connect users to the Internet. [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-windows-10-…
*** Xen Security Advisory 200 (CVE-2016-9932) - x86 CMPXCHG8B emulation fails to ignore operand size override ***
---------------------------------------------
Impact: A malicious unprivileged guest may be able to obtain sensitive information from the host.
---------------------------------------------
http://seclists.org/oss-sec/2016/q4/662
*** PHP: imagefilltoborder stackoverflow on truecolor images (CVE 2016-9933) ***
---------------------------------------------
Invalid color causes stack exhaustion by recursive call to function gdImageFillToBorder when the image used is truecolor. This was tested on a 64 bits platform.
---------------------------------------------
https://bugs.php.net/bug.php?id=72696
*** Joomla! Security Announcements ***
---------------------------------------------
*** [20161203] - Core - Information Disclosure ***
http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/EY3UcBwQtzI/666-20161203-c…
---------------------------------------------
*** [20161202] - Core - Shell Upload ***
http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/fI7Ty93n-Rk/665-20161202-c…
---------------------------------------------
*** [20161201] - Core - Elevated Privileges ***
http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/OjvlaBoXTCU/664-20161201-c…
---------------------------------------------
*** [20161204] - Misc. Security Hardening ***
http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/jYB3ItEGbWQ/667-20161204-m…
---------------------------------------------
*** Novell Patches ***
---------------------------------------------
*** Filr 2.0 - Security Update 3 ***
https://download.novell.com/Download?buildid=Am-_TGOll0g~
---------------------------------------------
*** Filr 3.0 - Security Update 1 ***
https://download.novell.com/Download?buildid=Qct0ao9jRAI~
---------------------------------------------
*** IDM 4.5 Delimited Text Driver 4.0.2.0 ***
https://download.novell.com/Download?buildid=hX_xlukrkNY~
---------------------------------------------
*** Huawei Security Advisories ***
---------------------------------------------
*** Security Advisory - Buffer Overflow Vulnerability in Wi-FI Driver of Huawei Smart Phone ***
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161214-…
---------------------------------------------
*** Security Advisory - DoS Vulnerability in Huawei Firewall ***
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161214-…
---------------------------------------------
*** Security Advisory - E-mail Information Leak Vulnerability in Android System ***
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161214-…
---------------------------------------------
*** Security Advisory - Memory Leak Vulnerability in Some Huawei Products ***
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161214-…
---------------------------------------------
*** ICS-CERT Advisories ***
---------------------------------------------
*** Visonic PowerLink2 Vulnerabilities ***
https://ics-cert.us-cert.gov/advisories/ICSA-16-348-01
---------------------------------------------
*** Moxa DACenter Vulnerabilities ***
https://ics-cert.us-cert.gov/advisories/ICSA-16-348-02
---------------------------------------------
*** Delta Electronics WPLSoft, ISPSoft, and PMSoft Vulnerabilities ***
https://ics-cert.us-cert.gov/advisories/ICSA-16-348-03
---------------------------------------------
*** Siemens SIMATIC WinCC and SIMATIC PCS 7 ActiveX Vulnerability ***
https://ics-cert.us-cert.gov/advisories/ICSA-16-348-04
---------------------------------------------
*** Siemens S7-300/400 PLC Vulnerabilities ***
https://ics-cert.us-cert.gov/advisories/ICSA-16-348-05
---------------------------------------------
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - Oct 2016 - Includes Oracle Oct 2016 CPU affect Content Collector for IBM Connections ***
https://www-01.ibm.com/support/docview.wss?uid=swg21988356
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Asset analyzer. (CVE-2016-5597) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21995883
---------------------------------------------
*** IBM Security Bulletin: Sweet32 Birthday attacks on 64-bit block ciphers in TLS affect Content Manager for z/OS (CVE-2016-2183) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21995455
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in BIND affects IBM Netezza Host Management ***
http://www.ibm.com/support/docview.wss?uid=swg21994505
---------------------------------------------
*** IBM Security Bulletin: Multiple Mozilla Firefox vulnerability issues in IBM SONAS ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1009647
---------------------------------------------
*** IBM Security Bulletin: Multiple Mozilla Firefox vulnerability issues in IBM Storwize V7000 Unified. ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1009554
---------------------------------------------
*** IBM Security Bulletin: Multiple Security Vulnerabilities in OpenSSL affect IBM Spectrum Control (formerly Tivoli Storage Productivity Center) ***
http://www.ibm.com/support/docview.wss?uid=swg21995129
---------------------------------------------
*** IBM Security Bulletin: Password disclosure vulnerability in IBM Tivoli Storage Manager for Virtual Environments: Data Protection for VMware vSphere GUI (CVE-2016-6034) ***
http://www.ibm.com/support/docview.wss?uid=swg21995544
---------------------------------------------
*** IBM Security Bulletin: Potential Information Disclosure vulnerability in WebSphere Application Server affects IBM Spectrum Control (formerly Tivoli Storage Productivity Center) CVE-2016-5986 ***
http://www.ibm.com/support/docview.wss?uid=swg21995745
---------------------------------------------
*** IBM Security Bulletin: Potential Information Disclosure in WebSphere Application Server ***
http://www-01.ibm.com/support/docview.wss?uid=swg21991469
---------------------------------------------
*** IBM Security Bulletin: Multiple Vulnerabilities affect IBM Spectrum Control formerly Tivoli Storage Productivity Center (CVE-2016-8941, CVE-2016-8942, CVE-2016-8943) ***
http://www.ibm.com/support/docview.wss?uid=swg21995128
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 12-12-2016 18:00 − Dienstag 13-12-2016 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** (Adobe) Security Bulletins Posted ***
---------------------------------------------
- Adobe Animate (APSB16-38)
- Adobe Flash Player (APSB16-39)
- Adobe Experience Manager Forms (APSB6-40)
- Adobe DNG Converter (APSB16-41)
- Adobe Experience Manager (APSB16-42)
- Adobe InDesign (APSB16-43)
- Adobe ColdFusion Builder (APSB16-44)
- Adobe Digital Editions (APSB16-45)
- Adobe RoboHelp (APSB16-46)
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1426
*** The importance of cryptography for the digital society ***
---------------------------------------------
Following the Council meeting on 8th and 9th December 2016 in Brussels, ENISA's paper gives an overview into aspects around the current debate on encryption, while highlighting the Agency's key messages and views on the topic.
---------------------------------------------
https://www.enisa.europa.eu/news/enisa-news/the-importance-of-cryptography-…
*** Vuln: PHP ext/wddx/wddx.c Denial of Service Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/94846
*** Vuln: PHP ext/standard/var.c Incomplete Fix Use After Free Remote Code Execution Vulnerability ***
---------------------------------------------
Use After Free in PHP7 unserialize()
---------------------------------------------
http://www.securityfocus.com/bid/94849
*** Unrestricted Backend Login Backdoor Method Seen in OpenCart ***
---------------------------------------------
>From the attacker's perspective, creating ways to maintain access to a compromised website is desirable. This allows them to further distribute malware and perform different kinds of malicious activities. One of the ways attackers try to secure their access is by adding admin users, or pieces of malicious code throughout the site. This allows them to regain access easily, if needed. However, we recently found a unique way to achieve this kind of breach in OpenCart version 1.5.6.4.
---------------------------------------------
https://blog.sucuri.net/2016/12/unrestricted-backend-login.html
*** State of the Web 2016: Jede zweite Website ist ein Sicherheitsrisiko ***
---------------------------------------------
Schwachstellen im Internet werden immer mehr, stellt Menlo Security in seinem Bericht über den "State of the Web" fest. Eine wichtige Rolle spielt das Nachladen externer Inhalte über Werbe-Netzwerke und Content Delivery Networks.
---------------------------------------------
https://heise.de/-3569114
*** Netgear-Lücke dramatischer als angenommen, erste Sicherheits-Updates ***
---------------------------------------------
Die hochkritische Lücke im Web-Interface betrifft deutlich mehr Netgear-Router als bislang angenommen. Für eine Handvoll Gerät hat der Hersteller inzwischen eine Beta-Firmware herausgegeben, die das Problem löst.
---------------------------------------------
https://heise.de/-3569299
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in IBM Java Runtime affects IBM Installation Manager and IBM Packaging Utility (CVE-2016-5597) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21995588
---------------------------------------------
*** IBM Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU Oct 2016 Includes Oracle Oct 2016 CPU affect Content Collector for File Systems ***
https://www-01.ibm.com/support/docview.wss?uid=swg21995474
---------------------------------------------
*** IBM Security Bulletin: Vulnerability CVE-2016-7099 and CVE-2016-5325 in Node.js affects IBM i ***
http://www-01.ibm.com/support/docview.wss?uid=nas8N1021765
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Enterprise Content Management System Monitor (CVE-2016-6304, CVE-2016-2177) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21995038
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in IBM Java SDK affect IBM Enterprise Content Management System Monitor (CVE-2016-3485) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21995042
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in Samba, BIND and Libreswan affect IBM Netezza Host Management ***
http://www.ibm.com/support/docview.wss?uid=swg21994231
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Open Source Apache Tomcat , Commons FileUpload affect IBM Enterprise Content Management System Monitor (CVE-2016-3092) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21995043
---------------------------------------------
*** IBM Security Bulletin: Multiple security issues in IBM Tealeaf Customer Experience on Cloud Network Capture Add-On ***
http://www.ibm.com/support/docview.wss?uid=swg21994534
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL and PHP affect IBM Tealeaf Customer Experience (CVE-2016-2107, CVE-2016-6290, CVE-2016-7125) ***
http://www.ibm.com/support/docview.wss?uid=swg21992307
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in IBM WebSphere Application Server and IBM Java Runtime affect IBM Tealeaf Customer Experience (CVE-2016-0378, CVE-2016-3485, CVE-2016-5986) ***
http://www.ibm.com/support/docview.wss?uid=swg21994537
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 09-12-2016 18:00 − Montag 12-12-2016 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Windows 10: protection, detection, and response against recent Depriz malware attacks ***
---------------------------------------------
A few weeks ago, multiple organizations in the Middle East fell victim to targeted and destructive attacks that wiped data from computers, and in many cases rendering them unstable and unbootable. Destructive attacks like these have been observed repeatedly over the years and the Windows Defender and Windows Defender Advanced Threat Protection Threat Intelligence teams...
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2016/12/09/windows-10-protection-d…
*** Microsoft Edges malware alerts can be faked, researcher says ***
---------------------------------------------
Fiddle with a URL and you can pop up and tell users to do anything Technical support scammers have new bait with the discovery that Microsofts Edge browser can be abused to display native and legitimate-looking warning messages.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/12/12/microsoft_e…
*** New Ransomware Offers The Decryption Keys If You Infect Your Friends ***
---------------------------------------------
MalwareHunterTeam has discovered "Popcorn Time," a new in-development ransomware with a twist. Gumbercules!! writes: "With Popcorn Time, not only can a victim pay a ransom to get their files back, but they can also try to infect two other people and have them pay the ransom in order to get a free key," writes Bleeping Computer. Infected victims are given a "referral code" and, if two people are infected by that code and pay up -- the original victim is given their...
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/BAJPIfARkR0/new-ransomware-…
*** Escaping a restricted shell ***
---------------------------------------------
help command outputs this list of available commands we can use, It's almost basically the web interface disguised as a shell session; Well not really but i'm sure you guys got the point. So let's begin with command substitution (a.k.a command injection) technique:...
---------------------------------------------
https://humblesec.wordpress.com/2016/12/08/escaping-a-restricted-shell/
*** Zcash, or the return of malicious miners ***
---------------------------------------------
Despite this dramatic drop from the initial values (which was anticipated), Zcash mining remains among the most profitable compared to other cryptocurrencies. This has led to the revival of a particular type of cybercriminal activity - the creation of botnets for mining. A few years ago, botnets were created for bitcoin mining, but the business all but died out after it became only marginally profitable.
---------------------------------------------
https://securelist.com/blog/research/76862/zcash-or-the-return-of-malicious…
*** 5 Questions to Ask your IoT Vendors; But Do Not Expect an Answer. ***
---------------------------------------------
1 - For how long, after I purchase a device, should I expect security updates?
2 - How will I learn about security updates?
3 - Can you share a pentest report for your device?
4 - How can I report vulnerabilities?
5 - If you use encryption, then disclose what algorithms you use and how it is implemented
---------------------------------------------
https://isc.sans.edu/diary/5+Questions+to+Ask+your+IoT+Vendors%3B+But+Do+No…
*** VB2016 paper: Modern attacks on Russian financial institutions ***
---------------------------------------------
Today, we publish the VB2016 paper and presentation (recording) by ESET researchers Jean-Ian Boutin and Anton Cherepanov, in which they look at sophisticated attacks against Russian financial institutions.
---------------------------------------------
https://www.virusbulletin.com/blog/2016/december/vb2016-paper-modern-attack…
*** Pentesting ICS Systems ***
---------------------------------------------
Security of ICS systems is one of the most critical issues of this last year. In this article, we will have a brief introduction to ICS systems, risks, and finally, methodology and tools to pentest ICS based systems Introduction Industrial control system (ICS) is a term that includes many types of control systems and instrumentation...
---------------------------------------------
http://resources.infosecinstitute.com/pentesting-ics-systems/
*** Ongoing Windows update bug woes affecting all ISPs ***
---------------------------------------------
Virgin also advising customers knocked offline An ongoing software update bug on Windows 8 and 10 appears affecting users of several UK ISPs, with Virgin Media the latest provider to admit the problem is knocking a number of its customers offline.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/12/12/ongoing_win…
*** Netgear-Router trivial angreifbar, noch kein Patch in Sicht ***
---------------------------------------------
Im Web-Interface einiger Netgear-Router klafft offenbar eine kritische Sicherheitslücke, die Angreifer leicht ausnutzen können, um Code mit Root-Rechten auszuführen. Schutz verspricht bisher nur ein unorthodoxer Weg: Man soll die Lücke selbst ausnutzen.
---------------------------------------------
https://heise.de/-3568679
*** DDoS tool encourages users to compete against each other for points ***
---------------------------------------------
Sledgehammer tool encourages hackers to launch DDoS attacks - but theres a sting in the tail
---------------------------------------------
https://nakedsecurity.sophos.com/2016/12/12/ddos-tool-encourages-users-to-c…
*** VU#582384: Multiple Netgear routers are vulnerable to arbitrary command injection ***
---------------------------------------------
Vulnerability Note VU#582384 Multiple Netgear routers are vulnerable to arbitrary command injection Original Release date: 09 Dec 2016 | Last revised: 09 Dec 2016 Overview Netgear R7000 and R6400 routers and possibly other models are vulnerable to arbitrary command injection. Description CWE-77: Improper Neutralization of Special Elements used in a Command (Command Injection) Netgear R7000, firmware version 1.0.7.2_1.1.93 and possibly earlier, and R6400, firmware version 1.0.1.6_1.0.4 and...
---------------------------------------------
http://www.kb.cert.org/vuls/id/582384
*** DSA-3730 icedove - security update ***
---------------------------------------------
Multiple security issues have been found in Icedove, Debians version ofthe Mozilla Thunderbird mail client: Multiple memory safety errors,same-origin policy bypass issues, integer overflows, buffer overflowsand use-after-frees may lead to the execution of arbitrary code ordenial of service.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3730
*** Vuln: McAfee VirusScan Enterprise Multiple Security Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/bid/94823
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: One vulnerability in IBM Java SDK affects IBM Application Delivery Intelligence v1.0.1 and v1.0.1.1 (CVE-2016-5597) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21995653
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities may affect IBM SDK for Node.js ***
http://www.ibm.com/support/docview.wss?uid=swg21993007
---------------------------------------------
*** IBM Security Bulletin: Open Source Apache Tomcat Commons FileUpload Vulnerabilities affects Atlas Policy Suite (CVE-2016-3092) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21995382
---------------------------------------------
*** IBM Security Bulletin: Potential Information Disclosure vulnerability in IBM MessageSight (CVE-2016-5986) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21995246
---------------------------------------------
*** IBM Security Bulletin: IBM Security Access Manager appliances are affected by vulnerabilities in OpenSSH (CVE-2015-5352, CVE-2015-6563, CVE-2015-6564) ***
http://www.ibm.com/support/docview.wss?uid=swg21992610
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Tivoli Access Manager for e-business and IBM Security Access Manager for Web version 7 software (CVE-2016-3550, CVE-2016-3485) ***
http://www.ibm.com/support/docview.wss?uid=swg21993132
---------------------------------------------
*** IBM Security Bulletin: Open Redirect vulnerability in IBM MessageSight (CVE-2016-3040) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21995247
---------------------------------------------
*** IBM Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - Apr 2016 - Includes Oracle Apr 2016 CPU affect for IBM Connections (CVE-2016-0264 ) ***
https://www-01.ibm.com/support/docview.wss?uid=swg21988365
---------------------------------------------
*** IBM Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - Apr 2016 - Includes Oracle Apr 2016 CPU affect Content Collector for Email (CVE-2016-0264) ***
https://www-01.ibm.com/support/docview.wss?uid=swg21988357
---------------------------------------------
*** IBM Security Bulletin: Information Disclosure in IBM MessageSight (CVE-2016-0378) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21995238
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 07-12-2016 18:00 − Freitag 09-12-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Produktwarnung für Joomla! ***
---------------------------------------------
[...] In den Joomla! Versionen 3.4.4 bis einschließlich 3.6.4 wurde eine Sicherheitslücke entdeckt, die es einem Angreifer aus dem Internet ermöglicht, beliebigen Programmcode auszuführen und dadurch erheblichen Schaden auf einem betroffenen...
---------------------------------------------
https://www.bsi-fuer-buerger.de/SharedDocs/Warnmeldungen/DE/TW/warnmeldung_…
*** Root-Rechte durch Linux-Lücke ***
---------------------------------------------
Seit fünf Jahren klafft eine Lücke im Linux-Kernel, durch die sich lokale Nutzer erhöhte Rechte verschaffen können. Auch Android ist betroffen.
---------------------------------------------
https://heise.de/-3565365
*** Mobile Ransomware: Pocket-Sized Badness ***
---------------------------------------------
A few weeks ago, I spoke at Black Hat Europe 2016 on Pocket-Sized Badness: Why Ransomware Comes as a Plot Twist in the Cat-Mouse Game. While watching mobile ransomware from April 2015 to April 2016, I noticed a big spike in the number of Android ransomware samples. During that year, the number of Android ransomware increased by 140%. In certain areas, mobile ransomware accounts for up to 22 percent of mobile malware overall! (These numbers were obtained from the Trend Micro Mobile App...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/hPA6z0gnzFE/
*** Managed-Exchange-Dienst: Telekom-Cloud-Kunde konnte fremde Adressbücher einsehen ***
---------------------------------------------
Durch einen Konfigurationsfehler konnte ein Nutzer der Telekom-Cloud-Dienste kurzzeitig auf fremde Adressbücher zugreifen, darunter sollen auch Strafverfolgungsbehörden gewesen sein. Schuld war wohl ein Berechtigungsfehler im Exchange-Dienst. (Telekom, Datenschutz)
---------------------------------------------
http://www.golem.de/news/managed-exchange-dienst-telekom-cloud-kunde-konnte…
*** Crooks Start Deploying New "August" Infostealer ***
---------------------------------------------
During the month of November 2016, a cyber-crime group has started deploying a new malware family nicknamed "August," used mainly for information gathering and reconnaissance on the infected targets computer. [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/security/crooks-start-deploying-new-a…
*** PowerShell threats surge: 95.4 percent of analyzed scripts were malicious ***
---------------------------------------------
Symantec analyzed 111 threat families that use PowerShell, finding that they leverage the framework to download payloads and traverse through networks.
---------------------------------------------
https://www.symantec.com/connect/blogs/powershell-threats-surge-954-percent…
*** Kaspersky Security Bulletin 2016. The ransomware revolution ***
---------------------------------------------
Between January and September 2016 ransomware attacks on business increased three-fold - to the equivalent of an attack every 40 seconds. With the ransomware-as-a-service economy booming, and the launch of the NoMoreRansom project, Kaspersky Lab has named ransomware its key topic for 2016.
---------------------------------------------
http://securelist.com/analysis/kaspersky-security-bulletin/76757/kaspersky-…
*** Banking Trojan Uses Gmail Popup to Extend Infection to Victims Android Phone ***
---------------------------------------------
A group of malware authors has come up with a new method of transcending an infection from the users computer to his Android smartphone. [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/security/banking-trojan-uses-gmail-po…
*** Industriespionage: Wie Thyssenkrupp seine Angreifer fand ***
---------------------------------------------
Wie schützt man sein Netzwerk, wenn man 150.000 Mitarbeiter und 500 Tochterunternehmen hat? Thyssenkrupp lernte nach einem Angriff, dass es zwei Dinge braucht: Ausreichend Ressourcen und Freiheit für das Team.
---------------------------------------------
http://www.golem.de/news/industriespionage-wie-thyssenkrupp-seine-angreifer…
*** Now Mirai Has DGA Feature Built in ***
---------------------------------------------
Nearly 2 weeks ago, 2 new infection vectors (aka TCP ports of 7547 and 5555) were found being used to spread MIRAI malwares . My colleague Gensheng quickly set up some honeypots for that sort of vectors and soon had his harvests: 11 samples were captured on Nov 28th. Till now 53 unique samples have been captured by our honeypots from 6 hosting servers.
---------------------------------------------
http://blog.netlab.360.com/new-mirai-variant-with-dga/
*** Krypto-Trojaner: Lockys gieriger Bruder verlangt über 2000 Euro Lösegeld ***
---------------------------------------------
Nicht nur der Erpressungs-Trojaner GoldenEye ist derzeit ein Ärgernis, auch die Verwandschaft des berüchtigten Locky-Trojaners geht weiter auf Raubzug. Eine Osiris genannte Variante schlägt derzeit vermehrt zu und verlangt ein saftiges Lösegeld.
---------------------------------------------
https://heise.de/-3564812
*** Bugtraq: AST-2016-009: ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539888
*** Bugtraq: AST-2016-008: Crash on SDP offer or answer from endpoint using Opus ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539887
*** DFN-CERT-2016-2010: Sophos UTM: Mehrere Schwachstellen ermöglichen u.a. die Ausführung beliebigen Programmcodes ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-2010/
*** DFN-CERT-2016-1991: FreeBSD: Mehrere Schwachstellen ermöglichen u.a. die Ausführung beliebigen Programmcodes ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-1991/
*** DSA-3729 xen - security update ***
---------------------------------------------
Multiple vulnerabilities have been discovered in the Xen hypervisor. TheCommon Vulnerabilities and Exposures project identifies the followingproblems:...
---------------------------------------------
https://www.debian.org/security/2016/dsa-3729
*** Cisco Email Security Appliance Content Filter Bypass Vulnerability ***
---------------------------------------------
A vulnerability in the content filtering functionality of Cisco AsyncOS Software for Cisco Email Security Appliances could allow an unauthenticated, remote attacker to bypass user filters that are configured for an affected device.The vulnerability is due to improper filtering of certain TAR format files that are attached to email messages. An attacker could exploit this vulnerability by sending an email message that has a crafted TAR file attachment through an affected device.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** F5 Security Advisories ***
---------------------------------------------
*** Security Advisory: libxml2 vulnerabilities CVE-2016-4447 and CVE-2016-4449 ***
https://support.f5.com:443/kb/en-us/solutions/public/k/24/sol24322529.html?…
---------------------------------------------
*** Security Advisory: PHP vulnerability CVE-2016-6290 ***
https://support.f5.com:443/kb/en-us/solutions/public/k/15/sol15850913.html?…
---------------------------------------------
*** Security Advisory: libarchive vulnerability CVE-2016-5844 ***
https://support.f5.com:443/kb/en-us/solutions/public/k/24/sol24036027.html?…
---------------------------------------------
*** Security Advisory: PHP vulnerability CVE-2016-7126 ***
https://support.f5.com:443/kb/en-us/solutions/public/k/40/sol40564589.html?…
---------------------------------------------
*** Security Advisory: OpenSSL vulnerability CVE-2016-6302 ***
https://support.f5.com:443/kb/en-us/solutions/public/k/70/sol70844615.html?…
---------------------------------------------
*** Security Advisory: libxml2 vulnerability CVE-2016-1836 ***
https://support.f5.com:443/kb/en-us/solutions/public/k/48/sol48220300.html?…
---------------------------------------------
*** Security Advisory: libarchive vulnerability CVE-2015-8932 ***
https://support.f5.com:443/kb/en-us/solutions/public/k/90/sol90412202.html?…
---------------------------------------------
*** Security Advisory: libarchive vulnerability CVE-2016-5418 ***
https://support.f5.com:443/kb/en-us/solutions/public/k/35/sol35246595.html?…
---------------------------------------------
*** Security Advisory: libxml2 vulnerability CVE-2016-1835 ***
https://support.f5.com:443/kb/en-us/solutions/public/k/43/sol43314223.html?…
---------------------------------------------
*** Security Advisory: libxml2 vulnerability CVE-2016-1837 ***
https://support.f5.com:443/kb/en-us/solutions/public/k/05/sol05937379.html?…
---------------------------------------------
*** Security Advisory: libxml2 vulnerability CVE-2016-1833 ***
https://support.f5.com:443/kb/en-us/solutions/public/k/62/sol62030064.html?…
---------------------------------------------
*** Security Advisory: libxml2 vulnerability CVE-2016-1762 ***
https://support.f5.com:443/kb/en-us/solutions/public/k/14/sol14338030.html?…
---------------------------------------------
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Multiple security vulnerabilities affect Liberty for Java for IBM Bluemix (CVE-2016-5573, CVE-2016-5597, CVE-2016-5983) ***
http://www.ibm.com/support/docview.wss?uid=swg21994945
---------------------------------------------
*** IBM Security Bulletin: IBM i is affected by networking BIND vulnerabilities (CVE-2016-2775, CVE-2016-2776, CVE-2016-8864 and CVE-2016-6170) ***
http://www.ibm.com/support/docview.wss?uid=nas8N1021750
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect Power Hardware Management Console (CVE-2016-2180, CVE-2016-2182, CVE-2016-6306) ***
http://www.ibm.com/support/docview.wss?uid=nas8N1021733
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Tivoli Network Manager IP Edition 3.9 Fix Pack 4 HTTPS support for Perl Collector ***
http://www.ibm.com/support/docview.wss?uid=swg21990532
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in DHCP affect Power Hardware Management Console (‪CVE-2015-8605 and CVE-2016-2774‬‬) ***
http://www-01.ibm.com/support/docview.wss?uid=nas8N1021703
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities affect IBM Security AppScan Enterprise ***
http://www-01.ibm.com/support/docview.wss?uid=swg21995118
---------------------------------------------
*** IBM Security Bulletin: Open Source Apache Tomcat , Commons FileUpload Vulnerabilities affecting IBM Algo Audit and Compliance (CVE-2016-3092) ***
http://www.ibm.com/support/docview.wss?uid=swg21993305
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Flex System Manager (FSM) Storage Manager Install Anywhere (SMIA) configuration tool ***
http://www.ibm.com/support/docview.wss?uid=isg3T1024507
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Network Advisor (CVE-2016-3425, CVE-2016-3427, CVE-2016-0695). ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1009640
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM b-type SAN switches and directors and IBM Network Advisor (CVE-2016-0705, CVE-2016-0797, CVE-2016-0799, CVE-2016-0702, CVE-2016-0704, CVE-2016-0704, CVE-2016-2842). ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1009631
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in pConsole impacts AIX (CVE-2016-0266) ***
http://aix.software.ibm.com/aix/efixes/security/pconsole_advisory2.asc
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in OpenSSL affects IBM Fabric Manager (CVE-2016-2183) ***
https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5099504
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Apache Struts affects IBM Social Media Analytics (CVE-2016-4003) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21994399
---------------------------------------------
*** IBM Security Bulletin: Apache Commons FileUpload Vulnerability affects IBM Rational ClearQuest (CVE-2016-3092) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21993816
---------------------------------------------
*** IBM Security Bulletin:Vulnerabilities in OpenSSL affect IBM SONAS ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1009648
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affects IBM Rational ClearCase (CVE-2016-2177, CVE-2016-2178, CVE-2016-2183, CVE-2016-6302, CVE-2016-6303, CVE-2016-6304, CVE-2016-6306) ***
http://www.ibm.com/support/docview.wss?uid=swg21993514
---------------------------------------------
*** IBM Security Bulletin: Tivoli Storage Manager (IBM Spectrum Protect) AIX Client Buffer Overflow (CVE-2016-5985) ***
http://www.ibm.com/support/docview.wss?uid=swg21993695
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in IBM Websphere affects IBM Tivoli Netcool Configuration Manager (ITNCM) (CVE-2016-5983) ***
http://www.ibm.com/support/docview.wss?uid=swg21992640
---------------------------------------------
*** IBM Security Bulletin: Multiple security vulnerabilities affect the Report Builder and Data Collection Component that are shipped with Jazz Reporting Service (CVE-2016-5898, CVE-2016-5899, CVE-2016-6054, CVE-2016-6047) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21991154
---------------------------------------------
*** IBM Security Bulletin: Multiple security vulnerabilities affect the Lifecycle Query Engine (LQE) that is shipped with Jazz Reporting Service (CVE-2016-5897, CVE-2016-6039) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21991153
---------------------------------------------
*** IBM Security Bulletin:Samba vulnerability issue on IBM Storwize V7000 Unified (CVE-2016-2119) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1009567
---------------------------------------------
*** IBM Security Bulletin:Apache Tomcat vulnerability affects IBM Storwize V7000 Unified (CVE-2016-3092) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1009566
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL, OpenVPN and GNU glibc affect IBM Security Virtual Server Protection for VMware ***
http://www-01.ibm.com/support/docview.wss?uid=swg21995039
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 06-12-2016 18:00 − Mittwoch 07-12-2016 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Onlinewerbung: Forscher stoppen monatelange Malvertising-Kampagne ***
---------------------------------------------
Über eine Malvertising-Kampagne ist in den vergangenen Monaten Schadcode verteilt worden. Die Macher des Stegano-Exploit-Kits versteckten dabei unsichtbare Pixel in Werbeanzeigen und nutzen Exploits in Flash und dem Internet Explorer.
---------------------------------------------
http://www.golem.de/news/onlinewerbung-forscher-stoppen-monatelange-malvert…
*** Petya-Variante: Goldeneye-Ransomware verschickt überzeugende Bewerbungen ***
---------------------------------------------
Kurz vor dem Jahresende gibt es erneut eine größere Ransomware-Kampagne in Deutschland. Kriminelle verschicken mit Goldeneye professionell aussehende Bewerbungen an Personalabteilungen - und nutzen möglicherweise Informationen des Arbeitsamtes.
---------------------------------------------
http://www.golem.de/news/petya-variante-goldeneye-ransomware-verschickt-ueb…
*** Kriminelle könnten Daten von Visa-Kreditkarten vergleichsweise einfach erraten ***
---------------------------------------------
In einer Studie zeigen Sicherheitsforscher, wie sie CVV-Nummern und andere Kreditkarten-Daten in wenigen Sekunden erraten und damit anschließend Geld überweisen.
---------------------------------------------
https://heise.de/-3564898
*** Flash Exploit Found in Seven Exploit Kits ***
---------------------------------------------
An Adobe Flash Player vulnerability used by the Sofacy APT gang was also found in seven of the top exploit kits, according to an analysis by Recorded Future.
---------------------------------------------
http://threatpost.com/flash-exploit-found-in-seven-exploit-kits/122284/
*** Explained: Domain Generating Algorithm ***
---------------------------------------------
Domain Generating Algorithms are in use by cyber criminals to prevent their servers from being blacklisted or taken down. The algorithm produces random looking domain names. The idea is that two machines using the same algorithm will contact the same domain at a given time.Categories: Security world TechnologyTags: algorithmdgadomainDomain Generating AlgorithmgeneratinggenerationPieter Arntz(Read more...)
---------------------------------------------
https://blog.malwarebytes.com/security-world/2016/12/explained-domain-gener…
*** Attacking NoSQL applications, (Tue, Dec 6th) ***
---------------------------------------------
In last couple of years, the MEAN stack (MongoDB, Express.js, Angular.js and Node.js) became the stack of choice for many web application developers. The main reason for this popularity is the fact that the stack supports both client and server side programs written in JavaScript, allowing easy development. The core database used by the MEAN stack, MongoDB, is a NoSQL database program that uses JSON-like documents with dynamic schemas allowing huge flexibility. Although NoSQL databases are not...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21787&rss
*** MSRT December 2016 addresses Clodaconas, which serves unsolicited ads through DNS hijacking ***
---------------------------------------------
In this month's Microsoft Malicious Software Removal Tool (MSRT) release, we continue taking down unwanted software, the pesky threats that force onto our computers things that we neither want nor need. BrowserModifier:Win32/Clodaconas, for instance, displays ads when you're browsing the internet. It modifies search results pages so that you see unsolicited ads related to your...
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2016/12/06/msrt-december-2016-addr…
*** Unrestricted Backend Login Method Seen in OpenCart ***
---------------------------------------------
>From the attacker's perspective, creating ways to maintain access to a compromised website is desirable. This allows them to further distribute malware and perform different kinds of malicious activities. One of the ways attackers try to secure their access is by adding admin users, or pieces of malicious code throughout the site. This allows them to regain access easily, if needed. However, we recently found a unique way to achieve this kind of breach.
---------------------------------------------
https://blog.sucuri.net/2016/12/unrestricted-backend-login.html
*** Crims using anti-virus exclusion lists to send malware to where it can do most damage ***
---------------------------------------------
When vendors tell you what to whitelist, crims are reading too Advanced malware writers are using anti-virus exclusion lists to better target victims, researchers say.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/12/07/clever_crim…
*** Deep Analysis of the Online Banking Botnet TrickBot ***
---------------------------------------------
TrickBot aims at stealing online banking information from browsers when victims are visiting online banks. The targeted banks are from Australia, New Zealand, Germany, United Kingdom, Canada, United States, Israel, and Ireland, to name a few.
---------------------------------------------
http://blog.fortinet.com/2016/12/06/deep-analysis-of-the-online-banking-bot…
*** Debugging war story: the mystery of NXDOMAIN ***
---------------------------------------------
The following blog post describes a debugging adventure on Cloudflares Mesos-based cluster. This internal cluster is primarily used to process log file information so that Cloudflare customers have analytics, and for our systems that detect and respond to attacks.The problem encountered didnt have any effect on our customers,
---------------------------------------------
https://blog.cloudflare.com/debugging-war-story-the-mystery-of-nxdomain/
*** Popular smart toys violate children's privacy rights? ***
---------------------------------------------
My Friend Cayla and i-Que, two extremely popular "smart" toys manufactured by Los Angeles-based Genesis Toys, do not safeguard basic consumer (and children's) rights to security and privacy, researchers have found. The toys come with companion apps, and the latter use services by Nuance Communications, a company headquartered in Massachussetts that specializes in voice-and speech-recognition services for a variety of industries.
---------------------------------------------
https://www.helpnetsecurity.com/2016/12/07/smart-toys-privacy-rights/
*** Bugtraq: [ESNC-2041217] Critical Security Vulnerability in PwC ACE Software for SAP Security ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539883
*** Security Advisory - Privilege Escalation Vulnerability in Some Huawei Storage Products ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161207-…
*** Security Advisory - Dirty COW Vulnerability in Huawei Products ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161207-…
*** Security Advisory - FRP Bypass Vulnerability in Huawei Smart Phones ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161207-…
*** Tesla Gateway ECU Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a Gateway ECU vulnerability in Teslas Model S automobile.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-341-01
*** Locus Energy LGate Command Injection Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a command injection vulnerability in Locus Energy's LGate application.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-231-01-0
*** F5 Security Advisories ***
---------------------------------------------
*** Security Advisory: Python urllib and urllib2 library vulnerability CVE-2016-5699 ***
https://support.f5.com:443/kb/en-us/solutions/public/k/10/sol10420455.html?…
---------------------------------------------
*** Security Advisory: libxml2 vulnerability CVE-2016-1839 ***
https://support.f5.com:443/kb/en-us/solutions/public/k/26/sol26422113.html?…
---------------------------------------------
*** Security Advisory: libxml2 vulnerability CVE-2016-1840 ***
https://support.f5.com:443/kb/en-us/solutions/public/k/14/sol14614344.html?…
---------------------------------------------
*** Security Advisory: PHP vulnerability CVE-2016-7127 ***
https://support.f5.com:443/kb/en-us/solutions/public/k/89/sol89002224.html?…
---------------------------------------------
*** Security Advisory: PHP vulnerabilities CVE-2016-6288 and CVE-2016-6289 ***
https://support.f5.com:443/kb/en-us/solutions/public/k/34/sol34985231.html?…
---------------------------------------------
*** Security Advisory: libxml2 vulnerability CVE-2016-1838 ***
https://support.f5.com:443/kb/en-us/solutions/public/k/71/sol71926235.html?…
---------------------------------------------
*** Cisco Security Advisories ***
---------------------------------------------
*** Cisco AnyConnect Secure Mobility Client Local Privilege Escalation Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Web Security Appliance Drop Decrypt Policy Bypass Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
---------------------------------------------
*** Cisco Web Security Appliance HTTP URL Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Firepower Management Center Information Disclosure Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Unified Communications Manager IM and Presence Service Information Disclosure Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Prime Collaboration Assurance Cross-Site Scripting Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Identity Services Engine Cross-Site Scripting Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
---------------------------------------------
*** Cisco Identity Services Engine Active Directory Integration Component Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco IOS XR Software Default Credentials Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
---------------------------------------------
*** Cisco IOS and Cisco IOS XE Software Zone-Based Firewall Feature Bypass Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco IOS XR Software HTTP 2.0 Request Handling Event Service Daemon Denial of Service Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
---------------------------------------------
*** Cisco IOS and IOS XE Software SSH X.509 Authentication Bypass Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco IOS Frame Forwarding Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Intercloud Fabric Director Static Credentials Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
---------------------------------------------
*** Cisco Hybrid Media Service Privilege Escalation Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco FirePOWER Malware Protection Bypass Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
---------------------------------------------
*** Cisco Firepower Management Center and Cisco FireSIGHT System Software Malicious Software Detection Bypass Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco FireAMP Connector Endpoint Software Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Expressway Series Software Security Bypass Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
---------------------------------------------
*** Cisco Email Security Appliance SMTP Cross-Site Scripting Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
---------------------------------------------
*** Cisco Email Security Appliance and Web Security Appliance Content Filter Bypass Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Unified Communications Manager Unified Reporting Upload Tool Directory Traversal Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
---------------------------------------------
*** Cisco Unified Communications Manager Administration Page Cross-Site Scripting Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
---------------------------------------------
*** Cisco ONS 15454 Series Multiservice Provisioning Platforms TCP Port Management Denial of Service Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
---------------------------------------------
*** Cisco Emergency Responder Directory Traversal Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
---------------------------------------------
*** Cisco Emergency Responder Cross-Site Request Forgery Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco IOx Application-Hosting Framework Directory Traversal Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Security Appliances AsyncOS Software Update Server Certificate Validation Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
---------------------------------------------
*** Cisco ASR 5000 Series IKEv2 Denial of Service Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
---------------------------------------------
*** Cisco ASR 5000 Series IPv6 Packet Processing Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
Next End-of-Shift report: 2016-12-09
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 05-12-2016 18:00 − Dienstag 06-12-2016 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Dirty Cow Vulnerability Patched in Android Security Bulletin ***
---------------------------------------------
Todays Android Security Bulletin included a patch for the Dirty Cow vulnerability, a seven-year-old Linux bug that had yet to be patched by Google.
---------------------------------------------
http://threatpost.com/dirty-cow-vulnerability-patched-in-android-security-b…
*** BlackBerry powered by Android Security Bulletin - December 2016 ***
---------------------------------------------
http://support.blackberry.com/kb/articleDetail?articleNumber=000038813
*** Arista CloudVision Portal bug revealed, plus evidence its been used ***
---------------------------------------------
You know the drill: face-palm, download, patch, grumble about state of security, relax Arista customers: if youre running a version of CloudVision Portal (CVP) older than 2016.1.2.1, get an update or risk getting p0wned.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/12/06/arista_clou…
*** Printer security is so bad HP Inc will sell you services to fix it ***
---------------------------------------------
Finally, FINALLY, someone is turning off Telnet and FTP Printer security is so awful HP Inc is willing to shut off shiny features and throw its own dedicated bodies at the perennial problem.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/12/06/printer_sec…
*** GNU Netcat 0.7.1 Out-Of-Bounds Write ***
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016120029
*** In the three years since IETF said pervasive monitoring is an attack, whats changed? ***
---------------------------------------------
IETF Security director Stephen Farrell offers a report card on evolving defences
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/12/06/ietf_report…
*** [2016-12-06] Backdoor vulnerability in Sony IPELA ENGINE IP Cameras ***
---------------------------------------------
Sony IPELA Engine IP Cameras contain multiple backdoors. Those backdoor accounts allow an attacker to run arbitrary code on the affected IP cameras. An attacker can use cameras to take a foothold in a network and launch further attacks, disrupt camera functionality, send manipulated images/video, add cameras into a Mirai-like botnet or spy on people.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2016…
*** DailyMotion anscheinend gehackt: 87,6 Millionen Nutzer betroffen ***
---------------------------------------------
Unbekannte Hacker sollen in das Server-System die Videoportals eingestiegen sein und neben E-Mail-Adressen auch geschützte Passwörter kopiert haben.
---------------------------------------------
https://heise.de/-3559563
*** Vuln: Joomla! Core CVE-2016-9836 Arbitrary File Upload Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/94663
*** International Phone Fraud Tactics ***
---------------------------------------------
This article outlines two different types of international phone fraud.
---------------------------------------------
https://www.schneier.com/blog/archives/2016/12/international_p.html
*** Aufgepasst: Neuer Verschlüsselungstrojaner Goldeneye verbreitet sich rasant ***
---------------------------------------------
Ein bisher unbekannter Verschlüsselungstrojaner tarnt sich als Bewerbungs-E-Mail und versucht, Systeme in ganz Deutschland zu verschlüsseln. Momentan wird er von vielen Virenscannern noch nicht erkannt.
---------------------------------------------
https://heise.de/-3561396
*** Roundcube 1.2.2: Command Execution via Email ***
---------------------------------------------
In this post, we show how a malicious user can execute arbitrary commands on the underlying operating system remotely, simply by writing an email in Roundcube 1.2.2 (>= 1.0). This vulnerability is highly critical because all default installations are affected. We urge all administrators to update the Roundcube installation to the latest version 1.2.3 as soon as possible.
---------------------------------------------
https://blog.ripstech.com/2016/roundcube-command-execution-via-email/
*** Xen Security Advisory 199 (CVE-2016-9637) - qemu ioport array overflow ***
---------------------------------------------
hen qemu is used as a device model within Xen, io requests are generated by the hypervisor and read by qemu from a shared ring. The entries in this ring use a common structure, including a 64-bit address field, for various accesses, including ioport addresses. Xen will write only 16-bit address ioport accesses. However, depending on the Xen and qemu version, the ring may be writeable by the guest. If so, the guest can generate out-of-range ioport accesses, resulting in wild pointer accesses
---------------------------------------------
https://lists.xen.org/archives/html/xen-announce/2016-12/msg00001.html
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Fabric Manager. ***
https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5099503
---------------------------------------------
*** IBM Security Bulletin: Lotus Protector for Mail Security Affected By Open Source Linux Kernel Vulnerabilities (CVE-2016-5195) ***
http://www.ibm.com/support/docview.wss?uid=swg21994535
---------------------------------------------
*** IBM Security Bulletin: A busybox vulnerability affects IBM DataPower Gateways (CVE-2014-4607) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21993006
---------------------------------------------
*** IBM Security Bulletin: Apache POI as used in IBM QRadar SIEM is vulnerable to various CVEs. ***
http://www.ibm.com/support/docview.wss?uid=swg21994719
---------------------------------------------
*** IBM Security Bulletin: Multiple Security Vulnerabilities in Expat affect IBM Netezza Analytics ***
http://www-01.ibm.com/support/docview.wss?uid=swg21994401
---------------------------------------------
*** IBM Security Bulletin: IBM QRadar SIEM is vulnerable to various CGI vulnerabilities. (CVE-2016-5385, CVE-2016-5387, CVE-2016-5388) ***
http://www.ibm.com/support/docview.wss?uid=swg21994725
---------------------------------------------
*** IBM Security Bulletin: Open Source Apache Xerces-C XML parser vulnerabilities affect IBM Integration Bus and WebSphere Message Broker (CVE-2016-4463, CVE-2016-0729) ***
http://www.ibm.com/support/docview.wss?uid=swg21985691
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in libxml2 affects IBM Streams (CVE-2016-3705) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21991065
---------------------------------------------
*** IBM Security Bulletin: Multiple Vulnerabilities in NTP and OpenSSL affect IBM Netezza Firmware Diagnostics Tools ***
http://www-01.ibm.com/support/docview.wss?uid=swg21994484
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 02-12-2016 18:00 − Montag 05-12-2016 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Bug des Tages: Forwarding issues related to MACs starting with a 4 or a 6 ***
---------------------------------------------
OK aber wieso sollte denn ausgerechnet 4 oder 6 am Anfang ein Problem sein? Weil bei IPv4 und IPv6 die Header mit der "Version" anfangen, die ersten vier Bits sind bei IPv4 immer 4 und bei IPv6 immer 6. Nun kommt der IP-Header nach dem Ethernet-Header, d.h. da gibt es an sich keine Verwechslungsgefahr. Du weißt ja, worauf du gerade guckst. Aber anscheinend haben da einige Hersteller versucht, "selbstdenkende" Geräte zu bauen, die sich die ersten 4 Bits angucken,...
---------------------------------------------
https://blog.fefe.de/?ts=a6bc62fc
*** Studie: Herzschrittmacher lassen sich leicht hacken ***
---------------------------------------------
Sicherheitsforscher aus Belgien und Großbritannien konnten mehrere verschiedene Modelle von Implantaten für Patienten mit Herzrhythmusstörungen aus der Ferne hacken.
---------------------------------------------
https://futurezone.at/digital-life/studie-herzschrittmacher-lassen-sich-lei…
*** Anti-Schnüffler-Tool SAMRi10 soll Windows-Netzwerke schützen ***
---------------------------------------------
Mit dem kostenlosen PowerShell-Skript sollen Admins Schnüfflern den Zutritt zum Security Account Manager effektiver versperren können.
---------------------------------------------
https://heise.de/-3550115
*** The Kings in Your Castle, Pt #4 ***
---------------------------------------------
Oftentimes, there is talk about a "sophisticated" malware-based attack against an individual or an organization. The prevalent assumption is that a great deal of development work has gone into the attack tools. In the 4th part of the article series, Marion Marschalek and Raphael Vinot will demonstrate what sophistication means and what it actually looks like.
---------------------------------------------
https://blog.gdatasoftware.com/2016/12/29343-the-kings-in-your-castle-pt-4
*** Identitätsdiebstahl mit gefälschter PayPal-Nachricht ***
---------------------------------------------
Mit einer gefälschten PayPal-Nachricht wollen Kriminelle die Identität von Empfänger/innen stehlen. Damit sie ihr Ziel erreichen, behaupten sie, dass das Unternehmen das fremde PayPal-Konto deaktiviert habe. Es könne dieses nur reaktiveren, wenn es eine Personalausweis-Kopie der Kund/innen erhalte. Das ist falsch.
---------------------------------------------
https://www.watchlist-internet.at/sonstiges/identitaetsdiebstahl-mit-gefael…
*** Putting security risks on simmer with Chef ***
---------------------------------------------
To remain PCI-compliant, I conduct quarterly security assessments of our infrastructure. This means external testing of our internet-facing PCI resources, using an approved scanning vendor (ASV), and what I call internal PCI full-population scans.Trouble TicketAt issue: Too many servers with too many different configurations make it tough to stay in compliance.Action plan: Use Chef and the CIS guidelines to ensure that servers are properly configured.We do the external scanning every month,...
---------------------------------------------
http://www.cio.com/article/3147055/security/putting-security-risks-on-simme…
*** Vuln: Alcatel-Lucent OmniVista 8770 CVE-2016-9796 Remote Code Execution Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/94649
*** FortiOS Local Admin Password Hash Leak Vulnerability ***
---------------------------------------------
http://fortiguard.com/advisory/FG-IR-16-050
*** Bugtraq: CVE-2016-8740, Server memory can be exhausted and service denied when HTTP/2 is used ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539873
*** IBM Security Bulletin: Vulnerability in Apache Commons FileUpload affects IBM InfoSphere Information Server (CVE-2016-3092) ***
---------------------------------------------
An Apache Commons FileUpload vulnerability while processing file upload requests was addressed by IBM InfoSphere Information Server. CVE(s): CVE-2016-3092 Affected product(s) and affected version(s): The following product, running on all supported platforms, is affected: IBM InfoSphere Information Server: versions 8.5, 8.7, 9.1, 11.3, and 11.5 IBM InfoSphere Metadata Asset Manager: versions 8.7, 9.1, 11.3, and...
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21988564
*** IBM Security Bulletin: Vulnerability has been identified in IBM Cloud Orchestrator teamwork API (CVE-2016-0206 ) ***
---------------------------------------------
A potential denial of service vulnerability has been identified in IBM Cloud Orchestrator teamwork executeServiceByName API if an invalid URL is provided by local authenticated user. IBM Cloud Orchestrator, formerly known as IBM SmartCloud Orchestrator has addressed the issue. CVE(s): CVE-2016-0206 Affected product(s) and affected version(s): IBM Cloud Orchestrator V2.3, V2.3.0.1 V2.4, V2.4.0.1, V2.4.0.2 Refer...
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg2C1000141
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 01-12-2016 18:00 − Freitag 02-12-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** BitUnmap: Attacking Android Ashmem ***
---------------------------------------------
Posted by Gal Beniamini, Project ZeroThe law of leaky abstractions states that "all non-trivial abstractions, to some degree, are leaky". In this blog post we'll explore the ashmem shared memory interface provided by Android and see how false assumptions about its internal operation can result in security vulnerabilities affecting core system code.
---------------------------------------------
http://googleprojectzero.blogspot.com/2016/12/bitunmap-attacking-android-as…
*** Exploited Script in WordPress Theme Sends Spam ***
---------------------------------------------
As WordPress continues to grow in popularity, so does its library. New and experienced developers are creating themes and plugins - which creates diverse directories. While this is useful to the WordPress community, the nature of mass creation can account for coding errors and vulnerabilities. Even premium themes have security issues. We often find code that is developed with good intentions but without taking security measures into consideration.
---------------------------------------------
https://blog.sucuri.net/2016/12/exploited-script-wordpress-themes-send-spam…
*** Blockchain Technology Explained - An Executive Summary ***
---------------------------------------------
This article provides an executive summary on the Blockchain technology, what it is, how it works, and why everyone is excited about it.
---------------------------------------------
https://www.whitehatsec.com/blog/blockchain-technology/
*** [0day] Bypassing Apples System Integrity Protection ***
---------------------------------------------
Read how an attacker can bypass Apples SIP, via the local OS upgrade process
---------------------------------------------
https://objective-see.com/blog/blog_0x14.html
*** One Bit To Rule A System: Analyzing CVE-2016-7255 Exploit In The Wild ***
---------------------------------------------
Recently, Google researchers discovered a local privilege escalation vulnerability in Windows which was being used in zero-day attacks, including those carried out by the Pawn Storm espionage group. This is an easily exploitable vulnerability which can be found in all supported versions of Windows, from Windows 7 to Windows 10. By changing one bit, the attacker can elevate the privileges of a thread, giving administrator access to a process that would not have it under normal circumstances.
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/bcdzgHcT2VE/
*** Protecting Powershell Credentials (NOT), (Fri, Dec 2nd) ***
---------------------------------------------
If youre like me, youve worked through at least one Powershell tutorial, class or even a how-to blog. And youve likely been advised to use the PSCredential construct to store credentials. The discussion usually covers that this a secure way to collect credentials, then store them in a variable for later use. You can even store them in a file and read them back later. Awesome - this solves a real problem you thought - or does it? For instance, to collect credentials for a VMware vSphere...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21779&rss
*** Remote management app exposes millions of Android users to hacking ***
---------------------------------------------
Poor implementation of encryption in a popular Android remote management application exposes millions of users to data theft and remote code execution attacks.According to researchers from mobile security firm Zimperium, the AirDroid screen sharing and remote control application sends authentication information encrypted with a hard-coded key. This information could allow man-in-the-middle attackers to push out malicious AirDroid add-on updates, which would then gain the permissions of the app...
---------------------------------------------
http://www.cio.com/article/3146916/security/remote-management-app-exposes-m…
*** DFN-CERT-2016-1971: Google Chrome: Mehrere Schwachstellen ermöglichen u.a. die Ausführung beliebigen Programmcodes ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-1971/
*** ZDI-16-617: Dell SonicWALL Universal Management Suite ImagePreviewServlet SQL Injection Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Dell SonicWALL Universal Management Suite. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-16-617/
*** F5 Security Advisory: Apache Tomcat vulnerability CVE-2016-6816 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/50/sol50116122.html?…
*** F5 Security Advisory: Apache Tomcat vulnerability CVE-2016-8735 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/49/sol49820145.html?…
*** USN-3148-1: Ghostscript vulnerabilities ***
---------------------------------------------
Ubuntu Security Notice USN-3148-11st December, 2016ghostscript vulnerabilitiesA security issue affects these releases of Ubuntu and its derivatives: Ubuntu 16.10 Ubuntu 16.04 LTS Ubuntu 14.04 LTS Ubuntu 12.04 LTSSummaryGhostscript could be made to crash, run programs, or disclose sensitiveinformation if it processed a specially crafted file.Software description ghostscript - PostScript and PDF interpreter DetailsTavis Ormandy discovered multiple vulnerabilities in the way that
---------------------------------------------
http://www.ubuntu.com/usn/usn-3148-1/
*** ICS-CERT Advisories ***
---------------------------------------------
*** Siemens SICAM PAS Vulnerabilities ***
https://ics-cert.us-cert.gov/advisories/ICSA-16-336-01
---------------------------------------------
*** Moxa NPort Device Vulnerabilities ***
https://ics-cert.us-cert.gov/advisories/ICSA-16-336-02
---------------------------------------------
*** Mitsubishi Electric MELSEC-Q Series Ethernet Interface Module Vulnerabilities ***
https://ics-cert.us-cert.gov/advisories/ICSA-16-336-03
---------------------------------------------
*** Advantech SUSIAccess Server Vulnerabilities ***
https://ics-cert.us-cert.gov/advisories/ICSA-16-336-04
---------------------------------------------
*** Smiths-Medical CADD-Solis Medication Safety Software Vulnerabilities ***
https://ics-cert.us-cert.gov/advisories/ICSMA-16-306-01
---------------------------------------------
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in PHP affect PowerKVM ***
http://www.ibm.com/support/docview.wss?uid=isg3T1024545
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in the Linux kernel affect PowerKVM ***
http://www.ibm.com/support/docview.wss?uid=isg3T1024478
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects WebSphere Application Server October 2016 CPU (CVE-2016-5573, CVE-2016-5597) that is bundled with IBM WebSphere Application Server Patterns. ***
http://www.ibm.com/support/docview.wss?uid=swg21993759
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in redis affect PowerKVM (CVE-2015-4335, CVE-2013-7458) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1024538
---------------------------------------------
*** IBM Security Bulletin: Authentication vulnerability affects IBM Integration Bus V10.0.0.4 onwards (CVE-2016-8918 ) ***
http://www.ibm.com/support/docview.wss?uid=swg21995079
---------------------------------------------
*** IBM Security Bulletin: The WebAdmin context for WebSphere Message Broker Version 8 allows directory listings (CVE-2016-6080) ***
http://www.ibm.com/support/docview.wss?uid=swg21995004
---------------------------------------------
*** IBM Security Bulletin: IBM Mobile Connect is vulnerable to the Sweet32: Birthday Attacks (CVE-2016-2183) ***
http://www.ibm.com/support/docview.wss?uid=swg21994927
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Process Designer used in IBM Business Process Manager and WebSphere Lombardi Edition (CVE-2016-5573, CVE-2016-5597, CVE-2016-3485) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21994297
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in Apache Tomcat affect SAN Volume Controller, Storwize family and FlashSystem V9000 products ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1009581
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSource libxml2 affect IBM Security Guardium (CVE-2016-2073) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21984606
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 30-11-2016 18:00 − Donnerstag 01-12-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** 0-Day: Tor und Firefox patchen ausgenutzten Javascript-Exploit ***
---------------------------------------------
Tor und Mozilla haben schnell reagiert und veröffentlichen einen außerplanmäßigen Patch für eine kritische Sicherheitslücke. Der Fehler lag in einer Animationsfunktion für Vektorgrafiken.
---------------------------------------------
http://www.golem.de/news/0-day-tor-und-firefox-patchen-kritische-schwachste…
*** Avalanche Takedown ***
---------------------------------------------
Am 30. November 2016 wurde durch ein breit angelegte Kooperation von Polizei (Europol, Eurojust, FBI, ...), Staatsanwälten und IT Sicherheitsorganisationen (BSI, Shadowserver, CERTs) das Avalanche Botnet übernommen. Die Zahlen von Shadowserver sind eindrucksvoll:...
---------------------------------------------
http://www.cert.at/services/blog/20161201172722-1851.html
*** IBM warns of rising VoIP cyberattacks ***
---------------------------------------------
Cyber-attacks using the VoIP protocol Session Initiation Protocol (SIP) have been growing this year accounting for over 51% of the security event activity analyzed in the last 12 months, according to a report from IBM's Security Intelligence group this week."SIP is one of the most commonly used application layer protocols in VoIP technology... we found that there has been an upward trend in attacks targeting the SIP protocol, with the most notable uptick occurring in the second...
---------------------------------------------
http://www.cio.com/article/3146209/security/ibm-warns-of-rising-voip-cybera…
*** Shamoon 2: Return of the Disttrack Wiper ***
---------------------------------------------
In August 2012, an attack campaign known as Shamoon targeted a Saudi Arabian energy company to deliver a malware called Disttrack. Disttrack is a multipurpose tool that exhibits worm-like behavior by attempting to spread to other systems on a local network using stolen administrator credentials. More importantly, its claim to fame is the ability to destroy data and to render infected systems unusable. The attack four years ago resulted in 30,000 or more systems being damaged. Last week, Unit 42...
---------------------------------------------
http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-…
*** Fatal flaws in ten pacemakers make for Denial of Life attacks ***
---------------------------------------------
Brit/Belgian research team decipher signals and devise wounding wireless attacks A global research team has hacked 10 different types of implantable medical devices and pacemakers finding exploits that could allow wireless remote attackers to kill victims.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/12/01/denial_of_l…
*** New SmsSecurity Variant Roots Phones, Abuses Accessibility Features and TeamViewer ***
---------------------------------------------
In January of 2016, we found various "SmsSecurity" mobile apps that claimed to be from various banks. Since then, weve found some new variants of this attack that add new malicious capabilities. These capabilities include: anti-analysis measures, automatic rooting, language detection, and remote access via TeamViewer. In addition, SmsSecurity now cleverly uses the accessibility features of Android to help carry out its routines in a stealthy manner, without interaction from the...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/ckweihUN7n8/
*** SAMRi10: Windows 10 hardening tool for thwarting network recon ***
---------------------------------------------
Microsoft researchers Itay Grady and Tal Be'ery have released another tool to help admins harden their environment against reconnaissance attacks: SAMRi10 (pronounced "Samaritan"). User2 (non-admin) gets access denied by SAMRi10 when calling Net User remotely to a hardened Domain Controller Both the Net Cease tool they released in October and SAMRi10 are simple PowerShell scripts and are aimed at preventing attackers that are already inside a corporate network from mapping it...
---------------------------------------------
https://www.helpnetsecurity.com/2016/12/01/samri10-windows-10-hardening/
*** Security Notice - Statement on Newsmth.net Forum Revealing Security Issue in Huawei P9 Smart Phone ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-notices/2016/huawei-sn-20161130-01-…
*** USN-3141-1: Thunderbird vulnerabilities ***
---------------------------------------------
Ubuntu Security Notice USN-3141-130th November, 2016thunderbird vulnerabilitiesA security issue affects these releases of Ubuntu and its derivatives: Ubuntu 16.10 Ubuntu 16.04 LTS Ubuntu 14.04 LTS Ubuntu 12.04 LTSSummarySeveral security issues were fixed in Thunderbird.Software description thunderbird - Mozilla Open Source mail and newsgroup client DetailsChristian Holler, Jon Coppeard, Olli Pettay, Ehsan Akhgari, Gary Kwong,Tooru Fujisawa, and Randell Jesup discovered multiple memory safety...
---------------------------------------------
http://www.ubuntu.com/usn/usn-3141-1/
*** Security Advisories Relating to Symantec Products - Norton App Lock Bypass ***
---------------------------------------------
Symantec has addressed an issue where on some Android devices, Norton App Lock could have been bypassed, which could have allowed locked applications to be opened.
---------------------------------------------
https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=s…
*** OpenAFS Security Advisory 2016-003 ***
---------------------------------------------
Due to incomplete initialization or clearing of reused memory, OpenAFS directory objects are likely to contain "dead" directory entry information. This extraneous information is not active - that is, it is logically invisible to the fileserver and client. However, the leaked information is physically visible on the fileserver vice partition,...
---------------------------------------------
https://www.openafs.org/pages/security/OPENAFS-SA-2016-003.txt
*** Bugtraq: [security bulletin] HPSBHF03682 rev.1 - HPE Comware 7 Network Products using SSL/TLS, Local Gain Privileged Access ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539855
*** Bugtraq: [security bulletin] HPSBGN03677 rev.1 - HPE Network Automation using RPCServlet and Java Deserialization, Remote Code Execution ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539857
*** Bugtraq: [security bulletin] HPSBGN03680 rev.1 - HPE Propel, Local Denial of Service (DoS), Escalation of Privilege ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539863
*** Bugtraq: [security bulletin] HPSBUX03665 rev.3 - HP-UX Tomcat-based Servlet Engine, Remote Denial of Service (DoS), URL Redirection ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539864
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in wget affects PowerKVM ***
http://www.ibm.com/support/docview.wss?uid=isg3T1024556
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in DHCP affects PowerKVM (CVE-2016-5410) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1024551
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in krb5 affect PowerKVM (CVE-2016-3119, CVE-2016-3120) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1024550
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in util-linux affects PowerKVM (CVE-2016-5011) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1024543
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in powerpc-utils-python affects PowerKVM (CVE-2014-8165) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1024540
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in fontconfig affects PowerKVM (CVE-2016-5384) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1024533
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in sudo affects PowerKVM (CVE-2016-7091) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1024532
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in Python-RSA affects PowerKVM (CVE-2016-1494) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1024409
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in bind affect PowerKVM (CVE-2016-2776, CVE-2016-8864) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1024402
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect PowerKVM ***
http://www.ibm.com/support/docview.wss?uid=isg3T1024401
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 29-11-2016 18:00 − Mittwoch 30-11-2016 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Kritische Sicherheitslücke in Mozilla Firefox - aktiv ausgenützt - keine Patches verfügbar ***
---------------------------------------------
Wie in diversen Medien berichtet wird, gibt es eine kritische Sicherheitslücke in aktuellen Versionen des Mozilla Firefox Browsers, für die noch kein Patch zur Verfügung steht. Diese wird auch bereits aktiv ausgenützt.
---------------------------------------------
https://cert.at/warnings/all/20161130.html
*** Port 7547 in Österreich ***
---------------------------------------------
seit meinem letzten Blogpost zu Mirai/TR-069 sind ein paar neue Informationen dazugekommen
---------------------------------------------
https://cert.at/services/blog/20161130165710-1834.html
*** Ask Sucuri: Can Your cPanel Page Be Maliciously Redirected? ***
---------------------------------------------
Many webmasters may not be aware that hackers are able to maliciously redirect cPanel pages. The specific tactic we describe in this article is unique. Included are recommendations to prevent it, along with other suspicious issues, through logs kept on cPanel servers.
---------------------------------------------
https://blog.sucuri.net/2016/11/ask-sucuri-can-cpanel-page-maliciously-redi…
*** Vuln: Dell iDRAC7 and iDRAC8 Devices CVE-2016-5685 Code Injection Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/94585
*** Emerson Liebert SiteScan XML External Entity Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for an XML External Entity vulnerability affecting Emerson's Liebert SiteScan application.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-334-01
*** Emerson DeltaV Easy Security Management Application Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a vulnerability that affects Emerson's DeltaV Easy Security Management application.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-334-02
*** Emerson DeltaV Wireless I/O Card Open SSH Port Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a vulnerability in the Emerson DeltaV Wireless I/O Card.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-334-03
*** Security Advisory: BIG-IP FastL4 profile vulnerability ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/36/sol36300805.html?…
*** Security Advisory - XSS Vulnerability in Huawei eSpace IAD ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161130-…
*** Security Advisory - DoS Vulnerability in Huawei Switches ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161130-…
*** DFN-CERT-2016-1960/">Apache Subversion: Eine Schwachstelle ermöglicht Denial-of-Service-Angriffe ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-1960/
*** Security Advisory - Command Injection Vulnerability in Huawei FusionAccess ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161130-…
*** GCHQ presents CyberChef, an Open Source Data Analysis Tool ***
---------------------------------------------
The GCHQ has released the code of a new open source web tool dubbed CyberChef, specifically designed for analyzing and decoding data.
---------------------------------------------
http://securityaffairs.co/wordpress/53908/intelligence/gchq-cyberchef.html
*** Multiple I-O DATA network camera products multiple vulnerabilities ***
---------------------------------------------
Multiple network camera products provided by I-O DATA DEVICE, INC. contain multiple vulnerabilities.
---------------------------------------------
http://jvn.jp/en/jp/JVN25059363/
*** New Cerber Variant Leverages Tor2Web Proxies, Google Redirects ***
---------------------------------------------
Researchers have discovered that criminals behind the latest Cerber ransomware variant are leveraging Google redirects and Tor2Web proxies in a new and novel way to evade detection.
---------------------------------------------
http://threatpost.com/new-cerber-variant-leverages-tor2web-proxies-google-r…
*** An overview of the Payment Card Industry (PCI) ***
---------------------------------------------
The payment card industry consists of all the organizations which store, process and transmit cardholder data and carry transactions through debit and credit cards. Many standards are developed to conduct these types of services in a secure way. The well-known standard for this purpose is Payment Card Industry Data Security Standards.
---------------------------------------------
http://resources.infosecinstitute.com/an-overview-of-the-payment-card-indus…
*** Großstörung bei der Telekom: Was wirklich geschah ***
---------------------------------------------
Ein Sicherheitsexperte hat die Reaktion eines der anfälligen Speedport-Modelle analysiert und kommt zu einer überraschenden Erkenntnis: Die Geräte waren gar nicht anfällig für die TR-069-Sicherheitslücke.
---------------------------------------------
https://heise.de/-3520212
*** GET pwned: Web CCTV cams can be hijacked by single HTTP request ***
---------------------------------------------
An insecure web server embedded in more than 35 models of internet-connected CCTV cameras leaves countless devices wide open to hijacking, it is claimed.
---------------------------------------------
http://www.theregister.co.uk/2016/11/30/iot_cameras_compromised_by_long_url/
*** Vuln: OpenJPEG CVE-2016-9675 Incomplete Fix Multiple Remote Heap Based Buffer Overflow Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/bid/94589
*** Cobalt Malware Threatens ATM Security ***
---------------------------------------------
The hackers typically initiated the malware infection through phishing and spearphishing attacks. They sent malware laced emails to employees working at the banks. If some how a cyber security naive-employee clicked on a malicious link in an email or opened an attachment then their system would get infected.
---------------------------------------------
https://blog.comodo.com/malware/cobalt-malware-threatens-atm-security/
*** Android-Malware Gooligan soll über 1 Million Google-Konten gekapert haben ***
---------------------------------------------
Der Tojaner soll Smartphones rooten und Authentifizierungs-Tokens von Google-Accounts kopieren. Über einen Online-Service kann man prüfen, ob das eigene Konto betroffen ist.
---------------------------------------------
https://heise.de/-3520778
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in OpenSSH affects IBM i (CVE-2016-8858) ***
http://www-01.ibm.com/support/docview.wss?uid=nas8N1021734
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in SSL affect IBM DataPower Gateways ***
http://www-01.ibm.com/support/docview.wss?uid=swg21992996
---------------------------------------------
*** IBM Security Bulletin: Multiple Vulnerabilities in OpenSSL affect IBM Worklight and IBM MobileFirst Platform Foundation ***
http://www-01.ibm.com/support/docview.wss?uid=swg2C1000213
---------------------------------------------
*** IBM Security Bulletin: Multiple Vulnerabilities affect IBM Domino & IBM iNotes ***
http://www.ibm.com/support/docview.wss?uid=swg21992835
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Apache Struts affects IBM Social Media Analytics (CVE-2016-0785) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21994386
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 28-11-2016 18:00 − Dienstag 29-11-2016 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Bruce Schneier zur Netz-Sicherheit: "Die Ära von Spaß und Spielen ist vorbei" ***
---------------------------------------------
Der renommierte Sicherheits-Experte warnte auf dem Security-Kongress der Telekom vor einer grenzenlosen Vernetzung. Staatliche Regulierung sei unausweichlich.
---------------------------------------------
https://www.heise.de/newsticker/meldung/Bruce-Schneier-zur-Netz-Sicherheit-…
*** PayPal Fixes OAuth Token Leaking Vulnerability ***
---------------------------------------------
PayPal fixed an issue that could have allowed an attacker to hijack OAuth tokens associated with any PayPal OAuth application. The vulnerability was publicly disclosed on Monday by Antonio Sanso, a senior software engineer at Adobe, after he came across the issue while testing his own OAuth client.
---------------------------------------------
http://threatpost.com/paypal-fixes-oauth-token-leaking-vulnerability/122136/
*** Vuln: WordPress Image Gallery Plugin HTML Injection Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/94565
*** A Rowhammer ban-hammer for all, and its all in software ***
---------------------------------------------
Sorry to go all MC Hammer on you, but boffins tell bit-flippers you cant touch this A group of German researchers reckon theyve cracked a pretty hard nut indeed: how to protect all x86 architectures from the 'Rowhammer' memory bug.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/11/29/a_rowhammer…
*** Tenda / D-Link / TP-Link DHCP Cross Site Scripting ***
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016110233
*** Every Windows 10 in-place Upgrade is a SEVERE Security risk ***
---------------------------------------------
[...] There is a small but CRAZY bug in the way the "Feature Update" (previously known as "Upgrade") is installed. The installation of a new build is done by reimaging the machine and the image installed by a small version of Windows called Windows PE (Preinstallation Environment).
---------------------------------------------
http://blog.win-fu.com/2016/11/every-windows-10-in-place-upgrade-is.html
*** F-Secure: QUICK TIP: How To Make Your Passwords Uncrackable ***
---------------------------------------------
TL;DR: 'The trick is to use a really long random password for each online account,' he tells us. 'The password length should be at least 20 symbols and numbers, but preferably 32.'
---------------------------------------------
https://safeandsavvy.f-secure.com/2016/09/14/quick-tip-how-to-make-your-pas…
*** Azure Security Best Practices ***
---------------------------------------------
Moving applications and workloads to the cloud is a big draw for organizations, primarily due to the favorable economics, ease of deployment, and the flexibility and scale that the cloud provides. Microsoft Azure is one cloud platform seeing rising adoption in the past year. You may be contemplating moving workloads to Azure, particularly if you are a Microsoft shop. But like most organizations moving to the cloud, you are probably concerned about the security of your Azure environment.
---------------------------------------------
https://www.alienvault.com/blogs/security-essentials/azure-security-best-pr…
*** TYPO3 CMS 7.6.14 released ***
---------------------------------------------
This version is a regression fix release for TYPO3 CMS 7.6.13 concerning the usage of the Composer mode with additional third party PHP libraries. This version contains bugfixes concerning Composer only.
---------------------------------------------
https://typo3.org/news/article/typo3-cms-7614-released/
*** Kontonummern und E-Mail: Daten von Mitfahrgelegenheit.de gestohlen ***
---------------------------------------------
Kontonummern und E-Mail-Adressen von ehemaligen Nutzern betroffen - Wenige Österreicher betroffen
---------------------------------------------
http://derstandard.at/2000048456695
*** TR-069 NewNTPServer Exploits: What we know so far, (Tue, Nov 29th) ***
---------------------------------------------
[This is a cleaned up version to summarize yesterdays diary about the attacks against DSL Routers] What is TR-069 TR-069 (or its earlier version TR-064) is a standard published by the Broadband Forum. The Broadband Forum is an industry organization defining standards used to manage broadband networks. It focuses heavily on DSL type modems and more recently included fiber optic connections. TR stands for Technical Report. TR-069 is considered the Broadband Forums Flagship Standard.
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21763&rss
*** Security Advisory: BIG-IP SPDY and HTTP/2 profile vulnerability CVE-2016-7475 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/01/sol01587042.html?…
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Development Package for Apache Spark ***
http://www-01.ibm.com/support/docview.wss?uid=swg21994185
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in IBM Java Runtime affect WebSphere Dashboard Framework (CVE-2016-5573, CVE-2016-5597) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21994184
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in IBM Java SDK and IBM Java Runtime affect Web Experience Factory (CVE-2016-5573, CVE-2016-5597) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21994181
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities may affect IBM SDK, Java Technology Edition ***
https://www-01.ibm.com/support/docview.wss?uid=swg21985393
---------------------------------------------
*** IBM Security Bulletin: Multiple OpenSource Expat XML Vulnerabilities affect IBM DB2 Net Search Extender for Linux, Unix and Windows ***
http://www.ibm.com/support/docview.wss?uid=swg21992933
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect WebSphere Extreme Scale (CVEs-2016-3485) ***
http://www.ibm.com/support/docview.wss?uid=swg21993946
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect WebSphere Message Broker and IBM Integration Bus ( CVE-2016-2107,CVE-2016-2176) ***
http://www.ibm.com/support/docview.wss?uid=swg21992894
---------------------------------------------
*** IBM Security Bulletin: IBM Integration Bus and WebSphere Message Broker, upon installation, set incorrect permissions for an object ( CVE-2016-0394 ) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21985013
---------------------------------------------
*** IBM Security Bulletin: Vulnerability has been identified in View All User Domain Tasks of IBM Cloud Orchestrator (CVE-2016-0202 ) ***
http://www.ibm.com/support/docview.wss?uid=swg2C1000134
---------------------------------------------
*** IBM Security Bulletin: FileNet Workplace XT can be affected by the File Extension validation vulnerability (CVE-2016-8921) ***
http://www.ibm.com/support/docview.wss?uid=swg21994018
---------------------------------------------
*** IBM Security Bulletin: Multiple Mozilla Firefox vulnerability issues in IBM Storwize V7000 Unified. ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1009589
---------------------------------------------
*** IBM Security Bulletin: GPFS security vulnerabilities in IBM Storwize V7000 Unified (CVE-2016-2985 and CVE-2016-2984) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1009324
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 25-11-2016 18:00 − Montag 28-11-2016 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Mirai goes TR-069 ***
---------------------------------------------
Zu Mirai hab ich hier schon viel geschrieben. Bis jetzt hat sich dieses Botnet rein über das Erraten von Passwörtern auf Telnet-Interfaces weiterverbreitet. Das hat sich jetzt geändert: Am 7. November hat jemand einen Proof-of-concept exploit für ein CPE (Customer premise equipment -- also DSL-Modem, Kabelmodem & co) veröffentlicht, der zeigt, wie man per TR-069 dem Gerät Schadsoftware unterschieben kann.
---------------------------------------------
http://www.cert.at/services/blog/20161128173929-1823.html
*** DSA-3725 icu - security update ***
---------------------------------------------
Several vulnerabilities were discovered in the International Componentsfor Unicode (ICU) library.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3725
*** [2016-11-28] Denial of service & heap-based buffer overflow in Guidance Software EnCase Forensic ***
---------------------------------------------
EnCase Forensic Imager and the EnCase Forensic suite are widely used by computer forensic experts to analyze hard disks. Due to flaws in these products an attacker could manipulate a hard disk to keep an investigator from fully analyzing it (denial of service). Potentially, an attacker could execute malicious code on the investigators machine.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2016…
*** DFN-CERT-2016-1949/">ImageMagick: Mehrere Schwachstellen ermöglichen u.a. Denial-of-Service-Angriffe ***
---------------------------------------------
Mehrere Schwachstellen in ImageMagick ermöglichen einem entfernten, nicht authentisierten Angreifer die Durchführung verschiedener Denial-of-Service (DoS)-Angriffe sowie das Ausspähen von Informationen.
Debian stellt für die Distribution Debian Jessie (stable) ein Sicherheitsupdate bereit.
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-1949/
*** Erpressungs-Trojaner: Locky setzt auf .zzzzz-Endung, Cerber geht in Version 5.0.1 um ***
---------------------------------------------
Kriminelle sollen Berichten nach aktuell neue Versionen von Cerber und Locky verbreiten. Vorsicht: Viele Viren-Wächter springen offensichtlich noch nicht auf Cerber an.
---------------------------------------------
https://heise.de/-3506049
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 24-11-2016 18:00 − Freitag 25-11-2016 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Kriminelle bieten Mirai-Botnetz mit 400.000 IoT-Geräten zur Miete an ***
---------------------------------------------
Was macht das Mirai-Botnetz gerade? Die beiden Sicherheitsforscher mit den Pseudonymen 2sec4u und MalwareTech überwachen das Mirai-Botnetz und teilen aktuelle Aktivitäten via Twitter und eine Webseite. Aus der Live Map der Webseite geht hervor, dass bislang über die ganze Welt verteilt insgesamt mehr als 3 Millionen Geräte im Mirai-Botnetz gefangen waren. In den letzten 24 Stunden waren es knapp unter 100.000.
---------------------------------------------
https://www.heise.de/security/meldung/Kriminelle-bieten-Mirai-Botnetz-mit-4…
*** Gehackte Zugänge: Kriminelle versenden Malware mit Mailchimp-Accounts ***
---------------------------------------------
Kriminelle nutzen offenbar übernommene Mailchimp-Accounts, um Malware zu verbreiten. Das geschieht vor allem über Mails mit angeblichen Rechnungen. Alle 2.000 betroffenen Accounts wurden vorläufig stillgelegt.
---------------------------------------------
http://www.golem.de/news/gehackte-zugaenge-kriminelle-versenden-malware-mit…
*** Locky hidden in image file hitting Facebook, LinkedIn users ***
---------------------------------------------
Malware masquerading as an image file is still spreading on Facebook, LinkedIn, and other social networks. Check Point researchers have apparently discovered how cyber crooks are embedding malware in graphic and image files, and how they are executing the malicious code within these images to infect social media users with Locky ransomware variants. The attackers exploit a misconfiguration on the social media infrastructure to deliberately force their victims to download the image file.
---------------------------------------------
https://www.helpnetsecurity.com/2016/11/25/locky-image-file-facebook-linked…
*** The Week in Ransomware - November 25th 2016 - Locky, Decryptors, Cerber, Open Source Ransomware sucks, and More ***
---------------------------------------------
Lots of ransomware stories this week. We have two new decryptors, quite a few new ransomware infections, PadCrypt being hidden inside a fake credit card generator, and a few new variants. The biggest news is two new variants of the Locky ransomware that append the .zzzzz and .aesir extensions for encrypted files. [...]
---------------------------------------------
http://www.bleepingcomputer.com/news/security/the-week-in-ransomware-novemb…
*** Free Software Quick Security Checklist, (Fri, Nov 25th) ***
---------------------------------------------
Free software (open source or not) is interesting for many reasons. It can be adapted to your own needs, it can be easily integrated within complex architectures but the most important remains, of course, the price. Even if they are many hidden costs related to free software. In case of issues, a lot of time may be spent in searching for a solution or diving into the source code (and everybody knows that time is money!). Today, more and more organisationsare not afraid anymore to deployfree...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21751&rss
*** DFN-CERT-2016-1945: phpMyAdmin: Mehrere Schwachstellen ermöglichen u.a. die Ausführung beliebiger SQL-Befehle ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-1945/
*** Security Advisory - Buffer Overflow Vulnerability in Huawei Firewall Products ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161125-…
*** Citrix XenServer Multiple Security Updates ***
---------------------------------------------
A number of security vulnerabilities have been identified in Citrix XenServer that may allow malicious code running within a guest VM to compromise the host. These vulnerabilities affect all currently supported versions of Citrix XenServer up to and including Citrix XenServer 7.0. CVE-2016-9379, CVE-2016-9380, CVE-2016-9381, CVE-2016-9382, CVE-2016-9383, CVE-2016-9385, CVE-2016-9386
---------------------------------------------
https://support.citrix.com/article/CTX218775
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 23-11-2016 18:00 − Donnerstag 24-11-2016 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Don't let this Black Friday/Cyber Monday spam deliver Locky ransomware to you ***
---------------------------------------------
We see it every year: social engineering attacks that take advantage of the online shopping activities around Black Friday and Cyber Monday, targeting customers of online retailers. This year, we're seeing a spam campaign that Amazon customers need to be wary of.
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2016/11/23/dont-let-this-black-fri…
*** LXC CVE-2016-8649 Directory Traversal Vulnerability ***
---------------------------------------------
An attacker can exploit this issue using directory-traversal characters (../) to access or read arbitrary files that contain sensitive information or to access files outside of the restricted directory to obtain sensitive information and perform other attacks.
---------------------------------------------
http://www.securityfocus.com/bid/94498/info
*** Multiple Samsung Galaxy Product CVE-2016-9567 Security Bypass Vulnerability ***
---------------------------------------------
Multiple Samsung Galaxy products are prone to a security-bypass vulnerability. An attacker may exploit this issue to bypass certain security restrictions and perform unauthorized actions. This may lead to further attacks. Samsung Galaxy devices with Marshmallow 6.0 are vulnerable.
---------------------------------------------
http://www.securityfocus.com/bid/94494/info
*** w3m Multiple Security Vulnerabilities ***
---------------------------------------------
Attackers can exploit these issues to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will likely cause denial-of-service conditions. Versions prior to w3m 0.5.3-33 are vulnerable.
---------------------------------------------
http://www.securityfocus.com/bid/94464/discuss
*** Research on unsecured Wi-Fi networks across the world ***
---------------------------------------------
We compared the situation with Wi-Fi traffic encryption in different countries using data from our threat database. We counted the number of reliable and unreliable networks in each country that has more than 10 thousand access points known to us
---------------------------------------------
https://securelist.com/blog/research/76733/research-on-unsecured-wi-fi-netw…
*** DFN-CERT-2016-1942/">RealNetworks RealPlayer: Eine Schwachstelle ermöglicht einen Denial-of-Service-Angriff ***
---------------------------------------------
Ein entfernter, nicht authentisierter Angreifer kann eine Schwachstelle im RealPlayer ausnutzen, mit Hilfe einer schädlichen präparierten QCP-Mediendatei, zu deren Wiedergabe er einen Benutzer verleitet, um einen Denial-of-Service (DoS)-Angriff durchzuführen.
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-1942/
*** Windows-Update für Secure-Boot-Fehler macht BIOS-Updates erforderlich ***
---------------------------------------------
Mit dem Patch 3193479 beziehungsweise 3200970 für aktuelle Windows-(Server-)Versionen korrigiert Microsoft einen Bug in UEFI Secure Boot, doch einige Server starten danach nicht mehr.
---------------------------------------------
https://heise.de/-3503589
*** Diagnosing cyber threats for smart hospitals ***
---------------------------------------------
ENISA presents a study that sets the scene on information security for the adoption of IoT in Hospitals. The study which engaged information security officers from more than ten hospitals across the EU, depicts the smart hospital ICT ecosystem; and through a risk based approach focuses on relevant threats and vulnerabilities, analyses attack scenarios, and maps common good practices.
---------------------------------------------
https://www.enisa.europa.eu/news/enisa-news/diagnosing-cyber-threats-for-sm…
*** Security Advisory: PHP vulnerability CVE-2016-6288 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/71/sol71814571.html?…
*** Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products: November 2016 ***
---------------------------------------------
Multiple Cisco products incorporate a version of the Network Time Protocol daemon (ntpd) package. Versions of this package are affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or modify the time being advertised by a device acting as a Network Time Protocol (NTP) server.
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 22-11-2016 18:00 − Mittwoch 23-11-2016 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** The November 2016 issue of our SWITCH Security Report is available! ***
---------------------------------------------
The topics covered in this report are:
* IT security researchers reveal vulnerabilities in photoTAN procedure for mobile banking
* DDoS attack via IoT botnet shuts down parts of Internet
* Triple record: Yahoo loses half a billion customers’ details, more trust than ever and USD 1 billion from its acquisition price
---------------------------------------------
https://securityblog.switch.ch/2016/11/23/the-november-2016-issue-of-our-sw…
*** Securing Drupal with ModSecurity and the Core Rule Set (CRS3) ***
---------------------------------------------
Here is a guide aimed at the Drupal community to learn how to work with ModSecurity. OWASP ModSecurity Core Rule Set is a horrible name for a project, that's why we speak of CRS3. This is a security project and for those not familiar with the CRS, I will first give a brief intro first.
---------------------------------------------
https://www.netnea.com/cms/2016/11/22/securing-drupal-with-modsecurity-and-…
*** DomainTools 101: How to Spot Phishy Domains on Cyber Monday ***
---------------------------------------------
Just as the Grumeti River in Tanzania harbors dangerous crocodiles just below its surface, a Phishing email usually contains malicious domains waiting for you to click. I read a great article by Bleeping Computer about finding some Google domains that were spoofed using what is known as small caps. This piqued my curiosity ...
---------------------------------------------
https://blog.domaintools.com/2016/11/domaintools-101-how-to-spot-phishy-dom…
*** [DSA 3722-1] vim security update ***
---------------------------------------------
CVE ID : CVE-2016-1248 Florian Larysch and Bram Moolenaar discovered that vim, an enhanced vi editor, does not properly validate values for the the filetype, syntax and keymap options, which may result in the execution of arbitrary code if a file with a specially crafted modeline is opened.
---------------------------------------------
https://lists.debian.org/debian-security-announce/2016/msg00305.html
*** Mapping Attack Methodology to Controls, (Wed, Nov 23rd) ***
---------------------------------------------
Recently weve seen lots of malicious documents make it through our first protection layers. (https://www.virustotal.com/en/file/79ff976c5ca6025f3bb90ddfa7298286217c2130…) . In the last week, these emails have a word document that spawns a command shell that kicks off a PowerShell script. When working incidents, it is important to map out the attacker lifecycle to determine where to improve your defenses.
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21749&rss
*** Telegram API ransomware wrecked three weeks after launch ***
---------------------------------------------
Crypto so bad that getting around it is shooting fish in a barrel Ransomware scum abusing the protocol of the popular Telegram encrypted chat app have been wrecked and their malware ransom system decrypted.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/11/23/owned_teleg…
*** Vuln: TP-LINK TL-WA5210G Buffer Overflow and Information Disclosure Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/bid/94481
*** Pentest-Report cURL 08.2016 [PDF] ***
---------------------------------------------
This report documents findings of a source code audit dedicated to assessing the cURL software. The assessment of the tool was performed by Cure53 as part of the Mozilla's Secure Open Source track program. The results of the project encompass twenty-three security-relevant discoveries.
---------------------------------------------
https://wiki.mozilla.org/images/a/aa/Curl-report.pdf
*** Acunetix 10.0 DLL Hijacking ***
---------------------------------------------
Topic: Acunetix 10.0 DLL Hijacking Risk: Medium Text:Title: Acunetix 10 Multi DLL Hajacking Application: Acunetix Versions Affected: 10.0 Vendor URL: http://www.acunetix.com Di...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016110196
*** Schneider Electric Magelis HMI Resource Consumption Vulnerabilities (Update A) ***
---------------------------------------------
This updated advisory is a follow-up to the original advisory titled ICSA-16-308-02 Schneider Electric Magelis HMI Resource Consumption Vulnerabilities that was published November 3, 2016, on the NCCIC/ICS-CERT web site. This advisory contains mitigation details for resource consumption vulnerabilities affecting Schneider Electric's Magelis human-machine interface products.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-308-02
*** Security updates available in Foxit Reader 8.1.1 and Foxit PhantomPDF 8.1.1 ***
---------------------------------------------
Foxit has released Foxit Reader 8.1.1 and Foxit PhantomPDF 8.1.1, which address potential security and stability issues
---------------------------------------------
https://www.foxitsoftware.com/support/security-bulletins.php
*** Security Advisory: PHP vulnerability - CVE-2016-6288 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/71/sol71814571.html?…
*** Siemens ***
---------------------------------------------
*** Siemens SIMATIC CP 1543-1 Vulnerabilities ***
https://ics-cert.us-cert.gov/advisories/ICSA-16-327-01
---------------------------------------------
*** Siemens SIMATIC CP 343-1/CP 443-1 Modules and SIMATIC S7-300/S7-400 CPUs Vulnerabilities ***
https://ics-cert.us-cert.gov/advisories/ICSA-16-327-02
---------------------------------------------
*** Siemens Industrial Products Local Privilege Escalation Vulnerability (Update A) ***
https://ics-cert.us-cert.gov/advisories/ICSA-16-313-02
*** Huawei ***
---------------------------------------------
*** Security Advisory - Multiple Security Vulnerabilities in Huawei Smart Phone Products ***
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161123-…
---------------------------------------------
*** Security Advisory - Privilege Escalation Vulnerability in the FusionStorage ***
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161123-…
---------------------------------------------
*** Security Advisory - Buffer Overflow Vulnerability in TP Driver of Huawei Smart Phone ***
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161123-…
---------------------------------------------
*** Security Advisory - Integer Overflow Vulnerability in Some Huawei Devices ***
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161123-…
---------------------------------------------
*** Security Advisory - Buffer Overflow Vulnerability in HIFI Driver of Huawei Smart Phone ***
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161123-…
*** VMware ***
---------------------------------------------
*** VMSA-2016-0022 ***
https://www.vmware.com/security/advisories/VMSA-2016-0022.html
---------------------------------------------
*** VMSA-2016-0021 ***
https://www.vmware.com/security/advisories/VMSA-2016-0021.html
---------------------------------------------
*** VMSA-2016-0018.3 ***
https://www.vmware.com/security/advisories/VMSA-2016-0018.html
*** Novell ***
---------------------------------------------
*** eDirectory 9.0.2 (non-root) for Linux ***
https://download.novell.com/Download?buildid=dgSdIXwk2Cc~
---------------------------------------------
*** iManager 2.7 Support Pack 7 - Patch 8 for Linux ***
https://download.novell.com/Download?buildid=OFnb6Ew8wPM~
---------------------------------------------
*** iManager 2.7 Support Pack 7 - Patch 8 for Windows ***
https://download.novell.com/Download?buildid=wPIC5t8Drqo~
---------------------------------------------
*** eDirectory 8.8 SP8 Patch 9 for Linux ***
https://download.novell.com/Download?buildid=zJBqj6SjCzg~
---------------------------------------------
*** iManager 3.0.2 for Linux ***
https://download.novell.com/Download?buildid=rIhWBDnLYU8~
---------------------------------------------
*** iManager 3.0.2 for Windows ***
https://download.novell.com/Download?buildid=iMupD_KbGcA~
---------------------------------------------
*** eDirectory 9.0.2 for Linux ***
https://download.novell.com/Download?buildid=TLXIiZ6uoho~
---------------------------------------------
*** eDirectory 9.0.2 for Windows ***
https://download.novell.com/Download?buildid=_N2FUsWAalg~
---------------------------------------------
*** eDirectory 8.8 SP8 Patch 9 (non-root) for Linux ***
https://download.novell.com/Download?buildid=Y9WDuLNbJxE~
---------------------------------------------
*** eDirectory 8.8 SP8 Patch 9 for Windows ***
https://download.novell.com/Download?buildid=aDcgeiAEaYc~
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 21-11-2016 18:00 − Dienstag 22-11-2016 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Windows 10 Cannot Protect Insecure Applications Like EMET Can ***
---------------------------------------------
Recently, Microsoft published a blog post called Moving Beyond EMET that appears to make two main points: (1) Microsoft will no longer support EMET after July 31, 2018, and (2) Windows 10 provides protections that make EMET unnecessary. In this blog post, I explain why Windows 10 does not provide the additional protections that EMET does and why EMET is still an important tool to help prevent exploitation of vulnerabilities.
---------------------------------------------
https://insights.sei.cmu.edu/cert/2016/11/windows-10-cannot-protect-insecur…
*** SSA-603476 (Last Update 2016-11-21): Web Vulnerabilities in SIMATIC CP 343-1/CP 443-1 Modules and SIMATIC S7-300/S7-400 CPUs ***
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-603476…
*** Facebook Messenger: Malware via SVG ***
---------------------------------------------
Vorsicht bei Dateianhängen in Facebooks Chat: Gekaperte Accounts versenden Schadsoftware - neuerdings in Form einer SVG-Grafik.
---------------------------------------------
https://www.heise.de/newsticker/meldung/Facebook-Messenger-Malware-via-SVG-…
*** Moodle Vulns ***
---------------------------------------------
*** Vuln: Moodle MSA-16-0026 Information Disclosure Vulnerability ***
http://www.securityfocus.com/bid/94456
---------------------------------------------
*** Vuln: Moodle CVE-2016-8643 Security Bypass Vulnerability ***
http://www.securityfocus.com/bid/94457
---------------------------------------------
*** Vuln: Moodle CVE-2016-8644 Information Disclosure Vulnerability ***
http://www.securityfocus.com/bid/94458
*** Exploit Code Released for NTP Vulnerability ***
---------------------------------------------
NTP 4.2.8p9 includes a patch for a vulnerability that could crash ntpd with a single malformed packet.
---------------------------------------------
http://threatpost.com/exploit-code-released-for-ntp-vulnerability/122104/
*** The Kings in Your Castle, Pt. #3 ***
---------------------------------------------
In the third episode of Marion Marschaleks and Raphael Vinots series of articles on modern APTs, they will shine some light on the prevalence of Zero-Day vulnerabilities. In reality, the use of Zero-Days is far less common than expected. In fact, APT groups in some cases exploit vulnerabilities which are a couple of years old. On the side of the analysts, they will explain that identical hashes are by no means a reliable indicator for dealing with identical files.
---------------------------------------------
https://blog.gdatasoftware.com/2016/11/29302-kings-in-your-castle-pt-3
*** TYPO3 ***
---------------------------------------------
*** Path Traversal in TYPO3 Core ***
https://typo3.org/news/article/path-traversal-in-typo3-core/
---------------------------------------------
*** Insecure Unserialize in TYPO3 Backend ***
https://typo3.org/news/article/insecure-unserialize-in-typo3-backend/
*** Businesses as Ransomware's Goldmine: How Cerber Encrypts Database Files ***
---------------------------------------------
Possibly to maximize the earning potential of Cerber's developers and their affiliates, the ransomware incorporated a routine with heavier impact to businesses: encrypting database files.
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/KntWjaKLssw/
*** Android-Trojaner GT!tr.spy soll vor allem deutsche Bank-Kunden ins Visier nehmen ***
---------------------------------------------
Fortinet ist nach eigenen Angaben auf einen aktuellen Android-Trojaner mit der Bezeichnung GT!tr.spy gestoßen, der es in erster Linie auf Kreditkarten- und Log-in-Daten von deutschen und österreichischen Bank-Kunden abgesehen hat. Davon sollen Kunden von nicht näher beschriebenen 15 deutschen und fünf österreichischen Banken bedroht sein ...
---------------------------------------------
https://heise.de/-3494472
*** Exploit Code Released for NTP Vulnerability ***
---------------------------------------------
NTP 4.2.8p9 includes a patch for a vulnerability that could crash ntpd with a single malformed packet.
---------------------------------------------
http://threatpost.com/exploit-code-released-for-ntp-vulnerability/122104/
*** FortiOS flow-mode detection bypass under certain conditions ***
---------------------------------------------
A FortiGate configured to use flow-based protection will stop monitoring network sessions that are active when a scanning engine is reloaded after an update (nearly instantaneous process).This tends to impact long lived network sessions...
---------------------------------------------
http://fortiguard.com/advisory/fortios-flow-mode-detection-bypass-under-cer…
*** F5 Security Advisories ***
---------------------------------------------
*** Security Advisory: OpenSSL vulnerability CVE-2016-8610 ***
https://support.f5.com:443/kb/en-us/solutions/public/k/11/sol11307303.html?…
---------------------------------------------
*** Security Advisory: ImageMagick vulnerabilities CVE-2015-8895 and CVE-2015-8896 ***
https://support.f5.com:443/kb/en-us/solutions/public/k/30/sol30403302.html?…
---------------------------------------------
*** Security Advisory: ImageMagick vulnerability CVE-2015-8898 ***
https://support.f5.com:443/kb/en-us/solutions/public/k/68/sol68785753.html?…
---------------------------------------------
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Security Network Protection ***
http://www-01.ibm.com/support/docview.wss?uid=swg21991724
---------------------------------------------
*** IBM Security Bulletin: IBM Tivoli Storage Manager FastBack for Bare Machine Recovery Stack-Based Buffer Overflow Elevation of Privilege Vulnerability (CVE-2016-6091) ***
http://www.ibm.com/support/docview.wss?uid=swg21993925
---------------------------------------------
*** IBM Security Bulletin: IBM Tivoli Storage Manager FastBack Stack-Based Buffer Overflow Elevation of Privilege Vulnerability (CVE-2016-6091) ***
http://www.ibm.com/support/docview.wss?uid=swg21993916
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in busybox affect IBM Security Network Protection (CVE-2014-4607, and CVE-2014-9645 ) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21990083
---------------------------------------------
*** IBM Security Bulletin: Multiple Denial of Service vulnerabilities with Expat might affect IBM HTTP Server used with IBM Security Network Protection ***
http://www-01.ibm.com/support/docview.wss?uid=swg21989336
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in IBM Java SDK affect IBM Spectrum Control and Tivoli Storage Productivity Center (CVE-2016-3485) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21993565
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in IBM WebSphere Application Server affects IBM Spectrum Control (formerly Tivoli Storage Productivity Center) CVE-2016-0377 ***
http://www-01.ibm.com/support/docview.wss?uid=swg21993522
---------------------------------------------
*** IBM Vulnerabilities in BIND impact AIX (CVE-2016-2776, CVE-2016-2775) ***
http://aix.software.ibm.com/aix/efixes/security/bind_advisory13.asc
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect AIX ***
http://aix.software.ibm.com/aix/efixes/security/openssl_advisory21.asc
---------------------------------------------