=======================
= End-of-Shift report =
=======================
Timeframe: Montag 23-05-2016 18:00 − Dienstag 24-05-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** DMA Locker 4.0 - Known Ransomware Preparing For A Massive Distribution ***
---------------------------------------------
We take a look at the step towards maturity of DMA Locker how this will be spreading on a bigger scale.Categories: Malware Threat analysisTags: DMA Lockerransomware(Read more...)
---------------------------------------------
https://blog.malwarebytes.org/threat-analysis/2016/05/dma-locker-4-0-known-…
*** Beware of keystroke loggers disguised as USB phone chargers, FBI warns ***
---------------------------------------------
Private industry notification comes 15 months after debut of KeySweeper.
---------------------------------------------
http://arstechnica.com/security/2016/05/beware-of-keystroke-loggers-disguis…
*** SWIFT to unveil new security plan after hackers heists ***
---------------------------------------------
The SWIFT secure messaging service that underpins international banking said it plans to launch a new security program as it fights to rebuild its reputation in the wake of the Bangladesh Bank heist. [...] Users frequently do not inform SWIFT of breaches of their SWIFT systems and even now, the co-operative has not proposed any sanctions for clients who fail to pass on information, which SWIFT itself says is key to stopping future attacks.
---------------------------------------------
http://www.reuters.com/article/us-cyber-banks-swift-idUSKCN0YE2S6
*** Kommentar: Allo, Google? Gehts noch? ***
---------------------------------------------
Googles WhatsApp-Alternative Allo verschlüsselt nicht konsequent, sondern liest stattdessen aktiv mit. Was soll das?
---------------------------------------------
http://heise.de/-3215729
*** WPAD name collision bug opens door for MitM attackers ***
---------------------------------------------
A vulnerability in Web Proxy Auto-Discovery (WPAD), a protocol used to ensure all systems in an organization utilize the same web proxy configuration, can be exploited to mount MitM attacks from anywhere on the Internet, US-CERT warns. "With the New gTLD program, previously undelegated gTLD strings are now being delegated for public domain name registration. These strings may be used by private or enterprise networks, and in certain circumstances, such as when a work computer...
---------------------------------------------
https://www.helpnetsecurity.com/2016/05/24/wpad-name-collision-bug/
*** Hacker finds flaw in teleconference tool used by US Army, NASA and CERN ***
---------------------------------------------
Like we need another reason to hate videoconferences Sydney security tester Jamieson OReilly has reported a since-patched vulnerability in popular video platform Vidyo - used by the likes of the US Army, NASA and CERN - that could see videos leaked and systems compromised.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/05/19/popular_tel…
*** Pastejacking im Browser: Codeausführung per Copy and Paste ***
---------------------------------------------
Browser können den Inhalt der Zwischenablage selbstständig verändern. In einem Proof-of-Concept wird gezeigt, wie diese Funktion für Angriffe genutzt werden kann - und Nutzer sich recht einfach schützen können.
---------------------------------------------
http://www.golem.de/news/pastejacking-im-browser-codeausfuehrung-per-copy-a…
*** Bösartige Apps stellen heimlich teure Telefonverbindungen her ***
---------------------------------------------
Warnung der Regulierungsbehörde
---------------------------------------------
http://derstandard.at/2000037564561
*** Neben Erpressung nun auch DDoS: Verschlüsselungs-Trojaner Cerber lernt dazu ***
---------------------------------------------
Mit einer neuen Version von Cerber wollen die Drahtzieher hinter der Ransomware noch mehr Profit generieren: Der Schädling nimmt persönliche Daten als Geisel und die Kriminellen können infizierte Computer für DDoS-Attacken missbrauchen.
---------------------------------------------
http://heise.de/-3217254
*** The Anti-Ransomware Protection Plan You Need to Follow Today ***
---------------------------------------------
Technology has made our lives both easier and more complicated - there's no denying that. Fast Internet access opened up a world of wisdom and all the distractions we can image. But the door is also open for cyber criminals with little to no scruples and a big appetite for money. And there's no better...
---------------------------------------------
https://heimdalsecurity.com/blog/anti-ransomware-protection-plan/
*** Xen Security Advisory CVE-2014-3672 / XSA-180 ***
---------------------------------------------
When the libxl toolstack launches qemu for HVM guests, it pipes the output of stderr to a file in /var/log/xen. This output is not rate-limited in any way. The guest can easily cause qemu to print messages to stderr, causing this file to become arbitrarily large.
---------------------------------------------
http://xenbits.xen.org/xsa/advisory-180.html
*** Pulse Connect Secure Bugs Let Remote Users Deny Service, Obtain Potentially Sensitive Information, and Conduct Cross-Site Scripting Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1035932
*** Missing Access Check in TYPO3 CMS ***
---------------------------------------------
It has been discovered, that TYPO3 CMS lacks an access check for Extbase actions.
---------------------------------------------
https://typo3.org/news/article/missing-access-check-in-typo3-cms/
*** Missing Access Check in extension "Frontend User Registration" (sf_register) ***
---------------------------------------------
It has been discovered that the extension "Frontend User Registration" (sf_register) lacks a proper access check.
---------------------------------------------
https://typo3.org/news/article/missing-access-check-in-extension-frontend-u…
*** Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager JSON Privilege Escalation Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco UCS Invicta Software Default GPG Key Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** F5 Security Advisories ***
---------------------------------------------
*** Security Advisory: GNU C Library (glibc) vulnerability CVE-2016-3075 ***
https://support.f5.com:443/kb/en-us/solutions/public/k/15/sol15439022.html?…
---------------------------------------------
*** Security Advisory: OpenSSH vulnerability CVE-2016-1907 ***
https://support.f5.com:443/kb/en-us/solutions/public/k/35/sol35424631.html?…
---------------------------------------------
*** Security Advisory: glibc vulnerability CVE-2016-3075 ***
https://support.f5.com:443/kb/en-us/solutions/public/k/15/sol15439022.html?…
---------------------------------------------
*** Security Advisory: Java vulnerabilities CVE-2013-5782 and CVE-2013-5803 ***
https://support.f5.com:443/kb/en-us/solutions/public/k/14/sol14340611.html?…
---------------------------------------------
*** Security Advisory: PHP Vulnerability CVE-2016-4539 ***
https://support.f5.com:443/kb/en-us/solutions/public/k/35/sol35240323.html?…
---------------------------------------------
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Host On-Demand (CVE-2016-0264 ,CVE-2016-3449) ***
http://www.ibm.com/support/docview.wss?uid=swg21983578
---------------------------------------------
*** IBM Security Bulletin: Multiple Mozilla Firefox vulnerability issues in IBM Storwize V7000 Unified ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005812
---------------------------------------------
*** IBM Security Bulletin: IBM Connections Security Update (CVE-2016-0322) ***
http://www.ibm.com/support/docview.wss?uid=swg21982611
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Apache Tomcat may affect IBM WebSphere Application Server Community Edition (CVE-2015-5174) ***
http://www.ibm.com/support/docview.wss?uid=swg21983128
---------------------------------------------
*** IBM Applicable countries and regions ***
http://www.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5099367
---------------------------------------------
*** IBM Security Bulletin: Security vulnerabilities have been identified in the versions of IBM WebSphere Application Server Community Edition bundled with Web Experience Factory 7.0.x and 8.0.x (CVE-2015-5345) (CVE-2016-0706) (CVE-2016-0714) ***
http://www.ibm.com/support/docview.wss?uid=swg21981775
---------------------------------------------
*** IBM Security Bulletin: HTTP response splitting has been identified in IBM WebSphere Application Server Liberty Profile shipped with SmartCloud Cost Management and Tivoli Usage Accounting Manager (CVE-2015-2017) ***
http://www.ibm.com/support/docview.wss?uid=swg2C1000121
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 20-05-2016 18:00 − Montag 23-05-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Backdoor in Fake Joomla! Core Files ***
---------------------------------------------
We usually write a lot about obfuscation methods on Sucuri Labs and here on the blog. Sometimes we write about free tools to obfuscate your code that aren't that free and we also have an online tool to help decoding the malware you find. But sometimes the malware is not clearly encoded using base64, gzinflate, hex concatenation,... The post Backdoor in Fake Joomla! Core Files appeared first on Sucuri Blog.
---------------------------------------------
https://blog.sucuri.net/2016/05/unexpected-backdoor-fake-core-files.html
*** 60 percent of enterprise Android phones prone to QSEE vulnerability ***
---------------------------------------------
Duo Labs researchers found that 60 percent of enterprise Android phones are affected by a critical QSEE vulnerability.
---------------------------------------------
http://www.scmagazine.com/majority-of-enterprise-android-phones-vulnerable-…
*** The strange case of WinZip MRU Registry key, (Sun, May 22nd) ***
---------------------------------------------
When we want to know if a document (.doc, .pdf, whatever) has been opened by the user, in a Windows environment our information goldmine place is the Registry and particularly its MRUs keys. However, it seems this is not always the case. During the analysis of the Retefe case I wrote about in my previous diary, I came across a Registry behavior I did not expect, or at least I was not aware of, about how to verify if the file contained within the zip archive had been opened or not. Regarding...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21087&rss
*** ENISA- Europol issue joint statement ***
---------------------------------------------
ENISA and Europol issue joint statement on lawful criminal investigation that respects 21st Century data protection.
---------------------------------------------
https://www.enisa.europa.eu/news/enisa-news/enisa-europol-issue-joint-state…
*** Geldautomaten: Kriminelle erbeuten Millionen in zwei Stunden ***
---------------------------------------------
Kriminelle Kartenfälscher agieren global: Mit Hilfe von Kreditkarteninformationen einer südafrikanischen Bank erbeutete eine Bande in Japan in nur 2,5 Stunden Bargeld im Wert von mehr als 12 Millionen Euro.
---------------------------------------------
http://www.golem.de/news/geldautomaten-kriminelle-erbeuten-millionen-in-zwe…
*** National coordinators meet to prepare for ECSM launch ***
---------------------------------------------
National coordinators from across Europe gathered in Brussels earlier this month in preparation for the launch of this year's European Cyber Security Month.
---------------------------------------------
https://www.enisa.europa.eu/news/enisa-news/national-coordinators-meet-to-p…
*** Organizations unprepared for employee-caused security incidents ***
---------------------------------------------
While employee-related security risks are the number-one concern for security professionals, organizations are not taking adequate steps to prevent negligent employee behavior, according to a new Ponemon Institute study. The study, Managing Insider Risk Through Training & Culture, asked more than 600 individuals at companies that currently have a data protection and privacy training program to weigh in on the topic of negligent and malicious employee behaviors, as well as the consequences...
---------------------------------------------
https://www.helpnetsecurity.com/2016/05/23/employee-caused-security-inciden…
*** When Hashing isn't Hashing ***
---------------------------------------------
Anyone working in application security has found themselves saying something like this a thousand times: "always hash passwords with a secure password hashing function." I've said this phrase at nearly all of the developer events I've spoken at, it's become a mantra of sorts for many of us that try to improve the security of applications. We tell developers to hash passwords, then we have to qualify it to explain that it isn't normal hashing.
---------------------------------------------
https://adamcaudill.com/2016/05/23/when-hashing-isnt-hashing/
*** Technical Report about the RUAG espionage case ***
---------------------------------------------
After several months of Incident Response and Analysis in the RUAG cyber espionage case, we got the assignment from the Federal Council to write and publish a report about the findings. The following is a purely technical report, intending to inform the public about Indicators of Compromise (IOCs) and the Modus Operandi of the attacker group behind this case. We strongly believe in...
---------------------------------------------
https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espion…
*** Hack von Rüstungskonzern: Schweizer Cert gibt Security-Tipps für Unternehmen ***
---------------------------------------------
Daran könnten sich andere Sicherheitsfirmen ein Beispiel nehmen: Das Schweizer Cert hat detailliert die Angriffsmethoden einer APT-Gruppe auf den Technikkonzern Ruag analysiert und gibt Unternehmen Tipps zum Schutz.
---------------------------------------------
http://www.golem.de/news/hack-von-ruestungskonzern-schweizer-cert-gibt-secu…
*** After trio of hacks, SWIFT addresses information sharing concerns ***
---------------------------------------------
Following reports of a cyberattack last year in which hackers stole $9 million from an Ecuadorean bank, SWIFT stated it is taking steps to create more information sharing practices.
---------------------------------------------
http://www.scmagazine.com/after-trio-of-hacks-swift-addresses-information-s…
*** Student convicted after finding encryption flaws in government network ***
---------------------------------------------
He found that the encrypted network often wasnt... but he lost patience when it looked as though nothing was being done about it.
---------------------------------------------
https://nakedsecurity.sophos.com/2016/05/23/student-convicted-after-finding…
*** A recently patched Flash Player exploit is being used in widespread attacks ***
---------------------------------------------
It took hackers less than two weeks to integrate a recently patched Flash Player exploit into widely used Web-based attack tools that are being used to infect computers with malware.The vulnerability, known as CVE-2016-4117, was discovered earlier this month by security researchers FireEye. It was exploited in targeted attacks through malicious Flash content embedded in Microsoft Office documents.When the targeted exploit was discovered, the vulnerability was unpatched, which prompted a...
---------------------------------------------
http://www.cio.com/article/3073558/a-recently-patched-flash-player-exploit-…
*** Security Update Available for Adobe Connect (APSB16-17) ***
---------------------------------------------
A Security Bulletin (APSB16-17) has been published regarding a security update for Adobe Connect. Adobe recommends users update their product installations to the latest version using the instructions referenced in the security bulletin.
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1355
*** TA16-144A: WPAD Name Collision Vulnerability ***
---------------------------------------------
Original release date: May 23, 2016 Systems Affected Windows, OS X, Linux systems, and web browsers with WPAD enabled Overview Web Proxy Auto-Discovery (WPAD) Domain Name System (DNS) queries that are intended for resolution on private or enterprise DNS servers have been observed reaching public DNS servers [1]. In combination with the New generic Top Level Domain (gTLD) program's incorporation of previously undelegated gTLDs for public registration, leaked WPAD queries could result in...
---------------------------------------------
https://www.us-cert.gov/ncas/alerts/TA16-144A
*** Bugzilla 4.4.11 and 5.0.2 Security Advisory ***
---------------------------------------------
A specially crafted bug summary could trigger XSS in dependency graphs.
---------------------------------------------
https://www.bugzilla.org/security/4.4.11/
*** DSA-3585 wireshark - security update ***
---------------------------------------------
Multiple vulnerabilities were discovered in the dissectors/parsers forPKTC, IAX2, GSM CBCH and NCP which could result in denial of service.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3585
*** SECURITY BULLETIN: Trend Micro InterScan Web Security Virtual Appliance (IWSVA) Multiple Remote Code Execution Vulnerabilities ***
---------------------------------------------
Trend Micro has released new builds of the Trend Micro InterScan Web Security Virtual Appliance. These updates resolve vulnerabilities in the product that could potentially allow a remote attacker to execute arbitrary code on vulnerable installations.
---------------------------------------------
https://esupport.trendmicro.com/solution/en-US/1114185.aspx
*** SECURITY BULLETIN: Trend Micro OfficeScan Path Traversal Vulnerability ***
---------------------------------------------
Trend Micro has released an update for OfficeScan (OSCE) 11.0 Service Pack (SP) 1 which resolves a vulnerability in the product that when certain conditions are met could be exploited to access files and directories located outside of the core product web root folder.
---------------------------------------------
https://esupport.trendmicro.com/solution/en-US/1114097.aspx
*** ZDI-16-353: BitTorrent API Cross Site Scripting Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of BitTorrent and uTorrent. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-16-353/
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM WebSphere affect IBM Control Center (CVE-2016-0283, CVE-2015-7417). ***
http://www.ibm.com/support/docview.wss?uid=swg21981914
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities affect multiple IBM Rational products based on IBM Jazz technology (CVE-2015-7484, CVE-2015-7474, CVE-2015-7485, CVE-2015-7486, CVE-2016-0219) ***
http://www.ibm.com/support/docview.wss?uid=swg21983720
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in SSL affect IBM DataPower Gateways (CVE-2015-3193, CVE-2015-3195, CVE-2015-1794) ***
http://www.ibm.com/support/docview.wss?uid=swg21982608
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Marketing Platform (CVE-2016-0224, CVE-2016-0229, CVE-2016-0233) ***
http://www.ibm.com/support/docview.wss?uid=swg21980989
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in XML processing affect IBM DataPower Gateways ***
http://www.ibm.com/support/docview.wss?uid=swg21982607
---------------------------------------------
*** IBM Security Bulletin: Vulnerability identified in IBM Domino Java Console (CVE-2016-0304) ***
http://www.ibm.com/support/docview.wss?uid=swg21983328
---------------------------------------------
*** IBM Security Bulletin: OpenSSL vulnerabilities in Node.js found on May 03, 2016 affect Rational Software Architect and Rational Software Architect for WebSphere Software (CVE-2016-2107, CVE-2016-2105) ***
http://www.ibm.com/support/docview.wss?uid=swg21983555
---------------------------------------------
*** IBM Security Bulletin: Multiple OpenSSL vulnerabilities in Node.js included in Rational Application Developer for WebSphere Software ***
http://www.ibm.com/support/docview.wss?uid=swg21982949
---------------------------------------------
*** IBM Security Bulletin: One vulnerability in IBM Java SDK affect Application Delivery Intelligence 1.0.0 (CVE-2016-3427) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023804
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Runtime Environment Java Technology Edition, Version 6, affects: WebSphere Dashboard Framework (CVE-2016-3427, CVE-2016-3426, CVE-2016-0264) ***
http://www.ibm.com/support/docview.wss?uid=swg21982528
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Runtime Environment Java Technology Edition, Version 6, affects: Web Experience Factory (CVE-2016-3427, CVE-2016-3426, CVE-2016-0264) ***
http://www.ibm.com/support/docview.wss?uid=swg21982527
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in IBM Java SDK affects IBM Integration Designer and WebSphere Integration Developer (CVE-2016-3427) ***
http://www.ibm.com/support/docview.wss?uid=swg21983002
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM OS Images for Red Hat Linux Systems, IBM OS Images for AIX, and Windows. (CVE-2016-0363, CVE-2016-0376, CVE-2016-3426, and CVE-2016-0264) ***
http://www.ibm.com/support/docview.wss?uid=swg21983647
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Image Construction and Composition Tool. (CVE-2016-0363, CVE-2016-0376, CVE-2016-3426, and CVE-2016-0264) ***
http://www.ibm.com/support/docview.wss?uid=swg21983644
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in OpenSSL affects Tivoli Provisioning Manager for OS Deployment, Tivoli Provisioning Manager for Images (CVE-2016-2842) ***
http://www.ibm.com/support/docview.wss?uid=swg21982159
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM InfoSphere Information Server ***
http://www.ibm.com/support/docview.wss?uid=swg21981545
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in ApacheTomcat affect IBM Security SiteProtector System (CVE-2015-5174, CVE-2015-5345, CVE-2016-0706 and CVE-2016-0714) ***
http://www.ibm.com/support/docview.wss?uid=swg21983242
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in SSL affect IBM DataPower Gateways (CVE-2015-3197 ) ***
http://www.ibm.com/support/docview.wss?uid=swg21982697
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenStack affect IBM Spectrum Scale V4.2 and V4.1.1 (CVE-2015-8466 and CVE-2016-0738) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005833
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 19-05-2016 18:00 − Freitag 20-05-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** DSA-3584 librsvg - security update ***
---------------------------------------------
Gustavo Grieco discovered several flaws in the way librsvg, a SAX-basedrenderer library for SVG files, parses SVG files with circulardefinitions. A remote attacker can take advantage of these flaws tocause an application using the librsvg library to crash.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3584
*** Petya and Mischa - Ransomware Duet (part 1) ***
---------------------------------------------
After being defeated about a month ago, Petya comes back with new tricks. Now, not as a single ransomware, but in a bundle with another malicious payload - Mischa. Both are named after the satellites from the GoldenEye movie. They deploy attacks on ..
---------------------------------------------
https://blog.malwarebytes.org/threat-analysis/2016/05/petya-and-mischa-rans…
*** EITest campaign still going strong, (Fri, May 20th) ***
---------------------------------------------
Originally reported by Malwarebytes in October 2014 [1], the EITest campaign has been going strong ever since. Earlier this year, I documented how the campaign has evolved over time [2]. During its run, I had only noticed the EITest campaign use Angler EK to distribute a variety of ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21081
*** TLS/GCM: Gefahr durch doppelte Nonces ***
---------------------------------------------
Moderne TLS-Verbindungen nutzen üblicherweise das AES-GCM-Verschlüsselungsverfahren. Das benötigt einen sogenannten Nonce-Wert, der sich nicht wiederholen darf. Ansonsten ist die Sicherheit dahin.
---------------------------------------------
http://www.golem.de/news/tls-gcm-gefahr-durch-doppelte-nonces-1605-121005.h…
*** Important Security-Bulletin Pre-Announcement ***
---------------------------------------------
https://typo3.org/news/article/important-security-bulletin-pre-announcement…
*** Resource Data Management Intuitive 650 TDB Controller Vulnerabilities ***
---------------------------------------------
This advisory contains mitigation details for a privilege escalation vulnerability and a cross-site request forgery vulnerability in Resource Data Management's Intuitive 650 TDB Controller.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-140-01
*** Siemens SIPROTEC Information Disclosure Vulnerabilities ***
---------------------------------------------
This advisory contains mitigation details for information disclosure vulnerabilities in the Siemens SIPROTEC 4 and SIPROTEC Compact.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-140-02
*** Hacked in a public space? Thanks, HTTPS ***
---------------------------------------------
Kali Linux, laptop, coffee - hack on! Have you ever bothered to look at who your browser trusts? The padlock of a HTTPS connection doesnt mean anything if you cant trust the other end of the connection and its upstream signatories. Do you ..
---------------------------------------------
www.theregister.co.uk/2016/05/20/https_wifi_trust_in_a_public_place/
*** Wichtiger Sicherheits-Patch für Typo3 voraus ***
---------------------------------------------
In vielen Typo3-Versionen klafft offensichtlich eine schwerwiegende Sicherheitslücke. Ein Patch soll Anfang nächster Woche erscheinen.
---------------------------------------------
http://heise.de/-3212058
*** l+f: Erpressung für den guten Zweck ***
---------------------------------------------
Ein Verschlüsselungs-Trojaner fordert ein horrende Summe und will damit Gutes tun. Wer's glaubt ...
---------------------------------------------
http://heise.de/-3212111
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 18-05-2016 18:00 − Donnerstag 19-05-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Website Hacked Trend Report - 2016/Q1 ***
---------------------------------------------
Our Remediation group is comprised of two distinct teams, the Incident Response Team (IRT) and Malware Research Team (MRT). These teams work closely with our customers in an effort to identify and remove website infections to include ..
---------------------------------------------
https://blog.sucuri.net/2016/05/sucuri-hacked-report-2016q1.html
*** Registration Codes - Less Critical - Input Validation Vulnerability - SA-CONTRIB-028 ***
---------------------------------------------
https://www.drupal.org/node/2728711
*** Dropbox client - Multiple Vulnerabilities - SA-CONTRIB-2016-027 ***
---------------------------------------------
https://www.drupal.org/node/2728693
*** Web Mailing List vulnerable to cross-site scripting ***
---------------------------------------------
http://jvn.jp/en/jp/JVN43076390/
*** The 5Ws and 1H of Ransomware ***
---------------------------------------------
For the past three months, we have seen ransomware hop its way across globe. Majority of the ransomware incidents are found in the United States, then Italy, and Canada. The prevalence of large-scale ransomware incidents led the United States and Canadian governments to issue a joint statement about ..
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2016/05/18/the-5ws-and-1h-of-ranso…
*** Hackerangriff auf Linkedin: 100 Millionen Nutzer betroffen ***
---------------------------------------------
Attacke fand bereits 2012 statt - Ausmass wurde jedoch erst jetzt in vollem Umfang bekannt
---------------------------------------------
http://derstandard.at/2000037231582
*** Erpressungstrojaner: Teslacrypt-Entwickler geben auf ***
---------------------------------------------
Master-Key veröffentlicht, Entschlüsselungssoftware verfügbar.
---------------------------------------------
http://derstandard.at/2000037236758
*** Ransomware Awareness Tag ***
---------------------------------------------
Unsere Kollegen von der Schweizer Melde- und Analysestelle Informationssicherung MELANI veranstalten heute, am 19. Mai 2016, einen Aktionstag zum Thema Ransomware. Das Ziel ist es, die Informationen zu der Bedrohung ..
---------------------------------------------
http://www.cert.at/services/blog/20160519095712-1737.html
*** Kernel Waiter Exploit from the Hacking Team Leak Still Being Used ***
---------------------------------------------
Although the Hacking Team leak took place several months ago, the impact of this data breach - where exploit codes were made public and spurred a chain of attacks - can still be felt until today. We recently spotted malicious Android apps that appear to use an exploit found in the Hacking Team data ..
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/kernel-waiter-ex…
*** FBI muss Mozilla keine Informationen über Sicherheitslücke übergeben ***
---------------------------------------------
Der Richter in einem Verfahren gegen einen Nutzer einer Kinderpornographie-Plattform hat es abgelehnt, dass Mozilla sich einmischt, um an Informationen über eine Sicherheitslücke im Tor-Browser zu kommen.
---------------------------------------------
http://heise.de/-3211120
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 17-05-2016 18:00 − Mittwoch 18-05-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** That Insane, $81M Bangladesh Bank Heist? Here's What We Know ***
---------------------------------------------
Someone stole $81 million from Bangladesh Bank in a matter of hours, and appears to have targeted other banks that use ..
---------------------------------------------
http://www.wired.com/2016/05/insane-81m-bangladesh-bank-heist-heres-know/
*** Academics Make Theoretical Breakthrough in Random Number Generation ***
---------------------------------------------
Two University of Texas academics have made what some experts believe is a breakthrough in random number generation that could have longstanding implications for cryptography and computer security.
---------------------------------------------
http://threatpost.com/academics-make-theoretical-breakthrough-in-random-num…
*** XSA-176 ***
---------------------------------------------
http://xenbits.xen.org/xsa/advisory-176.html
*** First ATM malware is back and badder than ever ***
---------------------------------------------
Original gangster Skimer goes global Cybercriminals have retrofitted a strain of ATM malware first discovered in 2009 to create an even more potent threat.
---------------------------------------------
www.theregister.co.uk/2016/05/17/skimer_atm_malware/
*** Cisco Adaptive Security Appliance XML Parser Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Adaptive Security Appliance VPN Memory Block Exhaustion Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Unified Computing System Central Cross-Site Scripting Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Identity Services Engine Active Directory Integration Component Remote Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Malicious macro using a sneaky new trick ***
---------------------------------------------
We recently came across a file (ORDER-549-6303896-2172940.docm, SHA1: 952d788f0759835553708dbe323fd08b5a33ec66) containing ..
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2016/05/17/malicious-macro-using-a…
*** Hacker weiden Untergrund-Forum Nulled.IO aus ***
---------------------------------------------
Im Hacker-Forum Nulled.IO treffen sich Gleichgesinnte und handeln etwa mit erbeuteten Nutzer-Konten. Ironischerweise wurde Nulled.IO nun selbst Opfer einer verheerenden Hacker-Attacke.
---------------------------------------------
http://heise.de/-3209682
*** Windows 10 Device Guard and Credential Guard Demystified ***
---------------------------------------------
While helping Windows Enterprise customers deploy and realize the benefits of Windows 10, I've observed there's still a lot of confusion regarding the security features of the operating system. This is a shame since some ..
---------------------------------------------
https://blogs.technet.microsoft.com/ash/2016/03/02/windows-10-device-guard-…
*** Scammers target cybersecurity brands ***
---------------------------------------------
Cybersquatting, typosquatting and phishing now target the largest cybersecurity brands.
---------------------------------------------
https://www.htbridge.com/blog/scammers-target-cybersecurity-companies-brand…
*** Google to shutter SSLv3, RC4 from SMTP servers, Gmail ***
---------------------------------------------
Mark your calendars: Google will disable support for the RC4 stream cipher and the SSLv3 protocol on its SMTP servers and Gmail servers on June 16.After the deadline, Googles SMTP servers will no longer exchange mail with servers ..
---------------------------------------------
http://www.cio.com/article/3071866/security/google-to-shutter-sslv3-rc4-fro…
*** Magento 2.0.6 Security Update ***
---------------------------------------------
Magento Enterprise Edition and Community Edition 2.0.6 contain multiple security and functional enhancements. You can find more details about the vulnerabilities addressed below.
---------------------------------------------
https://magento.com/security/patches/magento-206-security-update
*** Magento - Unauthenticated Remote Code Execution ***
---------------------------------------------
The vulnerability (CVE-2016-4010) allows an attacker to execute PHP code at the vulnerable Magento server unauthenticated. This vulnerability actually consists of many small vulnerabilities, as described further in the blog post.
---------------------------------------------
http://netanelrub.in/2016/05/17/magento-unauthenticated-remote-code-executi…
*** Sicherheitsrichtlinie: EU-Rat billigt Meldepflicht bei Cyberangriffen ***
---------------------------------------------
Die EU-Mitgliedsstaaten haben den Kompromiss zur geplanten Richtlinie über Netz- und Informationssicherheit angenommen, den Verhandlungsführer zuvor mit dem EU-Parlament ausgehandelt hatten. Es geht um Sicherheitsauflagen für Online-Anbieter.
---------------------------------------------
http://heise.de/-3210189
*** Ransomware Activity Spikes in March, Steadily increasing throughout 2016 ***
---------------------------------------------
https://www.fireeye.com/blog/threat-research/2016/05/ransomware_activity.ht…
*** The Ultimate Guide to Angler Exploit Kit for Non-Technical People ***
---------------------------------------------
There's been a lot of talk about the Angler exploit kit lately, but, for most people, the warnings don't strike a chord. And they're definitely not to blame. Not everyone ..
---------------------------------------------
https://heimdalsecurity.com/blog/ultimate-guide-angler-exploit-kit-non-tech…
*** Die Crypto Wars und die Folgen: Wie uns alte Hintertüren weiter verfolgen ***
---------------------------------------------
Erneut fordern Politiker, Geheimdienste und Strafverfolger, Krypto-Software absichtlich zu schwächen. Das war schon einmal vorgeschrieben und die Konsequenzen verfolgen uns noch heute: Verheerende Sicherheitslücken haben genau darin ihren Ursprung.
---------------------------------------------
http://heise.de/-3210209
*** Bitly partners with Let's Encrypt for HTTPS links ***
---------------------------------------------
Bitly processes data associated with more than 12 billion clicks per month, leading to massive troves of intelligence. Now, they're partnering with Let's Encrypt to generate SSL certificates for more than 40,000 Bitly ..
---------------------------------------------
https://www.helpnetsecurity.com/2016/05/18/bitly-https-links/
*** IRZ RUH2 3G Firmware Overwrite Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a firmware overwrite vulnerability in iRZ's RUH2 device.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-138-01
*** Moxa EDR-G903 Secure Router Vulnerabilities ***
---------------------------------------------
This advisory was originally posted to the US-CERT secure Portal library on February 11, 2016, and is being released to the NCCIC/ICS-CERT web site. This advisory contains mitigation details for Moxa's ECR G903 secure routers.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-042-01
*** Fixing `marked` XSS vulnerability ***
---------------------------------------------
A few weeks ago we added to our DB a Cross-Site Scripting (XSS) vulnerability in the popular marked package. This post explains the vulnerability, shows how to exploit it on a sample app, and explains how to fix the issue in your application.
---------------------------------------------
https://snyk.io/blog/marked-xss-vulnerability/
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 13-05-2016 18:00 − Dienstag 17-05-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Panama Papers: the result of neglected IT security ***
---------------------------------------------
The financial, legal and political world have been turned upside down by the Panama Papers. But how on earth was it possible to steal 2.6 terabytes of data from Mossack Fonseca?
---------------------------------------------
https://blog.gdatasoftware.com/2016/05/28239-panama-papers-the-result-of-ne…
*** Yahoo-owned Tumblr announces email credential compromise ***
---------------------------------------------
Tumblr announced Thursday that a third party accessed a set of Tumblr user email addresses with salted and hashed passwords.
---------------------------------------------
http://www.scmagazine.com/tumblr-announces-email-credentials-compromised/ar…
*** CVE-2016-4117: Flash Zero-Day Exploited in the Wild ***
---------------------------------------------
https://www.fireeye.com/blog/threat-research/2016/05/cve-2016-4117-flash-ze…
*** "Bösartiges Design": Wie Webseiten Nutzer reinlegen und betrügen ***
---------------------------------------------
Skrupellose Abzock-Praktiken stehen immer mehr unter Kritik, etwa das automatische Anklicken von Abonnements
---------------------------------------------
http://derstandard.at/2000037009828
*** Unethische Forschung: Wissenschaftler veröffentlichen 70.000 OKCupid-Profile ***
---------------------------------------------
Wissenschaftler aus Dänemark haben Profile von rund 70.000 OKCupid-Nutzern analysiert und veröffentlicht. Den beteiligten Herren ist ein Ethik-Seminar dringend zu empfehlen.
---------------------------------------------
http://www.golem.de/news/unethische-forschung-wissenschaftler-veroeffentlic…
*** Gatecoin: Mehr als zwei Millionen US-Dollar in Kryptowährungen gestohlen ***
---------------------------------------------
Wer seine Bitcoin oder Ether bei dem Anbieter Gatecoin aufbewahrt, sollte seine Accounts checken - rund 15 Prozent der Einlagen wurden gestohlen. Auszahlungen sollen erst ab dem 28. Mai wieder möglich sein, es wird aber an Entschädigungsregeln gearbeitet.
---------------------------------------------
http://www.golem.de/news/gatecoin-ueber-zwei-millionen-us-dollar-in-kryptow…
*** Swift-Attacke abgewehrt: Millionen-Transaktion im Visier von Cyberdieben ***
---------------------------------------------
Ziel der Hacker bei der Tien Phong Bank war eine Transaktion von umgerechnet mehr als einer Million Euro gewesen
---------------------------------------------
http://derstandard.at/2000037024022-1231152558333
*** Carding Sites Turn to the 'Dark Cloud' ***
---------------------------------------------
Crooks who peddle stolen credit cards on the Internet face a constant challenge: Keeping their shops online and reachable in the face of meddling from law enforcement officials, security firms, researchers and vigilantes. In this ..
---------------------------------------------
http://krebsonsecurity.com/2016/05/carding-sites-turn-to-the-dark-cloud/
*** Chrome könnte Flash noch dieses Jahr standardmässig blockieren ***
---------------------------------------------
Google plant anscheinend, HTML5 noch stringenter als Standard in seinem Webbrowser Chrome einzusetzen. Flash-Inhalte sollen im Zuge dessen entweder gar nicht mehr oder nur in Ausnahmefällen wiedergegeben werden.
---------------------------------------------
http://heise.de/-3208837
*** Android Hacking: Dumping and Analyzing Application's Memory ***
---------------------------------------------
In this article, we will discuss how to dump the memory of a specific application using Android Studio's heap dump feature. We will also explore EclipseMemoryAnalyzer(MAT) to analyze the heap dump we acquire. It is possible to create heap dumps of an application�s heap in Android. We can dump ..
---------------------------------------------
http://resources.infosecinstitute.com/android-hacking-dumping-and-analyzing…
*** Cisco Video Communication Server Session Initiation Protocol Packet Processing Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** OS X El Capitan v10.11.5 and Security Update 2016-003 ***
---------------------------------------------
https://support.apple.com/kb/HT206567
*** DSA-3580 imagemagick - security update ***
---------------------------------------------
Nikolay Ermishkin from the Mail.Ru Security Team and Stewie discoveredseveral vulnerabilities in ImageMagick, a program suite for imagemanipulation. These vulnerabilities, collectively known as ImageTragick,are the consequence of lack of sanitization of untrusted input. Anattacker with control ..
---------------------------------------------
https://www.debian.org/security/2016/dsa-3580
*** Secure Coding: How to Account for Input Sanitization ***
---------------------------------------------
On average, a website leverages around 18-20 different plugins in its structure. These plugins enhance the website's functionality and in some instances extend the applications core capabilities. It's great for website owners because they can pick and ..
---------------------------------------------
https://blog.sucuri.net/2016/05/secure-coding-account-input-sanitization.ht…
*** Symantec Antivirus Engine Malformed PE Header Parser Memory Access Violation ***
---------------------------------------------
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se…
*** Zombie crypto still rules smart grids: OSGP vendors need to kill RC4 ***
---------------------------------------------
Deprecated almost everywhere, researchers crack open smart grid ancient crypto suite AGAIN The Open Smart Grid Protocols custom RC4 encryption has been cracked - again.
---------------------------------------------
www.theregister.co.uk/2016/05/17/zombie_crypto_still_rules_smart_grids/
*** Malicious Android apps slip into Google Play, top third party charts ***
---------------------------------------------
Enlist phones in ad fraud, premium SMS, loser DDoS Malicious Android applications have bypassed Googles Play store security checks to enslave infected devices into distributed denial of service attack, advertising fraud, and spam botnets.
---------------------------------------------
www.theregister.co.uk/2016/05/17/viking_horde_android_app_malware/
*** VMSA-2016-0005 ***
---------------------------------------------
VMware product updates address critical and important security issues
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2016-0005.html
*** Kritische Lücke gefährdet Antiviren-Produkte von Symantec und Norton ***
---------------------------------------------
Ein gefährlicher Bug in der Scan Engine von Symantect zieht weite Kreise und bedroht alle Symantec- und Norton-Produkte auf allen Plattformen, warnt ein Sicherheitsforscher.
---------------------------------------------
http://heise.de/-3208967
*** Security Principles in iOS Architecture ***
---------------------------------------------
I strongly suggest readers checkout my two prior blogs on Cryptography, Principle of Least Privilege, and Biometrics. All of these will be explored in depth throughout this blog.
---------------------------------------------
https://woumn.wordpress.com/2016/05/02/security-principles-in-ios-architect…
*** Killing XSS and CSRF on web server layer ***
---------------------------------------------
Existing and new web security technologies based on actively developed RFCs propose new approaches to common web vulnerabilities remediation.
---------------------------------------------
https://www.htbridge.com/blog/killing-xss-and-csrf-on-web-server-layer.html
*** "Cryptohitman": Erpressungstrojaner ersetzt Sperrbildschirm mit Pornos ***
---------------------------------------------
Verschlüsselt Dateien mit Endung ".porno" - kostenloses Tool rettet Userdaten
---------------------------------------------
http://derstandard.at/2000037097552
*** Finanzministerium warnt vor falschen BMF-Mails ***
---------------------------------------------
Phishing-Attacke - Löschen, löschen, löschen!
---------------------------------------------
http://derstandard.at/2000037101098
*** The Sleepy User Agent ***
---------------------------------------------
>From time to time a customer writes in and asks about certain requests that have been blocked by the CloudFlare WAF. Recently, a customer couldn't understand why it appeared that some simple GET requests for their homepage were ..
---------------------------------------------
https://blog.cloudflare.com/the-sleepy-user-agent/
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 12-05-2016 18:00 − Freitag 13-05-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Cyber Heist Attribution ***
---------------------------------------------
Written by Sergei Shevchenko and Adrian Nish | BACKGROUND | Attributing a single cyber-attack is a hard task and often impossible. However, when multiple attacks are conducted over long periods of time, they leave a trail of digital evidence. Piecing this together into a campaign can help investigators to see the bigger picture, and even hint at who may be behind the attacks. Our research into malware used on SWIFT based systems running in banks has turned up multiple bespoke tools used by a set of...
---------------------------------------------
http://baesystemsai.blogspot.com/2016/05/cyber-heist-attribution.html
*** Neuer Angriff auf Swift-Netzwerk: Angreifer nutzen manipulierten PDF-Reader ***
---------------------------------------------
Eine Bank setzte zur Überprüfung von Transaktionen offenbar keine Hashwerte der einzelnen Vorgänge ein - sondern nimmt eine Sichtprüfung von PDFs vor. Aus diesem Grund konnten Angreifer erneut illegale Transaktionen im Swift-Netzwerk vornehmen.
---------------------------------------------
http://www.golem.de/news/neuer-angriff-auf-swift-netzwerk-angreifer-nutzen-…
*** EZB plant Meldestelle für Cyber-Angriffe auf Banken ***
---------------------------------------------
Auch die Bankenaufseher der Europäischen Zentralbank reagieren auf die wachsende Zahl von Angriffen mit einer Meldepflicht bei schwerwiegenden Bedrohungen.
---------------------------------------------
http://heise.de/-3207934
*** MISP - Malware Information Sharing Platform, (Fri, May 13th) ***
---------------------------------------------
In a previous diary (Unity Makes Strength), I briefly mentioned MISP(which means Malware Information Sharing Platform). Since this tool is becomingmore and more popular, Id like to give more details about it.Sharing is key could be the slogan of MISP. The ideais to allow different organizations to share IOCs (Indicators of Compromize) like IP addresses, domains, hashes, URLs, filenames, ... Thegoal is to increase their ability to protect themselves against malicious activities. With millions of...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21053&rss
*** Open sourcing our NGINX HTTP/2 + SPDY code ***
---------------------------------------------
In December, we released HTTP/2 support for all customers and last week we released HTTP/2 Server Push support as well. The release of HTTP/2 by CloudFlare had a huge impact on the number of sites supporting and using the protocol. Today, 50% of sites that use HTTP/...
---------------------------------------------
https://blog.cloudflare.com/open-sourcing-our-nginx-http-2-spdy-code/
*** Meteocontrol WEBlog Vulnerabilities ***
---------------------------------------------
This advisory contains mitigation details for one authentication and two information exposure vulnerabilities in Meteocontrol's WEB'log application.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-133-01
*** TrendMicro - Multiple HTTP Problems with CoreServiceShell.exe ***
---------------------------------------------
Topic: TrendMicro - Multiple HTTP Problems with CoreServiceShell.exe Risk: Medium Text:Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=775 The main component of Trend Micro Antivirus is CoreSe...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016050051
*** Symantec Messaging Gateway 10.6.x ACE Library Static Link to Vulnerable SSL Version ***
---------------------------------------------
Revisions None Severity Severity (CVSS version 2 and CVSS Version 3) CVSS2 ...
---------------------------------------------
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se…
*** Bugtraq: May 2016 - HipChat Server - Critical Security Advisory ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538378
*** Bugtraq: [security bulletin] HPSBGN03597 rev.1 - HPE Cloud Optimizer (Virtualization Performance Viewer) using glibc Remote Denial of Service (DoS) ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538371
*** Bugtraq: [security bulletin] HPSBMU03589 rev.1 - HPE Version Control Repository Manager (VCRM), Remote Denial of Service (DoS) ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538377
*** Bugtraq: [security bulletin] HPSBMU03591 rev.1 - HPE Server Migration Pack, Remote Denial of Service (DoS) ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538376
*** Bugtraq: [security bulletin] HPSBMU03590 rev.1 - HPE Systems Insight Manager (SIM) on Windows and Linux, Multiple Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538379
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM WebSphere Application Server for Bluemix April 2016 CPU (CVE-2016-3426, CVE-2016-3427) ***
http://www.ibm.com/support/docview.wss?uid=swg21983039
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Content Manager Enterprise Edition 8.5.0 (CVE-2016-3449, CVE-2016-0264) ***
http://www.ibm.com/support/docview.wss?uid=swg21982262
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in OpenSSL affects IBM Sterling Connect:Express for Unix (CVE-2016-2842). ***
http://www.ibm.com/support/docview.wss?uid=swg21982374
---------------------------------------------
*** IBM Security Bulletin: A Security Vulnerability exist in IBM Cognos TM1 ***
http://www.ibm.com/support/docview.wss?uid=swg21981936
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Tivoli Netcool Configuration Manager (ITNCM) (Multiple CVEs) ***
http://www.ibm.com/support/docview.wss?uid=swg21973066
---------------------------------------------
Next End-of-Shift Report: 2016-05-17
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 11-05-2016 18:00 − Donnerstag 12-05-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Security Updates Available for Adobe Flash Player (APSB16-15) ***
---------------------------------------------
A Security Bulletin (APSB16-15) has been published regarding security updates for Adobe Flash Player. These updates address critical vulnerabilities, and Adobe recommends users update their product installations to the latest versions using the instructions referenced in the security bulletin. Adobe...
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1352
*** Tips to Prevent Ransomware in Healthcare Environments ***
---------------------------------------------
If 2015 was the year of the healthcare breach, 2016 is shaping up to be the year of ransomware. By this time last year, 105 healthcare breaches had been reported to the U.S. Department of...
---------------------------------------------
http://researchcenter.paloaltonetworks.com/2016/05/tips-to-prevent-ransomwa…
*** Entpacker 7-Zip kann zum Ausführen von Schadcode missbraucht werden ***
---------------------------------------------
Über eine Lücke im Kompressions-Tool 7-Zip können Angreifer Schadcode ausführen und eventuell auch den Rechner des Opfers kapern. Besonders brisant: Der Open-Source-Code des Tools steckt auch in Sicherheitssoftware.
---------------------------------------------
http://heise.de/-3206787
*** US-CERT warnt Betreiber von SAP-Systemen ***
---------------------------------------------
Anlass der Sicherheitswarnung des Computer-Notfall-Teams der USA ist ein Bericht, demzufolge mindestens 36 Organisationen in der ganzen Welt über eine SAP-Lücke angegriffen und kompromittiert wurden.
---------------------------------------------
http://heise.de/-3207245
*** New Wave of the Test0.com/Test5.xyz Redirect Hack ***
---------------------------------------------
Last week we described the hack that randomly redirected site visitors either to a parked test0 .com domain or to malicious sites via the default7 .com domain. This week the default7 .com domain went down but the attackers returned with a new wave of site infections and the new redirecting domain - test5 .xyz (registered just a few...
---------------------------------------------
https://blog.sucuri.net/2016/05/test0test5-com-redirect-hack-new-wave.html
*** Popular cache Squid skids as hacker pops lid ***
---------------------------------------------
Yet another mess we can blame on the combination of Flash and advertising Tsinghua University postgraduate student Jianjun Chen has reported a critical cache poisoning vulnerability in the Squid proxy server, a transparent cache widely deployed by internet service providers.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/05/12/telco_fave_…
*** Giving up Your Roots: A Root Remedy Checklist ***
---------------------------------------------
As an IT organization, should you be concerned that your sysAdmins login as root, su to root, or sudo su to root?The post Giving up Your Roots: A Root Remedy Checklist appeared first on BeyondTrust.
---------------------------------------------
https://www.beyondtrust.com/blog/root-remedy-checklist/
*** Facebook CTF platform is now open source ***
---------------------------------------------
Capture the Flag competitions are a good - not to mention legal - way for hackers to build and hone their skills. But, quality CTF environments are difficult and expensive to build and run. This is a burden that Facebook aims to lighten by open sourcing the Facebook CTF platform, devised for the training of their own employees and used around the world by various organizations looking to interest kids in computer security. The now-free...
---------------------------------------------
https://www.helpnetsecurity.com/2016/05/12/facebook-ctf-platform-open-sourc…
*** From the Netherlands Presidency of the EU Council: Coordinated vulnerability disclosure Manifesto signed ***
---------------------------------------------
Approximately 30 organisations have signed the Coordinated Vulnerability Disclosure Manifesto today, in which they declare to support the principle of having a point of contact to report IT vulnerabilities to and already have this set up in their own organisations, or they plan to do so soon. By signing the manifesto, the participating...
---------------------------------------------
https://www.enisa.europa.eu/news/member-states/from-the-netherlands-preside…
*** DFN-CERT-2016-0770: Jenkins: Mehrere Schwachstellen ermöglichen u.a. das Ausspähen von Informationen ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0770/
*** DFN-CERT-2016-0739: OpenVPN: Zwei Schwachstellen ermöglichen Denial-of-Service-Angriffe ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0739/
*** Security Notice - Statement on Bogner Florian Revealing Privilege Escalation Vulnerability in Huawei E5373 LTE Mobile Wi-Fi Products ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-notices/2016/huawei-sn-20160512-01-…
*** F5 Security Advisory: Nginx vulnerabilities CVE-2016-0742, CVE-2016-0746, and CVE-2016-0747 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/23/sol23073482.html?…
*** BulletProof Security <= .53.3 - Multiple XSS Vulnerabilities ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/8492
*** Bugtraq: [security bulletin] HPSBHF03592 rev.1 - HPE VAN SDN Controller OVA using OpenSSL, Multiple Remote Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538359
*** Bugtraq: [security bulletin] HPSBNS03581 rev.2 - HPE NonStop Servers running Samba (NS-Samba), Multiple Remote Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538360
*** Bugtraq: [security bulletin] HPSBST03598 rev.1 - HPE 3PAR OS using glibc, Remote Denial of Service (DoS), Arbitrary Code Execution ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538365
*** Bugtraq: [security bulletin] HPSBST03586 rev.1 - HPE 3PAR OS, Remote Unauthorized Modification ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538364
*** Bugtraq: [security bulletin] HPSBST03599 rev.1 - HPE 3PAR OS running OpenSSH, Remote Denial of Service (DoS), Access Restriction Bypass ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538366
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin:Vulnerability in IBM Java Runtime affect IBM Host On-Demand (CVE-2016-0363) ***
http://www.ibm.com/support/docview.wss?uid=swg21982489
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Web Browser XSS Protection affects IBM Algorithmics Algo Risk Application - CVE-2016-0390 ***
http://www.ibm.com/support/docview.wss?uid=swg21981321
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM SDK Java Technology Edition affect WebSphere Application Server shipped with SmartCloud Provisioning ***
http://www.ibm.com/support/docview.wss?uid=swg2C1000105
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Image Construction and Composition Tool. (CVE-2015-3193, CVE-2015-3194, CVE-2015-3195, CVE-2015-3196, CVE-2015-1794) ***
http://www.ibm.com/support/docview.wss?uid=swg21982883
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Workload Deployer. (CVE-2015-3193, CVE-2015-3194, CVE-2015-3195, CVE-2015-3196, CVE-2015-1794) ***
http://www.ibm.com/support/docview.wss?uid=swg21982877
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect WebSphere Message Broker and IBM Integration Bus ***
http://www.ibm.com/support/docview.wss?uid=swg21982172
---------------------------------------------
*** IBM Security Bulletin: The GPFS pattern provided with IBM PureApplication System is affected by a security vulnerability. (CVE-2015-7488) ***
http://www.ibm.com/support/docview.wss?uid=swg21982874
---------------------------------------------
*** IBM Security Bulletin: The GPFS pattern provided with IBM PureApplication System is affected by a security vulnerability. (CVE-2015-7456) ***
http://www.ibm.com/support/docview.wss?uid=swg21982873
---------------------------------------------
*** IBM Security Bulletin: A potential vulnerability in IBM Java SDK affect InfoSphere Streams (CVE-2015-4872) ***
http://www.ibm.com/support/docview.wss?uid=swg21973403
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 10-05-2016 18:00 − Mittwoch 11-05-2016 18:00
Handler: Stephan Richter
Co-Handler: Alexander Riepl
*** Security Advisory posted for Adobe Flash Player (APSA16-02) ***
---------------------------------------------
A Security Advisory (APSA16-02) has been published regarding a critical vulnerability (CVE-2016-4117) in Adobe Flash Player. Adobe is aware of a report that an exploit ..
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1346
*** Security Updates for Adobe Acrobat and Reader and Hotfixes for ColdFusion Available ***
---------------------------------------------
Security Bulletins for Adobe Acrobat and Reader (APSB16-14) as well as ColdFusion (APSB16-16) have been published. Adobe recommends users update their product installations to the latest versions using the instructions in the relevant security ..
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1350
*** IBM Security Bulletin: The Elastic Storage Server and the GPFS Storage Server are affected by vulnerabilities in IBM Spectrum Scale (CVE-2016-0263, CVE2016-0361) ***
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=isg3T1023767
*** MS16-MAY - Microsoft Security Bulletin Summary for May 2016 - Version: 1.0 ***
---------------------------------------------
https://technet.microsoft.com/en-us/library/security/MS16-MAY
*** May 2016 security update release ***
---------------------------------------------
Today we released security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to apply security updates as soon as they are released. More information about this month's security ..
---------------------------------------------
https://blogs.technet.microsoft.com/msrc/2016/05/10/may-2016-security-updat…
*** 5 security experts share their best tips for 'fringe' devices ***
---------------------------------------------
What is a 'fringe' device in IT?For some, it's a gadget everyone has forgotten about - a printer in a corner office, an Android tablet in a public area used to schedule conference rooms. A fringe device can also be one that's common enough to be used ..
---------------------------------------------
http://www.cio.com/article/3068406/security/5-security-experts-share-their-…
*** Panasonic FPWIN Pro Vulnerabilities ***
---------------------------------------------
This advisory contains mitigation details concerning buffer overflow vulnerabilities in Panasonic FPWIN Pro software.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-131-01
*** DSA-3574 libarchive - security update ***
---------------------------------------------
Rock Stevens, Andrew Ruef and Marcin Icewall Noga discovered aheap-based buffer overflow vulnerability in the zip_read_mac_metadatafunction in libarchive, a multi-format archive and compression library,which may ..
---------------------------------------------
https://www.debian.org/security/2016/dsa-3574
*** It's time to get serious about ICS cybersecurity ***
---------------------------------------------
As recently reported by The Register, a proof-of-concept PLC worm could spell disaster for the critical infrastructure by making attacks exponentially more difficult to detect and stop. Unfortunately, the proof of concept of a PLC worm is a viable scenario which could cause immeasurable ..
---------------------------------------------
https://www.helpnetsecurity.com/2016/05/11/time-get-serious-ics-cybersecuri…
*** Patchday: Microsoft schliesst Zero-Day-Lücke im Internet Explorer ***
---------------------------------------------
Wie jeden Monat heißt es auch im Mai für Windows-Nutzer wieder einmal: Jetzt schnell Patches einspielen! Diesmal ist es besonders dringend, denn eine im Patchday geschlossene Lücke wurde bereits vor ihrer Veröffentlichung aktiv für Angriffe missbraucht.
---------------------------------------------
http://heise.de/-3202816
*** Multiple JVC HDRs and Net Cameras - Multiple Vulnerabilities ***
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016050040
*** The Art of Searching for Open Source Intelligence ***
---------------------------------------------
The Internet is a big ocean, and it carries loads of information you might be interested in or looking for, but where and how to find that information? Thanks to search engines like Google that make the searches using a query possible, ..
---------------------------------------------
http://resources.infosecinstitute.com/the-art-of-searching-for-open-source-…
*** CryptXXX 2.0 foils decryption tool, locks PCs ***
---------------------------------------------
CryptXXX ransomware, first spotted in mid-April, has reached version 2.0, and a new level of nastiness. It's also on its way to become one of the top ransomware families in the wild. The malware's first version would encrypt files but leave ..
---------------------------------------------
https://www.helpnetsecurity.com/2016/05/11/cryptxxx-2-0-foils-decryption/
*** Adobe lässt sich Zeit mit Patch für ausgenutzte Lücke ***
---------------------------------------------
Mit dem Sicherheitsupdate für den Flash-Player lässt Adobe sich mehr Zeit, als Nutzer zum Deinstallieren der Software benötigen.
---------------------------------------------
http://www.golem.de/news/kritische-flash-luecke-adobe-laesst-sich-zeit-mit-…
*** Hintergrund: Dridex analysiert ***
---------------------------------------------
Eine kleine Artikelreihe zeigt, wie man einen Bot-Netz-Client mit dem Debugger auseinander nimmt.
---------------------------------------------
http://heise.de/-3204362
*** TA16-132A: Exploitation of SAP Business Applications ***
---------------------------------------------
Original release date: May 11, 2016 Systems Affected Outdated or misconfigured SAP systems Overview At least 36 organizations worldwide are affected by an SAP vulnerability [1]. Security researchers from Onapsis discovered ..
---------------------------------------------
https://www.us-cert.gov/ncas/alerts/TA16-132A
*** Updated factsheets security of ICS/SCADA systems ***
---------------------------------------------
Malicious persons and security researchers show interest in the (lack of) security of industrial control systems. This relates not only to 'traditional' ICS/SCADA systems, but also to building management systems (incl. HVAC and CCTV).
---------------------------------------------
https://www.ncsc.nl/english/current-topics/news/updated-factsheets-security…
*** IBM Security Bulletin: Multiple vulnerabilities in Samba affect IBM SmartCloud Provisioning for IBM Software Virtual Appliance ***
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg2C1000130
*** IBM Security Bulletin: IBM Emptoris Sourcing is affected by open redirect vulnerability (CVE-2016-0329). ***
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21982629
*** IBM Security Bulletin: Multiple vulnerabilities in Libxml2 affect IBM SmartCloud Provisioning for IBM Software Virtual Appliance ***
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg2C1000110
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 09-05-2016 18:00 − Dienstag 10-05-2016 18:00
Handler: Stephan Richter
Co-Handler: Alexander Riepl
*** [Xen-announce] Xen Security Advisory 179 (CVE-2016-3710, CVE-2016-3712) - QEMU: Banked access to VGA memory (VBE) uses inconsistent bounds checks ***
---------------------------------------------
Qemu VGA module allows banked access to video memory using the window at 0xa00000 and it supports different access modes with different address calculations. But an attacker can easily change access modes after setting the bank ..
---------------------------------------------
http://lists.xen.org/archives/html/xen-announce/2016-05/msg00001.html
*** Finding Conditional SEO Spam in Drupal ***
---------------------------------------------
Nobody likes spam. It's never fun (unless you're watching Monty Python). For us it comes with the territory; removing SEO spam has been at the core of ..
---------------------------------------------
https://blog.sucuri.net/2016/05/seo-spam-in-drupal-database.html
*** DSA-3572 websvn - security update ***
---------------------------------------------
Nitin Venkatesh discovered that websvn, a web viewer for Subversion repositories, is susceptible to cross-site scripting attacks viaspecially crafted file and directory names in repositories.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3572
*** Gamarue, Nemucod, and JavaScript ***
---------------------------------------------
JavaScript is now being used largely to download malware because it's easy to obfuscate the code and it has a small size. Most recently, one of the most predominant JavaScript malware that has been spreading other malware is Nemucod. This ..
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2016/05/09/gamarue-nemucod-and-jav…
*** Don�t Put Off Till Tomorrow What You Should Start Today (Part 1) ***
---------------------------------------------
For some, the upcoming EU legislative changes (the General Data Protection Regulation, referred to as GDPR, and the Network and Information Security Directive, referred to as the NIS Directive) may have seemed like they ..
---------------------------------------------
http://researchcenter.paloaltonetworks.com/2016/05/cso-dont-put-off-till-to…
*** Performing network forensics with Dshell. Part 1: Basic usage, (Mon, May 9th) ***
---------------------------------------------
I found out recently there is a very interesting tool that enables some interesting capabilities to perform network forensics from a PCAP capture file. It"> in the command prompt. There is a major keyword that launches ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21035
*** This is what a root debug backdoor in the Linux kernel looks like ***
---------------------------------------------
Allwinners all-loser code makes it into shipped firmware A root backdoor for debugging Android gadgets managed to end up in shipped firmware - and were surprised this sort of colossal blunder doesnt happen more often.
---------------------------------------------
www.theregister.co.uk/2016/05/09/allwinners_allloser_custom_kernel_has_a_na…
*** DSA-3573 qemu - security update ***
---------------------------------------------
https://www.debian.org/security/2016/dsa-3573
*** SS7 spookery on the cheap allows hackers to impersonate mobile chat subscribers ***
---------------------------------------------
Flaws in the mobile signalling protocols can be abused to read messaging apps such as WhatsApp and Telegram.
---------------------------------------------
www.theregister.co.uk/2016/05/10/ss7_mobile_chat_hack/
*** Security Advisory: ImageMagick vulnerability CVE-2016-3714 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/03/sol03151140.html
*** Let's stop talking password flaws and instead discuss access management ***
---------------------------------------------
A good bit of attention has been given to a new report that suggests that there are organizations that don't change their administrative passwords at all, ever. While it may be a bit eye opening that many IT professionals said they did not ..
---------------------------------------------
https://www.helpnetsecurity.com/2016/05/10/password-flaws-access-management/
*** xt:Commerce: Dringende Patches ohne Details ***
---------------------------------------------
Der Anbieter des Online-Shop-Systems xt:Commerce verteilt aktuell einen Sicherheitspatch. Betroffene Admins sollten die abgesicherten Versionen mit "sehr hoher ..
---------------------------------------------
http://heise.de/-3200152
*** Hacker Challenges ***
---------------------------------------------
Want to get started hacking things but don't want to do anything illegal? Here are some challenges others have made to help you practice some hacking skills. By participating in the challenges you could learn the following ..
---------------------------------------------
https://www.tunnelsup.com/hacker-challenges/
*** Ransomware Is Not a 'Malware Problem' - It's a Criminal Business Model ***
---------------------------------------------
Today Unit 42 published our latest paper on ransomware, which has quickly become one of the greatest cyberthreats facing organizations around the world. As a business model, ransomware has proven to be highly effective ..
---------------------------------------------
http://researchcenter.paloaltonetworks.com/2016/05/unit-42-ransomware-trend…
*** Lateral Movement: Do You Have Enough Eyes? ***
---------------------------------------------
Sophisticated attackers can find their way into a corporate network in many ways. An attack could come from an external source, through the exploitation of a service, or by being brought in by a user whose laptop has been infected while ..
---------------------------------------------
http://resources.infosecinstitute.com/lateral-movement-do-you-have-enough-e…
*** Böse Bilder: Akute Angriffe auf Webseiten über ImageMagick ***
---------------------------------------------
Die Gnadenfrist ist abgelaufen. Wer ein ungepatchtes ImageMagick auf seinem Server einsetzt, sollte schnellstens handeln, denn nun sind Exploits im Umlauf.
---------------------------------------------
http://heise.de/-3200773
*** Xen Security Advisory CVE-2016-3710,CVE-2016-3712 / XSA-179 ***
---------------------------------------------
http://xenbits.xen.org/xsa/advisory-179.txt
*** IBM Security Bulletin: Vulnerabilities in OpenSource PHP Affect IBM Lotus Protector For Mail Security (CVE-2016-3142 ) ***
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21981983
*** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM SmartCloud Provisioning for IBM Software Virtual Appliance ***
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg2C1000128
*** Hackers paradise: Outdated Internet Explorer, Flash installs in enterprises ***
---------------------------------------------
Two in five Flash users DO update. Surprised? A quarter of all Windows devices are running outdated and unsupported versions of Internet Explorer, exposing users to more ..
---------------------------------------------
www.theregister.co.uk/2016/05/10/ie_flash_vulns_rife/
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 06-05-2016 18:00 − Montag 09-05-2016 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Symantec Endpoint Encryption Unquoted Service Path Local Elevation of Privilege ***
---------------------------------------------
CVSS2 Base Score: 6.8
Symantec Endpoint Encryption (SEE) has an unquoted search path in EEDService. This could provide a non-privileged local user the ability to successfully insert arbitrary code in the root path.
---------------------------------------------
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se…
*** WordPress 4.5.2 Security Release ***
---------------------------------------------
WordPress 4.5.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.
WordPress versions 4.5.1 and earlier are affected by a SOME vulnerability through Plupload, the third-party library WordPress uses for uploading files. WordPress versions 4.2 through 4.5.1 are vulnerable to reflected XSS using specially crafted URIs through MediaElement.js, the third-party library used for media players. MediaElement.js and Plupload have also released updates fixing these issues.
---------------------------------------------
https://wordpress.org/news/2016/05/wordpress-4-5-2/
*** Lenovo Patches Serious Flaw In Pre-Installed Support Tool ***
---------------------------------------------
Reader itwbennett writes: Lenovo has made available a patch for the vulnerability in its Lenovo Solution Center, a support tool which comes pre-installed on many Lenovo laptops and desktops. The vulnerability could allow attackers to execute code with system privileges and take over computers. Users should automatically be prompted to update LSC when they open the application, but in case they arent, they should download the latest version (3.3.002) manually from Lenovos website.
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/8xQvMt43Nw8/lenovo-patches-…
*** The massive password breach that wasn't: Google says data is 98% 'bogus' ***
---------------------------------------------
When a script kiddie sells 272 million accounts for $1, be very, very skeptical.
---------------------------------------------
http://arstechnica.com/security/2016/05/the-massive-password-breach-that-wa…
*** Security Advisory: OpenSSL vulnerability CVE-2016-2109 ***
---------------------------------------------
The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in the ASN.1 BIO implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (memory consumption) via a short invalid encoding.
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/23/sol23230229.html?…
*** Analyzing ImageTragick Exploits in the Wild ***
---------------------------------------------
Three days ago the ImageMagic (ImageTragick) vulnerability was released to the world. We've been actively monitoring as promised, and have started to see a few different attacks targeting the vulnerability. Interestingly enough, the attacks themselves seem to be targeted against specific customers and not mass blanket attacks, which is what you'd expect ...
---------------------------------------------
https://blog.sucuri.net/2016/05/analyzing-imagetragick-exploits-in-the-wild…
*** "Detecting the Siemens S7 Worm and Similar Capabilities" ***
---------------------------------------------
An article came out on May 5th titled "Daisy-chained research spells malware worm hell for power plants and other utilities" with the subtitle of "Worlds first PLC worm spreads like cancer". Having been on the receiving end of sensationalized headlines before I empathize with the authors of the research...
---------------------------------------------
http://ics.sans.org/blog/2016/05/08/detecting-the-siemens-s7-worm-and-simil…
*** World Password Day--Dont be an easy target ***
---------------------------------------------
Thursday, May 5th, marks the 'celebration' of the fourth annual World Password Day.
..
* Have you updated the passwords on all of your accounts within the last three months?
* Have you enabled two-factor authentication on accounts that allow it?
*Are you using the strongest possible combinations of numbers, letters and symbols allowed by the site?
*Are you using different passwords for every account (no duplicates or very similar variations)?
---------------------------------------------
http://community.hpe.com/t5/Protect-Your-Assets/World-Password-Day-Don-t-be…
*** AlphaLocker Is the Most Professional Ransomware Kit to Date ... but security researchers already cracked it ***
---------------------------------------------
Luckily for us, other security experts have already cracked its secrets over the past weekend, and a decrypter was published that helps any of the infected victims recover their files for free, without paying the ransom. Nevertheless, heres a small intro into how crooks are creating, advertising, and then selling ransomware on the underground market.
---------------------------------------------
http://news.softpedia.com/news/alphalocker-is-the-most-professional-ransomw…
*** ImageMagick Vulnerability Information ***
---------------------------------------------
A few days ago an ImageMagick vulnerability was disclosed dubbed 'ImageTragick' that affects WordPress websites whose host has ImageMagick installed. If you control your own hosting for your WordPress site, you should look to implement the following fix(es) immediately.
---------------------------------------------
https://make.wordpress.org/core/2016/05/06/imagemagick-vulnerability-inform…
*** Wordpress-Plugin bleibt ungefixt ***
---------------------------------------------
Ein Sicherheitsforscher deckte zwei Lücken in der Wordpress-Erweiterung Event-Registration auf; die Hersteller reagieren jedoch nicht.
---------------------------------------------
http://heise.de/-3198956
*** Penetration Testing of a Citrix Server ***
---------------------------------------------
Here I'll discuss how I did a pentest of a Citrix server in a lab network. First, let us understand about Windows terminal service. Microsoft Windows Terminal Services, otherwise known as Remote Desktop Services, is one of the components of Windows 2003-08 Server, which allows multiple sessions to run the application over it.
---------------------------------------------
http://resources.infosecinstitute.com/penetration-testing-of-a-citrix-serve…
*** Security Advisory - XSS Vulnerability in the Email App of Huawei Smartphone ***
---------------------------------------------
There is a vulnerability due to the lack of output encoding for some particular characters in the email APP built in the affected Smart Phones. A successful exploitation of the vulnerability could allow an unauthenticated remote attacker to perform a cross-site scripting (XSS) attack and lead to obtain the user information.
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160507-…
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: The vulnerability in IBM Java SDK affect IBM Tivoli Composite Application Manager for Transactions(CVE-2016-0363 and CVE-2016-0376) ***
http://www.ibm.com/support/docview.wss?uid=swg21982634
---------------------------------------------
*** IBM Security Bulletin: Security Bulletin: Vulnerability in OpenSSL affects IBM InfoSphere Master Data Management (CVE-2016-2842) ***
http://www.ibm.com/support/docview.wss?uid=swg21982353
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilitiy in OpenSSL affect IBM Storwize V7000 Unified - CVE-2016-0800 ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005717
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM SONAS - CVE-2016-0800 ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005716
---------------------------------------------
*** IBM Security Bulletin: Apache Tomcat vulnerability affects IBM SONAS (CVE-2015-5345) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005712
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in InstallShield affects IBM Tivoli Storage Manager HSM for Windows (CVE-2016-2542) ***
http://www.ibm.com/support/docview.wss?uid=swg21982741
---------------------------------------------
*** IBM Security Bulletin: IBM Forms Viewer Installation could allow a remote attacker to execute arbitrary code on the system (CVE-2016-2542) ***
http://www.ibm.com/support/docview.wss?uid=swg21982440
---------------------------------------------
*** IBM Security Bulletin: GNU C library (glibc) vulnerability affects IBM SONAS (CVE-2015-7547) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005681
---------------------------------------------
*** IBM Security Bulletin: Potential vulnerabilities in IBM OpenPages GRC Platform with Database ***
http://www.ibm.com/support/docview.wss?uid=swg21982461
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in TLS affects IBM SONAS (CVE-2015-7575) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005722
---------------------------------------------
*** IBM Security Bulletin: Samba vulnerability issues on IBM SONAS (CVE-2015-5252, CVE-2015-5296, and CVE-2015-5299) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005693
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Apache Cordova Android may affect IBM WebSphere Portal (CVE-2015-5256) ***
http://www.ibm.com/support/knowledgecenter/SSHRKX_8.5.0/mp/integrate/wl_int…
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM SONAS (CVE-2015-1794, CVE-2015-3194, CVE-2015-3195, and CVE-2015-3196) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005694
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in GSKit affect Tivoli Workload Scheduler (CVE-2015-7421, CVE-2015-7420) ***
http://www.ibm.com/support/docview.wss?uid=swg21982432
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Liberty for Java for IBM Bluemix April 2016 CPU (CVE-2016-3426, CVE-2016-3427) ***
http://www.ibm.com/support/docview.wss?uid=swg21982850
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 04-05-2016 18:00 − Freitag 06-05-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Microsoft to retire support for SHA1 certificates in the next 4 months ***
---------------------------------------------
The lock icon will be gone by summer; sites using SHA1 to be blocked come January.
---------------------------------------------
http://arstechnica.com/security/2016/05/microsoft-to-retire-support-for-sha…
*** Österreich auf der Suche nach Nachwuchs-Hackern ***
---------------------------------------------
Bei der Cyber Security Challenge 2016 werden vom Abwehramt und dem Verein Cyber Security Austria zum fünften Mal junge Hacker-Talente gesucht.
---------------------------------------------
http://futurezone.at/digital-life/oesterreich-auf-der-suche-nach-nachwuchs-…
*** ImageTragick: Another Vulnerability, Another Nickname, (Thu, May 5th) ***
---------------------------------------------
Introduction On Tuesday 2016-05-03, we started seeing reports about a vulnerability for a cross-platform suite named ImageMagick [1, 2, 3]. This new vulnerability has been nicknamed ImageTragick and has its own website. Apparently, the vulnerability will be assigned to CVE-2016-3714. It wasnt yet on mitre.orgs CVE site when I wrote this diary. Johannes Ullrich already discussed this vulnerability in yesterdays ISC StormCast for 2016-05-04, but theres been more press about it. Should...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21023&rss
*** Jaku botnet hides targeted attacks within generic botnet noise ***
---------------------------------------------
Botnets are usually created by cyber criminals that use them to launch DDoS attacks, deliver spam, effect click fraud. The recently discovered Jaku botnet can effectively do all those things, if its botmaster(s) choose to do so, but it seems that they have other things in mind. The botnet which, according to Forcepoint researchers, numbered as many as 17,000 victims at different points in time, consists of several botnets "answering to" different C&C servers. The...
---------------------------------------------
https://www.helpnetsecurity.com/2016/05/05/jaku-botnet-targeted-attacks/
*** Juniper patches OpenSSHs roaming bug in Junos OS ***
---------------------------------------------
Screen OS not affected The next vendor to kill off the OpenSSH roaming bug announced in January is Juniper Networks.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/05/05/juniper_pat…
*** Criminals Peddling Affordable AlphaLocker Ransomware ***
---------------------------------------------
A relatively affordable and difficult to detect ransomware-as-a-service named AlphaLocker has begun making the rounds, researchers warn.
---------------------------------------------
http://threatpost.com/criminals-peddling-affordable-alphalocker-ransomware/…
*** Microsoft BITS Used to Download Payloads, (Thu, May 5th) ***
---------------------------------------------
A few day ago,I found an interesting malicious Word document. First of all, the file has a very low score on VT:2/56 (analysis is available here). The document is a classic one:Once opened, it asks the victim to enable macro execution if not yet enabled. The document targets" />">">The OLE document contains"> $ oledump.py b2a9d203bb135b54319a9e5cafc43824 1: 113 \x01CompObj 2: 4096 \x05DocumentSummaryInformation 3: 4096 \x05SummaryInformation 4: 9398 1Table 5:
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21027&rss
*** On The Monetization Of Crypto-Ransomware ***
---------------------------------------------
Over the last few years, technologies and infrastructure, in the form of crypto-currencies, the dark web and well-organized criminal affiliate programs have aligned to create the perfect storm. And from that storm, the crypto-ransomware beast has arisen. There's a reason why crypto-ransomware is making the news almost daily - it's unique compared to every other...
---------------------------------------------
https://labsblog.f-secure.com/2016/05/06/on-the-monetization-of-crypto-rans…
*** Studie: TLS-Proxies bringen Sicherheitsprobleme ***
---------------------------------------------
Unter 14 Antivirus- und Kinderschutzprodukten, die Inhalte in gesicherten TLS-Verbindungen filtern, fand sich kein einziges, das dabei keine zusätzlichen Sicherheitsprobleme verursachte.
---------------------------------------------
http://heise.de/-3197932
*** Qualcomm flaw puts millions of Android devices at risk ***
---------------------------------------------
A vulnerability in an Android component shipped with phones that use Qualcomm chips puts users text messages and call history at risk of theft.The flaw was found by security researchers from FireEye and was patched by Qualcomm in March. However, because the vulnerability was introduced five years ago, many affected devices are unlikely to ever receive the fix because theyre no longer supported by their manufacturers.The vulnerability, which is tracked as CVE-2016-2060, is located on an Android...
---------------------------------------------
http://www.cio.com/article/3066827/qualcomm-flaw-puts-millions-of-android-d…
*** Security Alert: New Ransomware Promises to Donate Earnings to Charity ***
---------------------------------------------
Psychological manipulation is heavily used in cyber attacks, especially in phishing and ransomware compromise attempts. As with all online scams, the attackers' main objective is simple: to make as much money and steal as much data as possible. So, in their malicious pursuit, they'll come up with new tactics to force their victims into complying with their conditions. Encrypting ransomware, such as CryptoWall or TeslaCrypt, is proof.
---------------------------------------------
https://heimdalsecurity.com/blog/security-alert-new-ransomware-donate-earni…
*** New Security Flaw Found in Lenovo Solution Center Software ***
---------------------------------------------
Security researchers at Trustwave SpiderLabs have discovered a new vulnerability in Lenovo's much maligned Lenovo Solution Center software. The vulnerability allows attackers with local network access to a PC to execute arbitrary code.
---------------------------------------------
http://threatpost.com/new-security-flaw-found-in-lenovo-solution-center-sof…
*** Public Key Infrastructure (PKI) ***
---------------------------------------------
Executive Summary This article is a detailed theoretical and hands-on with Public Key Infrastructure (PKI) and OpenSSL based Certificate Authority. In the first section, PKI and its associated concepts will be discussed. A test bed or lab environment on Ubuntu 14 will be prepared to apply PKI knowledge. Generation of CA, server and user keys/certificates...
---------------------------------------------
http://resources.infosecinstitute.com/public-key-infrastructure-pki-2/
*** Upcoming Security Updates for Adobe Acrobat and Reader (APSB16-14) ***
---------------------------------------------
A prenotification Security Advisory (APSB16-14) has been posted regarding upcoming releases for Adobe Acrobat and Reader scheduled for Tuesday, May 10, 2016. We will continue to provide updates on the upcoming releases via the Security Advisory as well as the...
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1344
*** Squid HTTP caching proxy Multiple Vulns ***
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016050024
*** [R1] PHP < 5.6.21 Vulnerabilities Affect Tenable SecurityCenter ***
---------------------------------------------
http://www.tenable.com/security/tns-2016-09
*** HPE Network Node Manager i Multiple Flaws Let Remote Users Bypass Authentication, Obtain Data and Potentially Sensitive Information, and Conduct Cross-Site Scripting Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1035767
*** Bugtraq: ESA-2016-051: Patch 14 for RSA Authentication Manager 8.1 SP1 to Address Multiple Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538287
*** DSA-3567 libpam-sshauth - security update ***
---------------------------------------------
It was discovered that libpam-sshauth, a PAM module to authenticateusing an SSH server, does not correctly handle system users. In certainconfigurations an attacker can take advantage of this flaw to gain rootprivileges.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3567
*** USN-2963-1: OpenJDK 8 vulnerabilities ***
---------------------------------------------
Ubuntu Security Notice USN-2963-14th May, 2016openjdk-8 vulnerabilitiesA security issue affects these releases of Ubuntu and its derivatives: Ubuntu 16.04 LTSSummarySeveral security issues were fixed in OpenJDK 8.Software description openjdk-8 - Open Source Java implementation DetailsMultiple vulnerabilities were discovered in the OpenJDK JRE related toinformation disclosure, data integrity, and availability. An attackercould exploit these to cause a denial of service, expose sensitive...
---------------------------------------------
http://www.ubuntu.com/usn/usn-2963-1/
*** USN-2964-1: OpenJDK 7 vulnerabilities ***
---------------------------------------------
Ubuntu Security Notice USN-2964-14th May, 2016openjdk-7 vulnerabilitiesA security issue affects these releases of Ubuntu and its derivatives: Ubuntu 15.10 Ubuntu 14.04 LTSSummarySeveral security issues were fixed in OpenJDK 7.Software description openjdk-7 - Open Source Java implementation DetailsMultiple vulnerabilities were discovered in the OpenJDK JRE related to informationdisclosure, data integrity, and availability. An attacker could exploitthese to cause a denial of service, expose...
---------------------------------------------
http://www.ubuntu.com/usn/usn-2964-1/
*** Cisco security Advisories ***
---------------------------------------------
*** Cisco Adaptive Security Appliance with FirePOWER Services Kernel Logging Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco FirePOWER System Software Packet Processing Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco TelePresence XML Application Programming Interface Authentication Bypass Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Finesse HTTP Request Processing Server-Side Request Forgery Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: May 2016 ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in bind affect Power Hardware Management Console (CVE-2016-1285, CVE-2016-1286) ***
http://www.ibm.com/support/docview.wss?uid=nas8N1021266
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in ntp affect Power Hardware Management Console (CVE-2015-5300, CVE-2015-7704, CVE-2015-8138) ***
http://www.ibm.com/support/docview.wss?uid=nas8N1021264
---------------------------------------------
*** IBM Security Bulletin: GNU C library (glibc) vulnerability affects IBM XIV Storage System (CVE-2015-7547) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005699
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Performance Tester (CVE-2015-7575, CVE-2016-0475) ***
http://www.ibm.com/support/docview.wss?uid=swg21982445
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Service Tester (CVE-2015-7575, CVE-2016-0475) ***
http://www.ibm.com/support/docview.wss?uid=swg21982446
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Insight (CVE-2015-4872, CVE-2015-4893, CVE-2015-4803, CVE-2015-5006, CVE-2016-0483, CVE-2015-7575, CVE-2016-0448, CVE-2016-0466) ***
http://www.ibm.com/support/docview.wss?uid=swg21972468
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Reporting for Development Intelligence (CVE-2015-4872, CVE-2015-4893, CVE-2015-4803, CVE-2015-5006, CVE-2016-0483, CVE-2015-7575, CVE-2016-0448, CVE-2016-0466) ***
http://www.ibm.com/support/docview.wss?uid=swg21972469
---------------------------------------------
*** IBM Security Bulletin: IBM Cognos Business Intelligence Server 2016Q1 Security Updater : IBM Cognos Business Intelligence Server is affected by multiple vulnerabilities. ***
http://www.ibm.com/support/docview.wss?uid=swg21979767
---------------------------------------------
*** IBM Security Bulletin: Open Source Apache Tomcat vulnerabilities affect IBM Tivoli Application Dependency Discovery Manager (TADDM) February 2016 ***
http://www.ibm.com/support/docview.wss?uid=swg21980693
---------------------------------------------
*** IBM Security Bulletin: Current Releases of IBM SDK for Node.js in IBM Bluemix are affected by CVE-2016-3956, CVE-2016-2515 and CVE-2016-2537. ***
http://www.ibm.com/support/docview.wss?uid=swg21981433
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in InstallShield affects IBM Tivoli Storage Manager for Databases: Data Protection for Microsoft SQL Server (CVE-2016-2542) ***
http://www.ibm.com/support/docview.wss?uid=swg21982467
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in InstallShield affects IBM Tivoli Storage FlashCopy Manager on Windows (CVE-2016-2542) ***
http://www.ibm.com/support/docview.wss?uid=swg21982448
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in SQLite affects IBM Security Access Manager for Mobile (CVE-2015-3416) ***
http://www.ibm.com/support/docview.wss?uid=swg21981269
---------------------------------------------
*** IBM Security Bulletin: IBM SPSS Statistics ActiveX Control Buffer Overflow (CVE-2015-8530) ***
http://www.ibm.com/support/docview.wss?uid=swg21982035
---------------------------------------------
*** IBM Security Bulletin: The GPFS pattern provided with IBM PureApplication System is affected by a security vulnerability. (CVE-2015-7403) ***
http://www.ibm.com/support/docview.wss?uid=swg21982660
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 03-05-2016 18:00 − Mittwoch 04-05-2016 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Dev using Libarchive? Patch and push ***
---------------------------------------------
Input validation bug opens code execution vuln The popular Libarchive open source compression library needs an update to cover a code execution vulnerability.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/05/04/dev_using_l…
*** Sicherheitsupdates: PHP anfällig für Remote Code Execution ***
---------------------------------------------
Angreifer können verschiedenen PHP-Versionen aus der Ferne Schadcode unterjubeln. Drei abgesicherte Versionen schließen zwei Sicherheitslücken.
---------------------------------------------
http://heise.de/-3196826
*** Neue Versionen von Apache Struts wehren sich gegen Schad-Code ***
---------------------------------------------
Über eine Sicherheitslücke können Angreifer Server mit Apache Struts unter Umständen aus der Ferne attackieren und Code ausführen.
---------------------------------------------
http://heise.de/-3196868
*** Petya: the two-in-one trojan ***
---------------------------------------------
Petya Trojan is an unusual hybrid of an MBR blocker and data encryptor: it prevents not only the operating system from booting but also blocks normal access to files located on the hard drives of the attacked system.
---------------------------------------------
http://securelist.com/blog/research/74609/petya-the-two-in-one-trojan/
*** Höflicher Erpressungstrojaner entschuldigt sich und bittet um Geschenke ***
---------------------------------------------
Ein neuer Krypto-Trojaner geht um: Die Alpha Ransomware verlangt iTunes-Gutscheine vom Opfer, sonst bleiben die Daten mit AES-256 verschlüsselt. Der Erpresserbrief ist überraschend höflich, verschweigt allerdings wichtige Details.
---------------------------------------------
http://heise.de/-3197135
*** Yet Another Padding Oracle in OpenSSL CBC Ciphersuites ***
---------------------------------------------
Yesterday a new vulnerability has been announced in OpenSSL/LibreSSL. A padding oracle in CBC mode decryption, to be precise. Just like Lucky13. Actually, it's in the code that fixes Lucky13.It was found by Juraj Somorovsky using a tool he developed called TLS-Attacker. Like in the "old days"...
---------------------------------------------
https://blog.cloudflare.com/yet-another-padding-oracle-in-openssl-cbc-ciphe…
*** Neutrino exploit kit sends Cerber ransomware, (Wed, May 4th) ***
---------------------------------------------
Introduction Seems like were always finding new ransomware. In early March 2016, BleepingComputer announced a new ransomware named Cerber had appeared near the end of February [1]. A few days later, the Malwarebytes blog provided further analysis and more details on subsequent Cerber samples [2]. Cerber is distributed through exploit kits (EKs) and malicious spam (malspam). Ive only seen .rtf attachments that download and install Cerber if opened in Microsoft Word [3]." /> Shown above:...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21017
*** Security Advisory: Stored XSS in bbPress ***
---------------------------------------------
Exploitation Level: Easy/Remote DREAD Score: 6/10 Vulnerability: Stored XSS Patched Version: bbPress 2.5.9 During regular research audits of our Sucuri Firewall, we discovered a Stored XSS vulnerability affecting the bbPress plugin for WordPress which is currently installed on 300,000 live websites - one of them being the popular wordpress.org support forum. Vulnerability Disclosure Timeline: April...
---------------------------------------------
https://blog.sucuri.net/2016/05/security-advisory-stored-xss-bbpress-2.html
*** Xcode 7.3.1 ***
---------------------------------------------
Available for: OS X El Capitan v10.11 and later
Impact: A remote attacker may be able to execute arbitrary code
---------------------------------------------
https://support.apple.com/kb/HT206338
*** Cisco Prime Collaboration Assurance Open Redirect Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** F5 Security Advisory: Multiple OpenSSL vulnerabilities CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, CVE-2016-2109, CVE-2016-2176 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/07/sol07538415.html?…
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect WebSphere Application Server April 2016 CPU (CVE-2016-3426, CVE-2016-3427) ***
http://www.ibm.com/support/docview.wss?uid=swg21982223
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Sterling Connect:Direct for UNIX (CVE-2016-0799, CVE-2016-0702). ***
http://www.ibm.com/support/docview.wss?uid=swg21981764
---------------------------------------------
*** IBM Security Bulletin: Potential vulnerabilities in IBM OpenPages GRC Platform with Application Server ***
http://www.ibm.com/support/docview.wss?uid=swg21982462
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos Metrics Manager (CVE-2016-0448, CVE-2016-0466) ***
http://www.ibm.com/support/docview.wss?uid=swg21977134
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in current releases of the IBM SDK, Java Technology Edition affect IBM Tivoli Network Manager IP Edition ***
http://www.ibm.com/support/docview.wss?uid=swg21975424
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in IBM InfoSphere Information Server installer could expose sensitive information (CVE-2015-7493) ***
http://www.ibm.com/support/docview.wss?uid=swg21982034
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Sterling Connect:Direct for UNIX (CVE-2015-3194, CVE-2015-3195). ***
http://www.ibm.com/support/docview.wss?uid=swg21981765
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in IBM WebSphere Application Server affects IBM Cognos Metrics Manager (CVE-2015-2017) ***
http://www.ibm.com/support/docview.wss?uid=swg21976798
---------------------------------------------
*** IBM Security Bulletin: DB2 local escalation of privilege vulnerability affects IBM Tivoli Storage Manager server (CVE-2015-1947) ***
http://www.ibm.com/support/docview.wss?uid=swg21979698
---------------------------------------------
*** IBM Security Bulletin: A security vulnerability has been identified in IBM Tivoli / Security Directory Server ***
http://www.ibm.com/support/docview.wss?uid=swg21980585
---------------------------------------------
Next End-of-Shift report on 2016-05-06
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 02-05-2016 18:00 − Dienstag 03-05-2016 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** GOZNYM MALWARE ***
---------------------------------------------
Antivirus software detects GozNym hybrid as Nymaim variant GozNym samples resolve domains, do not connect to IPs returned. Separate IP used for HTTP comms. C2 channel for GozNym appears to be HTTP POST requests, in line with ..
---------------------------------------------
https://blog.team-cymru.org/2016/05/goznym-malware/
*** JSA10748 - Protect-RE (loopback) Firewall Filter does not discard OSPF packets from non-permitted prefixes ***
---------------------------------------------
http://kb.juniper.net/index?page=content&id=JSA10748&actp=RSS
*** Acunetix WVS 10 - Remote command execution (SYSTEM privilege) ***
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016050003
*** 3-in-4 Android phones, slabs, gizmos menaced by fresh hijack flaws ***
---------------------------------------------
Another month, another round of critical vulnerabilities patched by Google Google has today issued a bundle of 40 security patches for its Android operating system.
---------------------------------------------
www.theregister.co.uk/2016/05/02/android_may_patch_batch/
*** Fake Security Conferences ***
---------------------------------------------
Turns out there are two different conferences with the title International Conference on Cyber Security (ICCS 2016), one real and one fake. Richard Clayton has the story ..
---------------------------------------------
https://www.schneier.com/blog/archives/2016/05/fake_security_c.html
*** RSA Data Loss Prevention Bugs Let Remote Users Conduct Cross-Site Scripting and Clickjacking Attacks and Let Remote Authenticated Users Bypass Security Controls and Obtain Potentially Sensitive Information ***
---------------------------------------------
http://www.securitytracker.com/id/1035714
*** SNMP Pentesting ***
---------------------------------------------
In the previous article about SNMP, we have discussed how to set up your own vulnerable lab where we have configured pfSense and VyOS with SNMP misconfigurations. You can find this article here. In this article, we will discuss how to assess the security ..
---------------------------------------------
http://resources.infosecinstitute.com/snmp-pentesting/
*** l+f: Webseite des Ministeriums für digitale Infrastruktur erneut löchrig ***
---------------------------------------------
Nach Heartbleed nun XSS: Der Web-Auftritt des Bundesministeriums für Verkehr und digitale Infrastruktur war abermals unzureichend abgesichert.
---------------------------------------------
http://heise.de/-3196376
*** OpenSSL Security Advisory [3rd May 2016] ***
---------------------------------------------
https://openssl.org/news/secadv/20160503.txt
*** OpenSSL schließt Abkömmling der Lucky-13-Lücke ***
---------------------------------------------
Die vielgenutzte Krypto-Bibliothek erhält Patches für sechs Sicherheitslücken. Zwei davon haben die Priorität ..
---------------------------------------------
http://heise.de/-3196510
*** Ransomware deployments after brute force RDP attack ***
---------------------------------------------
Fox-IT has encountered various ways in which ransomware is being spread and activated. Many infections happen by sending spam e-mails and luring the receiver in opening the infected ..
---------------------------------------------
https://blog.fox-it.com/2016/05/02/ransomware-deployments-after-brute-force…
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 29-04-2016 18:00 − Montag 02-05-2016 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** DSA-3561 subversion - security update ***
---------------------------------------------
Several vulnerabilities were discovered in Subversion, a version controlsystem. The Common Vulnerabilities and Exposures project identifies thefollowing problems:
---------------------------------------------
https://www.debian.org/security/2016/dsa-3561
*** Google Patches 9 Security Flaws in New Chrome Browser Build ***
---------------------------------------------
Five Chrome bug bounty hunters split $14,000 in rewards as Google patches nine security flaws in its browser, four are labeled 'high'.
---------------------------------------------
http://threatpost.com/google-patches-9-security-flaws-in-new-chrome-browser…
*** Cloned Websites Stealing Google Rankings ***
---------------------------------------------
We often speak of black hat SEO tactics and content scraping sites are just one example of such tactics. Scraping is the act of copying all content from a website using automated scripts, usually with the intention of stealing ..
---------------------------------------------
https://blog.sucuri.net/2016/04/cloned-website-stealing-google-rankings-seo…
*** Lizard Squad Ransom Threats: New Name, Same Faux Armada Collective M.O. ***
---------------------------------------------
[...] Beginning late Thursday evening (Pacific Standard Time) several CloudFlare customers began to receive threatening emails from a "new" group calling itself the 'Lizard Squad'. These emails have a similar modus operandi to the previous ransom emails. This group was threatenin ..
---------------------------------------------
https://blog.cloudflare.com/lizard-squad-ransom-threats-new-name-same-faux-…
*** Cyber Security Challenge: Wettbewerb für "Nachwuchs-Hacker" startet am 2. Mai ***
---------------------------------------------
Ab sofort sind Schüler und Studenten wieder aufgerufen, sich den Online-Prüfungen der Cyber Security Challenge zu stellen. Die Qualifikationsphase läuft bis zum 1. August, das deutsche Finale findet Ende September in Berlin statt.
---------------------------------------------
http://heise.de/-3194493
*** Crypto-ransomware Gains Footing in Corporate Grounds, Gets Nastier for End Users ***
---------------------------------------------
In the first four months of 2016, we have discovered new families and variants of ransomware, seen their vicious new routines, and witnessed threat actors behind these operations upping the ransomware game to new heights. All these developments further establish crypto-ransomware as a ..
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/crypto-ransomwar…
*** Schwarzmarkt: Preis für mobile Malware zieht an ***
---------------------------------------------
Sicherheitsforschern zufolge floriert der Handel mit mobiler Malware. Der Anbieter des Android-Trojaners GM Bot zieht indes die Preise auf Malware-Marktplätzen spürbar an.
---------------------------------------------
http://heise.de/-3195382
*** Practical Reverse Engineering Part 2 - Scouting the Firmware ***
---------------------------------------------
In part 1 we found a debug UART port that gave us access to a linux shell. At this point we've got the same access to the router that a developer would use to debug issues, control the system, etc.
---------------------------------------------
http://jcjc-dev.com/2016/04/29/reversing-huawei-router-2-scouting-firmware/
*** Ernste Sicherheitslücke in Ubuntus neuem Paketformat Snap geschlossen ***
---------------------------------------------
Ubuntus neues Paketformat Snap sorgt erneut für Aufsehen: Nun haben die Entwickler einen Schreibfehler im Code entfernt, der Angreifern das Ausführen von beliebigem Schadcode ermöglicht hatte.
---------------------------------------------
http://heise.de/-3195532
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 28-04-2016 18:00 − Freitag 29-04-2016 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** A Dramatic Rise in ATM Skimming Attacks ***
---------------------------------------------
Skimming attacks on ATMs increased at an alarming rate last year for both American and European banks and their customers, according to recent stats collected by fraud trackers. The trend appears to be continuing into 2016, with outbreaks of skimming activity visiting a much broader swath of the United States than in years past.
---------------------------------------------
http://krebsonsecurity.com/2016/04/a-dramatic-rise-in-atm-skimming-attacks/
*** Security: Der Internetminister hat Heartbleed ***
---------------------------------------------
Die Webseite des Bundesministeriums für Verkehr und digitale Infrastruktur war für eine seit fast zwei Jahren geschlossene, kritische Sicherheitslücke anfällig. Das kompromittierte Zertifikat wird weiterhin verwendet. (Heartbleed, Verschlüsselung)
---------------------------------------------
http://www.golem.de/news/security-der-internetminister-hat-heartbleed-1604-…
*** Zahlreiche Zugangsdaten für den Messaging-Dienst Slack auf GitHub entdeckt ***
---------------------------------------------
Die Sicherheitsfirma Detectify hat über tausend Zugangs-Tokens für Slack in öffentlich zugänglichen GitHub-Repositories gefunden.
---------------------------------------------
http://heise.de/-3194000
*** eBay-Phisher gehen mit persönlichen Details auf Opferfang ***
---------------------------------------------
Derzeit sind besonders perfide Phishing-Mails im Namen von eBay unterwegs. In den Nachrichten werden die Empfänger mit komplettem Namen und vollständiger Anschrift angesprochen.
---------------------------------------------
http://heise.de/-3194026
*** Got ransomware? These tools may help ***
---------------------------------------------
Your computer has been infected by ransomware. All those files -- personal documents, images, videos, and audio files -- are locked up and out of your reach.There may be a way to get those files back without paying a ransom. But first a couple of basic questions:Do you you have complete backups? If so, recovery is simply a matter of wiping the machine -- bye bye, ransomware! -- reinstalling your applications, and restoring the data files. Its a little stressful, but doable.Are they good...
---------------------------------------------
http://www.cio.com/article/3063048/security/got-ransomware-these-tools-may-…
*** Sysinternals Updated today - Updates to Sysmon, Procdump and Sigcheck. (Fri, Apr 29th) ***
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21001https://blogs.technet.microsoft.com/sysinternals/2016/04/28/update-sysmon-v…
*** BIND 9.9.9/9.10.4 released ***
---------------------------------------------
https://lists.isc.org/pipermail/bind-announce/2016-April/000986.htmlhttps://lists.isc.org/pipermail/bind-announce/2016-April/000987.htmlhttps://lists.isc.org/pipermail/bind-announce/2016-April/thread.html
*** DFN-CERT-2016-0686: Jenkins: Zwei Schwachstellen ermöglichen u.a. das Umgehen von Sicherheitsvorkehrungen ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0686/
*** [HTB23301]: SQL Injection in GLPI ***
---------------------------------------------
Product: GLPI v0.90.2Vulnerability Type: SQL Injection [CWE-89]Risk level: High Creater: INDEPNET Advisory Publication: April 8, 2016 [without technical details]Public Disclosure: April 29, 2016 CVE Reference: Pending CVSSv2 Base Score: 7.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L] Vulnerability Details: High-Tech Bridge Security Research Lab discovered a high-risk SQL injection vulnerability in a popular Information Resource Manager (IRM) system GLPI. IRM systems are usually used for...
---------------------------------------------
https://www.htbridge.com/advisory/HTB23301
*** Bugtraq: [security bulletin] HPSBUX03583 SSRT110084 rev.1 - HP-UX BIND Service running Named, Remote Denial of Service (DoS) ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538219
*** Cisco Information Server XML Parser Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** APPLE-SA-2016-04-28-1 OS X: Flash Player plug-in blocked ***
---------------------------------------------
APPLE-SA-2016-04-28-1 OS X: Flash Player plug-in blockedDue to security and stability issues in older versions, Applehas updated the web plug-in blocking mechanism to disable allversions prior to Flash Player 21.0.0.226 and 18.0.0.343.Information on blocked web plug-ins will be posted to: [...]
---------------------------------------------
http://prod.lists.apple.com/archives/security-announce/2016/Apr/msg00000.ht…
*** Moxa NPort Device Vulnerabilities (Update B) ***
---------------------------------------------
This alert update is a follow-up to the NCCIC/ICS-CERT updated alert titled ICS-ALERT-16-099-01A Moxa NPort Device Vulnerabilities that was published April 20, 2016, on the ICS-CERT web page. ICS-CERT is aware of a public report of vulnerabilities affecting multiple models of the Moxa NPort device. These vulnerabilities were reported by Reid Wightman of Digital Bonds Labs, who coordinated with the vendor but not with ICS-CERT.
---------------------------------------------
https://ics-cert.us-cert.gov/alerts/ICS-ALERT-16-099-01
*** SSA-763427 (Last Update 2016-04-29): Vulnerability in Communication Processor (CP) modules SIMATIC CP 343-1, TIM 3V-IE, TIM 4R-IE, and CP 443-1 ***
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-763427…
*** SSA-921524 (Last Update 2016-04-29): Incorrect Frame Padding in ROS-based Devices ***
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-921524…
*** IBM Security Bulletin: Multiple vulnerabilities in current releases of IBM® WebSphere Real Time ***
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21982198
*** IBM Security Bulletin: A vulnerability in IBM WebSphere Application Server affects IBM QuickFile (CVE-2015-2017). ***
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21977561
*** Bugtraq: [SECURITY] [DSA 3561-1] subversion security update ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538223
*** WordPress <= 4.4.2 - SSRF Bypass using Octal & Hexedecimal IP addresses ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/8473
*** WordPress <= 4.4.2 - Reflected XSS in Network Settings ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/8474
*** WordPress <= 4.4.2 - Script Compression Option CSRF ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/8475
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 27-04-2016 18:00 − Donnerstag 28-04-2016 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Malware Takes Advantage of Windows "God Mode" ***
---------------------------------------------
Microsoft Windows has hidden an Easter Egg since Windows Vista. It allows users to create a specially named folder that acts as a shortcut to Windows settings and special folders, such as control panels, My Computer, or the printers folder. This "God Mode" can come in handy for admins, but attackers are now using this undocumented feature for evil ends. Files placed within one of these master control panel shortcuts are not easily accessible via Windows Explorer because the folders do...
---------------------------------------------
https://blogs.mcafee.com/mcafee-labs/malware-takes-advantage-of-windows-god…
*** VB2016 Call for Papers Deadline ***
---------------------------------------------
You have until the early hours (GMT) of Monday 21 March to submit an abstract for VB2016! The VB2016 programme will be announced in the first week of April.
---------------------------------------------
https://www.virusbulletin.com/blog/2016/03/vb2016-call-papers-deadline/
*** How broken is SHA-1 really? ***
---------------------------------------------
SHA-1 collisions may be found in the next few months, but that doesnt mean that fake SHA-1-based certificates will be created in the near future. Nevertheless, it is time for everyone, and those working in security in particular, to move away from outdated hash functions.
---------------------------------------------
https://www.virusbulletin.com/blog/2016/03/how-broken-sha-1-really/
*** Firefox 46 Patches Critical Memory Vulnerabilities ***
---------------------------------------------
Mozilla released Firefox 46, which includes patches for one critical and four high-severity vulnerabilities, all of which can lead to remote code execution.
---------------------------------------------
http://threatpost.com/firefox-46-patches-critical-memory-vulnerabilities/11…
*** DNS and DHCP Recon using Powershell, (Thu, Apr 28th) ***
---------------------------------------------
I recently had a client pose an interesting problem. They wanted to move all their thin clients to a separate VLAN. In order to do that, I needed to identify which switch port each was on. Since there were several device vendors involved, I couldnt use OUI portion of the MAC. Fortunately, they were using only a few patterns in their thin client hostnames, so that gives me an in. Great you say, use nmap -sn, sweep for the names, get the MAC addresses and map those to switch ports - easy right?
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20995&rss
*** Time for a patch: six vulns fixed in NTP daemon ***
---------------------------------------------
Whats the time? Its time to get ill. Unless you fix these beastly flaws Cisco has turned over a bunch of Network Time Protocol daemon (ntpd) vulnerabilities to the Linux Foundations Core Infrastructure Initiative.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/04/28/time_for_a_…
*** Handling security bugs, vulnerable infrastructure and a range of DDoS attacks: 22nd MELANI semi-annual report ***
---------------------------------------------
In the second half of 2015, there were once again some spectacular cyber-related incidents worldwide. These were primarily DDoS attacks, phishing attacks and attacks on industrial control systems. Published today, the 22nd MELANI semi-annual report features handling security vulnerabilities as its key topic.
---------------------------------------------
https://www.melani.admin.ch/melani/en/home/dokumentation/newsletter/semi-an…
*** Binary Webshell Through OPcache in PHP 7 ***
---------------------------------------------
In this article, we will be looking at a new exploitation technique using the default OPcache engine from PHP 7. Using this attack vector, we can bypass certain hardening techniques that disallow the file write access in the web directory. This could be used by an attacker to execute his own malicious code in a hardened environment.
---------------------------------------------
http://blog.gosecure.ca/2016/04/27/binary-webshell-through-opcache-in-php-7/
*** Kaspersky DDoS Intelligence Report for Q1 2016 ***
---------------------------------------------
In Q1, resources in 74 countries were targeted by DDoS attacks. China, the US and South Korea remained the leaders in terms of number of DDoS attacks and number of targets. The longest DDoS attack in Q1 2016 lasted for 197 hours (or 8.2 days).
---------------------------------------------
http://securelist.com/analysis/quarterly-malware-reports/74550/kaspersky-dd…
*** Cyber Security Lecture given by Mozilla ***
---------------------------------------------
May 09, 2016 - 4:00 pm - 6:30 pm TU Wien Karlsplatz 13 1040 Wien
Let’s Encrypt (J.C. Jones)
You can’t build a secure website without having a certificate, and getting a certificate is one of the hardest parts of setting up a secure website. Mozilla helped start up Let’s Encrypt to make getting a certificate easier and promote the security of the Web. In 16 months, Let’s Encrypt went from an idea...
Mozilla Security (Richard Barnes)
The Web is arguably the single largest platform for applications in the world. Securing a Web browser requires security expertise from across the field, including low-level program internals, network security, language design, and access controls. In this talk, we will discuss some of the critical Web...
---------------------------------------------
https://www.sba-research.org/events/cyber-security-lecture-given-by-mozilla/
*** PCI DSS 3.2 is out: What's new? ***
---------------------------------------------
The Payment Card Industry Security Standards Council has published the latest version of PCI DSS, the information security standard for organizations that handle customer credit cards. Changes and improvements in PCI DSS 3.2 include: Multi-factor authentication will be required for all administrative access into the cardholder data environment. Previously, use of multi-factor authentication was only a must when it was accessed remotely, by an untrusted user/device. This will not impact...
---------------------------------------------
https://www.helpnetsecurity.com/2016/04/28/pci-dss-3-2-whats-new/
*** Cisco Finds Backdoor Installed on 12 Million PCs ***
---------------------------------------------
UPDATED. Cisco's Talos security intelligence and research group has come across a piece of software that installed backdoors on 12 million computers around the world.
---------------------------------------------
http://www.securityweek.com/cisco-finds-backdoor-installed-12-million-pcs
*** Forthcoming OpenSSL releases ***
---------------------------------------------
The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.0.2h, 1.0.1t. These releases will be made available on 3rd May 2016 between approximately 1200-1500 UTC. They will fix several security defects with maximum severity "high".
---------------------------------------------
https://mta.openssl.org/pipermail/openssl-announce/2016-April/000069.html
*** VMSA-2015-0007.4 ***
---------------------------------------------
VMware vCenter and ESXi updates address critical security issues.
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2015-0007.html
*** Bugtraq: CVE-2015-5207 - Bypass of Access Restrictions in Apache Cordova iOS ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538213
*** sol93532943: SSHD session.c vulnerability CVE-2016-3115 ***
---------------------------------------------
Multiple CRLF injection vulnerabilities in session.c in sshd in OpenSSH before 7.2p2 allow remote authenticated users to bypass intended shell-command restrictions via crafted X11 forwarding data, related to the (1) do_authenticated1 and (2) session_x11_req functions. (CVE-2016-3115)
---------------------------------------------
https://support.f5.com/kb/en-us/solutions/public/k/93/sol93532943.html?ref=…
*** sol52349521: OpenSSL vulnerability CVE-2016-2842 ***
---------------------------------------------
The doapr_outch function in crypto/bio/b_print.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g does not verify that a certain memory allocation succeeds, which allows remote attackers to cause a denial of service (out-of-bounds write or memory consumption) or possibly have unspecified other impact via a long string, as demonstrated by a large amount of ASN.1 data, a different vulnerability than CVE-2016-0799. (CVE-2016-2842)
---------------------------------------------
https://support.f5.com/kb/en-us/solutions/public/k/52/sol52349521.html?ref=…
*** Cisco Security Advisories ***
---------------------------------------------
*** Cisco Application Policy Infrastructure Controller Enterprise Module Unauthorized Access Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco WebEx Meetings Server Open Redirect Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products: April 2016 ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in Samba - including Badlock - Transformation Extender Hypervisor Edition ***
http://www.ibm.com/support/docview.wss?uid=swg21981057
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in Samba including Badlock - affect IBM OS Images for Red Hat Linux Systems. ***
http://www.ibm.com/support/docview.wss?uid=swg21982097
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in Samba, including Badlock, affect IBM i ***
http://www.ibm.com/support/docview.wss?uid=nas8N1021296
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in php5 affect IBM Flex System Manager (FSM) (CVE-2015-6836, CVE-2015-6837, CVE-2015-6838) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023641
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in ISC BIND and Samba - including Badlock - affect IBM Netezza Host Management ***
http://www.ibm.com/support/docview.wss?uid=swg21979985
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilitiesin gnutls affect IBM Flex System Manager(FSM) (CVE-2015-2806, CVE-2015-8313) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023642
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in openLDAP affects IBM Flex System Manager(FSM) (CVE-2015-6908) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023640
---------------------------------------------
*** IBM Security Bulletin: Potential security vulnerability in IBM WebSphere Application Server for Bluemix if FIPS 140-2 is enabled (CVE-2016-0306) and multiple vulnerabilities in Samba - including Badlock (CVE-2016-2118) ***
http://www.ibm.com/support/docview.wss?uid=swg21982128
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Rational Application Developer for WebSphere Software included in Rational Developer for i and Rational Developer for AIX and Linux ***
http://www.ibm.com/support/docview.wss?uid=swg21981752
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in current releases of the IBM SDK, Java Technology Edition ***
http://www.ibm.com/support/docview.wss?uid=swg21980826
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities exist with Oracle Outside In Technology (OIT) in IBM FileNet Content Manager and IBM Content Foundation. ***
http://www.ibm.com/support/docview.wss?uid=swg21975822
---------------------------------------------
*** IBM Security Bulletin: Multiple Vulnerabilities in IBM SDK, Java Technology Edition Quarterly CPU - Jan 2016 - Includes Oracle Jan 2016 CPU + 3 IBM CVEs affects IBM Algorithmics One Core, Algo Risk Application, and Counterparty Credit Risk ***
http://www.ibm.com/support/docview.wss?uid=swg21981333
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in SQLite affects IBM Security Access Manager for Web (CVE-2015-3416) ***
http://www.ibm.com/support/docview.wss?uid=swg21981270
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in RSOC_APP_01 Frameable Response Potential Clickjacking (CSRF) affects IBM Algorithmics Algo Risk Application - CVE-2016-0207 ***
http://www.ibm.com/support/docview.wss?uid=swg21981322
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 26-04-2016 18:00 − Mittwoch 27-04-2016 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Nationale Strategie: De Maizière will Wirtschaft besser gegen Cyberspionage schützen ***
---------------------------------------------
Manchmal ist es eine komplexer Hackerangriff, manchmal fängt sich der Chef die Schadsoftware auch direkt von der Speisekarte seines Lieblingsrestaurants ein. Vielen Unternehmen fehlt noch das Bewusstsein der Gefahr. Das soll anders werden.
---------------------------------------------
http://heise.de/-3189372
*** All About Fraud: How Crooks Get the CVV ***
---------------------------------------------
A longtime reader recently asked: "How do online fraudsters get the 3-digit card verification value (CVV or CVV2) code printed on the back of customer cards if merchants are forbidden from storing this information? The answer: Probably by installing a Web-based keylogger at an online merchant so that all data that customers submit to the site is copied and sent to the attackers server.
---------------------------------------------
http://krebsonsecurity.com/2016/04/all-about-fraud-how-crooks-get-the-cvv/
*** A Look Inside Cerber Ransomware ***
---------------------------------------------
The "Cerber" family of ransomware first appeared in open source reporting in March 2016, with victims readily identified by the ".cerber" extension left on encrypted files. Unlike many other ransomware variants, Cerber is designed to encrypt a victim's file system immediately, without receiving "confirmation" or instructions from a command and control (C2) node. After this malicious encryption is complete, HTML and text files are opened on the infected...
---------------------------------------------
https://blog.team-cymru.org/2016/04/a-look-inside-cerber-ransomware/
*** Malvertising On The Pirate Bay Drops Ransomware ***
---------------------------------------------
Magnitude EK strikes again, this time on The Pirate Bay, and drops the Cerber Ransomware. Categories: ExploitsTags: cerbermagnitude EKransomwareThe Pirate BayTPB(Read more...)
---------------------------------------------
https://blog.malwarebytes.org/threat-analysis/exploits-threat-analysis/2016…
*** Next up. A look at Locky Ransomware ***
---------------------------------------------
Weve been examining some of the newer - or, at least, most currently prevalent - strains of ransomware. This time we look at Locky.
---------------------------------------------
http://www.scmagazine.com/next-up-a-look-at-locky-ransomware/article/492355/
*** 7ev3n ransomware alters name, asks for much lower ransom ***
---------------------------------------------
A variant of 7ev3n ransomware has modified its name and begun asking victims for a considerably lower ransom fee than it was seeking just a few months ago. Security researchers originally detected the 7ev3n ransomware back in January of this year.
---------------------------------------------
https://www.grahamcluley.com/2016/04/7ev3n-ransomware-alters-asks-lower-ran…
*** BSI-Umfrage: Ein Drittel der Unternehmen ist von Erpressungs-Trojanern betroffen ***
---------------------------------------------
Den Ergebnissen einer Ransomware-Umfrage des BSI zufolge schützen 60 Prozent der befragten Institutionen aus der deutschen Wirtschaft die Lage als verschärft ein. Auch die Security Bilanz Deutschland vermeldet einen erhöhten Bedrohungsgrad.
---------------------------------------------
http://heise.de/-3189776
*** "Ransomware ist mittlerweile die größte Bedrohung" ***
---------------------------------------------
Trojaner, die Systeme verschlüsseln, bieten Kriminellen einen einfachen Weg, Geld zu verdienen. Die Opferzahlen steigen und auch Smartphones sind nicht mehr sicher.
---------------------------------------------
http://futurezone.at/digital-life/ransomware-ist-mittlerweile-die-groesste-…
*** Digging deep for PLATINUM ***
---------------------------------------------
There is no shortage of headlines about cybercriminals launching large-scale attacks against organizations. For us, the activity groups that pose the most danger are the ones who selectively target organizations and desire to stay undetected, protect their investment, and maximize their ROI. That's what motivated us - the Windows Defender Advanced Threat Hunting team, known...
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2016/04/26/digging-deep-for-platin…
*** Boffins believe buggy Binder embiggens Android attack surface ***
---------------------------------------------
Punching holes in problematic private APIs Bugs in Androids Binder inter-process communication (IPC) mechanism open up a mass of security bugs, according to University of Michigan boffins Huan Feng and Kang Shin.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/04/27/boffins_bel…
*** Memory Forensics ***
---------------------------------------------
Introduction This mini-course started with forensic memory basics, in this mini-course, we have explained how you can and what you can find artifacts from memory. As Memory forensics is very vast topic so we have also explained some memory basic such as how memory works what memory architecture and its unit is. Also, what artifacts...
---------------------------------------------
http://resources.infosecinstitute.com/memory-forensics/
*** An Introduction to Mac memory forensics, (Tue, Apr 26th) ***
---------------------------------------------
Unfortunately when its come to the memory forensics Mac in environment doesnt have the luxury that we have in the Windows environment. The first step of the memory forensics is capturing the memory, while in Windows we have many tools to achieve this, in Mac we have very few options. OSXPmem is the only available option for memory capturing that support El Capitan, https://github.com/google/rekall/releases/download/v1.3.2/osxpmem_2.0.1.zip Now let"> cd osxpmem.app/ "> chown
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20989&rss
*** How to Suck at Information Security - A Cheat Sheet ***
---------------------------------------------
This cheat sheet presents common information security mistakes, so you can avoid making them. Yeah, the idea is that you should do the opposite of what it says below. To print, use the one-sheet PDF version; you can also edit the Word version for you own needs.
---------------------------------------------
https://zeltser.com/suck-at-security-cheat-sheet/
*** [DSA 3558-1] openjdk-7 security update ***
---------------------------------------------
CVE ID: CVE-2016-0636 CVE-2016-0686 CVE-2016-0687 CVE-2016-0695 CVE-2016-3425 CVE-2016-3426 CVE-2016-3427 Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in breakouts of the Java sandbox, denial of service or information disclosure.
---------------------------------------------
https://lists.debian.org/debian-security-announce/2016/msg00134.html
*** VTS16-001: NetBackup Remote Access Vulnerabilities ***
---------------------------------------------
Multiple vulnerabilities have been identified in Veritas (formerly Symantec) NetBackup Master/ Media Servers and clients. An attacker, able to successfully access a vulnerable NetBackup host, could potentially execute arbitrary commands or operations resulting in possible unauthorized, privileged access to the targeted system.
---------------------------------------------
https://www.veritas.com/content/support/en_US/security/VTS16-001.html
*** F5 Security Advisory: glibc calloc vulnerability CVE-2015-5229 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/23/sol23822215.html?…
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in IBM Java SDK affect IBM Tivoli Monitoring (CVE-2015-7575) ***
http://www.ibm.com/support/docview.wss?uid=swg21976066
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in current releases of the IBM SDK, Java Technology Editionaffects IBM Algorithmics Algo Risk Application and Algo One Core ( CVE-2015-4872, CVE-2015-4911, CVE-2015-4893, CVE-2015-4803, ***
http://www.ibm.com/support/docview.wss?uid=swg21981349
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Tivoli Provisioning Manager (CVE-2015-4872) ***
http://www.ibm.com/support/docview.wss?uid=swg21981826
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Monitoring (CVE-2015-2601,CVE-2015-4749.CVE-2015-2625,CVE-2015-1931 ) ***
http://www.ibm.com/support/docview.wss?uid=swg21976560
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in HTTP Response Splitting affects IBM Algorithmics Algo Risk Application & AlgoOne Core- CVE-2015-2017 ***
http://www.ibm.com/support/docview.wss?uid=swg21981532
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 25-04-2016 18:00 − Dienstag 26-04-2016 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** "Fourth Sample of ICS Tailored Malware Uncovered and the Potential Impact" ***
---------------------------------------------
I looked at the S4 Europe agenda which was sent out this morning by Dale Peterson and saw an interesting bullet: "Rob Caldwell of Mandiant will unveil some ICS malware in the wild that is doing some new and smarter things to attack ICS. We are working with Mandiant to provide a bit more info … Continue reading Fourth Sample of ICS Tailored Malware Uncovered and the Potential Impact...
---------------------------------------------
http://ics.sans.org/blog/2016/04/25/fourth-sample-of-ics-tailored-malware-u…
*** Juniper patches Logjam, Bar Mitzvah, and various Java vulns ***
---------------------------------------------
In Junos Space, nobody can hear you patch | Juniper Networks sysadmins can add Junos Space network management patches to their to-do list.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/04/26/juniper_plu…
*** Shopware update fixes RCE bug that affects both shop and target system ***
---------------------------------------------
Shopware, an open-source shopping cart system chosen by a number of big European companies to power their online shops, has recently pushed out a critical security update. The update fixes a remote code execution bug that could allow attackers to read files on the target system, create new ones with malicious content, and run arbitrary code on the target system. This is a critical security vulnerability that not only affect the functions of the shop,...
---------------------------------------------
https://www.helpnetsecurity.com/2016/04/26/shopware-update-fixes-rce-bug/
*** Sicherheits-Report: Unternehmen setzen selbst simple Schutzmechanismen nicht um ***
---------------------------------------------
Forensische Analysen von mehr als 3000 nachweislichen Datenlecks zeigen, dass sich Angreifer wenig Neues einfallen lassen - weil Unternehmensnetze immer noch nicht gegen die ewig gleichen Angriffsmuster geschützt sind.
---------------------------------------------
http://heise.de/-3184485
*** Breaking Steam Client Cryptography ***
---------------------------------------------
So as to not bury the lede: Older versions of Steam allow an attacker who observes a client connecting to Steam to read sensitive information sent over the network. This allows the attacker to take over the account, bypass SteamGuard, and sometimes view plain-text passwords. But how?
---------------------------------------------
https://steamdb.info/blog/breaking-steam-client-cryptography/
*** Malware and non-malware ways for ATM jackpotting. Extended cut ***
---------------------------------------------
Millions of people around the world now use ATMs every day to withdraw cash, pay in to their account or make a variety of payments. Unfortunately, ATM manufacturers and their primary customers - banks - don't pay much attention to the security of cash machines.
---------------------------------------------
http://securelist.com/analysis/publications/74533/malware-and-non-malware-w…
*** Two Tips to Keep Your Phone's Encrypted Messages Encrypted ***
---------------------------------------------
WhatsApp and Viber may have turned on "default" end-to-end encryption, but truly securing your messages requires a couple steps of your own.
---------------------------------------------
http://www.wired.com/2016/04/tips-for-encrypted-messages/
*** Yeabests[.]cc: A fileless infection using WMI to hijack your Browser ***
---------------------------------------------
Windows comes with a tool called the Windows Management Instrumentation, or WMI, that can be used by system administrators to receive information and notifications from Windows. ... Unfortunately, this [..] can also be used by malware developers for more nefarious reasons such as creating fileless infectors.
---------------------------------------------
http://www.bleepingcomputer.com/news/security/yeabests-cc-a-fileless-infect…
*** ENISA's Executive Director addresses EP ITRE Committee on key points for cybersecurity for the EU ***
---------------------------------------------
Following the Commission announcement on the path to digitise the EU industry, ENISA participated at the ITRE meeting on 21st April in an exchange of views on cybersecurity in the EU, and ENISA's role in the implementation of the Digital Single Market.
---------------------------------------------
https://www.enisa.europa.eu/news/enisa-news/enisa2019s-executive-director-a…
*** SWIFT banking network warns customers of cyberfraud cases ***
---------------------------------------------
SWIFT, the international banking transactions network, has warned customers of "a number" of recent incidents in which criminals sent fraudulent messages through its system.The warning from SWIFT (Society for Worldwide Interbank Financial Telecommunication) suggests that a February attack on the Bangladesh Bank, in which thieves got away with US $81 million, was not an isolated incident.SWIFT is aware of malware that "aims to reduce financial institutions' abilities"...
---------------------------------------------
http://www.cio.com/article/3061685/swift-banking-network-warns-customers-of…
*** New Decryptor Unlocks CryptXXX Ransomware ***
---------------------------------------------
Researchers at Kaspersky Lab today published a decryptor that recovers files encrypted by the CryptXXX ransomware.
---------------------------------------------
http://threatpost.com/new-decryptor-unlocks-cryptxxx-ransomware/117668/
*** AKW Gundremmingen: Infektion mit Uralt-Schadsoftware ***
---------------------------------------------
Im Atomkraftwerk Gundremmingen wurde mindestens ein Rechner mit Schadsoftware infiziert. Bei genauerer Betrachtung scheint die Situation allerdings weniger dramatisch, als zuerst angenommen.
---------------------------------------------
http://heise.de/-3188599
*** Rough Auditing Tool for Security (RATS) 2.3 - Crash PoC ***
---------------------------------------------
Topic: Rough Auditing Tool for Security (RATS) 2.3 - Crash PoC Risk: Medium Text:# Exploit Title: RATS 2.3 Crash POC # Date: 25th April 2016 # Exploit Author: David Silveiro # Author Contact: twitter.com/d...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016040155
*** Bugtraq: Trend Micro (Account) - Email Spoofing Web Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538197
*** Bugtraq: VoipNow v4.0.1 - (xajax_handler) Persistent Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538198
*** Bugtraq: Sophos XG Firewall (SF01V) - Persistent Web Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538199
*** TYPO3 CMS 6.2.22 and 7.6.6 released ***
---------------------------------------------
The TYPO3 Community announces the versions 6.2.22 LTS and 7.6.6 LTS of the TYPO3 Enterprise Content Management System. We are announcing the release of the following TYPO3 CMS updates: TYPO3 CMS 6.2.22 LTS TYPO3 CMS 7.6.6 LTS All versions are maintenance releases and contain bug fixes only.
---------------------------------------------
https://typo3.org/news/article/typo3-cms-6222-and-766-released/
*** Bugtraq: [security bulletin] HPSBGN03582 rev.1 - HPE Helion CloudSystem using glibc, Remote Code Execution, Denial of Service (DoS) ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538194
*** IBM Security Bulletin: IBM Vulnerability in BIND affects AIX (CVE-2015-8704) ***
---------------------------------------------
http://www.ibm.com/support/
*** IBM Security Bulletin: IBM Vulnerability in OpenSSL affects AIX (CVE-2016-2842) ***
---------------------------------------------
http://www.ibm.com/support/
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 22-04-2016 18:00 − Montag 25-04-2016 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Angler Exploit Kit, Bedep, and CryptXXX, (Sat, Apr 23rd) ***
---------------------------------------------
Introduction On Friday 2016-04-15, Proofpoint researchers spotted CryptXXX [1], a new type of ransomware from the actors behind Reveton. CryptXXX is currently spread through Bedep infections sent by the Angler exploit kit (EK). So far, Ive only seen Bedep send CryptXXX after Angler EK traffic caused by the pseudo-Darkleech campaign." /> CryptXXX infections have their own distinct look." /> Bedep recently improved its evasion capabilities [3]. Its being sent by one of the most...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20981&rss
*** Highlights from the 2016 HPE Annual Cyber Threat Report, (Mon, Apr 25th) ***
---------------------------------------------
HP released their annual report for 2016 that covers a broad range of information (96 pages) in various sectors and industries. The report is divided in 7 themes, those that appear the most interesting to me are Theme #5: The industry didnt learn anything about patching in 2015 and Theme #7: The monetization of malware. Theme #5 According to this report, the bug that was the most exploited in 2014 was still the most exploited last year which is now over five years old. CVE-2010-2568 where a...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20985&rss
*** Top 10 web hacking techniques of 2015 ***
---------------------------------------------
Now in its tenth year, the Top 10 List of Web Hacking Techniques takes a step back from the implications of an attack to understand how they happen. The list is chosen by the security research community, coordinated by WhiteHat Security. After receiving 39 submissions detailing hacking techniques discovered in 2015, the following hacks were voted into the top 10 spaces: FREAK (Factoring Attack on RSA-Export Keys) LogJam Web Timing Attacks Made Practical Evading All...
---------------------------------------------
https://www.helpnetsecurity.com/2016/04/25/top-10-web-hacking-techniques-20…
*** Kritische Lücken: HP Data Protector verzichtet auf Authentifikation ***
---------------------------------------------
Angreifer können den HP Data Protector über verschiedene Schwachstellen in den Mangel nehmen und Code auf Computer schieben. Sicherheits-Updates unterbinden das.
---------------------------------------------
http://heise.de/-3183095
*** Snap: Ubuntus neue Pakete sind auf dem Desktop nicht sicherer ***
---------------------------------------------
Die Ubuntu-Macher Canonical behaupten, mit dem neuen Paketformat Snap werden installierte Apps sicherer. Für Desktop-Anwender stimmt das allerdings nicht.
---------------------------------------------
http://heise.de/-3183128
*** RDP Replay Code Release ***
---------------------------------------------
We took a more in depth look to see what information could be extracted from a PCAP of this [RDP] activity, and this led to a tool being created to replay the RDP session as the attacker would have seen it. We have made this tool available after being asked by a number of our blog readers. This tool requires the private key for decrypting, which can usually be recovered with cooperation from the client.
---------------------------------------------
http://www.contextis.com/resources/blog/rdp-replay-code-release/
*** Apple ID und iCloud: Gezieltes Phishing mit Textnachricht ***
---------------------------------------------
Betrüger versuchen derzeit per SMS, Nutzer auf eine gefälschte Apple-ID-Anmeldeseite zu locken, um persönliche Daten in Erfahrung zu bringen. Die Mitteilung ist persönlich adressiert.
---------------------------------------------
http://heise.de/-3183878
*** A Newer Variant of RawPOS in Depth ***
---------------------------------------------
RawPOS - A History RawPOS (also sometimes referred to as Rdasrv from the original service install name) is a Windows based malware family that targets payment card data. It has been around at least since 2011, if not much earlier. Despite it being very well known and the functions it performs easy to understand, RawPOS continues to prove extremely effective in perpetuating long-term and devastating card breaches to this day. Similar to its cousin, BlackPOS, this malware targets industries...
---------------------------------------------
https://www.alienvault.com/blogs/security-essentials/a-newer-variant-of-raw…
*** Empty DDoS Threats: Meet the Armada Collective ***
---------------------------------------------
[...] Our conclusion was a bit of a surprise: weve been unable to find a single incident where the current incarnation of the Armada Collective has actually launched a DDoS attack. In fact, because the extortion emails reuse Bitcoin addresses, theres no way the Armada Collective can tell who has paid and who has not. In spite of that, the cybercrooks have collected hundreds of thousands of dollars in extortion payments. [...]
---------------------------------------------
https://blog.cloudflare.com/empty-ddos-threats-meet-the-armada-collective/
*** GozNym banking malware spotted now in Europe ***
---------------------------------------------
IBMs X-Force reported today the actors behind the hybrid GozNym banking trojan that stole $4 million from U.S. banks in March have released a new configuration that is targeting European banks.
---------------------------------------------
http://www.scmagazine.com/goznym-banking-malware-spotted-now-in-europe/arti…
*** Angriff auf Zentralbank: Billigrouter und Malware führen zu Millionenverlust ***
---------------------------------------------
Man sollte meinen, dass die Zentralbank eines Landes über eine Firewall verfügt. In Bangladesch war das offenbar nicht der Fall. So konnten Angreifer mit spezialisierter Malware fast 1 Milliarde US-Dollar überweisen - und scheiterten dann an einem Fehler.
---------------------------------------------
http://www.golem.de/news/angriff-auf-zentralbank-billigrouter-und-malware-f…
*** Manipulierte PNG-Datei schießt iOS- und Mac-Apps ab ***
---------------------------------------------
Das Öffnen einer präparierten Bilddatei bringt Apps in iOS wie OS X zum Absturz, darunter den iOS-Homescreen. Die iMessage-App öffnet sich dadurch unter Umständen nicht mehr.
---------------------------------------------
http://heise.de/-3184062
*** Exploit kit targets Android devices, delivers ransomware ***
---------------------------------------------
Ransomware hitting mobile devices is not nearly as widespread as that which targets computers, but Blue Coat researchers have discovered something even less unusual: mobile ransomware delivered via exploit kit. The ransomware in question calls itself Cyber.Police (the researchers have dubbed it Dogspectus), and does not encrypt users' files, just blocks the infected Android device. It purports to be part of an action by the (nonexistent) "American national security agency"...
---------------------------------------------
https://www.helpnetsecurity.com/2016/04/25/exploit-kit-targets-android-devi…
*** VU#229047: Allround Automations PL/SQL Developer v11 performs updates over HTTP ***
---------------------------------------------
Vulnerability Note VU#229047 Allround Automations PL/SQL Developer v11 performs updates over HTTP Original Release date: 25 Apr 2016 | Last revised: 25 Apr 2016 Overview Allround Automations PL/SQL Developer version 11 checks for updates over HTTP and does not verify updates before executing commands, which may allow an attacker to execute arbitrary code. Description CWE-345: Insufficient Verification of Data Authenticity - CVE-2016-2346 According to the researcher, Allround Automations...
---------------------------------------------
http://www.kb.cert.org/vuls/id/229047
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in git affect PowerKVM (CVE-2016-2315, CVE-2016-2324) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023527
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in NetworkManager affect PowerKVM (CVE-2015-0272,CVE-2015-2924) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023498
---------------------------------------------
*** IBM Security Bulletin: A Security Vulnerability was fixed in IBM Security Privileged Identity Manager (CVE-2016-0357) ***
http://www.ibm.com/support/docview.wss?uid=swg21981720
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in libssh2 affects PowerKVM (CVE-2016-0787) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023482
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in ISC Bind affect PowerKVM (CVE-2016-1285, CVE-2016-1286) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023483
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in nss-util affects PowerKVM (CVE-2016-1950) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023484
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in strongSwan affects PowerKVM (CVE-2015-8023) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023447
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in OpenSSL affects Sterling Connect:Enterprise for UNIX (CVE-2016-0800). ***
http://www.ibm.com/support/docview.wss?uid=swg21980890
---------------------------------------------
*** IBM Security Bulletin: Information disclosure through unauthenticated SOAP request message. (CVE-2016-0299) ***
http://www.ibm.com/support/docview.wss?uid=swg21981155
---------------------------------------------
*** IBM Security Bulletin: ClassLoader Manipulation with Apache Struts affecting IBM WebSphere Portal (CVE-2014-0114) ***
http://www.ibm.com/support/docview.wss?uid=swg21680194
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in libssh2 affects SAN Volume Controller and Storwize Family (CVE-2015-1782) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005710
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in IBM Java Runtime affects IBM SAN Volume Controller and Storwize Family (CVE-2016-0475) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005709
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM WebSphere MQ (CVE-2016-0475, CVE-2015-7575, CVE-2016-0448) ***
http://www.ibm.com/support/docview.wss?uid=swg21976896
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Apache ActiveMQ affects IBM Control Center (CVE-2015-5254) ***
http://www.ibm.com/support/docview.wss?uid=swg21981352
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in IBM Java SDK affects IBM WebSphere MQ (CVE-2015-4872) ***
http://www.ibm.com/support/docview.wss?uid=swg21981838
---------------------------------------------
*** IBM Security Bulletin: Security Bulletin: A vulnerability in OpenSSL affects the IBM FlashSystem model V840 (CVE-2015-3194) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005657
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in OpenSSL affects the IBM FlashSystem models 840 and 900 (CVE-2015-3194) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005656
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in OpenSSL affects the IBM FlashSystem model V840 (CVE-2015-3194) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005657
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 21-04-2016 18:00 − Freitag 22-04-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Cisco Patches Denial-of-Service Flaws Across Three Products ***
---------------------------------------------
Cisco released software updates to address five separate denial of service vulnerabilities, all which the company considers either high or critical severity, across its product line this week.
---------------------------------------------
http://threatpost.com/cisco-patches-denial-of-service-flaws-across-three-pr…
*** New version of TeslaCrypt ups ante for ransomware ***
---------------------------------------------
Two updates in TeslaCrypt illustrate that ransomware is not only spreading wider, but is also evolving with new capabilities.
---------------------------------------------
http://www.scmagazine.com/new-version-of-teslacrypt-ups-ante-for-ransomware…
*** Cybercrime as a business rampant, new study ***
---------------------------------------------
Attacks are getting fiercer and attackers more sophisticated and organized, according to the "2016 Trustwave Global Security Report," released this week.
---------------------------------------------
http://www.scmagazine.com/cybercrime-as-a-business-rampant-new-study/articl…
*** South Korea no 1 origin point for DDoS attacks ***
---------------------------------------------
According to a new report by Imperva, South Korea serves as the most prolific point of origin for global DDoS attacks.
---------------------------------------------
http://www.scmagazine.com/south-korea-no-1-origin-point-for-ddos-attacks/ar…
*** SpyEye duo behind bank-account-emptying malware banged up ***
---------------------------------------------
Billion-dollar Russian Trojan team in the tank for quarter of a century in the US A two-man team responsible for spreading the SpyEye malware that caused more than a billion dollars in financial hardship is now starting extended ..
---------------------------------------------
www.theregister.co.uk/2016/04/21/us_jails_spyeye_malware_duo/
*** DSA-3554 xen - security update ***
---------------------------------------------
Multiple vulnerabilities have been discovered in the Xen hypervisor. TheCommon Vulnerabilities and Exposures project identifies the followingproblems:
---------------------------------------------
https://www.debian.org/security/2016/dsa-3554
*** Core Windows Utility Can Be Used to Bypass AppLocker ***
---------------------------------------------
A researcher has discovered that Windows' Regsvr32 can be used to download and run JavaScript and VBScript remotely from the Internet, bypassing AppLocker's whitelisting protections.
---------------------------------------------
http://threatpost.com/core-windows-utility-can-be-used-to-bypass-applocker/…
*** TeslaCrypt: New versions and delivery methods, no decryption tool ***
---------------------------------------------
TeslaCrypt ransomware was first spotted and analyzed in early 2015, and soon enough researchers created a decryption tool for it. The malware has since reached versions 4.0 and 4.1 but, unfortunately, there is currently no way to decrypt the ..
---------------------------------------------
https://www.helpnetsecurity.com/2016/04/22/teslacrypt-new-versions-no-decry…
*** Your credentials at risk with Lansweeper 5 ***
---------------------------------------------
As a penetration testers, we rarely have to find 'zero day' vulnerabilities or perform 'bug hunting' in order to compromise Windows Active Directory Domains. However, in one of these rare cases while performing an internal penetration test for a client, we had to do so. Lansweeper is ..
---------------------------------------------
http://blog.gosecure.ca/2016/04/21/your-credentials-at-risk-with-lansweeper…
*** Red Hat Product Security Risk Report: 2015 ***
---------------------------------------------
This report takes a look at the state of security risk for Red Hat products for calendar year 2015. We look at key metrics, specific vulnerabilities, and the most common ways users of Red Hat products were affected by security issues.
---------------------------------------------
https://access.redhat.com/blogs/766093/posts/2262281
*** Hacking Nagios: The Importance of System Hardening ***
---------------------------------------------
System hardening is important. Keeping systems in a hardened state is equally important. Good hardening should not only including keeping all the patches up-to-date, but also disabling all unnecessary services. The services that are necessary, must to be configured securely. All of this is ..
---------------------------------------------
https://blog.anitian.com/hacking-nagios/
*** Hackerangriff: Drucker an deutschen Unis spuckten Nazi-Botschaften aus ***
---------------------------------------------
Angriff auf vernetzte Kopierer und Drucker offenbar aus den USA - Sicherheitsleck behoben
---------------------------------------------
http://derstandard.at/2000035504034
*** [2016-04-22] Insecure credential storage in my devolo Android app ***
---------------------------------------------
The Android app of devolo Home Control suffers from insecure credential storage. Attackers can be able to recover sensitive information from stolen/lost devices.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2016…
*** [2016-04-22] Multiple vulnerabilities in Digitalstrom Konfigurator ***
---------------------------------------------
Multiple design and implementation flaws within the smart home system Digitalstrom enable an attacker to control arbitrary devices connected to the system and execute JavaScript code in the users browser.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2016…
*** SEC Consult Study on Smart Home Security in Germany - a first silver lining on the horizon of IoT? ***
---------------------------------------------
http://blog.sec-consult.com/2016/04/smart-home-security.html
*** 1 Million Menschen nutzen Facebook über Tor ***
---------------------------------------------
Lohnt es sich, einen eigenen Tor-Hidden-Service anzubieten? Facebook schreibt jetzt, dass die Zahl der aktiven Tor-Nutzer sich seit dem letzten Sommer verdoppelt hat.
---------------------------------------------
http://www.golem.de/news/privatsphaere-1-million-menschen-nutzen-facebook-u…
*** Snap: Ubuntus neues Paketformat ist unter X11 unsicher ***
---------------------------------------------
Das neue Snap-Paketformat von Ubuntu soll nicht nur Installationen und Updates vereinfachen, sondern auch Anwendungen besser absichern. Unter X11 sei letzteres aber ein falsches Versprechen, sagt Sicherheitsforscher Matthew Garrett. überraschend ist das nicht.
---------------------------------------------
http://www.golem.de/news/snap-ubuntus-neues-paketformat-ist-unter-x11-unsic…
*** Why Hackers Love Your LinkedIn Profile ***
---------------------------------------------
An employee opens an attachment from someone who claims to be a colleague in a different department. The attachment turns out to be malicious. The company network? Breached. If you follow the constant news about data breaches, you read this stuff all the ..
---------------------------------------------
http://safeandsavvy.f-secure.com/2016/04/22/why-hackers-love-your-linkedin-…
*** Nuclear Exploit-Kit bombardiert hunderttausende Rechner mit Locky ***
---------------------------------------------
Ransomware wird im großen Stil über Exploit-Kits verteilt. Sicherheitsforschern ist es jetzt gelungen, ins Backend einer solchen Schadcode-Schleuder einzudringen und Statistiken über die Verbreitung der Trojaner zu sammeln.
---------------------------------------------
http://heise.de/-3181696
*** JSA10727 - 2016-04 Security Bulletin: Junos Space: Multiple privilege escalation vulnerabilities in Junos Space (CVE-2016-1265) ***
---------------------------------------------
http://kb.juniper.net/index?page=content&id=JSA10727
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 20-04-2016 18:00 − Donnerstag 21-04-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Angebliche Paket-Verständigung von der "Post" kann Ihre Daten durch Verschlüsselung unbrauchbar machen ***
---------------------------------------------
Modus Operandi Kaum ist die Bedrohung durch angebliche E-Mails von DHL im Abklingen, erreicht uns eine neue Welle von E-Mails mit gefährlichem Inhalt. Nunmehr gibt die Mail vor von der "Post" zu stammen und informiert über eine nicht erfolgreich durchgeführte Zustellung. Die weitere Vorgehensweise bleibt dabei gleich; der Empfänger wird aufgefordert den Versandschein über einen Link in der Mail herunter zu laden.
---------------------------------------------
http://www.bmi.gv.at/cms/BK/betrug/files/Cryptolocker_Ransomware_Post.pdf
*** Decoding Pseudo-Darkleech (#1), (Thu, Apr 21st) ***
---------------------------------------------
Im currently going through a phase of WordPress dPression. Either my users are exceptionally adept at finding hacked and subverted WordPress sites, or there are just so many of these sites out there. This weeks particular fun seems to be happening on restaurant web sites. Inevitably, when checking out the origin of some crud, I discover a dPressing installation that shows signs of being owned since months. The subverted sites currently lead to Angler Exploit Kit (Angler EK), and are using...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20969&rss
*** SpyEye botnet kit developer sentenced to long jail term ***
---------------------------------------------
Aleksandr Andreevich Panin, the Russian developer of the SpyEye botnet creation kit, and an associate were on Wednesday sentenced to prison terms by a court in Atlanta, Georgia, for their role in developing and distributing malware that is said to have caused millions of dollars in losses to the financial sector.Panin, who set out to develop SpyEye as a successor to the Zeus malware that affected financial institutions since 2009, was sentenced by the court to nine and half years in prison,...
---------------------------------------------
http://www.cio.com/article/3059554/spyeye-botnet-kit-developer-sentenced-to…
*** Looking Into a Cyber-Attack Facilitator in the Netherlands ***
---------------------------------------------
A small webhosting provider with servers in the Netherlands and Romania has been a hotbed of targeted attacks and advanced persistent threats (APT) since early 2015. Starting from May 2015 till today we counted over 100 serious APT incidents that originated from servers of this small provider. Pawn Storm used the servers for at least 80 high profile attacks against various governments in the US, Europe, Asia, and the Middle East. Formally the Virtual Private Server (VPS) hosting company is...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/MKFUpCeHi9s/
*** FBI warns farming industry about equipment hacks, data breaches ***
---------------------------------------------
As Internet-connected equipment is increasingly used in many industry sectors, alerts like the latest one issued by the FBI to US farmers will likely become a regular occurrence. While precision agriculture technology (a.k.a. smart farming) reduces farming costs and increases crop yields, farmers need to be aware of and understand the associated cyber risks to their data and ensure that companies entrusted to manage their data, including digital management tool and application developers...
---------------------------------------------
https://www.helpnetsecurity.com/2016/04/21/farming-cyber-risks/
*** Lab - Cryptographic Algorithms ***
---------------------------------------------
For this lab we'll be using GPG, OpenSSL to demonstrate symmetric and asymmetric encryption/decryption and MD5, SHA1 to demonstrate hash functions. Virtual Machine Needed: Kali Before starting the lab here are some definitions: In all symmetric crypto algorithms (also called Secret Key encryption) a secret key is used for both encrypt plaintext and decrypt the...
---------------------------------------------
http://resources.infosecinstitute.com/lab-cryptographic-algorithms/
*** Fremdenfeindliche Ausdrucke: "Hackerangriff" auf Universitätsdrucker ***
---------------------------------------------
Hackerangriff oder doch nur eine falsche Druckerkonfiguration: In verschiedenen Universitäten in Deutschland sind in den Druckern Dokumente mit fremdenfeindlichem Hintergrund gefunden worden.
---------------------------------------------
http://www.golem.de/news/fremdenfeindliche-ausdrucke-hackerangriff-auf-univ…
*** Security update available for the Adobe Analytics AppMeasurement for Flash Library ***
---------------------------------------------
A Security Bulletin (APSB16-13) has been published regarding a security update for the Adobe Analytics AppMeasurement for Flash Library. This update resolves an important vulnerability in the AppMeasurement for Flash library that could be abused to conduct DOM-based cross-site scripting attacks...
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1341
*** DFN-CERT-2016-0655: Squid: Mehrere Schwachstellen ermöglichen u.a. die Ausführung beliebigen Programmcodes ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0655/
*** [R2] Nessus < 6.6 Fixes Two Vulnerabilities ***
---------------------------------------------
http://www.tenable.com/security/tns-2016-08
*** Moxa NPort Device Vulnerabilities (Update A) ***
---------------------------------------------
This alert update is a follow-up to the original NCCIC/ICS-CERT Alert titled ICS-ALERT-16-099-01 Moxa NPort Device Vulnerabilities that was published April 8, 2016, on the ICS-CERT web page. ICS-CERT is aware of a public report of vulnerabilities affecting multiple models of the Moxa NPort device. ICS-CERT has notified Moxa of the report, and Moxa has validated all five of the reported vulnerabilities.
---------------------------------------------
https://ics-cert.us-cert.gov/alerts/ICS-ALERT-16-099-01
*** Hyper-V - vmswitch.sys VmsMpCommonPvtHandleMulticastOids Guest to Host Kernel-Pool Overflow ***
---------------------------------------------
Topic: Hyper-V - vmswitch.sys VmsMpCommonPvtHandleMulticastOids Guest to Host Kernel-Pool Overflow Risk: High Text:/* This function is reachable by sending a RNDIS Set request with OID 0x01010209 (OID_802_3_MULTICAST_LIST) from the Guest to...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016040133
*** Avast SandBox Escape via IOCTL Requests ***
---------------------------------------------
Topic: Avast SandBox Escape via IOCTL Requests Risk: Medium Text:* CVE: CVE-2016-4025 * Vendor: Avast * Reported by: Kyriakos Economou * Date of Release: 19/04/2016 * Affected Products: Mu...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016040134
*** Cisco Security Advisories ***
---------------------------------------------
*** Cisco Wireless LAN Controller Management Interface Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Wireless LAN Controller Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Adaptive Security Appliance Software DHCPv6 Relay Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Wireless LAN Controller HTTP Parsing Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Multiple Cisco Products libSRTP Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in OpenSSL affects IBM Tivoli Netcool System Service Monitors/Application Service Monitors (CVE-2016-0800) ***
http://www.ibm.com/support/docview.wss?uid=swg21980721
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in libcURL affects IBM Tivoli Netcool System Service Monitors/Application Service Monitors (CVE-2015-3237) ***
http://www.ibm.com/support/docview.wss?uid=swg21980719
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affects IBM Tivoli Netcool System Service Monitors/Application Service Monitors (CVE-2015-3197, CVE-2015-4000) ***
http://www.ibm.com/support/docview.wss?uid=swg21980716
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affects IBM Tivoli Netcool System Service Monitors/Application Service Monitors (CVE-2015-3194, CVE-2015-3195, CVE-2015-3196) ***
http://www.ibm.com/support/docview.wss?uid=swg21980714
---------------------------------------------
*** IBM Security Bulletin: Current Releases of IBM® SDK for Node.js™ are affected by CVE-2015-8851 ***
http://www.ibm.com/support/docview.wss?uid=swg21981528
---------------------------------------------
*** IBM Security Bulletin: IBM Spectrum Scale, with the Spectrum Scale GUI installed, is affected by a security vulnerability (CVE-2016-0361) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005742
---------------------------------------------
*** Drupal Security Advisories for Third-Party Modules ***
---------------------------------------------
*** EPSA Crop - Image Cropping - Critical -XSS - SA-CONTRIB-2016-024 - Unsupported ***
https://www.drupal.org/node/2710247
---------------------------------------------
*** Organic groups - Moderately Critical - Access bypass - DRUPAL-SA-CONTRIB-2016-023 ***
https://www.drupal.org/node/2710115
---------------------------------------------
*** Search API - Moderately Critical - Multiple Vulnerabilities - SA-CONTRIB-2016-022 ***
https://www.drupal.org/node/2710063
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 19-04-2016 18:00 − Mittwoch 20-04-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Oracle critical updates released, (Wed, Apr 20th) ***
---------------------------------------------
Oracle has released their critical updates list. Looking through it there is a very wide range of products, including java that require a fix. Oracle strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay. There are quite a few remotely exploitable, no auth required issues that are addressed by these patches. You may want to peruse the list to see if some of your products are affected.
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20965&rss
*** Java: Neue JDK-Versionen bringen strengere Sicherheitsvorgaben ***
---------------------------------------------
Die Updates JDK 8u91 und 8u92 adressieren erneut vor allem das Thema Security: Unter anderem gilt der MD5-Algorithmus nun als unsicher, und die JVM bekommt Einstellungen zur Behandlung von Speicherüberlauffehlern.
---------------------------------------------
http://heise.de/-3178164
*** Hacking and manipulating traffic sensors ***
---------------------------------------------
With the advent of the Internet of Things, we're lucky to have researchers looking into these devices and pointing out the need for securing them better. One of these researchers is Kaspersky Lab's Denis Legezo, who took it upon himself to map the traffic sensors in Moscow and see whether they could be tampered with. The answer to that question is yes, they can be manipulated, and consequently lead to poor traffic management and annoyance...
---------------------------------------------
https://www.helpnetsecurity.com/2016/04/20/hacking-manipulating-traffic-sen…
*** PoS Malware Steals Credit Card Numbers via DNS Requests ***
---------------------------------------------
A new version of the NewPosThings PoS malware is using a clever technique to extract data from infected PoS terminals that almost no security solution monitors for malware activity.
---------------------------------------------
http://news.softpedia.com/news/pos-malware-steals-credit-card-numbers-via-d…
*** Using a Braun Shaver to Bypass XSS Audit and WAF ***
---------------------------------------------
TL;DR: Sometimes you just need to spend a couple of months to exploit a XSS with a hygiene product.
---------------------------------------------
https://blog.bugcrowd.com/guest-blog-using-a-braun-shaver-to-bypass-xss-aud…
*** Encryption everywhere? ***
---------------------------------------------
This article discusses opportunistic encryption (OE), ways to set up systems so that they will automatically encrypt whenever they can rather than just whenever the user requests it. Many types of encryption require a choice by the user - encrypt with PGP rather than sending email in the clear, log into a remote system with...
---------------------------------------------
http://resources.infosecinstitute.com/encryption-everywhere/
*** Towards Generic Ransomware Detection ***
---------------------------------------------
Im not claiming these ideas are novel, nor unbeatable. My goal is simply to raise awareness about alternate means to help stymie the ransomware epidemic. Plus, attempting to write a tool that could generically protect my computer against OS X ransomware, seemed like a fun challenge! Finally, both this research and tool are version 1.0, meaning, likely room for improvement - so feedback is welcome :)
---------------------------------------------
https://objective-see.com/blog/blog_0x0F.html
*** DRAM bitflipping exploits that hijack computers just got easier ***
---------------------------------------------
Approach relies on already installed code, including widely used glibc library.
---------------------------------------------
http://arstechnica.com/security/2016/04/dram-bitflipping-exploits-that-hija…
*** Panama Papers - How Hackers Breached the Mossack Fonseca Firm ***
---------------------------------------------
Introduction The Panama Papers are a huge trove of high confidential documents stolen from the computer systems of the Panamanian law firm Mossack Fonseca that was leaked online during recently. It is considered the largest data leaks ever, the entire archive contains more than 11.5 Million files including 2.6 Terabytes of data related the activities of offshore...
---------------------------------------------
http://resources.infosecinstitute.com/panama-papers-how-hackers-breached-th…
*** Kippo and dshield , (Tue, Apr 19th) ***
---------------------------------------------
In this diary I will talk about how to configure kippo honeypot and how to submit your kippos log to SANS Dshield
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20963&rss
*** Security Update for Microsoft Graphics Component (3148522) Version: 2.0 ***
---------------------------------------------
V2.0 (April 19, 2016): To comprehensively address CVE-2016-0145, Microsoft re-released security update 3144432 for affected editions of Microsoft Live Meeting 2007 Console. Customers running Microsoft Live Meeting 2007 Console should install the update to be fully protected from the vulnerability. See Microsoft Knowledge Base Article 3144432 for more information.
---------------------------------------------
https://technet.microsoft.com/en-us/library/security/MS16-039
*** Bugtraq: ESA-2016-039: EMC ViPR SRM Multiple Cross-Site Request Forgery Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538133
*** Cisco IOS and Cisco IOS XE ntp Subsystem Unauthorized Access Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** F5 Security Advisory: glibc vulnerability CVE-2015-8779 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/39/sol39250133.html?…
*** VMSA-2016-0002.1 ***
---------------------------------------------
VMware product updates address a critical glibc security vulnerability
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2016-0002.html
*** VMSA-2015-0009.2 ***
---------------------------------------------
VMware product updates address a critical deserialization vulnerability
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2015-0009.html
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 18-04-2016 18:00 − Dienstag 19-04-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Touch ID: 90 Prozent der iPhone-Nutzer setzen jetzt auf Code-Sperre ***
---------------------------------------------
Seit der Einführung des Fingerabdruckscanners hat sich laut Apple der Anteil der Nutzer verdoppelt, die ihr iPhone mit einem Gerätecode schützen und damit die Daten verschlüsseln.
---------------------------------------------
http://heise.de/-3177095
*** JavaScript-toting spam emails: What should you know and how to avoid them? ***
---------------------------------------------
We have recently observed that spam campaigns are now using JavaScript attachments aside from Office files. The purpose of the code is straightforward. It downloads and runs other malware. Some of the JavaScript downloaders ..
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2016/04/18/javascript-toting-spam-…
*** Google Alerts, Direct Webmaster Communication Get Bugs Fixed Quickly ***
---------------------------------------------
Google determined that Safe Browsing warnings correlate with quicker remediation times, though not as quick as direct contact with webmasters who have registered with Google Search Console.
---------------------------------------------
http://threatpost.com/google-alerts-direct-webmaster-communication-get-bugs…
*** Magnitude EK Activity At Its Highest Via AdsTerra Malvertising ***
---------------------------------------------
The Magnitude exploit kit is maximizing its leads via a large and uninterrupted malvertising campaign.Categories: ExploitsTags: adsterramagnitude EKmalvertisingterraclicks(Read more...)
---------------------------------------------
https://blog.malwarebytes.org/threat-analysis/exploits-threat-analysis/2016…
*** iPrint Appliance 2.0 Patch 1 ***
---------------------------------------------
Abstract: Patch 1 for the iPrint Appliance 2.0 includes bug fixes.Document ID: 5240661Security Alert: YesDistribution Type: PublicEntitlement Required: NoFiles:iPrint-2.0.0.530.HP.zip (594.99 MB)Products:iPrint Appliance 2Superceded Patches:iPrint Appliance 2.0 FTF
---------------------------------------------
https://download.novell.com/Download?buildid=W46YTfqEGiQ~
*** Symantec Messaging Gateway Multiple Security Issues ***
---------------------------------------------
Revisions None Severity Severity (CVSS version 2 and CVSS Version 3) CVSS2 Base Score ..
---------------------------------------------
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se…
*** Python-Based PWOBot Targets European Organizations ***
---------------------------------------------
We have discovered a malware family named 'PWOBot' that is fairly unique because it is written entirely in Python, and compiled via PyInstaller to generate a Microsoft Windows ..
---------------------------------------------
http://researchcenter.paloaltonetworks.com/2016/04/unit42-python-based-pwob…
*** Zahlen, bitte! Täglich 390.000 neue Schadprogramme ***
---------------------------------------------
Momentan hat man das Gefühl, in jedem Mail-Anhang und hinter jedem Link versteckt sich irgendeine Malware. Antiviren-Hersteller und Test-Labore verstärken diesen Eindruck noch durch irrwitzig hohe Zahlen neuer Schadprogramme.
---------------------------------------------
http://heise.de/-3177141
*** 2015 über 550 Millionen Datensätze von Sicherheitslecks betroffen ***
---------------------------------------------
Anzahl bekannt gewordener Zero-Day-Lücken mehr als verdoppelt – Entwickler werden schneller beim Ausmerzen
---------------------------------------------
http://derstandard.at/2000035195204
*** How-To Disable Windows Script Host ***
---------------------------------------------
Numerous spam campaigns are pushing various crypto-ransomware families (and backdoors) via .zip file attachments. And such .zip files typically contain a JScript (.js/.jse) file that, if clicked, will be run via Windows Script Host. Do yourself a favor and edit your Windows Registry ..
---------------------------------------------
https://labsblog.f-secure.com/2016/04/19/how-to-disable-windows-script-host/
*** Exploit kit writers turn away from Java, go all-in on Adobe Flash ***
---------------------------------------------
312% increase in Flash vulns over 2014, says study Exploit kit writers are no longer fussed about Java vulnerabilities, focusing their attention almost entirely on Adobe Flash.
---------------------------------------------
www.theregister.co.uk/2016/04/19/exploit_kit_writers_love_flash/
*** Homeland Security: Open Source dient der inneren Sicherheit ***
---------------------------------------------
Die Offenlegung von Code habe Vorteile bei der "Cybersicherheit" und werde helfen, die Nation vor Gefahren zu schützen, meint der Technikchef der zuständigen US-Behörde. Außerdem könnten Bürger die Behörde dank Open Source besser überwachen, glauben Entwickler.
---------------------------------------------
http://www.golem.de/news/homeland-security-open-source-dient-der-inneren-si…
*** Tools ***
---------------------------------------------
A number of security vulnerabilities have been identified in Citrix XenServer. The following vulnerabilities have been addressed: ...
---------------------------------------------
http://support.citrix.com/article/CTX209443
*** Perfides PayPal-Phishing mit angeblicher Eventim-Rechnung ***
---------------------------------------------
Eine überdurchschnittlich gut gemachte Phishing-Mail soll PayPal-Kunden in die Datenfalle locken. Die Absender haben sogar beim Header getrickst.
---------------------------------------------
http://heise.de/-3177745
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 15-04-2016 18:00 − Montag 18-04-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Bugtraq: [SECURITY] [DSA 3550-1] openssh security update ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538099
*** Out-of-date apps put 3 million servers at risk of crypto ransomware infections ***
---------------------------------------------
1,600 schools, governments, and aviation companies already backdoored.
---------------------------------------------
http://arstechnica.com/security/2016/04/3-million-servers-are-sitting-ducks…
*** Chrome extensions will soon have to tell you what data they collect ***
---------------------------------------------
Google is about to make it harder for Chrome extensions to collect your browsing data without letting you know about it, according to a new policy announced Friday.Starting in mid-July, developers releasing Chrome extensions ..
---------------------------------------------
http://www.cio.com/article/3057259/chrome-extensions-will-soon-have-to-tell…
*** How to Write Phishing Templates That Work ***
---------------------------------------------
Phish Me Once Phishing isn't hard. Despite all the frightening news reports about ransomware and millions of stolen dollars and identities, people still happily click ..
---------------------------------------------
http://resources.infosecinstitute.com/how-to-write-phishing-templates-that-…
*** ZDI-16-244: Hewlett Packard Enterprise Vertica validateAdminConfig Remote Command Injection Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett Packard Enterprise Vertica. Authentication is not required to exploit this vulnerability.
---------------------------------------------
www.zerodayinitiative.com/advisories/ZDI-16-244/
*** ZDI-16-243: Google Chrome Pdfium JPEG2000 Out-Of-Bounds Read Information Disclosure Vulnerability ***
---------------------------------------------
This vulnerability allows an attacker to leak sensitive information on vulnerable installations of Google Chrome. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-16-243/
*** Splunk Enterprise Multiple Flaws Let Remote Users Bypass Security and Deny Service and Remote Authenticated Users Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1035578
*** 'Blackhole' Exploit Kit Author Gets 7 Years ***
---------------------------------------------
A Moscow court this week convicted and sentenced seven hackers for breaking into countless online bank accounts -- including "Paunch," the nickname used by the author of the infamous "Blackhole" exploit kit. Once an extremely ..
---------------------------------------------
http://krebsonsecurity.com/2016/04/blackhole-exploit-kit-author-gets-8-year…
*** DSA-3551 fuseiso - security update ***
---------------------------------------------
It was discovered that fuseiso, a user-space implementation of theISO 9660 file system based on FUSE, contains several vulnerabilities.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3551
*** leenk.me <= 2.5.0 - XSS and CSRF ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/8457
*** DSA-3552 tomcat7 - security update ***
---------------------------------------------
Multiple security vulnerabilities have been discovered in the Tomcatservlet and JSP engine, which may result in information disclosure,the bypass of CSRF protections and bypass of the SecurityManager.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3552
*** FAQ WD <= 1.0.14 - Cross-Site Scripting (XSS) ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/8455
*** e-search <= 1.0 - Unauthenticated Reflected Cross-Site Scripting (XSS) ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/8458
*** Hacking Team hacker explains how he did it ***
---------------------------------------------
Some nine moths ago, a hacker that calls himself Phineas Fisher managed to breach the systems and networks of Hacking Team, the (in)famous Italian company that provides offensive intrusion and surveillance software to ..
---------------------------------------------
https://www.helpnetsecurity.com/2016/04/18/hacking-team-hacker-explains/
*** Abhörsicherheit: Web.de sichert Mail-Transport zusätzlich per DANE ab ***
---------------------------------------------
Der Schritt ist bedeutsam, weil Web.de nicht nur einer der großen deutschen Freemail-Dienste ist, sondern, weil der Mutterkonzern United Internet auch zur Initiative "E-Mail made in Germany" gehört – um die es zuletzt freilich still geworden ist.
---------------------------------------------
http://heise.de/-3175333
*** Remote code execution, git, and OS X ***
---------------------------------------------
Sometimes I think about all of those pictures which show a bunch of people in startups. They have their office space, which might be big, or it might be small, but they tend to have Macs. Lots of Macs. A lot of them also use git to ..
---------------------------------------------
https://rachelbythebay.com/w/2016/04/17/unprotected/
*** Oracle Critical Patch Update Pre-Release Announcement - April 2016 ***
---------------------------------------------
This Critical Patch Update Pre-Release Announcement provides advance information about the Oracle Critical Patch Update for April 2016, which will be released on Tuesday, April 19, 2016. While this Pre-Release Announcement is as accurate ..
---------------------------------------------
http://www.oracle.com/technetwork/topics/security/cpuapr2016-2881694.html
*** Idiot millennials are saving credit card PINs on their mobile phones ***
---------------------------------------------
Cleartext passwords are bad, kids, mmmkay? More than one in five 18-24 year olds (21 per cent) store PINs for credit or debit cards on their smartphones, tablets or laptops, according to research conducted by Equifax in conjunction with Gorkana.
---------------------------------------------
www.theregister.co.uk/2016/04/18/storing_passwords_smartphone_bad_mkay/
*** Implementation of a Virtual IDS Device in Passive Mode ***
---------------------------------------------
The arrival of server, desktop and network virtualization has brought along enormous flexibility in configuration options and a huge drop in installation and operating costs of IT networks. Due ..
---------------------------------------------
http://resources.infosecinstitute.com/implementation-of-a-virtual-ids-devic…
*** Academic network Janet clobbered with DDoS attacks - again ***
---------------------------------------------
Funny how it always gets targeted at the end of term... Blightys government-funded educational network Janet has once again been hit by a cyber attack, with a fresh ..
---------------------------------------------
www.theregister.co.uk/2016/04/18/janet_clobbered_with_ddos_attacks_again/
*** Oberösterreichische Firma bei Traktorenkauf auf Internetbetrüger reingefallen ***
---------------------------------------------
40.000 Euro Schaden - Homepage von englischem Anbieter "gefakt"
---------------------------------------------
http://derstandard.at/2000035121122