- Daily - CERT.at

Tageszusammenfassung - Montag 14-03-2016
by Daily end-of-shift report 14 Mar '16

14 Mar '16

======================= = End-of-Shift report = ======================= Timeframe: Freitag 11-03-2016 18:00 − Montag 14-03-2016 18:00 Handler: Robert Waldner Co-Handler: Alexander Riepl *** VU#713312: DTE Energy Insight app vulnerable to information exposure *** --------------------------------------------- The DTE Energy Insight app API allows an authenticated user to obtain and query certain limited customer information from other customers. --------------------------------------------- http://www.kb.cert.org/vuls/id/713312 *** Mehr als zwei Jahre alter Java-Security-Patch von Oracle immer noch verwundbar *** --------------------------------------------- Geht es nach dem Sicherheitsexperten Adam Gowdiak hat Oracle vor mehr als zwei Jahren eine Sicherheitslücke falsch bewertet und zudem bei dem Patch gepfuscht, der den Fehler eigentlich hätte beseitigen sollen. --------------------------------------------- http://www.heise.de/newsticker/meldung/Mehr-als-zwei-Jahre-alter-Java-Secur… *** The Source of All Major Android Banking Trojans Just Got Updated To V2 *** --------------------------------------------- An anonymous reader writes: Apparently, during the past months it has started coming to the surface the fact that most top-tier Android malware was actually related, coming from a common malware variant called GM Bot, and sold for only .. --------------------------------------------- http://news.slashdot.org/story/16/03/12/1556259/the-source-of-all-major-and… *** Google Chrome Extension Caught Stealing Bitcoin From Users *** --------------------------------------------- An anonymous reader writes: Bitcoin exchange portal Bitstamp is warning users of a Google Chrome extension that steals their Bitcoin when making a transfer. According to Bitstamp, this extension contains malicious code that is redirecting .. --------------------------------------------- http://news.slashdot.org/story/16/03/12/2328254/google-chrome-extension-cau… *** Armada Collective is back, extorting Financial Intuitions in Switzerland *** --------------------------------------------- These extortion emails usually originate from free email service providers (such as Gmail or Openmail) and are being sent to the info@ email address of the targeted financial institution. Unlike the extortion attempts conducted by Armada Collective in September 2015, we are not aware of .. --------------------------------------------- http://www.govcert.admin.ch/blog/19/armada-collective-is-back-extorting-fin… *** Auto vulnerability scanners turn up mostly false positives *** --------------------------------------------- Automated vulnerability scanners turn up mostly false positives, but even the wild goose chase that results can be cheaper for businesses than manual processes, according to NCC Group security engineer Clint Gibler. --------------------------------------------- http://www.theregister.co.uk/2016/03/14/cheap_auto_vulnerability_scanners_c… *** SSA-833048 (Last Update 2016-03-14): Vulnerability in SIMATIC S7-1200 CPUs prior to V4 *** --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-833048… *** IBM Security Bulletin: GNU C library (glibc) vulnerability affects TS4500 (CVE-2015-7547) *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ssg1S1005695 *** IBM Security Bulletin: glibc getaddrinfo stack-based buffer overflow (CVE-2015-7547) *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=isg3T1023395 *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Security Network Protection *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg21975835 *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM SmartCloud Entry (CVE-2016-0475 CVE-2016-0448 CVE-2015-7575 CVE-2016-0466) *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=isg3T1023378 Botnets Plague the Web. This AI Is Out to Stop Them --------------------------------------------- A group of Israeli researchers believe they are the first to have discovered a way to locate botnets and identify who is behind them, by planting honeypots that gather information about attacks carried out by the network, and analyzing that data with machine learning programs. --------------------------------------------- https://motherboard.vice.com/read/botnets-plague-the-web-this-ai-is-out-to-… *** Broken 2013 Java Patch Leads to Sandbox Bypass *** --------------------------------------------- A patch for a critical 2013 Java vulnerability is incomplete, and exposes Java servers and clients to a sandbox bypass, researchers at Security Explorations of Poland said. --------------------------------------------- http://threatpost.com/broken-2013-java-patch-leads-to-sandbox-bypass/116757/

1 0

Tageszusammenfassung - Freitag 11-03-2016
by Daily end-of-shift report 11 Mar '16

11 Mar '16

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 10-03-2016 18:00 − Freitag 11-03-2016 18:00 Handler: Stephan Richter Co-Handler: n/a *** Locky Ransomware Spreading in Massive Spam Attack *** --------------------------------------------- Researchers are tracking a massive spam campaign pelting inboxes with Locky ransomware downloaders in the form of JavaScript attachments. --------------------------------------------- http://threatpost.com/locky-ransomware-spreading-in-massive-spam-attack/116… *** Deinstallieren oder Aktualisieren: Adobe verteilt Notfall-Update für Flash *** --------------------------------------------- Es kommt nicht überraschend: Adobe veröffentlicht wieder ein Notfall-Update für den Flash-Player. Wer ihn nicht bereits deinstalliert hat, sollte das Update installieren. Auch die Digital Editions und der Adobe Reader werden versorgt. --------------------------------------------- http://www.golem.de/news/deinstallieren-oder-aktualisieren-adobe-rollt-notf… *** Security Afterworks Spezial: Secure your Enterprise - Innovative Microsoft-Security-Lösungen im Enterprise- & Mobility-Umfeld *** --------------------------------------------- April 18, 2016 - 3:00 pm - 5:00 pm Microsoft Österreich Am Europlatz 3 Wien --------------------------------------------- https://www.sba-research.org/events/security-afterworks-spezial-secure-your… *** Files compromised by ransomware Trojan for OS X can be decrypted by Doctor Web *** --------------------------------------------- March 11, 2016 At the beginning of March, numerous mass media, websites, and blogs announced about the emergence of the first ever ransomware for Mac computers. Doctor Web specialists examined this malicious program, which was named Mac.Trojan.KeRanger.2, and they have developed a method that can help to decrypt files affected by this Trojan. Mac.Trojan.KeRanger.2 was first detected in a compromised version of the installer for a popular OS X torrent client that was distributed as a DMG file. --------------------------------------------- http://news.drweb.com/show/?i=9877&lng=en&c=9 *** Cerber Ransomware - New, But Mature *** --------------------------------------------- We take a look at Cerber, Ransomware named after the mythical multi-headed dog...Categories: Malware AnalysisTags: cerberransomware(Read more...) --------------------------------------------- https://blog.malwarebytes.org/intelligence/2016/03/cerber-ransomware-new-bu… *** OpenSSH Security Advisory: x11fwd.adv *** --------------------------------------------- Missing sanitisation of untrusted input allows an authenticated user who is able to request X11 forwarding to inject commands to xauth(1). --------------------------------------------- http://www.openssh.com/txt/x11fwd.adv *** Cisco Gigabit Switch Router 12000 Series Routers Denial of Service Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Schneider Electric Telvent RTU Improper Ethernet Frame Padding Vulnerability *** --------------------------------------------- This advisory contains mitigation details for a vulnerability caused by an Institute of Electrical and Electronics Engineers (IEEE) conformance issue involving improper frame padding in Schneider Electric's Telvent SAGE 2300 and 2400 remote terminal units. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-070-01 *** VU#270232: Quagga bgpd with BGP peers enabled for VPNv4 contains a buffer overflow vulnerability *** --------------------------------------------- Vulnerability Note VU#270232 Quagga bgpd with BGP peers enabled for VPNv4 contains a buffer overflow vulnerability Original Release date: 10 Mar 2016 | Last revised: 10 Mar 2016 Overview Quagga, version 0.99.24.1 and earlier, contains a buffer overflow vulnerability in bgpd with BGP peers enabled for VPNv4 that may leveraged to gain code execution. Description CWE-121: Stack-based Buffer Overflow - CVE-2016-2342Quagga is a software routing suite that implements numerous routing protocols for... --------------------------------------------- http://www.kb.cert.org/vuls/id/270232 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: GNU C library (glibc) vulnerability affects Tivoli Provisioning Manager for OS deployment and Tivoli Provisioning Manager for Images (CVE-2015-7547) *** http://www.ibm.com/support/docview.wss?uid=swg21978194 --------------------------------------------- *** IBM Security Bulletin: GNU C library (glibc) vulnerability affects IBM DataPower Gateways (CVE-2015-7547) *** http://www.ibm.com/support/docview.wss?uid=swg21977460 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in IBM Java Runtime affects Rational Publishing Engine (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21978188 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in the GSKit component of IBM DataPower Gateways (CVE-2016-0201) *** http://www.ibm.com/support/docview.wss?uid=swg21974969 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in the GSKit component of IBM DB2 LUW (CVE-2016-0201, CVE-2015-7420 & CVE-2015-7421) *** http://www.ibm.com/support/docview.wss?uid=swg21977787 --------------------------------------------- *** IBM Security Bulletin: Cross-Site Scripting Vulnerability with the UML Vizualization tools *** http://www.ibm.com/support/docview.wss?uid=swg21978003 --------------------------------------------- *** Security Bulletin: Vulnerability in lighttpd affects IBM Integrated Management Module (IMM)(CVE-2015-3200) *** http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5099226 --------------------------------------------- *** IBM Security Bulletin: The GPFS pattern provided with IBM PureApplication System is affected by a security vulnerability. (CVE-2015-1788) *** http://www.ibm.com/support/docview.wss?uid=swg21978471 ---------------------------------------------

1 0

Tageszusammenfassung - Donnerstag 10-03-2016
by Daily end-of-shift report 10 Mar '16

10 Mar '16

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 09-03-2016 18:00 − Donnerstag 10-03-2016 18:00 Handler: Stephan Richter Co-Handler: Alexander Riepl *** First Principles for Network Defenders: A Unified Theory for Security Practitioners *** --------------------------------------------- Great thinkers like Aristotle, Descartes and Elon Musk have said that, in order to solve really hard problems, you have to get back to first principles. First principles in a designated .. --------------------------------------------- http://researchcenter.paloaltonetworks.com/2016/03/first-principles-for-net… *** DSA-3509 rails - security update *** --------------------------------------------- Two vulnerabilities have been discovered in Rails, a web applicationframework written in Ruby. Both vulnerabilities affect Action Pack, whichhandles the web requests for Rails. --------------------------------------------- https://www.debian.org/security/2016/dsa-3509 *** Powershell Malware - No Hard drive, Just hard times, (Wed, Mar 9th) *** --------------------------------------------- ISC Reader Eric Volking submitted a very nice sample of some Powershell based malware. Lets take a look! The malware starts inthe traditional way, by launching itself with an .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20823 *** Bugtraq: [CORE-2016-0004] - SAP Download Manager Password Weak Encryption *** --------------------------------------------- http://www.securityfocus.com/archive/1/537746 *** Bugtraq: [CORE-2016-0003] - Samsung SW Update Tool MiTM *** --------------------------------------------- http://www.securityfocus.com/archive/1/537750 *** DSA-3512 libotr - security update *** --------------------------------------------- Markus Vervier of X41 D-Sec GmbH discovered an integer overflowvulnerability in libotr, an off-the-record (OTR) messaging library, inthe way how the sizes of portions of incoming messages were stored. Aremote attacker can exploit this .. --------------------------------------------- https://www.debian.org/security/2016/dsa-3512 *** DSA-3511 bind9 - security update *** --------------------------------------------- https://www.debian.org/security/2016/dsa-3511 *** Security Advisory: BIND vulnerability CVE-2016-2088 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/59/sol59692558.html *** Security Advisory: BIND vulnerability CVE-2016-1285 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/46/sol46264120.html *** Security Advisory: BIND vulnerability CVE-2016-1286 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/62/sol62012529.html *** Scald File - Critical - Remote Code Execution - SA-CONTRIB-2016-015 *** --------------------------------------------- When a PDF is uploaded in Scald File, various tools can be executed if theyre installed on the server, to try to generate a thumbnail out of that PDF.This is mitigated by the need to have the sufficient permissions to upload a file in Scald, .. --------------------------------------------- https://www.drupal.org/node/2684601 *** Ransomware: "Von Zahlungen ist abzuraten" *** --------------------------------------------- DDoS-Attacken, CEO-Frauds und Ransomware: Angriffe auf Firmen nehmen zu. Die futurezone hat den Sicherheitsexperten Michael Krausz dazu befragt. --------------------------------------------- http://futurezone.at/digital-life/ransomware-von-zahlungen-ist-abzuraten/18… *** Erpressungs-Trojaner: Time-Machine-Backups anfällig *** --------------------------------------------- Die Entwickler der OS-X-Ransomware KeRanger haben auch Time-Machine-Backups als Angriffsziel erwogen. Tatsächlich ist es möglich, selbst ohne Admin-Rechte Dokumente in der Datensicherung zu verändern. --------------------------------------------- http://heise.de/-3131762 *** TRUST 2016, organized by SBA Research *** --------------------------------------------- August 29, 2016 - August 30, 2016 - All Day Vienna University of Technology Gußhausstraße 27-29 Vienna --------------------------------------------- https://www.sba-research.org/events/trust-2016-organized-by-sba-research/ *** Kritische Lücke in Jabber-Verschlüsselung OTR *** --------------------------------------------- Das Protokoll Off-the-Record (OTR) und dessen Umsetzung galt als eigentlich als recht sicher. Doch jetzt entdeckten Forscher eine kritische Lücke, die es Angreifern erlaubt, eigenen Code einzuschleusen und auszuführen. Updates schließen das Loch. --------------------------------------------- http://heise.de/-3130396 *** PlugX malware: A good hacker is an apologetic hacker *** --------------------------------------------- Sometimes malware writers put messages in their malware. We found one such message in PlugX dropper. And it was pretty melodramatic .. --------------------------------------------- http://securelist.com/blog/virus-watch/74150/plugx-malware-a-good-hacker-is… *** [R4] OpenSSL 20160301 Advisory Affects Tenable Nessus *** --------------------------------------------- https://www.tenable.com/security/tns-2016-03 *** Apple Software Update 2.2 *** --------------------------------------------- Impact: An attacker in a privileged network position may be able to control the contents of the updates window --------------------------------------------- https://support.apple.com/en-us/HT206091 *** Vulnerabilities in multiple third party TYPO3 CMS extensions *** --------------------------------------------- It has been discovered that the extension "phpMyAdmin" (phpmyadmin) is susceptible to unsafe comparison of XSRF/CSRF token, multiple full path disclosure vulnerabilities, multiple XSS vulnerabilities, insecure password generation in JavaScript. --------------------------------------------- https://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-… *** Security: Drown gefährdet weiterhin zahlreiche Webdienste *** --------------------------------------------- Wie schnell patchen Serverbetreiber die Drown-Sicherheitslücke? Offenbar zu langsam, sagen mehrere Sicherheitsfirmen. Bei Heartbleed lief es deutlich besser. --------------------------------------------- http://www.golem.de/news/security-drown-gefaehrdet-weiterhin-zahlreiche-web… *** Android mobile banking trojan uses layered defenses to avoid removal *** --------------------------------------------- Researchers at ESET have spotted a new Android banking trojan that camouflages itself as a legitimate mobile banking app, but instead of giving access to a persons bank account it steals login credentials. --------------------------------------------- http://www.scmagazine.com/android-mobile-banking-trojan-uses-layered-defens… *** Cisco Prime LAN Management Solution Default Decryption Key Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Security Updates Available for Adobe Flash Player (APSB16-08) *** --------------------------------------------- A Security Bulletin (APSB16-08) has been published regarding security updates for Adobe Flash Player. These updates address critical vulnerabilities, and Adobe recommends users update their product installations to the latest versions using .. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1327

1 0

Tageszusammenfassung - Mittwoch 9-03-2016
by Daily end-of-shift report 09 Mar '16

09 Mar '16

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 08-03-2016 18:00 − Mittwoch 09-03-2016 18:00 Handler: n/a Co-Handler: Stephan Richter *** Apple denies researchers claims of bypassing iOS passcode using Siri *** --------------------------------------------- Vulnerability Lab researchers claim to have spotted multiple passcode bypass vulnerabilities in the latest Apple iOS systems. --------------------------------------------- http://www.scmagazine.com/researchers-says-ios-has-passcode-bypass-vulnerab… *** Microsoft-Patchday: Fünf kritische Lücken, alle Windows-Versionen betroffen *** --------------------------------------------- Microsoft verteilt diesen Monat insgesamt 13 Updates für WIndows, Office und seine beiden Browser Internet Explorer und Edge. Mehrere Lücken erlauben es, Windows-Rechner aus der Ferne zu kapern. --------------------------------------------- http://heise.de/-3131122 *** Trivial path for DDoS amplification attacks found by infosec bods *** --------------------------------------------- 600,000 servers are vulnerable to this little-known protocol Security researchers have discovered a new vector for DDoS amplification attacks - and its quite literally trivial. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2016/03/09/trivial_ddo… *** KeRanger Mac ransomware is a rewrite of Linux Encoder *** --------------------------------------------- KeRanger, the recently discovered first functional Mac ransomware, is a copy of Linux Encoder, the crypto-ransomware first unearthed and analyzed in November 2015 by Dr. Web researchers. "The encryption functions are identical and have same names: encrypt_file, recursive_task, currentTimestamp and createDaemon to only mention a few. The encryption routine is identical to the one employed in Linux.Encoder", explained Catalin Cosoi, Chief Security Strategist at Bitdefender. --------------------------------------------- https://www.helpnetsecurity.com/2016/03/09/keranger-mac-ransomware-rewrite-… *** A Wall Against Cryptowall? Some Tips for Preventing Ransomware, (Wed, Mar 9th) *** --------------------------------------------- A lot of attention has been paid lately to the Cryptowall / Ransomware family (as in crime family) of malware. What I get asked a lot by clients is how can I prepare / prevent an infection? Prepare is a good word in this case, it encompasses both prevention and setting up processes for dealing with the infection that will inevitably happen in spite of those preventative processes. Plus its the first step in the Preparation / Identification / Containment / Eradication / Restore Service / Lessons... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20821&rss *** Android-Sicherheitsupdates: Immer Ärger mit Stagefright *** --------------------------------------------- Google wird die Stagefright-Probleme nicht los. Auch das März-Update patcht mehrere kritische Lücken, die in den Multimedia-Diensten der Android-Geräte stecken. Updates für Nexus-Smartphones und -Tablets werden bereits verteilt. --------------------------------------------- http://heise.de/-3131138 *** RSA: Seven Attack Trends (March 3, 2016) *** --------------------------------------------- At the RSA Conference in San Francisco last week, SANS researchers described seven cyberattack trends that are likely to come up again and again over the course of this year: Weaponization of Windows PowerShell; Stagefright-like mobile vulnerabilities; Developer environment vulnerabilities like Xcode Ghost; Industrial Control System (ICS) attacks; Targeting unsecure third-party software components; Internet of (Evil) Things; and Ransomware... --------------------------------------------- http://www.sans.org/newsletters/newsbites/r/18/19/201 *** MS16-MAR - Microsoft Security Bulletin Summary for March 2016 - Version: 1.0 *** --------------------------------------------- V1.0 (March 8, 2016): Bulletin Summary published. --------------------------------------------- https://technet.microsoft.com/en-us/library/security/MS16-MAR *** [R1] PHP < 5.6.18 / PCRE < 8.38 Vulnerabilities Affect Tenable SecurityCenter *** --------------------------------------------- http://www.tenable.com/security/tns-2016-04 *** Bugtraq: [security bulletin] HPSBHF03557 rev.1 - HPE Networking Products using Comware 7 (CW7) running NTP, Remote Denial of Service (DoS) *** --------------------------------------------- http://www.securityfocus.com/archive/1/537721 *** Persistent Cross-Site Scripting Vulnerability in Citrix XenMobile Server 10.x Web User Interface *** --------------------------------------------- This vulnerability could potentially be used to execute malicious client-side script in the same context as legitimate content from the web server; if this vulnerability is used to execute script in the browser of an authenticated administrator then the script may be able to gain access to the administrator's session or other potentially sensitive information. --------------------------------------------- https://support.citrix.com/article/CTX207499 *** Cisco Cable Modem with Digital Voice Remote Code Execution Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco ASA Content Security and Control Security Services Module Denial of Service Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco Wireless Residential Gateway with EDVA Denial of Service Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco Wireless Residential Gateway Information Disclosure Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…

1 0

Tageszusammenfassung - Dienstag 8-03-2016
by Daily end-of-shift report 08 Mar '16

08 Mar '16

======================= = End-of-Shift report = ======================= Timeframe: Montag 07-03-2016 18:00 − Dienstag 08-03-2016 18:00 Handler: Stephan Richter Co-Handler: n/a *** PhishLabs on the growing sophistication of business email scams *** --------------------------------------------- At the 2016 RSA Conference, CSOs Steve Ragan chats with Joseph Opacki from PhishLabs about how cyber-criminals are becoming increasingly smarter about targeting specific high-end business users to try and steal data or money. --------------------------------------------- http://www.cio.com/video/63026/phishlabs-on-the-growing-sophistication-of-b… *** Google plugs 19 holes in newest Android security update *** --------------------------------------------- In the March 2016 security update for the Android Open Source Project (AOSP), Google has fixed 19 security issues, seven of which are considered to be critical. Among these, and admittedly the most important to patch, are two remote code execution vulnerabilities in - yes, you've guessed it - Mediaserver. Mediaserver is a service in Android that allows the device to index media files that are located on it. The vulnerabilities in question (CVE-2016-0815, CVE-2016-0816)... --------------------------------------------- https://www.helpnetsecurity.com/2016/03/08/android-security-update/ *** Free and Commercial Tools to Implement the Center for Internet Security (CIS) Security Controls, Part 12: Controlled Use of Administrative Privileges *** --------------------------------------------- This is Part 12 of a How-To effort to compile a list of tools (free and commercial) that can help IT administrators comply with what was formerly known as the "SANS Top 20 Security Controls". It is now known as the Center for Internet Security (CIS) Security Controls. A summary of the previous posts is here: Part 1 - we looked at Inventory of Authorized and Unauthorized Devices. Part 2 - we looked at Inventory of Authorized and Unauthorized Software. Part 3 - we looked at Secure... --------------------------------------------- https://www.alienvault.com/blogs/security-essentials/free-and-commercial-to… *** Cloud sellers who acted on Heartbleed sink when it comes to DROWN *** --------------------------------------------- An out-stretched arm slowly disappears... Response to the critical web-crypto-blasting DROWN vulnerability in SSL/TLS by cloud services has been much slower than the frantic patching witnessed when the Heartbleed vulnerability surfaced two years ago. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2016/03/08/drown_vulne… *** Erpressungs-Trojaner Keranger: Wie Sie Ihren Mac schützen *** --------------------------------------------- Erstmals zielt funktionstüchtige Ransomware auf OS-X-Nutzer ab. Nach der Infektion bleiben drei Tage, bis "Keranger" Dokumente verschlüsselt. Nutzer sollten prüfen, ob sie betroffen sind - und Gegenmaßnahmen ergreifen. --------------------------------------------- http://heise.de/-3130854 *** Security Bulletins Posted *** --------------------------------------------- Security Bulletins for Adobe Digital Editions (APSB16-06) as well as Adobe Acrobat and Reader (APSB16-09) have been published. Adobe recommends users update their product installations to the latest versions using the instructions referenced in the relevant security bulletin. A security... --------------------------------------------- https://blogs.adobe.com/psirt/?p=1322 *** DFN-CERT-2016-0402: ISC DHCP: Eine Schwachstelle ermöglicht einen Denial-of-Service-Angriff *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-0402/ *** DFN-CERT-2016-0405: PuTTY: Eine Schwachstelle ermöglicht das Ausführen beliebigen Programmcodes *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-0405/ *** DFN-CERT-2016-0400: BlackBerry powered by Android: Mehrere Schwachstellen ermöglichen u.a. die Ausführung beliebigen Programmcodes mit den Rechten des Mediaservers *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-0400/ *** Bugtraq: ESA-2016-012: EMC Documentum xCP - User Information Disclosure Vulnerability *** --------------------------------------------- http://www.securityfocus.com/archive/1/537712 *** [R3] OpenSSL 20160301 Advisory Affects Tenable Nessus *** --------------------------------------------- http://www.tenable.com/security/tns-2016-03 *** Security Advisory: Libpng vulnerability CVE-2015-8472 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/81/sol81903701.html?… *** Security Advisory: OpenSSL vulnerabilities CVE-2016-0703, CVE-2016-0704, and CVE-2016-0800 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/23/sol23196136.html?… *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: GNU C library (glibc) and OpenSSL vulnerabilities affect WebSphere Cast Iron. (CVE-2015-7547 CVE-2015-3193 CVE-2015-3194 CVE-2015-3195 CVE-2015-3196 CVE-2015-1794) *** http://www.ibm.com/support/docview.wss?uid=swg21978339 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in current releases of IBM SDK for Node.js in IBM Bluemix (CVE-2015-3197, CVE-2016-2086, CVE-2016-2216) *** http://www.ibm.com/support/docview.wss?uid=swg21977242 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSH affect IBM XIV Gen2 (CVE-2016-0777, CVE-2016-0778) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1005618 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSH affect IBM XIV Gen3 (CVE-2016-0777, CVE-2016-0778) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1005619 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects IBM XIV Gen3 systems and IBM XIV Management Tools (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1005615 ---------------------------------------------

1 0

Tageszusammenfassung - Montag 7-03-2016
by Daily end-of-shift report 07 Mar '16

07 Mar '16

======================= = End-of-Shift report = ======================= Timeframe: Freitag 04-03-2016 18:00 − Montag 07-03-2016 18:00 Handler: Stephan Richter Co-Handler: n/a *** When a WordPress Plugin Goes Bad *** --------------------------------------------- Last summer we shared a story about the SweetCaptcha WordPress plugin injecting ads and causing malvertising problems for websites that leveraged the plugin. When this plugin was removed from the official WordPress Plugin directory, the authors revived another WordPress account with a long abandoned plugin and uploaded SweetCaptcha as a "new version" of that plugin. --------------------------------------------- https://blog.sucuri.net/2016/03/when-wordpress-plugin-goes-bad.html *** Novel method for slowing down Locky on Samba server using fail2ban, (Sun, Mar 6th) *** --------------------------------------------- One of our loyal readers, Gebhard, pointed out a nice post (in German) on how to slow down Lockyif you are using a Samba server for filesharing in your environment. The technique takes advantage of fail2ban and some additional Samba logging to keep Locky from encrypting all the files on the share. It is worth a look. ">[de]:">[en]:https://translate.google.com/translate?sl=autotl=enjs=yprev=_thl=enie=U… --------------- Jim Clausing, --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20805&rss *** KeRanger: Erste Ransomware-Kampagne bedroht Mac OS X *** --------------------------------------------- Ein Erpressungs-Trojaner verschlüsselt erstmals auch Daten von Mac-Nutzern. Der Schädling versteckt sich im BitTorrent-Client Transmission. Apple und die Entwickler haben bereits reagiert. --------------------------------------------- http://heise.de/-3129346 *** Bundestags-Hack: Angriff mit gängigen Methoden und Open-Source-Tools *** --------------------------------------------- Interne Dokumente bringen neue Details zum Hackerangriff auf den Bundestag im letzten Jahr ans Licht: Die Angreifer bedienten sich gängiger Methoden und setzten frei verfügbare Werkzeuge ein. --------------------------------------------- http://heise.de/-3129862 *** Maintainers of new generic top level domains have a hard time keeping abuse in check *** --------------------------------------------- Generic top-level domains (gTLDs) that have sprung up in recent years have become a magnet for cybercriminals, to the point where some of them host more malicious domains than legitimate ones.Spamhaus, an organization that monitors spam, botnet and malware activity on the Internet, has published a list of the worlds top 10 "worst TLDs" on Saturday. Whats interesting is that the list is not based on the overall number of abusive domains hosted under a TLD, but on the TLDs ratio of... --------------------------------------------- http://www.cio.com/article/3041338/maintainers-of-new-generic-top-level-dom… *** DFN-CERT-2016-0398: Squid: Zwei Schwachstellen ermöglichen u.a. das Ausführen beliebigen Programmcodes *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-0398/ *** HPE Network Automation Unspecified Flaws Let Remote Users Execute Arbitrary Code and Obtain Potentially Sensitive Information *** --------------------------------------------- http://www.securitytracker.com/id/1035192 *** Filr 2.0 - Security Update 1 *** --------------------------------------------- Abstract: Security Updates for glibc and nscd on the Filr, Search and MySQL 2.0.0 appliances (CVE-2015-7547).Document ID: 5237510Security Alert: YesDistribution Type: PublicEntitlement Required: NoFiles:MySQL-2.0.0.182.HP.zip (21.71 MB)Filr-2.0.0.422.HP.zip (23.03 MB)Search-2.0.0.400.HP.zip (21.71 MB)Products:Filr 2Superceded Patches: None --------------------------------------------- https://download.novell.com/Download?buildid=LqikC-Hosps~ *** Filr 1.2 - Security Update 2 *** --------------------------------------------- Abstract: Security Updates for glibc and nscd on the Filr, Search and MySQL 1.2.0 appliances (CVE-2015-7547).Document ID: 5237480Security Alert: YesDistribution Type: PublicEntitlement Required: NoFiles:Filr-1.2.0.861.HP.zip (23.03 MB)MySQL-1.2.0.413.HP.zip (21.71 MB)Search-1.2.0.998.HP.zip (21.71 MB)Products:Filr 1.2Superceded Patches: None --------------------------------------------- https://download.novell.com/Download?buildid=PQBDzZUKFac~ *** Sentinel 7.4 SP1 (Sentinel 7.4.1.0) Build 2512 *** --------------------------------------------- Abstract: Sentinel 7.4.1 upgrade for Sentinel 7.4Document ID: 5237090Security Alert: YesDistribution Type: PublicEntitlement Required: NoFiles:sentinel_server-7.4.1.0-2512.x86_64.tar.gz.sha256 (109 bytes)sentinel_server-7.4.1.0-2512.x86_64.tar.gz (1.74 GB)Products:SentinelSentinel 7.3Sentinel 7.3.1Sentinel 7.3.2Sentinel 7.4Sentinel 7.2Sentinel 7.2.1Sentinel 7.2.2Sentinel 7.4.1Superceded Patches: None --------------------------------------------- https://download.novell.com/Download?buildid=ZEMvbiAk5k8~ *** innovaphone IP222 / IP232 Denial Of Service *** --------------------------------------------- Topic: innovaphone IP222 / IP232 Denial Of Service Risk: Medium Text: --BEGIN PGP SIGNED MESSAGE -- Hash: SHA512 Advisory ID: SYSS-2015-053 Product: innovaphone IP222/IP232 Manufacturer: inn... --------------------------------------------- https://cxsecurity.com/issue/WLB-2016030035 *** Bugtraq: Apple iOS v9.2.1 - Multiple PassCode Bypass Vulnerabilities (App Store Link, Buy Tones Link & Weather Channel Link) *** --------------------------------------------- http://www.securityfocus.com/archive/1/537708 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in libpng affect PowerKVM (CVE-2015-8126, CVE-2015-8472) *** 2016-03-07T08:14:25-05:00 http://www.ibm.com/support/docview.wss?uid=isg3T1023374 --------------------------------------------- *** IBM Security Bulletin: GNU C library (glibc) vulnerability affects IBM MQ Appliance (CVE-2015-7547) *** http://www.ibm.com/support/docview.wss?uid=swg21977498 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in the GNU C Library (glibc) affect PowerKVM *** http://www.ibm.com/support/docview.wss?uid=isg3T1023385 --------------------------------------------- *** IBM Security Bulletin: GNU C library (glibc) vulnerability affects IBM Security Guardium (CVE-2015-7547) *** http://www.ibm.com/support/docview.wss?uid=swg21977444 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in grub2 affect PowerKVM (CVE-2015-5281, CVE-2015-8370) *** http://www.ibm.com/support/docview.wss?uid=isg3T1023376 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in netcf affects PowerKVM (CVE-2014-8119) *** http://www.ibm.com/support/docview.wss?uid=isg3T1023367 --------------------------------------------- *** IBM Security Bulletin: Lotus Protector for Mail affected by libcurl vulnerability (CVE-2016-0755) *** http://www.ibm.com/support/docview.wss?uid=swg21977843 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in libxml2 affect PowerKVM *** http://www.ibm.com/support/docview.wss?uid=isg3T1023350 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in bind affects PowerKVM (CVE-2015-8704) *** http://www.ibm.com/support/docview.wss?uid=isg3T1023372 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in MIT Kerberos 5 (krb5) affect PowerKVM (CVE-2014-5355, CVE-2015-2694) *** http://www.ibm.com/support/docview.wss?uid=isg3T1023354 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in file affect PowerKVM *** http://www.ibm.com/support/docview.wss?uid=isg3T1023349 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in xfsprogs affects PowerKVM (CVE-2012-2150) *** http://www.ibm.com/support/docview.wss?uid=isg3T1023356 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in Gnu binutils affect PowerKVM *** http://www.ibm.com/support/docview.wss?uid=isg3T1023355 ---------------------------------------------

1 0

Tageszusammenfassung - Freitag 4-03-2016
by Daily end-of-shift report 04 Mar '16

04 Mar '16

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 03-03-2016 18:00 − Freitag 04-03-2016 18:00 Handler: Robert Waldner Co-Handler: Alexander Riepl *** Upcoming Security Updates for Adobe Acrobat and Reader (APSB16-09) *** --------------------------------------------- A prenotification Security Advisory has been posted regarding upcoming updates for Adobe Acrobat and Reader scheduled for Tuesday, March 8, 2016. We will continue to provide updates on the upcoming release via the Security Advisory as well as the .. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1319 *** Open-Xchange Guard 2.2.0 / 2.0 Private Key Disclosure *** --------------------------------------------- The "getprivkeybyid" API call is used to download a PGP Private Key for a specific user after providing authentication credentials. Clients provide the "id" and "cid" parameter to specify the current user by its user- and context-ID. The "auth" parameter contains .. --------------------------------------------- https://cxsecurity.com/issue/WLB-2016030034 *** Kriminelle setzen oft auf Standard-Passwörter *** --------------------------------------------- Im Projekt Heisenberg haben Honeypots einen RDP-Port angeboten. Sicherheitsforscher werteten im weiteren Verlauf die Login-Daten von Angreifern aus. --------------------------------------------- http://www.heise.de/newsticker/meldung/Kriminelle-setzen-oft-auf-Standard-P… *** NCSC publishes factsheet Disable SSL 2.0 and upgrade OpenSSL *** --------------------------------------------- On 1 March, a group of researchers presented the DROWN attack methods for TLS. An attacker uses DROWN to abuse servers that still support SSL 2.0. Servers that run a vulnerable version of OpenSSL can be abused in the same way, regardless of whether they support SSL 2.0. An attacker who is able to intercept network traffic that is secured with TLS, may attempt to decrypt this traffic .. --------------------------------------------- https://www.ncsc.nl/english/current-topics/news/ncsc-publishes-factsheet-di… *** Mit Sicherheit - BSI-Magazin 2016/01 *** --------------------------------------------- in dieser Ausgabe des BSI-Magazins blicken wir zurück auf ein Vierteljahrhundert deutsche IT-Sicherheitsgeschichte, denn das Bundesamt für Sicherheit in der Informationstechnik feiert in diesem Jahr sein .. --------------------------------------------- https://www.bsi.bund.de/DE/Publikationen/BSI-Magazin/BSI-Magazin_node.html *** Amazon App Store verbreitet Android-Trojaner *** --------------------------------------------- Kann Nutzer umfassend ausspionieren – Lässt sich aber auch einfach deinstallieren .. --------------------------------------------- http://derstandard.at/2000032287420 *** Drown-Angriff: Server4You stellt tausende betroffene Kunden bloss *** --------------------------------------------- In einem Abuse-Ticket von Server4You an Kunden mit vom Drown-Angriff bedrohten Servern tauchen zehntausende IP-Adressen und Ports betroffener Server auf. Zudem stellt der Hoster den Kunden ein Ultimatum - rudert mittlerweile aber wieder zurück. --------------------------------------------- http://heise.de/-3128656 *** Amazon entfernt Verschlüsselungsfunktion aus Fire-Tablets *** --------------------------------------------- Weil die Kunden sie nicht benutzt hätten, hat Amazon die Android-Funktion zur Verschlüsselung des Speichers aus dem Betriebssystem seiner Fire-Tablets entfernt. So zumindest erklärt der Konzern den nun bekannt gewordenen Schritt. --------------------------------------------- http://heise.de/-3128844 *** Chaos Computer Club bekommt Schwesterverein in Wien *** --------------------------------------------- Mitgliederversammlung am Samstag - Hackertreffen Easterhegg findet in Salzburg statt --------------------------------------------- http://derstandard.at/2000032301583

1 0

Tageszusammenfassung - Donnerstag 3-03-2016
by Daily end-of-shift report 03 Mar '16

03 Mar '16

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 02-03-2016 18:00 − Donnerstag 03-03-2016 18:00 Handler: Stephan Richter Co-Handler: Alexander Riepl *** Cisco Unified Communications Domain Manager Cross-Site Scripting Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** LibreSSL Unaffected By DROWN *** --------------------------------------------- The OpenBSD people forked and heavily cleaned up OpenSSL to create LibreSSL due to dissatisfaction with the maintainance of OpenSSL, culminating in the heartbleed bug. The emphasis has been on cleaning up the code and improving security, which includes removing things such as SSL2 which has fundamental security flaws. As a result, LibreSSL is not .. --------------------------------------------- http://it.slashdot.org/story/16/03/02/1620221/libressl-unaffected-by-drown *** Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: March 2016 *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco Prime Infrastructure Log File Remote Code Execution Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Schneider Electric Building Operation Automation Server Vulnerability *** --------------------------------------------- This advisory contains mitigation details for a vulnerability in servers programmed with Schneider Electric's StruxureWare Building Operation software. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-061-01 *** Rockwell Automation Allen-Bradley CompactLogix Reflective Cross-Site Scripting Vulnerability *** --------------------------------------------- This advisory is a follow-up to the alert titled ICS-ALERT-15-225-01A Rockwell Automation 1766-L32 Series Vulnerability that was published August 13, 2015, on the NCCIC/ICS-CERT web site. This advisory contains mitigation details for a cross-site scripting vulnerability in Rockwell Automation's CompactLogix application. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-061-02 *** Windows Built-In PDF Reader Exposes Edge Browser To Hacking *** --------------------------------------------- Edge, Microsofts new browser, uses the WinRT PDF library to automatically embed and present PDF files while navigating the web. This is what Java does with applets, and Flash with SWF files -- it unintentionally allows a hacker to append malicious code to PDF files and trigger drive-by attacks, which exploit WinRT .. --------------------------------------------- http://news.slashdot.org/story/16/03/02/2210256/windows-built-in-pdf-reader… *** Open-Xchange Guard Access Control Flaw Lets Remote Authenticated Users Obtain Private Keys in Certain Cases *** --------------------------------------------- http://www.securitytracker.com/id/1035174 *** Google Analytics Counter - Moderately Critical - CSRF - SA-CONTRIB-2016-011 *** --------------------------------------------- The Google Analytics Counter module provides total pageview counts for each page on a website. In that it is similar to the core Statistics module counter, but it is much lighter and ultimately faster because it draws on .. --------------------------------------------- https://www.drupal.org/node/2679515 *** Register now for the International NCSC One Conference 2016 *** --------------------------------------------- Protecting Bits & Atoms is the theme for our international One Conference 2016. It is especially timely given the increasingly connected physical and digital worlds and how information and communication technologies (ICT) have ingrained themselves into the very fabric of our society. The ONE conference will take place on Tuesday April 5 and Wednesday April 6 at the World Forum in The Hague, The Netherlands. --------------------------------------------- https://www.ncsc.nl/english/current-topics/news/register-now-for-the-intern… *** Wie Betrüger Apple Pay missbrauchen können *** --------------------------------------------- Apple Pay ist praktisch und gilt als sicher. Doch das System lässt sich von Kriminellen missbrauchen, um digitale Kreditkartenkopien zu erstellen. --------------------------------------------- http://www.golem.de/news/security-wie-betrueger-apple-pay-missbrauchen-koen… *** Java Deserialization Attacks with Burp *** --------------------------------------------- This blog is about Java deserialization and the Java Serial Killer Burp extension. If you want to download the extension and skip past all of this, head to the Github page here. The recent Java deserialization attack that was discovered has provided a large window of opportunity for penetration testers to gain access to the underlying systems that Java applications communicate with. --------------------------------------------- https://blog.netspi.com/java-deserialization-attacks-burp/ *** Valve informiert Steam-Nutzer über Weihnachts-Datenpanne *** --------------------------------------------- Fast drei Monate nach der massiven Datenpanne informiert Valve nun die betroffenen Nutzer. Die hatten das Problem in der Zwischenzeit wahrscheinlich längst vergessen. --------------------------------------------- http://heise.de/-3127829

1 0

Tageszusammenfassung - Mittwoch 2-03-2016
by Daily end-of-shift report 02 Mar '16

02 Mar '16

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 01-03-2016 18:00 − Mittwoch 02-03-2016 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** Threat Actors Behind "Shrouded Crossbow" Create BIFROSE for UNIX *** --------------------------------------------- We recently came across a variant of the BIFROSE malware that has been rewritten for UNIX and UNIX-like systems. This is the latest tool developed by attackers behind operation Shrouded Crossbow, which have produced other BIFROSE variants such as KIVARS and KIVARS x64. UNIX-based operating systems are widely used in servers, workstations, and even mobile devices. With a lot of highly confidential data found in these servers and devices, a UNIX version of BIFROSE can certainly be classified as a... --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/m3eM40z3oI8/ *** Cachebleed-Angriff: CPU-Cache kann private Schlüssel verraten *** --------------------------------------------- Forschern ist es gelungen, RSA-Verschlüsselungsoperationen von OpenSSL mittels eines Cache-Timing-Angriffs zu belauschen und so den privaten Key zu knacken. Der Cachebleed-Angriff nutzt dabei Zugriffskonflikte auf den Cache-Speicher. --------------------------------------------- http://www.golem.de/news/cachebleed-angriff-cpu-cache-kann-private-schluess… *** Let's ride with TeslaCrypt *** --------------------------------------------- TeslaCrypt is a ransomware spread by e-mails or exploit kits. It encrypts your files and asks you to pay in order to retrieve the decryption key. The current version is 3.0. Many analysis are already available on the Internet. In this article we are focusing on two aspects of TeslaCrypt: - The attack vector - The web callback... --------------------------------------------- http://thisissecurity.net/2016/03/02/lets-ride-with-teslacrypt/ *** Security: Angebliche Locky-Warnung vom BKA ist ein Trojaner *** --------------------------------------------- Die Angst vor Locky wird jetzt offenbar von Kriminellen ausgenutzt. In einer angeblich vom Bundeskriminalamt stammenden Mail wird vor dem Kryptotrojaner gewarnt und ein Werkzeug zur Entfernung angeboten - das selbst Malware enthält. --------------------------------------------- http://www.golem.de/news/security-angebliche-locky-warnung-vom-bka-ist-ein-… *** $17 smartwatch sends something to random Chinese IP address *** --------------------------------------------- Samsung Gear 2 also has some problems, researcher says RSA bsides A cheap smart watch often peddled on eBay uses a pairing app for Android or iOS that contains a backdoor that quietly connects to an unknown Chinese IP address. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2016/03/02/chinese_bac… *** iPhone-Fingerabdruck lässt sich mit Plastilin austricksen *** --------------------------------------------- Ein Hersteller von Fingerabdrucksensoren zeigt, wie einfach Apples Touch-ID mit gefälschten Fingerabdrücken zu umgehen ist. --------------------------------------------- http://futurezone.at/produkte/iphone-fingerabdruck-laesst-sich-mit-plastili… *** Der DROWN Angriff auf SSL/TLS *** --------------------------------------------- Es ist wieder soweit: Es gibt einen Presserummel rund um eine neu entdeckte Schwachstelle in SSL/TLS. Es gibt einen Namen (DROWN = Decrypting RSA with Obsolete and Weakened eNcryption) und ein fancy Logo. Nachzulesen ist alles unter: [...] Wir haben uns das angesehen und beschlossen, dazu keine offizielle Warnung zu publizieren. Das Problem ist nicht so dringend und dramatisch, wie manche... --------------------------------------------- http://www.cert.at/services/blog/20160302151126-1688.html *** Django Bugs Let Remote Users Conduct Redirect and Cross-Site Scripting Attacks and Determine Valid Usernames *** --------------------------------------------- http://www.securitytracker.com/id/1035152 *** DFN-CERT-2016-0366: Perl: Mehrere Schwachstellen ermöglichen u.a. die Ausführung beliebigen Programmcodes mit Benutzerrechten *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-0366/ *** Intel Security - Security Bulletin: Protected resource access bypass vulnerability resolved in multiple McAfee endpoint products for Microsoft Windows *** --------------------------------------------- Multiple McAfee endpoint products include a private mechanism to access settings and files protected by self-protection rules. This mechanism is not sufficiently secure and may be misused to access registry keys and files that should be protected from tampering. --------------------------------------------- https://kc.mcafee.com/corporate/index?page=content&id=SB10151 *** Schneider Electric Building Operation Application Server Vulnerability *** --------------------------------------------- This advisory contains mitigation details for a vulnerability in servers programmed with Schneider Electric's StruxureWare Building Operation software. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-061-01 *** Rockwell Automation Allen-Bradley CompactLogix Reflective Cross-Site Scripiting *** --------------------------------------------- This advisory is a follow-up to the alert titled ICS-ALERT-15-225-01A Rockwell Automation 1766-L32 Series Vulnerability that was published August 13, 2015, on the NCCIC/ICS-CERT web site. This advisory contains mitigation details for a cross-site scripting vulnerability in Rockwell Automation's CompactLogix application. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-061-02 *** Cisco Security Advisories *** --------------------------------------------- *** Cisco NX-OS Software TCP Netstack Denial of Service Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Nexus 3000 Series and 3500 Platform Switches Insecure Default Credentials Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Web Security Appliance HTTPS Packet Processing Denial of Service Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco NX-OS Software SNMP Packet Denial of Service Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco FireSIGHT System Software Convert Timing Channel Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco FireSIGHT System Software Device Management UI Cross-Site Scripting Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: GNU C library (glibc) vulnerability affects IBM Security Privileged Identity Manager Virtual Appliance (CVE-2015-7547) *** http://www.ibm.com/support/docview.wss?uid=swg21978009 --------------------------------------------- *** IBM Security Bulletin: Lotus Protector for Mail affected by glibc, getaddrinfo stack-based buffer overflow (CVE-2015-7547) *** http://www.ibm.com/support/docview.wss?uid=swg21977368 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects IBM Marketing Platform, IBM Campaign, IBM Predictive Insight, IBM Contact Optimization, IBM Marketing Operations (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21976886 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in the GSKit component of IBM Tivoli Storage Manager Fastback for Workstations (CVE-2016-0201) *** http://www.ibm.com/support/docview.wss?uid=swg21974685 --------------------------------------------- *** Security Bulletin: Vulnerabilities in OpenSSL and MD5 Signature and Hash Algorithm (CVE-2015-7575) affect IBM System Networking RackSwitch products. *** http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5099210 --------------------------------------------- *** Security Bulletin: Multiple vulnerabilities, including MD5 Signature and Hash Algorithm (CVE-2015-7575), affect IBM Flex System Networking Switches *** http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5099200 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in libpng affect IBM Cognos Metrics Manager (CVE-2015-8126, CVE-2015-8472, CVE-2015-8540) *** http://www.ibm.com/support/docview.wss?uid=swg21976924 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects IBM Client Application Access (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21977618 ---------------------------------------------

1 0

Tageszusammenfassung - Dienstag 1-03-2016
by Daily end-of-shift report 01 Mar '16

01 Mar '16

======================= = End-of-Shift report = ======================= Timeframe: Montag 29-02-2016 18:00 − Dienstag 01-03-2016 18:00 Handler: Stephan Richter Co-Handler: n/a *** Bleichenbacher-Angriff: Drown entschlüsselt mit uraltem SSL-Protokoll *** --------------------------------------------- Kein moderner Browser unterstützt das alte SSL-Protokoll Version 2. Trotzdem kann es zum Sicherheitsrisiko werden, solange Server es aus Kompatibilitätsgründen unterstützen. Es muss nicht einmal derselbe Server sein. --------------------------------------------- http://www.golem.de/news/bleichenbacher-angriff-drown-entschluesselt-mit-ur… *** The Definitive Guide on Win32 to NT Path Conversion *** --------------------------------------------- Posted by James Forshaw, path'ological reverse engineer. How the Win32 APIs process file paths on Windows NT is a tale filled with backwards compatibility hacks, weird behaviour, and beauty. Incorrect handling of Win32 paths can lead to security vulnerabilities. This blog post is to try and give a definitive* guide on the different types of paths supported by the OS. I'm going to try and avoid discussion of quirks in the underlying filesystem implementations (such as NTFS... --------------------------------------------- http://googleprojectzero.blogspot.com/2016/02/the-definitive-guide-on-win32… *** De-obfuscating malicious Vbscripts *** --------------------------------------------- With the returned popularity of visual basic as a first attack vector in mind, we took a look at de-obfuscating a few recent vbs files starting with a very easy one and progressing to a lot more complex script.Categories: Malware AnalysisTags: bankerclickerde-obfuscatedecryptdroppermalwareobfuscationPieter Arntztrojanvbsvbscriptworm(Read more...) --------------------------------------------- https://blog.malwarebytes.org/intelligence/2016/02/de-obfuscating-malicious… *** Look Into Locky *** --------------------------------------------- Some sources say that Locky is the latest ransomware created and released in the wild by Dridex gang. Our studies indicate that it is well prepared, which means that the threat actor/s behind it has invested for it.Categories: Malware AnalysisTags: Lockyransomware(Read more...) --------------------------------------------- https://blog.malwarebytes.org/intelligence/2016/03/look-into-locky/ *** OpenSSL Security Advisories *** --------------------------------------------- CVE-2016-0800 (OpenSSL advisory) [High severity] CVE-2016-0705 (OpenSSL advisory) [Low severity] CVE-2016-0798 (OpenSSL advisory) [Low severity] CVE-2016-0797 (OpenSSL advisory) [Low severity] CVE-2016-0799 (OpenSSL advisory) [Low severity] CVE-2016-0702 (OpenSSL advisory) [Low severity] CVE-2016-0703 (OpenSSL advisory) [High severity] CVE-2016-0704 (OpenSSL advisory) [Moderate severity] --------------------------------------------- https://openssl.org/news/vulnerabilities.html *** VU#938151: Forwarding Loop Attacks in Content Delivery Networks may result in denial of service *** --------------------------------------------- Vulnerability Note VU#938151 Forwarding Loop Attacks in Content Delivery Networks may result in denial of service Original Release date: 29 Feb 2016 | Last revised: 29 Feb 2016 Overview Content Delivery Networks (CDNs) may in some scenarios be manipulated into a forwarding loop, which consumes server resources and causes a denial of service (DoS) on the network. Description CWE-400: Uncontrolled Resource Consumption (Resource Exhaustion)Content Delivery Networks (CDNs) are used to improve... --------------------------------------------- http://www.kb.cert.org/vuls/id/938151 *** F5 Security Advisory: Multiple NTP vulnerabilities CVE-2015-8139 and CVE-2015-8140 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/00/sol00329831.html?… *** Bugtraq: [security bulletin] HPSBUX03552 SSRT102983 rev.1 - HP-UX BIND running Named, Remote Denial of Service (DoS) *** --------------------------------------------- http://www.securityfocus.com/archive/1/537659 *** DFN-CERT-2016-0355: phpMyAdmin: Mehrere Schwachstellen ermöglichen u.a. das Umgehen von Sicherheitsvorkehrungen *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-0355/ *** Bugtraq: [SYSS-2016-009] Sophos UTM 525 Web Application Firewall - Cross-Site Scripting in *** --------------------------------------------- http://www.securityfocus.com/archive/1/537662 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: A vulnerability in the GSKit component of Tivoli Network Manager IP Edition (CVE-2016-0201) *** http://www.ibm.com/support/docview.wss?uid=swg21974785 --------------------------------------------- *** IBM Security Bulletin: Multiple Security Vulnerabilities in Apache Tomcat affect IBM RLKS Administration and Reporting Tool *** http://www.ibm.com/support/docview.wss?uid=swg21976103 --------------------------------------------- *** IBM Security Bulletin: GNU C library (glibc) vulnerability affects IBM Security Access Manager for Web (CVE-2015-7547) *** http://www.ibm.com/support/docview.wss?uid=swg21977374 --------------------------------------------- *** IBM Security Bulletin: GNU C library (glibc) vulnerability affects IBM Security Access Manager for Mobile (CVE-2015-7547) *** http://www.ibm.com/support/docview.wss?uid=swg21977372 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in IBM Java SDK affect IBM Tivoli Access Manager for e-business and IBM Security Access Manager for Web 7.0 software (CVE-2016-0603) *** http://www.ibm.com/support/docview.wss?uid=swg21978024 --------------------------------------------- *** IBM Security Bulletin: Cross-Site scripting vulnerability in IBM Business Process Manager document list control (CVE-2016-0227) *** http://www.ibm.com/support/docview.wss?uid=swg21978058 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in IBM Java SDK affects IBM OS Images for Red Hat Linux Systems, AIX, and Windows. (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21977880 --------------------------------------------- *** IBM Security Bulletin:A vulnerability in IBM Java SDK affects IBM Image Construction and Composition Tool. (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21977647 --------------------------------------------- *** IBM Security Bulletin:A vulnerability in IBM Java SDK affects IBM Workload Deployer. (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21977646 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM SmartCloud Entry (CVE-2016-0475 CVE-2016-0448 CVE-2015-7575 CVE-2016-0466) *** http://www.ibm.com/support/docview.wss?uid=isg3T1023408 --------------------------------------------- *** Security Bulletin: Vulnerability in IBM Java SDK affects IBM System Networking Switch Center (CVE-2015-7575) *** http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5099203 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in IBM Java SDK affects IBM PureApplication System. (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21978026 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Access Manager for Mobile *** http://www.ibm.com/support/docview.wss?uid=swg21976765 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Access Manager for Web and IBM Tivoli Access Manager for e-business *** http://www.ibm.com/support/docview.wss?uid=swg21976678 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects Rational Software Architect, Software Architect for WebSphere Software & Rational Software Architect RealTime *** http://www.ibm.com/support/docview.wss?uid=swg21976894 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in Apache ActiveMQ affects IBM Tivoli System Automation Application Manager (CVE-2015-5254) *** http://www.ibm.com/support/docview.wss?uid=swg21977546 ---------------------------------------------

1 0

Tageszusammenfassung - Montag 29-02-2016
by Daily end-of-shift report 29 Feb '16

29 Feb '16

======================= = End-of-Shift report = ======================= Timeframe: Freitag 26-02-2016 18:00 − Montag 29-02-2016 18:00 Handler: Stephan Richter Co-Handler: n/a *** Fixing the Internets routing security is urgent and requires collaboration *** --------------------------------------------- The Internet is fragile. Many of its protocols were designed at a time when the goal was rapid network expansion based on trust among operators. Today, the Internets open nature is what makes it so great for business, education and communication, but the absence of security mechanisms at its core is something that criminals are eager to exploit.In late January, traffic to many IP (Internet Protocol) addresses of the U.S. Marine Corps was temporarily diverted through an ISP in Venezuela. --------------------------------------------- http://www.cio.com/article/3038752/fixing-the-internets-routing-security-is… *** Angler Exploit Kit Learns New Tricks, Finds Home On Popular Website *** --------------------------------------------- Angler Exploit evaded detection through new technique that bypasses Firefox and Chrome security protection. --------------------------------------------- http://threatpost.com/angler-exploit-kit-learns-new-tricks-finds-home-on-po… *** HackingTeam Reborn; A Brief Analysis of an RCS Implant Installer *** --------------------------------------------- As Im generally quite occupied with my day job as Director of R&D at Synack, the weekend is when I finally have some free time to blog. This weekend I wasnt sure what Id write about until @osxreverser tweeted late Friday afternoon:... --------------------------------------------- https://objective-see.com/blog/blog_0x0D.html *** The rise of polymorphic malware *** --------------------------------------------- 97% of malware is unique to a specific endpoint, rendering signature-based security virtually useless. The data collected by Webroot throughout 2015 shows that today's threats are truly global and highly dynamic. Many attacks are staged, delivered, and terminated within a matter of hours, or even minutes, having harvested user credentials and other sensitive information. Countering these threats requires an innovative approach to attack detection that leverages advanced techniques and... --------------------------------------------- https://www.helpnetsecurity.com/2016/02/29/the-rise-of-polymorphic-malware/ *** ATMZombie: banking trojan in Israeli waters *** --------------------------------------------- On November 2015, Kaspersky Lab researchers identified ATMZombie, a banking Trojan that is considered to be the first malware to ever steal money from Israeli banks. The incident Israeli banks experienced had a very fascinating and innovative method of stealing the money. --------------------------------------------- http://securelist.com/blog/research/73866/atmzombie-banking-trojan-in-israe… *** Increasing the resilience of Europe's telecommunication infrastructures through Incident Reporting *** --------------------------------------------- A recent ENISA report analyses how mandatory incident reporting schemes have improved resilience and security in the EU telecoms sector. Experiences from this scheme can also serve as a model for the implementation of the forthcoming NIS Directive in other sectors. --------------------------------------------- https://www.enisa.europa.eu/media/press-releases/increasing-the-resilience-… *** Security: 85 Prozent der SSL-VPNs haben unsichere Konfigurationen *** --------------------------------------------- Zahlreiche SSL-VPNs sichern den Traffic der Nutzer nur unzureichend ab - das behauptet eine Sicherheitsfirma. Viele Anbieter würden nach wie vor SHA-1 oder MD5 verwenden. Außerdem seien rund 10 Prozent der Dienste für Heartbleed anfällig. --------------------------------------------- http://www.golem.de/news/security-85-prozent-der-ssl-vpns-haben-unsichere-k… *** Klickbetrug: Trojaner-Familie infiltriert immer wieder Google Play *** --------------------------------------------- Android-Nutzer müssen sich derzeit vor kostenlosen Apps in Acht nehmen, die sich als beliebte Spiele ausgeben. Dahinter verbergen sich Klickbetrugs-Apps, mit denen Gauner Kasse machen. --------------------------------------------- http://heise.de/-3120091 *** Cyber-Attack Against Ukrainian Critical Infrastructure *** --------------------------------------------- On December 23, 2015, Ukrainian power companies experienced unscheduled power outages impacting a large number of customers in Ukraine. This report provides an account of the events that took place based on interviews with company personnel. --------------------------------------------- https://ics-cert.us-cert.gov/alerts/IR-ALERT-H-16-056-01 *** OpenSSL CVE-2016-0799: heap corruption via BIO_printf *** --------------------------------------------- There are a couple of issues with OpenSSL's BIO_*printf() functions, defined in crypto/bio/b_print.c, that are set to be fixed in the forthcoming security release. The function that is primarily responsible for interpreting the format string and transforming this string and the functions arguments to a string is _dopr(). --------------------------------------------- https://guidovranken.wordpress.com/2016/02/27/openssl-cve-2016-0799-heap-co… *** VU#419128: IKE/IKEv2 protocol implementations may allow network amplification attacks *** --------------------------------------------- Vulnerability Note VU#419128 IKE/IKEv2 protocol implementations may allow network amplification attacks Original Release date: 29 Feb 2016 | Last revised: 29 Feb 2016 Overview Implementations of the IKEv2 protocol are vulnerable to network amplification attacks. Description CWE-406: Insufficient Control of Network Message Volume (Network Amplification)IKE/IKEv2 and other UDP-based protocols can be used to amplify denial-of-service attacks. In some scenarios, an amplification of up to 900%... --------------------------------------------- http://www.kb.cert.org/vuls/id/419128 *** F5 Security Advisory: libpng out-of-bounds read vulnerability CVE-2015-7981 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/21/sol21057235.html?… *** APPLE-SA-2016-02-25-1 Apple TV 7.2.1 *** --------------------------------------------- APPLE-SA-2016-02-25-1 Apple TV 7.2.1Apple TV 7.2.1 is now available and addresses the following:bootpAvailable for: Apple TV (3rd Generation)Impact: A malicious Wi-Fi network may be able to determine networksa device has previously accessedDescription: Upon connecting to a Wi-Fi network, iOS may havebroadcast MAC addresses of previously accessed networks via the DNAv4protocol. This issue was addressed through disabling DNAv4 onunencrypted Wi-Fi networks.CVE-IDCVE-2015-3778 : Piers... --------------------------------------------- http://prod.lists.apple.com/archives/security-announce/2016/Feb/msg00000.ht… *** Access Governance Suite 6.0-6.4 *** --------------------------------------------- Abstract: README for HTML Fragment Privilege Escalation Vulnerability E-Fix E-Fix Deliverable: AGS-SV-eFix022416.zipDocument ID: 5236850Security Alert: YesDistribution Type: PublicEntitlement Required: NoFiles:AGS-SV-eFix022416.zip (3.83 kB)AGS-SV-eFix022416-CHECKSUM.txt (99 bytes)Products:Access Governance 6.4Access Governance 6.1Access Governance 6.2Access Governance 6.3Superceded Patches: None --------------------------------------------- https://download.novell.com/Download?buildid=Tft9udlb11s~ *** D-Link / Netgear FIRMADYNE Command Injection / Buffer Overflow *** --------------------------------------------- Topic: D-Link / Netgear FIRMADYNE Command Injection / Buffer Overflow Risk: High Text:Hello, We’d like to report several vulnerabilities in embedded devices developed by D-Link and Netgear, which were discove... --------------------------------------------- https://cxsecurity.com/issue/WLB-2016020224 *** Bugtraq: [security bulletin] HPSBGN03549 rev.1 - HP IceWall Products using glibc, Remote Denial of Service (DoS), Arbitrary Code Execution *** --------------------------------------------- http://www.securityfocus.com/archive/1/537637 *** Cisco Videoscape Distribution Suite for Internet Streaming TCP Session Handling Denial of Service Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Citrix Security Advisory for glibc Vulnerability CVE-2015-7547 *** --------------------------------------------- A vulnerability has been recently disclosed in the glibc getaddrinfo() function. This issue could potentially allow an attacker to inject code into a process that calls the vulnerable function. The issue has been assigned the following CVE identifier:... --------------------------------------------- https://support.citrix.com/article/CTX206991 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Vulnerability in IBM Java Runtime affects IBM WebSphere MQ Internet Pass-Thru (CVE-2015-7575) *** 2016-02-26T13:23:47-05:00 http://www.ibm.com/support/docview.wss?uid=swg21977517 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in IBM Java SDK affects Rational Functional Tester (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21976947 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM InfoSphere BigInsights (Applicable CVEs: CVE-2015-7575, CVE-2016-0448, CVE-2016-0466, CVE-2016-0475) *** http://www.ibm.com/support/docview.wss?uid=swg21976080 --------------------------------------------- *** IBM Security Bulletin: IBM Maximo Asset Management is vulnerable to cross-site scripting, caused by improper validation of user-supplied input (CVE-2016-0262) *** http://www.ibm.com/support/docview.wss?uid=swg21977828 --------------------------------------------- *** IBM Security Bulletin: Current releases of the IBM SDK, Java Technology Edition are affected by CVE-2016-0603 *** http://www.ibm.com/support/docview.wss?uid=swg21977549 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in Apache Cordova affects IBM MobileFirst Platform Foundation (CVE-2015-8320) *** http://www.ibm.com/support/docview.wss?uid=swg2C1000091 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect WebSphere DataPower XC10 Appliance (CVE-2016-0475, CVE-2015-7575, CVE-2016-0448) *** http://www.ibm.com/support/docview.wss?uid=swg21976366 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect WebSphere eXtreme Scale (CVE-2016-0475, CVE-2015-7575, CVE-2016-0448) *** http://www.ibm.com/support/docview.wss?uid=swg21976442 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in IBM Java Runtime Version 6 affects IBM Cognos Business Viewpoint (CVE-2015-7575 ) *** http://www.ibm.com/support/docview.wss?uid=swg21977407 --------------------------------------------- *** IBM Security Bulletin: IBM Maximo Asset Management could allow an authenticated user to view work logs during purchase orders that they should not have access to (CVE-2016-0222) *** http://www.ibm.com/support/docview.wss?uid=swg21976949 --------------------------------------------- *** Security Bulletin: Vulnerabilities in OpenSSL affect IBM BladeCenter Switches (CVE-2015-3194, CVE-2015-3195) *** http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5099199 --------------------------------------------- *** IBM Security Bulletin: Insecure Transmission Vulnerability with IBM InfoSphere Information Server (CVE-2015-7490) *** http://www.ibm.com/support/docview.wss?uid=swg21975827 --------------------------------------------- *** IBM Security Bulletin: libpng related security vulnerabilities identified in IBM Expeditor (CVE-2015-7981, CVE-2015-8126, CVE-2015-8540, CVE-2015-8472) *** http://www.ibm.com/support/docview.wss?uid=swg21975904 --------------------------------------------- *** IBM Security Bulletin: Sensitive data lingers in memory on the WebSphere DataPower XC10 Appliance *** http://www.ibm.com/support/docview.wss?uid=swg21971658 --------------------------------------------- *** IBM Security Bulletin: Sensitive data lingers in memory on the WebSphere eXtreme Scale server *** http://www.ibm.com/support/docview.wss?uid=swg21971657 --------------------------------------------- *** IBM Security Bulletin: IBM PowerVC is impacted by OpenStack Glance denial of service vulnerability (CVE-2015-5286) *** http://www.ibm.com/support/docview.wss?uid=nas8N1021122 --------------------------------------------- *** IBM Security Bulletin: IBM PowerVC is impacted by OpenStack Glance security vulnerability (CVE-2015-5251) *** http://www.ibm.com/support/docview.wss?uid=nas8N1021121 --------------------------------------------- *** IBM Security Bulletin: IBM PowerVC is impacted by OpenStack Nova denial of service vulnerability (CVE-2015-3280) *** http://www.ibm.com/support/docview.wss?uid=nas8N1021120 ---------------------------------------------

1 0

Tageszusammenfassung - Freitag 26-02-2016
by Daily end-of-shift report 26 Feb '16

26 Feb '16

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 25-02-2016 18:00 − Freitag 26-02-2016 18:00 Handler: Robert Waldner Co-Handler: n/a *** VU#444472: QNAP Signage Station and iArtist Lite contain multiple vulnerabilities *** --------------------------------------------- CVE-2015-6022An authenticated attacker without administrative permissions may upload a malicious file, such as a PHP script, --------------------------------------------- http://www.kb.cert.org/vuls/id/444472 *** DSA-3492 gajim - security update *** --------------------------------------------- Daniel Gultsch discovered a vulnerability in Gajim, an XMPP/jabberclient. Gajim didnt verify the origin of roster update, allowing anattacker to spoof them and potentially allowing her to intercept messages. --------------------------------------------- https://www.debian.org/security/2016/dsa-3492 *** Open Web Analytics 1.5.7 Cross Site Scripting *** --------------------------------------------- Open Web Analytics suffers from a Cross-Site Scripting vulnerability in the owa_site_id parameter because it fails to sanitize input before rendering the content to the user. The vulnerability can be triggered by hitting the ALT+SHIFT+X key after the payload is injected. --------------------------------------------- https://cxsecurity.com/issue/WLB-2016020217 *** Bugtraq: Zimbra Cross-Site Scripting vulnerabilities *** --------------------------------------------- Recently Zimbra Collaboration 8.6 Patch 5 was released. It fixed two Cross-Site Scripting vulnerabilities discovered by Fortinet's FortiGuard Labs. --------------------------------------------- http://www.securityfocus.com/archive/1/537627 *** Sicherheitsupdate für ältere Apple-TV-Geräte *** --------------------------------------------- Apple hat am Donnerstagabend das Betriebssystem älterer Multimediaboxen aktualisiert. Das Update bringt zahlreiche Security-Fixes. --------------------------------------------- http://heise.de/-3118206 *** Quick Audit of *NIX Systems, (Fri, Feb 26th) *** --------------------------------------------- If you think that only computers running Microsoft Windows are targeted by attackers, youre wrong! UNIX (used here as a generic term, not focusing on a specific distribution or brand) is a key operating system on the Internet. Many websites and other public services are relying on it (Netcraftis compiling interesting stats on this topic). Therefore it is mandatory to keep an eye on your servers by using proactive and reactive controls. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20771&rss *** Apache Xerces-C Buffer Overflow Lets Remote Users Deny Service or Potentially Execute Arbitrary Code *** --------------------------------------------- A vulnerability was reported in Apache Xerces-C. A remote user can execute arbitrary code on the target system. A remote user can send specially crafted documents to trigger a buffer overflow in the XML parser library and cause the target application to crash or potentially execute arbitrary code on the target system. --------------------------------------------- http://www.securitytracker.com/id/1035113 *** Krypto-Trojaner Locky: Batch-Dateien infizieren Windows, Tool verspricht Schutz *** --------------------------------------------- Batch-Dateien sind der neueste Schrei, wenn es darum geht, den Krypto-Trojaner Locky am Virenscanner vorbei zu schleusen - und der Plan geht auf. Auf der Suche nach Schutzmaßnahmen haben wir ein Tool ausprobiert, das Locky und Co. stoppen soll. --------------------------------------------- http://heise.de/-3118188 *** Infor CRM 8.2.0.1136 Multiple HTML Script Injection Vulnerabilities *** --------------------------------------------- Infor CRM suffers from multiple stored cross-site scripting vulnerabilities. Input passed to several POST/PUT parameters in JSON format is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. --------------------------------------------- https://cxsecurity.com/issue/WLB-2016020219 *** Serialization Must Die: Act 2: XStream (Jenkins CVE-2016-0792) *** --------------------------------------------- The following new pre-authentication exploit against Jenkins (CVE-2016-0792) works because Groovy is on the classpath. There are probably a million other apps that use XStream and have Groovy on the classpath. I put almost no effort into trying to find this vulnerable pattern in other open source applications -- this Jenkins CVE is just one of many. --------------------------------------------- https://www.contrastsecurity.com/security-influencers/serialization-must-di… *** IKE/IKEv2: Ripe for DDoS Abuse *** --------------------------------------------- This is my latest research into preemptive DDoS trends. This time I looked into IKEv2 and what potential it has in regards to DDoS abuse use cases and amplification measurements. The short answer is, it could be easily weaponized for DDoS campaigns. --------------------------------------------- https://www.reddit.com/r/netsec/comments/47l3zv/ikeikev2_ripe_for_ddos_abus… *** IBM Security Bulletins*** --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Spectrum Control (formerly Tivoli Storage Productivity Center) CVE-2015-3193, CVE-2015-3194, CVE-2015-3195, CVE-2015-3196, CVE-2015-1794 *** http://www.ibm.com/support/docview.wss?uid=swg21977355 --------------------------------------------- *** IBM Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime affects IBM Control Center (CVE-2015-4872, CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21977686 --------------------------------------------- *** IBM Security Bulletin: IBM PowerVC is impacted by OpenStack Glance information disclosure vulnerability (CVE-2015-5163) *** http://www.ibm.com/support/docview.wss?uid=nas8N1021118 --------------------------------------------- *** Security Bulletin: Vulnerabilities in glibc affect IBM Integrated Management Module II (IMM2) for System x, BladeCenter and Flex Systems (CVE-2015-1472, CVE-2013-7423, CVE-2014-7817, CVE-2014-9402) *** http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5099198 --------------------------------------------- *** IBM Security Bulletin: GNU C library (glibc) vulnerability affects IBM QRadar SIEM and Incident Forensics (CVE-2015-7547) *** http://www.ibm.com/support/docview.wss?uid=swg21977665 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in IBM SDK Java Technology Edition affects IBM Development Package for Apache Spark (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21977538 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in IBM Java SDK affects IBM B2B Advanced Communications (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21976813 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in IBM Java SDK affects IBM QRadar SIEM and Incident Forensics. (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21977664 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in IBM Java Runtime affect Watson Explorer, Watson Content Analytics, and OmniFind Enterprise Edition (CVE-2015-7575, CVE-2015-4872) *** http://www.ibm.com/support/docview.wss?uid=swg21976276 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects IBM Control Center (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21977575 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Initiate Master Data Service (CVE-2015-4872, CVE-2016-0466, CVE-2015-7575, CVE-2016-0448) *** http://www.ibm.com/support/docview.wss?uid=swg21976545 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security AppScan Enterprise (CVE-2016-0466, CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21976553 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in IBM Java Runtime affect Rational Policy Tester (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21976733 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in IBM Java SDK affect IBM Spectrum Scale RAID/IBM GPFS Native RAID (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1005673 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in IBM Java SDK affect IBM Spectrum Scale RAID/IBM GPFS Native RAID (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=isg3T1023364 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Tivoli Endpoint Manager for Remote Control. *** http://www.ibm.com/support/docview.wss?uid=swg21976855 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Business Developer (CVE-2015-7575, CVE-2016-0466) *** http://www.ibm.com/support/docview.wss?uid=swg21976768 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Developer for i, Rational Developer for AIX and Linux, Rational Developer for Power Systems Software *** http://www.ibm.com/support/docview.wss?uid=swg21976840 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect WebSphere Cast Iron (CVE-2015-7575, CVE-2016-0448) *** http://www.ibm.com/support/docview.wss?uid=swg21977301 --------------------------------------------- *** IBM Security Bulletin: A security vulnerability has been identified in IBM Business Process Manager and IBM HTTP Server shipped with IBM Cloud Orchestrator (CVE-2015-1932, CVE-2015-4938) *** http://www.ibm.com/support/docview.wss?uid=swg2C1000043 ---------------------------------------------

1 0

Tageszusammenfassung - Donnerstag 25-02-2016
by Daily end-of-shift report 25 Feb '16

25 Feb '16

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 24-02-2016 18:00 − Donnerstag 25-02-2016 18:00 Handler: Robert Waldner Co-Handler: n/a *** Neue Virenwelle: Krypto-Trojaner Locky tarnt sich als Fax *** --------------------------------------------- Der gefährliche Erpressungs-Trojaner wird seit kurzem über Mails verbreitet, die vorgeben, dass der Empfänger ein Fax erhalten hat. Die Virenscanner können mit der aktuellen Locky-Fassung noch nicht viel anfangen. --------------------------------------------- http://heise.de/-3117249 *** Eavesdropping by the Foscam Security Camera *** --------------------------------------------- Brian Krebs has a really weird story about the build-in eavesdropping by the Chinese-made Foscam security camera: Imagine buying an internet-enabled surveillance camera, network attached storage device, or home automation gizmo, only to find that it secretly and constantly phones home to a vast peer-to-peer (P2P) network run by the Chinese manufacturer of the hardware. --------------------------------------------- https://www.schneier.com/blog/archives/2016/02/eavesdropping_b_1.html *** Behind the Malware - Botnet Analysis *** --------------------------------------------- While analyzing our website firewall logs we discovered an old vulnerability in the RevSlider plugin being retargeted. RevSlider, the plugin whose vulnerability led to massive website compromises in 2015, was being leveraged again in an attempt to infect websites over a year since its initial disclosure. The original hack required sending an AJAX request containing the action revslider_ajax_action to ... --------------------------------------------- https://blog.sucuri.net/2016/02/behind-the-malware-botnet-analysis.html *** Cisco FirePOWER Management Center Unauthenticated Information Disclosure Vulnerability *** --------------------------------------------- A vulnerability in the Cisco FirePOWER Management Center could allow an unauthenticated, remote attacker to obtain information about the Cisco FirePOWER Management Center software version from the device login page. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Drupal Core - Critical - Multiple Vulnerabilities - SA-CORE-2016-001 *** --------------------------------------------- Advisory ID: SA-CORE-2016-001 Project: Drupal core Version: 6.x, 7.x, 8.x Date: 2016-February-24 Security risk: 15/25 ( Critical) AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All Vulnerability: Multiple vulnerabilities --------------------------------------------- https://www.drupal.org/SA-CORE-2016-001 *** OpenSSL kündigt Patches für Sicherheitslücken an *** --------------------------------------------- Administratoren, auf dessen Servern die beliebte Kryptobibliothek für SSL/TLS-Verbindungen zum Einsatz kommt, müssen am Dienstag wieder mal patchen. --------------------------------------------- http://heise.de/-3117855 *** Critical Vulnerabilities in Palo Alto Networks PAN-OS , (Thu, Feb 25th) *** --------------------------------------------- Yesterday, Palo Alto Networks released an update to PAN-OS, which addresses five different vulnerabilities [1]. The security researcher who identified the vulnerabilities will publish details about these issues at a conference on March 16th. You MUST patch affected systems before that date. Two of the vulnerabilities appear to be in particular dangerous, and affected devices should be patched immediately. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20767&rss *** Malicious websites exploit Silverlight bug that can pwn Macs and Windows *** --------------------------------------------- Malicious websites are exploiting a recently fixed vulnerability in Microsoft's Silverlight application framework to perform drive-by malware attacks on vulnerable visitor devices, a security researcher has determined. The critical code-execution vulnerability, which Microsoft patched last month, was actively exploited for two years in attack code owned by Italy-based exploit broker Hacking Team. --------------------------------------------- http://arstechnica.com/security/2016/02/malicious-websites-exploit-silverli…

1 0

Tageszusammenfassung - Mittwoch 24-02-2016
by Daily end-of-shift report 24 Feb '16

24 Feb '16

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 23-02-2016 18:00 − Mittwoch 24-02-2016 18:00 Handler: Robert Waldner Co-Handler: n/a *** Zahlreiche Hersteller patchen dramatische glibc-Lücke *** --------------------------------------------- Linux ist fast überall und dementsprechend verbreitet ist auch die glibc, die in älteren Versionen angreifbar ist. Sicherheits-Updates gibt es unter anderem von Zyxel, VMware und Citrix, andere geben Entwarnung. --------------------------------------------- http://heise.de/-3115787 *** OpenCms 9.5.2 Cross Site Scripting *** --------------------------------------------- Topic: OpenCms 9.5.2 Cross Site Scripting Risk: Low Text: Advisory ID: SYSS-2015-063 Product: OpenCms Official Maintainer: Alkacon Software GmbH Affected Version(s): 9.5.2 Tested ... --------------------------------------------- https://cxsecurity.com/issue/WLB-2016020206 *** DFN-CERT-2016-0326/">Bibliothek libssh: Zwei Schwachstellen ermöglichen u.a. das Umgehen von Sicherheitsvorkehrungen *** --------------------------------------------- Zwei Schwachstellen in der Bibliothek libssh ermöglichen einem entfernten, nicht authentifizierten Angreifer das Durchführen eines Denial-of-Service (DoS)-Angriffs sowie das Umgehen von Sicherheitsvorkehrungen und in der Folge das Ausspähen von Informationen. --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-0326/ *** Squid: Multiple Denial of Service issues in HTTP Response processing. *** --------------------------------------------- Due to incorrect bounds checking Squid is vulnerable to a denial of service attack when processing HTTP responses. --------------------------------------------- http://www.squid-cache.org/Advisories/SQUID-2016_2.txt *** Exploiting a Kernel Paged Pool Buffer Overflow in Avast Virtualization Driver *** --------------------------------------------- Version(s): 11.1.2245; possibly earlier versions Description: A vulnerability was reported in avast!. A local user can gain system privileges on the target system. Avast Internet Security, Avast Pro Antivirus, Avast Premier, and Avast Free Antivirus are affected. Solution: The vendor has issued a fix (11.1.2253). --------------------------------------------- http://www.securitytracker.com/id/1035093 *** Drupal 6 hits the end of the line *** --------------------------------------------- If you have a Drupal 6 website then you wont be receiving any more official security advisories or patches; from today your site is vulnerable to any new security issues discovered in Drupal 6 core or its modules, forever. --------------------------------------------- https://nakedsecurity.sophos.com/2016/02/24/drupal-6-hits-the-end-of-the-li… *** Admins aufgepasst: Krypto-Trojaner befällt hunderte Webserver *** --------------------------------------------- Der Erpressungs-Trojaner CTB-Locker hat es dieses Mal nicht auf Windows-Nutzer, sondern auf Webserver abgesehen. Er hat bereits Dateien hunderter Websites verschlüsselt, ein Ende ist derzeit nicht absehbar. --------------------------------------------- http://heise.de/-3116470 *** F5: sol13304944: NTP vulnerability CVE-2015-7974 *** --------------------------------------------- NTP 4.x before 4.2.8p6 and 4.3.x before 4.3.90 do not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a "skeleton key." (CVE-2015-7974) --------------------------------------------- https://support.f5.com/kb/en-us/solutions/public/k/13/sol13304944.html *** Analyzis of a Malicious .lnk File with an Embedded Payload, (Wed, Feb 24th) *** --------------------------------------------- We received some feedback today from Nick, aSANS ISC reader who detected an interesting phishing campaign based on an ACE file. I also detected the same kind of fileearlier this morning. ACE is an old compression algorithm developed by a German company called e-merge. This file format was popular around the year2000. Today it almost disappeared and was replaced by more popularformatsbut ACE files can still be handled by popular tools like WinRAR or WinZIP. The fact that the format is quite old --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20763&rss *** Attackers Can Turn Microsofts Exploit Defense Tool EMET Against Itself *** --------------------------------------------- itwbennett writes: FireEye researchers have found a way for exploits to trigger a specific function in EMET that disables all protections it enforces for other applications. The researchers believe that their new technique, which essentially uses EMET against itself, is more reliable and easier to use than any previously published bypasses. It works against all supported versions of EMET - 5.0, 5.1 and 5.2 - but Microsoft patched the issue in EMET 5.5, which was released on Feb. 2. --------------------------------------------- http://rss.slashdot.org/~r/Slashdot/slashdot/~3/rwo8Nq2dFiw/attackers-can-t… *** Ransomware: Locky kommt jetzt auch über Jscript *** --------------------------------------------- Eine Spam-Kampagne verteilt die Locky-Ransomware jetzt auch über Jscript-Anhänge in E-Mails - die angeblich von einem Wursthersteller kommen. (Trojaner, Virus) --------------------------------------------- http://www.golem.de/news/ransomware-locky-kommt-jetzt-auch-ueber-javascript… *** Mousejacking: What you need to know *** --------------------------------------------- Got a wireless mouse or keyboards that uses a USB dongle? Seems that many of them can be fed fake clicks and keystrokes from a distance... --------------------------------------------- https://nakedsecurity.sophos.com/2016/02/24/mousejacking-what-you-need-to-k… *** Cisco ACE 4710 Application Control Engine Command Injection Vulnerability *** --------------------------------------------- A vulnerability in the Device Manager GUI of the Cisco ACE 4710 Application Control Engine could allow an authenticated, remote attacker to execute any command-line interface (CLI) command on the ACE with admin user privileges. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cleaners ought to be clean (and clear) *** --------------------------------------------- There are many programs that purport to clean up and optimize system performance. While Microsoft does not endorse the use of these tools with Windows, we do not view them as unwanted or malicious. Many programs in this category have a practice of providing a free version of their software that scans your system, ... --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2016/02/24/cleaners-ought-to-be-cl… *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in the IBM SDK for Node.js affect the Cordova tools in Rational Application Developer affecting Rational Developer for i and Rational Developer for AIX and Linux (CVE-2016-2086, CVE-2016-2216, *** http://www.ibm.com/support/docview.wss?uid=swg21977146 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect the Cordova tools in Rational Application Developer affecting Rational Developer for i and Rational Developer for AIX and Linux (CVE-2016-0701, CVE-2015-3197) *** http://www.ibm.com/support/docview.wss?uid=swg21977144 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in IBM Java SDK affects IBM Explorer for z/OS 3.0 (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21976483 --------------------------------------------- *** IBM Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM Business Process Manager and WebSphere Lombardi Edition (CVE-2016-0483, CVE-2016-0475, CVE-2016-0466, CVE-2015-7575, *** http://www.ibm.com/support/docview.wss?uid=swg21977021 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK Version 8 Service Refresh 2 that affect IBM BigFix Compliance Analytics. *** http://www.ibm.com/support/docview.wss?uid=swg21976854 --------------------------------------------- *** IBM Security Bulletin: Java specific SLOTH - Weak MD5 Signature Hash *** http://www.ibm.com/support/docview.wss?uid=swg21975823 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in IBM Java Runtime shipped with WebSphere Partner Gateway Advanced/Enterprise editions (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21976925 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Method Composer (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21975877 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in IBM Java SDK affects Rational Developer for System z (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21976476 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java affect IBM SPSS Modeler (CVE-2016-0466, CVE-2015-7575, CVE-2016-0475) *** http://www.ibm.com/support/docview.wss?uid=swg21977518 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in IBM Java Runtime affects IBM WebSphere MQ (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21977523 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Runtime Environments Java Technology Edition, Versions 6, 7, 8 affect IBM Transformation Extender Hypervisor Edition for AIX (CVE-2016-0466, CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21977061 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Runtime Environments Java Technology Edition, Versions 6, 7, 8 affect IBM Transformation Extender Hypervisor Edition (CVE-2016-0466, CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21976970 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect FileNet Content Manager, IBM Content Foundation and FileNet BPM (CVE-2015-7575, CVE-2016-0475, CVE-2016-0466) *** http://www.ibm.com/support/docview.wss?uid=swg21975820 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Tivoli Netcool/OMNIbus (Multiple CVEs) *** http://www.ibm.com/support/docview.wss?uid=swg21976845 --------------------------------------------- *** IBM Security Bulletin: Fixes available for Security Vulnerabilities in IBM WebSphere Portal *** http://www.ibm.com/support/docview.wss?uid=swg21976358 ---------------------------------------------

1 0

Tageszusammenfassung - Dienstag 23-02-2016
by Daily end-of-shift report 23 Feb '16

23 Feb '16

======================= = End-of-Shift report = ======================= Timeframe: Montag 22-02-2016 18:00 − Dienstag 23-02-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** CVE-2016-0034 (Silverlight up to 5.1.41105.0) and Exploit Kits *** --------------------------------------------- http://malware.dontneedcoffee.com/2016/02/cve-2016-0034.html *** Incident Handling with Docker Containers *** --------------------------------------------- Honestly, I never really played with Docker but - For a few weeks, I succumbed to the temptation of playing with Docker thanks to a friend who's putting everything in docker containers. If you still don't know Docker, here is a very brief .. --------------------------------------------- https://blog.rootshell.be/2016/02/22/incident-handling-docker-to-the-rescue/ *** Is DNSSEC causing more problems than it solves? *** --------------------------------------------- New paper points to security protocol as vector for DDoS attacks The complex security protocol for the domain name system - DNSSEC - has another black mark against it: it is being used as a way to carry out denial-of-service (DDoS) .. --------------------------------------------- www.theregister.co.uk/2016/02/23/dnssec_more_problem_than_solution/ *** Ecommerce fraud surges 163% *** --------------------------------------------- The worst fears of online retailers has been confirmed with data just released today: in 2015, the number of attacks by fraudsters was up 163 percent - growing two and a half times in a mere three-quartered period. This data is part of the newly .. --------------------------------------------- https://www.helpnetsecurity.com/2016/02/23/ecommerce-fraud-surges-163/ *** Betrüger stahlen Grazer Unternehmen online 147.000 Euro *** --------------------------------------------- Unbekannte brachen in das Firmennetz ein und überwiesen den Betrag auf ein polnisches Konto. Das Geld ist verloren. --------------------------------------------- http://futurezone.at/b2b/betrueger-stahlen-grazer-unternehmen-online-147-00… *** 90% of SSL VPNs use insecure or outdated encryption, putting your data at risk *** --------------------------------------------- Have you ever thought how secure and reliable your SSL VPN? Probably you should. --------------------------------------------- https://www.htbridge.com/blog/90-percent-of-ssl-vpns-use-insecure-or-outdat… *** Mobile malware evolution 2015 *** --------------------------------------------- As the functionality of mobile devices and mobile services grows, the appetite of cybercriminals who profit from mobile malware will grow too. Malware authors will continue to improve their creations, develop new technologies and look for new ways of spreading mobile malware. Their main aim is to make money. --------------------------------------------- http://securelist.com/analysis/kaspersky-security-bulletin/73839/mobile-mal… *** Hackers arent so interested in your credit card data these days. Thats bad news *** --------------------------------------------- World governments now primary sources of breaches Healthcare and government have overtaken the retail sector as most-targeted for data breaches, according to security firm .. --------------------------------------------- www.theregister.co.uk/2016/02/23/breach_trends_gemalto/ *** Sicherheitsforscher: Gefahr durch Android-Banking-Trojaner größer denn je *** --------------------------------------------- Kaspersky sieht in einem Android-Trojaner "eine der größten Gefahren, die wir derzeit kennen“, während Sicherheitsexperten von IBM davon berichten, dass der Quellcode eines bekannten Trojaners veröffentlicht wurde. Ein Tutorial läd zum Ausprobieren ein --------------------------------------------- http://heise.de/-3115424 *** Two Charts That Demonstrate One Of Android's Big Security Problems *** --------------------------------------------- Applying the most recent security updates to your device's operating system is a best practice security fundamental. If you're not running the latest version of an OS, you're opening .. --------------------------------------------- https://labsblog.f-secure.com/2016/02/23/two-charts-that-demonstrate-one-of… *** Flaws in Wireless Mice and Keyboards Let Hackers Type on Your PC *** --------------------------------------------- Security researchers "mousejacking" attack exploits vulnerable wireless devices to type on a target PC from a hundred yards away. --------------------------------------------- http://www.wired.com/2016/02/flaws-in-wireless-mice-and-keyboards-let-hacke… *** Cisco Nexus 2000 Series Fabric Extender Software Default Credential Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** PowerPoint and Custom Actions *** --------------------------------------------- We've recently observed a Phishing attack which uses PowerPoint Custom Actions instead of macros to execute a malicious payload. Although using PowerPoint attachments is not new, these types of attacks are interesting as they generally bypass controls that assert on macro enabled Office attachments. --------------------------------------------- http://phishme.com/powerpoint-and-custom-actions/ *** TYPO3 CMS 6.2.19 and 7.6.4 released *** --------------------------------------------- https://typo3.org/news/article/typo3-cms-6219-and-764-released/

1 0

Tageszusammenfassung - Montag 22-02-2016
by Daily end-of-shift report 22 Feb '16

22 Feb '16

======================= = End-of-Shift report = ======================= Timeframe: Freitag 19-02-2016 18:00 − Montag 22-02-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** glibc: Neue Version repariert dramatische Lücke in Linux-Netzwerkfunktionen *** --------------------------------------------- Den kritische Fehler, den Angreifer zur Übernahme von Linux-Systemen nutzen konnten, hat das glibc-Team mit Version 2.23 offenbar behoben. Die anderen Änderungen wie Unicode-8-Support stehen im Schatten des Bugfix. --------------------------------------------- http://heise.de/-3112519 *** Joomla Sites Join WordPress As TeslaCrypt Ransomware Target *** --------------------------------------------- Joomla is the newest prey of attackers behind a campaign that has targeted WordPress websites by injecting JavaScript files with malicious code. --------------------------------------------- http://threatpost.com/joomla-sites-join-wordpress-as-teslacrypt-ransomware-… *** PCI DSS 3.2 slated for early 2016 *** --------------------------------------------- PCI DSS version 3.2, scheduled for release in the first half of 2016, likely March or April, will address the current threat landscape as well as "trending attacks causing compromises" detailed in current breach forensics reports. --------------------------------------------- http://www.scmagazine.com/pci-dss-32-slated-for-early-2016/article/478089/ *** Investigating a Compromised Server with Rootcheck *** --------------------------------------------- What do you do if you suspect your server (VPS or dedicated) has been compromised? If you are a customer, you have the option to leverage our team to perform the incident response on your behalf, but what if you want to do an investigation on your own? In this .. --------------------------------------------- https://blog.sucuri.net/2016/02/investigating-a-compromised-server-with-roo… *** Wie Privatleute von Online-Kriminellen zur Geldwäsche missbraucht werden *** --------------------------------------------- Kriminelle Banden nutzen unscheinbare Privatleute zur Geldwäsche. Neuerdings haben sie auch Flüchtlinge im Visier. An die Hintermänner kommt man kaum ran. --------------------------------------------- http://heise.de/-3112859 *** Security: Rätselhafter Anstieg von Tor-Adressen *** --------------------------------------------- Ein ungewöhnlicher Anstieg von .onion-Adressen im Tor-Netzwerk gibt zurzeit Rätsel auf. Grund für den Anstieg könnte eine neue Messaging-App sein - oder Malware. --------------------------------------------- http://www.golem.de/news/security-sprunghafter-anstieg-von-tor-adressen-160… *** Warning - Linux Mint Website Hacked and ISOs replaced with Backdoored Operating System *** --------------------------------------------- Are you also the one who downloaded Linux Mint on February 20th? You may have been Infected! Linux Mint is one of the best and popular Linux distros available today, but if you have downloaded and installed the operating system recently you .. --------------------------------------------- https://thehackernews.com/2016/02/linux-mint-hack.html *** DSA-3479 graphite2 - security update *** --------------------------------------------- Multiple vulnerabilities have been found in the Graphite font renderingengine which might result in denial of service or the execution ofarbitrary code if a malformed font file is processed. --------------------------------------------- https://www.debian.org/security/2016/dsa-3479 *** Synology NAS DSM 5.2 Remote Code Execution (RCE) *** --------------------------------------------- RCE in Synology NAS DSM 5.2 due to lack of input sanitisation. RCE triggered indirectly via port forwarding mechanism in the NAS UI. --------------------------------------------- http://rileykidd.com/2016/01/12/synology-nas-dsm-5-2-remote-code-execution-… *** A Skeleton Key of Unknown Strength *** --------------------------------------------- TL;DR: The glibc DNS bug (CVE-2015-7547) is unusually bad. Even Shellshock and Heartbleed tended to affect things we knew were on the network and knew we had to defend. This affects a universally used library (glibc) at a universally used protocol (DNS). Generic tools that we didn't even know had network surface (sudo) are thus exposed, as is software written in .. --------------------------------------------- http://dankaminsky.com/2016/02/20/skeleton/ *** Sicherheitsforscher: Piraten-App-Store vorübergehend in Apples App Store *** --------------------------------------------- Über mehrere Monate hat eine in Apples offiziellem Software-Laden erhältliche, als Übersetzungs-Tool getarnte iOS-App ihren Nutzern offenbar gecrackte Apps zum Download angeboten. --------------------------------------------- http://heise.de/-3113988 *** Deutschland: "Bundestrojaner" ist einsatzbereit *** --------------------------------------------- Nach monatelangen Vorbereitungen steht den Ermittlernin Deutschland eine eigene Software für Online-Durchsuchungen zur Verfügung. --------------------------------------------- http://futurezone.at/netzpolitik/deutschland-bundestrojaner-ist-einsatzbere… *** Neue Masche: Krypto-Trojaner Locky über Javascript-Dateien verbreitet *** --------------------------------------------- Nachdem der Verschlüsselungs-Trojaner zunächst vor allem über Office-Dateien verbreitet wurde, verschicken die Täter jetzt Skripte. Dadurch ist ein Ludwigsluster Wursthersteller unfreiwillig zur Anlaufstelle der Locky-Opfer geworden. --------------------------------------------- http://heise.de/-3113689

1 0

Tageszusammenfassung - Freitag 19-02-2016
by Daily end-of-shift report 19 Feb '16

19 Feb '16

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 18-02-2016 18:00 − Freitag 19-02-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Maimed Ramnit Still Lurking in the Shadow *** --------------------------------------------- https://www.fireeye.com/blog/threat-research/2016/02/maimed_ramnit_still.ht… *** ZDI-16-172: Google Chrome Pdfium JPEG2000 Out-Of-Bounds Read Remote Code Execution Vulnerability *** --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Google Chrome. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-16-172/ *** Mutliple vulnerabilities in SAP 3D Visual Enterprise Viewer SketchUp document *** --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-16-176/ http://www.zerodayinitiative.com/advisories/ZDI-16-175/ http://www.zerodayinitiative.com/advisories/ZDI-16-174/ http://www.zerodayinitiative.com/advisories/ZDI-16-173/ *** Krypto-Trojaner Locky wütet in Deutschland: Über 5000 Infektionen pro Stunde *** --------------------------------------------- Die neue Ransomware Locky findet hierzulande offenbar massenhaft Opfer, darunter auch ein Fraunhofer-Institut. Inzwischen haben die Täter ihrem Schädling sogar Deutsch beigebracht. --------------------------------------------- http://heise.de/-3111774 *** B+B SmartWorx VESP211 Authentication Bypass Vulnerability *** --------------------------------------------- This advisory contains mitigation details for an authentication bypass vulnerability in B+B SmartWorx's VESP211 serial servers. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-049-01 *** AMX Multiple Products Credential Management Vulnerabilities *** --------------------------------------------- This advisory contains mitigations details for hard-coded passwords in multiple AMX products. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-049-02 *** Privilege Escalation: Schon wieder Sicherheitslücke bei Comodo *** --------------------------------------------- Ein unsicheres Standardpasswort in der Comodo-Internet-Security-Suite ermöglicht es Angreifern, ihre Rechte zu erweitern, um beliebige Programme auszuführen. Auf dem Rechner selbst - aber möglicherweise auch aus der Ferne. --------------------------------------------- http://www.golem.de/news/privilege-escalation-schon-wieder-sicherheitslueck… *** Citrix NetScaler Application Delivery Controller and NetScaler Gateway Multiple Security Updates *** --------------------------------------------- http://support.citrix.com/article/CTX206001

1 0

Tageszusammenfassung - Donnerstag 18-02-2016
by Daily end-of-shift report 18 Feb '16

18 Feb '16

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 17-02-2016 18:00 − Donnerstag 18-02-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** WordPress Sites Leveraged in Layer 7 DDoS Campaigns *** --------------------------------------------- We first disclosed that the WordPress pingback method was being misused to perform massive layer 7 Distributed Denial of Service (DDoS) attacks back on March 2014. The problem, as previously described,was that any WordPress website with the pingback feature enabled (which is on by default) could .. --------------------------------------------- https://blog.sucuri.net/2016/02/wordpress-sites-leveraged-in-ddos-campaigns… *** Angler exploit kit generated by "admedia" gates, (Thu, Feb 18th) *** --------------------------------------------- On 2016-02-01, the Sucuri blog reported a spike in compromised WordPress sites generating hidden iframes with malicious URLs [1]. By 2016-02-02, I started seeing exploit kit (EK) traffic related to this campaign [2]. Sucuri noted that admedia was a common string used in malicious URLs generated by .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20741 *** SimpliSafe home alarms transmit PIN unlock codes in the clear - ideal for lurking burglars *** --------------------------------------------- How to break into hundreds of thousands of homes in America Pics and vid If youve got a SimpliSafe wireless home alarm system, as hundreds of thousands of homes in the US apparently do, then its time to buy a new alarm system because yours is screwed. --------------------------------------------- www.theregister.co.uk/2016/02/17/simplisafe_wireless_home_alarm_system_crac… *** Nodejs - Access bypass - Moderately Critical -- DRUPAL-SA-CONTRIB-2016-007 *** --------------------------------------------- The module doesn't disconnect unauthenticated sockets, allowing those sockets to receive broadcast messages. For sites that only serve authenticated pages, or only allows Node.js connections from authenticated users, the expectation is that only authenticated Drupal users will see broadcast messages. --------------------------------------------- https://www.drupal.org/node/2670636 *** Commerce Authorize.Net SIM/DPM Payment Methods - Access Bypass - DRUPAL-SA-CONTRIB-2016-006 *** --------------------------------------------- The module doesn't sufficiently protect against the premature triggering of order completion without successful payment by the manual entry of a specially-constructed URL which contains the correct payment redirect key. --------------------------------------------- https://www.drupal.org/node/2670632 *** Instagram rolls out two factor authentication *** --------------------------------------------- But SMS still a mess. Hipsters and selfie-lovers will enjoy extra security after Instagram added two-factor authentication to its service. --------------------------------------------- www.theregister.co.uk/2016/02/18/instagram_rolls_out_two_factor_authenticat… *** Funkregulierung: TP-Link muss WLAN-Firmware sperren *** --------------------------------------------- TP-Link sperrt die Firmware aller WLAN-Geräte. Andere Hersteller tun es wohl auch. Damit können User ihre Geräte nicht mehr warten. Das bewirkt die neue Funkregulierung auf beiden Seiten des Atlantik. --------------------------------------------- http://heise.de/-3109847 *** Gerichtlich angeordnete iPhone-Entsperrung: Google-Chef unterstützt Widerstand des Apple-Chefs *** --------------------------------------------- Google-Chef Sundar Pichai meint so wie Apple-Chef Tim Cook, falls sich das FBI durchsetze, dass Apple beim Entsperren eines iPhone zu helfen habe, werde ein riskanter Präzedenzfall geschaffen. --------------------------------------------- http://heise.de/-3109864 *** These were the Top 10 Android Threats in 2015 - Plus, What to Expect in 2016 *** --------------------------------------------- Mobile World Congress is next week and F-Secure is jazzed to be participating again - it promises to be another awesome expo. But while the tech world buzzes about which devices will be unveiled by the top handset makers, leave it to us to interrupt the conversation to remind you about security .. --------------------------------------------- http://safeandsavvy.f-secure.com/2016/02/18/these-were-the-top-10-android-t… *** DSA-3482 libreoffice - security update *** --------------------------------------------- An anonymous contributor working with VeriSign iDefense Labsdiscovered that libreoffice, a full-featured office productivitysuite, did not correctly handle Lotus WordPro files. This would enablean attacker to crash the program, or execute arbitrary code, bysupplying a specially crafted .. --------------------------------------------- https://www.debian.org/security/2016/dsa-3482 *** Ransomware: US-Krankenhaus zahlt 40 Bitcoins Lösegeld *** --------------------------------------------- Bitcoins im Wert von 15.000 Euro blätterte ein Krankenhaus in Los Angeles hin, um seine von einem Erpressungstrojaner verschlüsselten Daten wieder freizukriegen. Das sei der schnellste Weg gewesen, sagte der Krankenhaus-Chef. --------------------------------------------- http://heise.de/-3109956 *** VB2015 paper: Will Android Trojans, Worms or Rootkits Survive in SEAndroid and Containerization? *** --------------------------------------------- Sophos researchers Rowland Yu and William Lee look at whether recent security enhancements to Android, such as SEAndroid and containerization, will be enough to defeat future malware threats. --------------------------------------------- https://www.virusbulletin.com/blog/2016/02/vb2015-paper-will-android-trojan… *** A Letter to the Insiders - Think Twice *** --------------------------------------------- Insider threats come in many forms, from the unwitting to the negligent, and even the downright malicious. For those who may be unwillingly co-opted into cybercrime, either by subterfuge or coercion, we can provide education, technical measures, policies and processes that limit the risk. But what can .. --------------------------------------------- https://blog.team-cymru.org/2016/02/a-letter-to-the-insiders-think-twice/ *** New Ransomware PadCrypt: The first with Live Chat Support *** --------------------------------------------- A new ransomware has been discovered and what sets apart this variant from the rest is its implementation of a chat interface embedded into the product. That link for 'Live Chat' will prompt...read moreThe post New Ransomware PadCrypt: The first with Live Chat Support appeared first on Webroot Threat Blog. --------------------------------------------- http://www.webroot.com/blog/2016/02/18/new-ransomware-padcrypt-first-live-c…

1 0

Tageszusammenfassung - Mittwoch 17-02-2016
by Daily end-of-shift report 17 Feb '16

17 Feb '16

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 16-02-2016 18:00 − Mittwoch 17-02-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Cisco 1000 Series Connected Grid Routers SNMP BRIDGE MIB Denial of Service Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Stuxnet als erster Akt: USA wollten Iran mit Cyberangriff lahmlegen *** --------------------------------------------- Geheimprojekt "Nitro Zeus" hätte Infrastruktur zerstören sollen – außerdem detaillierte Pläne gegen Nuklearanlage .. --------------------------------------------- http://derstandard.at/2000031233923 *** Machine-Learning: Künstliche neuronale Netzwerke erleichtern Passwortcracking *** --------------------------------------------- Ein Machbarkeitsnachweis zeigt, dass künstliche neuronale Netzwerke mit etwas Training benutzt werden können, um Passwörter zu knacken. Selbst bei recht komplexen klappt das erstaunlich gut. --------------------------------------------- http://www.golem.de/news/machine-learning-kuenstliche-neuronale-netzwerke-e… *** Pwning CCTV cameras *** --------------------------------------------- CCTV is ubiquitous in the UK. A recent study estimates there are about 1.85m cameras across the UK - most in private premises. Most of those cameras will be connected to some kind of recording device, which these days means a Digital Video Recorder or DVR. --------------------------------------------- https://www.pentestpartners.com/blog/pwning-cctv-cameras/ *** Gerichtliche Anordnung zum iPhone-Entsperren: Apple-Chef Tim Cook widersetzt sich *** --------------------------------------------- Tim Cook hat sich ungewöhnlicherweise in einem offenen Brief an die Kunden gewandt. Darin begründet er, warum sich das Unternehmen weigert, dem FBI mit einer Hintertür bei Ermittlungen zu helfen. --------------------------------------------- http://heise.de/-3107769 *** Verheerender Fehler gefährdet fast alle Linux-Systeme *** --------------------------------------------- Fehler in der glibc kann zum Einschmuggeln von Code ausgenutzt werden - Update dringend empfohlen --------------------------------------------- http://derstandard.at/2000031281408 *** Linux Fysbis Trojan, a new weapon in the Pawn Storm's arsenal *** --------------------------------------------- Malware researchers at PaloAlto discovered the Fysbis Trojan, a simple and an effective Linux threat used by the Russian cyberspy group Pawn Storm. Do you remember the Pawn Storm hacking crew? Security experts have identified this group of Russian hackers with several names, including .. --------------------------------------------- http://securityaffairs.co/wordpress/44551/hacking/pawn-storm-linux-fysbis-t… *** Mazar: Forscher warnen vor mächtiger Android-Malware *** --------------------------------------------- Verwendet Tor-Netzwerk um Spuren zu verwischen - Kann volle Kontrolle �bernehmen, braucht aber reichlich Mitarbeit der Nutzer --------------------------------------------- http://derstandard.at/2000031296473 *** OceanLotus for OS X - an Application Bundle Pretending to be an Adobe Flash Update *** --------------------------------------------- In May 2015, researchers at Qihoo 360 published a report on OceanLotus that included details about malware targeting Chinese infrastructure. In that report, there is a description about a piece of malware that targets OS X systems. A sample of that malware was uploaded to VirusTotal a few months .. --------------------------------------------- https://www.alienvault.com/open-threat-exchange/blog/oceanlotus-for-os-x-an… *** [HTB23284]: RCE via CSRF in osCommerce *** --------------------------------------------- High-Tech Bridge Security Research Lab discovered vulnerability in popular e-commerce software osCommerce with 280,000 store owners (according to the vendor). The vulnerability can be exploited to execute arbitrary PHP code on the remote system, compromise the vulnerable web application, its database and even the web server and related environment. --------------------------------------------- https://www.htbridge.com/advisory/HTB23284 *** [HTB23291]: SQL Injection in webSPELL *** --------------------------------------------- High-Tech Bridge Security Research Lab discovered two vulnerabilities in a popular CMS webSPELL developed for the needs of esport related communities. The vulnerability allows a remote authenticated attacker with cashbox access privileges to execute arbitrary SQL commands .. --------------------------------------------- https://www.htbridge.com/advisory/HTB23291 *** The Dridex Banking Trojan *** --------------------------------------------- Dridex is a generation of banking trojans, one of the most prominent threats for companies. A banking trojan basically is malicious software (malware) that tries to obtain confidential information from your computer system, targetting specifically online banking and payment systems. The Dridex trojan is equipped to steal all data necessary for fraudulent activities. --------------------------------------------- http://www.techknow.one/forum/index.php?topic=9346

1 0

Tageszusammenfassung - Dienstag 16-02-2016
by Daily end-of-shift report 16 Feb '16

16 Feb '16

======================= = End-of-Shift report = ======================= Timeframe: Montag 15-02-2016 18:00 − Dienstag 16-02-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** More Multi-Architecture IoT Malware, (Mon, Feb 15th) *** --------------------------------------------- Attackers have problems too: Attacks against Internet of Things (IoT) devices are simple (as in log in...), but the attacker never knows what kind of architecture they may hit. IoT devices often go beyond the standard x86 architecture we are used to on our servers and workstations. What I typically see .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20731 *** Password cracking attacks on Bitcoin wallets net $103,000 *** --------------------------------------------- Hackers have siphoned about $103,000 out of Bitcoin accounts that were protected with an alternative security measure, according to research that tracked six years' worth of transactions. Account-holders used easy-to-remember passwords to protect their accounts instead of the long cryptographic keys normally required. --------------------------------------------- http://arstechnica.com/security/2016/02/password-cracking-attacks-on-bitcoi… *** Cisco Emergency Responder Cross-Site Scripting Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco IOS Software for Cisco Industrial Ethernet 2000 Series Switches Denial of Service Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Exploiting (pretty) blind SQL injections, (Mon, Feb 15th) *** --------------------------------------------- Although a lot has been written about SQL injection vulnerabilities, they can still be found relatively often. In most of the cases Ive seen in last couple of years, I had to deal with blind SQL injection vulnerabilities. Typically, .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20733 *** VoIP phones can be turned into spying or money-making tools *** --------------------------------------------- A security vulnerability present in many enterprise-grade VoIP phones can easily be exploited by hackers to spy on employees and management, says security consultant Paul Moore. In a less dangerous attack alternative, these compromised devices can also be made to covertly place calls to premium .. --------------------------------------------- https://www.helpnetsecurity.com/2016/02/16/voip-phones-can-turned-spying-mo… *** Ransomware: Neben deutschen Krankenhäusern auch US-Klinik von Virus lahmgelegt *** --------------------------------------------- Nicht nur in Deutschland kämpfen Krankenhäuser immer wieder gegen Verschlüsselungstrojaner. In Los Angeles ist eine Klinik seit mehr als einer Woche lahmgelegt. Die Programmierer fordern angeblich mehr als 3 Millionen US-Dollar Lösegeld. --------------------------------------------- http://heise.de/-3103733 *** "Fake President": E-Mail-Betrüger erleichtern Konzerne um Millionenbeträge *** --------------------------------------------- Vorstands-Accounts und machen ahnungslose Buchhalter zu ihren Komplizen --------------------------------------------- http://derstandard.at/2000031179980 *** Geldautomaten: Skimming an der Netzwerkbuchse *** --------------------------------------------- Skimming ist ein bekanntes Problem - Kriminelle verwenden nachgebaute Tastaturfelder und Magnetkartenleser, um Kundendaten an Geldautomaten zu kopieren. Jetzt warnt der Hersteller NCR vor neuen Gefahren. --------------------------------------------- http://www.golem.de/news/geldautomaten-skimming-an-der-netzwerkbuchse-1602-… *** USN-2855-2: Samba regression *** --------------------------------------------- Ubuntu Security Notice USN-2855-216th February, 2016samba regressionA security issue affects these releases of Ubuntu and its derivatives: Ubuntu 15.10 Ubuntu 14.04 LTS Ubuntu 12.04 LTSSummaryUSN-2855-1 introduced a regression in .. --------------------------------------------- http://www.ubuntu.com/usn/usn-2855-2/ *** Erpressungs-Trojaner Locky schlägt offenbar koordiniert zu *** --------------------------------------------- Locky lauerte vermutlich bereits eine Weile auf den infizierten Systemen, ehe es am vergangenen Montag zeitgleich bei mehreren Opfern mit der Verschlüsselung persönlicher Dateien begonnen hat. --------------------------------------------- http://heise.de/-3104069 *** Stuxnet angeblich Teil eines größeren Angriffs auf kritische Infrastruktur des Iran *** --------------------------------------------- Dass die USA und Israel hinter Stuxnet steckten, um Irans Atomprogramm zu stören, gilt mittlerweile als gesichert. Ein neuer Dokumentarfilm behauptet nun, dass der Cyber-Wurm Teil eines viel größeren Programms war, das den ganzen Iran lahmlegen sollte. --------------------------------------------- http://heise.de/-3104957 *** TYPO3 CMS 6.2.18 and 7.6.3 released *** --------------------------------------------- Both versions are maintenance releases and contain bug and security fixes. In case the extension compatibility6 is used, please make sure to upgrade to version 7.6.2. --------------------------------------------- https://typo3.org/news/article/typo3-cms-6218-and-763-released/ *** Glibc: Sicherheitslücke gefährdet fast alle Linux-Systeme *** --------------------------------------------- Eine schwerwiegende Sicherheitslücke klafft in der Glibc-Bibliothek, die in fast allen Linux-Systemen genutzt wird: Eine DNS-Funktion erlaubt die Ausführung von bösartigem Code. Nutzer sollten schnellstmöglich Updates installieren. --------------------------------------------- http://www.golem.de/news/glibc-sicherheitsluecke-gefaehrdet-fast-alle-linux… *** CVE-2015-7547 --- glibc getaddrinfo() stack-based buffer overflow *** --------------------------------------------- The glibc project thanks the Google Security Team and Red Hat for reporting the security impact of this issue, and Robert Holiday of Ciena for reporting the related bug 18665. --------------------------------------------- https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html

1 0

Tageszusammenfassung - Montag 15-02-2016
by Daily end-of-shift report 15 Feb '16

15 Feb '16

======================= = End-of-Shift report = ======================= Timeframe: Freitag 12-02-2016 18:00 − Montag 15-02-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** A Look Behind The Skype Malvertising Campaign *** --------------------------------------------- As reported by F-Secure, a recent malvertising campaign has been hitting several top publishers to push the Angler exploit kit and install the TeslaCrypt ransomware, according to the Finnish company. Some of these infections happened via Skype, which displays ad banners within its product. --------------------------------------------- https://blog.malwarebytes.org/malvertising-2/2016/02/a-look-behind-the-skyp… *** Fake SUPEE-5344 Patch Steals Payment Details *** --------------------------------------------- In case you don't know, SUPEE-5344 is an official security patch to the infamous Magento shoplift bug. That bug allows bad actors to obtain admin access to vulnerable Magento sites. While the patch was released February 2015 many sites unfortunately did .. --------------------------------------------- https://blog.sucuri.net/2016/02/fake-supee-5344-patch-steals-payment-detail… *** VMware VMSA-2015-0007.3 has been Re-released, (Sat, Feb 13th) *** --------------------------------------------- VMware has re-issue VMSA-2015-0007.3 today after they found an earlier fix for CVE-2016-2342 was incomplete. Affected ESXi versions are: 5.0, 5.1 and 5.5. Advisory can be .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20727 *** Critical Fixes Issued for Windows, Java, Flash *** --------------------------------------------- Microsoft Windows users and those with Adobe Flash Player or Java installed, its time to update again! Microsoft released 13 updates to address some three dozen unique security vulnerabilities. Adobe issued security updates for its Flash Player software that plugs at least 22 security holes in the widely-used browser plugin. Meanwhile, Oracle issued an unscheduled security fix for Java, its second security update for Java in as many weeks. --------------------------------------------- http://krebsonsecurity.com/2016/02/criticial-fixes-issued-for-windows-java-… *** Verschlüsselungs-Trojaner: mp3-Variante von TeslaCrypt *** --------------------------------------------- Leser gaben der Redaktion Hinweise auf verschlüsselte Dateien mit der Endung .mp3. Die scheint eine neue Variante des Verschlüsselungs-Trojaners TeslaCrypt zu erzeugen. --------------------------------------------- http://heise.de/-3101992 *** DSA-3477 iceweasel - security update *** --------------------------------------------- Holger Fuhrmannek discovered that missing input sanitising in theGraphite font rendering engine could result in the execution of arbitrarycode. --------------------------------------------- https://www.debian.org/security/2016/dsa-3477 *** Nigerianischer Astronaut im All verloren: Spam begeistert Netz *** --------------------------------------------- Nutzer können angeblich ein Investment von drei Millionen Dollar verdoppeln --------------------------------------------- http://derstandard.at/2000031110981 *** IT-Sicherheit: Immer mehr komplexe Angriffe auf Firmen *** --------------------------------------------- Neuer Cybersicherheits-Bericht zeigt erhöhte Gefahrenlage im Internet --------------------------------------------- http://derstandard.at/2000031119634 *** Mazar Bot Actively Targeting Android Devices *** --------------------------------------------- Researchers at Heimdal Security report public attacks against Android devices using the Mazar bot, which was advertised months ago in a Russian cybercrime forum. --------------------------------------------- http://threatpost.com/mazar-bot-actively-targeting-android-devices/116240/ *** Update auf Version 1.17: Veracrypt soll jetzt doppelt so schnell sein *** --------------------------------------------- Veracrypt ist einer der beliebtesten Nachfolger des eingestellten Truecrypt - ein Update bringt jetzt neue Funktionen. Ausserdem soll das Laden von Containern deutlich schneller vonstattengehen - bislang einer der grössten Kritikpunkte .. --------------------------------------------- http://www.golem.de/news/update-auf-version-1-17-veracrypt-soll-jetzt-doppe… *** Virus legte Krankenhaus in Deutschland lahm *** --------------------------------------------- "Befunde mussten persönlich, per Telefon oder Fax übermittelt werden" --------------------------------------------- http://derstandard.at/2000031136914 *** [R1] Nessus < 6.5.5 Multiple Vulnerabilities *** --------------------------------------------- http://www.tenable.com/security/tns-2016-02 *** Reflecting on Recent iOS and Android Security Updates *** --------------------------------------------- The last thirty days proven to be yet another exciting time for the mobile security ecosystem. Apple and Google released updates for their respective mobile operating systems that fix several critical issues - including some in the kernel that may be exploited remotely. --------------------------------------------- https://blog.zimperium.com/reflecting-on-recent-ios-and-android-security-up…

1 0

Tageszusammenfassung - Freitag 12-02-2016
by Daily end-of-shift report 12 Feb '16

12 Feb '16

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 11-02-2016 18:00 − Freitag 12-02-2016 18:00 Handler: Stephan Richter Co-Handler: n/a *** SC Congress: "flakey kettles and dolls that swear at you" *** --------------------------------------------- Ken Munro, managing director of Pen Test Partners, showed the SC Congress just how easy it is to crack a whole range of IoT nonsense --------------------------------------------- http://www.scmagazine.com/sc-congress-flakey-kettles-and-dolls-that-swear-a… *** Determining Physical Location on the Internet *** --------------------------------------------- Interesting research: "CPV: Delay-based Location Verification for the Internet": Abstract: The number of location-aware services over the Internet continues growing. Some of these require the clients geographic location for security-sensitive applications. Examples include location-aware authentication, location-aware access policies, fraud prevention, complying with media licensing, and regulating online gambling/voting. An adversary can evade existing geolocation techniques, e.g.,... --------------------------------------------- https://www.schneier.com/blog/archives/2016/02/determining_phy.html *** New Trojan threatens users' bank accounts *** --------------------------------------------- February 12, 2016 Banking Trojans are considered to be one of the most dangerous threats. Not only they have a complex architecture but they are also capable to perform a wide variety of functions. Yet, some attackers do not disdain to contrive rather primitive malicious programs such as, for example, Trojan.Proxy2.102, which was examined by Doctor Web specialists. Trojan.Proxy2.102 steals money from victims' bank accounts using the following method. Once launched, it installs a root... --------------------------------------------- http://news.drweb.com/show/?i=9840&lng=en&c=9 *** Vermehrte Scans und Workarounds zu Ciscos ASA-Lücke *** --------------------------------------------- Die Angreifer sammeln offenbar bereits aktiv Informationen zu möglicherweise verwundbaren Systemen, während die Verteidiger noch mit den Tücken des Updates kämpfen. --------------------------------------------- http://heise.de/-3100443 *** Download.com and Others Bundle Superfish-Style HTTPS Breaking Adware *** --------------------------------------------- It's a scary time to be a Windows user. Lenovo was bundling HTTPS-hijacking Superfish adware, Comodo ships with an even worse security hole called PrivDog, and dozens of other apps like LavaSoft are doing the same. It's really bad, but if you want your encrypted web sessions to be hijacked just head to CNET Downloads or any freeware site, because they are all bundling HTTPS-breaking adware now. --------------------------------------------- http://www.howtogeek.com/210265/download.com-and-others-bundle-superfish-st… *** How to Avoid Potentially Unwanted Programs *** --------------------------------------------- We've come up with a PUPs cheat sheet that businesses can use to train IT staff and users. A little PUPs awareness, if you will. Read on to learn more about how you get PUPs, Categories: Online SecurityTags: avoidpotentially unwanted programsPUP(Read more...) --------------------------------------------- https://blog.malwarebytes.org/online-security/2016/02/how-to-avoid-potentia… *** How to use the traffic light protocol - TLP *** --------------------------------------------- The TLP or Traffic Light Protocol is a set of designations designed to help sharing of sensitive information. It has been widely adopted in the CSIRT and security community. The originator of the information labels the information with one of four colours. These colours indicate what further dissemination, if any, can be undertaken by the recipient. Note that the colours only mark the level of dissemination, not the sensitivity level (although they often align). --------------------------------------------- https://www.vanimpe.eu/2015/08/21/use-traffic-light-protocol-tlp/ *** D-Link DSL-2750B Remote Command Execution *** --------------------------------------------- Topic: D-Link DSL-2750B Remote Command Execution Risk: High Text:After some playing around Ive noticed something interesting during login phase: by sending wrong credentials, user is redirec... --------------------------------------------- https://cxsecurity.com/issue/WLB-2016020128 *** Sophos UTM 9 Cross Site Scripting *** --------------------------------------------- Topic: Sophos UTM 9 Cross Site Scripting Risk: Low Text: -- Vendor: -- Sophos (https://www.sophos.com) -- Affected Products/Versions: -- Produc... --------------------------------------------- https://cxsecurity.com/issue/WLB-2016020117 *** ASUS Router Administrative Interface Exposure *** --------------------------------------------- Topic: ASUS Router Administrative Interface Exposure Risk: Low Text:Asus wireless routers running ASUSWRT firmware (in other words, anything with an RT- in the model name) have a design flaw in w... --------------------------------------------- https://cxsecurity.com/issue/WLB-2016020116 *** ZCM 11.3.x - Fix for CVE-2015-5970 ZCM ZENworks ChangePassword XPath Injection Information Disclosure Vulnerability - See TID 7017240 *** --------------------------------------------- Abstract: Vulnerability overview: CVE-2015-5970 An XPath injection exists in the ChangePassword RPC method implementation. By combining this with an entity reference to a file on the appliance, an attacker can exfiltrate arbitrary text files from the vulnerable device.This issue has been found and reported by cpnrodzc7 working with HPs Zero Day Initiative (ZDI-CAN-3136). Patch overview: This patch contains the necessary files and installation information to correct the below issue on ZCM 11.3.x --------------------------------------------- https://download.novell.com/Download?buildid=vt0EO0DgaX8~ *** ZCM 11.4.x - Fix for CVE-2015-5970 ZCM ZENworks ChangePassword XPath Injection Information Disclosure Vulnerability - See TID 7017240 *** --------------------------------------------- Abstract: Vulnerability overview: CVE-2015-5970 An XPath injection exists in the ChangePassword RPC method implementation. By combining this with an entity reference to a file on the appliance, an attacker can exfiltrate arbitrary text files from the vulnerable device.This issue has been found and reported by cpnrodzc7 working with HPs Zero Day Initiative (ZDI-CAN-3136). Patch overview: This patch contains the necessary files and installation information to correct the below issue on ZCM 11.4.x --------------------------------------------- https://download.novell.com/Download?buildid=SOM6P0NdZ5U~ *** PostgreSQL Bugs Let Remote Users Deny Service and Let Remote Authenticated Users Gain Elevated Privileges *** --------------------------------------------- http://www.securitytracker.com/id/1035005 *** DFN-CERT-2016-0260: Mozilla Firefox, Firefox ESR: Zwei Schwachstellen ermöglichen u.a. das Umgehen von Sicherheitsvorkehrungen *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-0260/ *** DFN-CERT-2016-0263: Cacti: Mehrere Schwachstellen ermöglichen u.a. das Ausführen beliebigen Programmcodes *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-0263/

1 0

Tageszusammenfassung - Donnerstag 11-02-2016
by Daily end-of-shift report 11 Feb '16

11 Feb '16

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 10-02-2016 18:00 − Donnerstag 11-02-2016 18:00 Handler: Stephan Richter Co-Handler: n/a *** Critical bug found in Cisco ASA products, attackers are scanning for affected devices *** --------------------------------------------- Several Cisco Adaptive Security Appliance (ASA) products - appliances, firewalls, switches, routers, and security modules - have been found sporting a flaw that can ultimately lead to remote code exec... --------------------------------------------- http://www.net-security.org/secworld.php?id=19427 *** Some notes on VirusTotal. *** --------------------------------------------- Many of you are probably familiar with VirusTotal, a service that allows you to scan a file or URL using multiple antivirus and URL scanners. VirusTotal results are often used in write-ups about...read moreThe post Some notes on VirusTotal. appeared first on Webroot Threat Blog. --------------------------------------------- http://www.webroot.com/blog/2016/02/09/some-notes-on-virustotal/ *** Seo-moz.com SEO Spam Campaign *** --------------------------------------------- Here at Sucuri we handle countless cases of SEO spam. This malware involves a website being compromised in order to spread (mostly pharmaceutical) advertisements by linking visitors to unwanted websites and stuffing spam keywords into the site. These links and keywords help the spam websites to rank higher in search engines like Google, sending evenRead More The post Seo-moz.com SEO Spam Campaign appeared first on Sucuri Blog. --------------------------------------------- https://blog.sucuri.net/2016/02/seo-moz-com-seo-spam-campaign.html *** Malvertising Via Skype Delivers Angler *** --------------------------------------------- A recent malvertising campaign shows that platforms that display ads, even when they are not necessarily the browser, are not immune to the attack. An example of a popular non-browser application that shows ads is Skype. These images would be familiar to avid Skype users. This did not really bother us much until last night, when we... --------------------------------------------- https://labsblog.f-secure.com/2016/02/10/malvertising-via-skype-delivers-an… *** Tomcat IR with XOR.DDoS, (Thu, Feb 11th) *** --------------------------------------------- Apache Tomcat is a java based web service that is used for different applications. While you may have it running in your environment, you may not be familiar with its workings to provide adequate incident response "> "> ">0 S root 31847 1 0 80 0 - 1124641 futex_ 2015 ? 02:36:33 /usr/bin/java -classpath /usr/share/apache-tomcat-7.0.65/bin/bootstrap.jar ">Here you can see that it is running from /usr/share/apache-tomcat-7.0.65. ">The Tomcat configurations --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20721&rss *** Building automation systems are so bad IBM hacked one for free *** --------------------------------------------- Remote sites owned as router, controller and server all fall to pen-test team An IBM-led penetration testing team has thoroughly owned an enterprise building management network in a free assessment designed to publicise the horrid state of embedded device security. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2016/02/11/building_au… *** How Malware Detects Virtualized Environment, and its Countermeasures - An Overview *** --------------------------------------------- Virtual Machines are usually considered a good way to analyze malware as they can provide an isolated environment for the malware to trigger but their actions can be controlled and intercepted. However, modern age malware detects their environment in which they are running, and if they detect they are running in VM, they sustain their... --------------------------------------------- http://resources.infosecinstitute.com/how-malware-detects-virtualized-envir… *** DFN-CERT-2016-0252: Cisco Adaptive Security Appliance Software: Eine Schwachstelle ermöglicht die Übernahme der Systemkontrolle *** --------------------------------------------- Eine Schwachstelle in der Cisco Adaptive Security Appliances Software ermöglicht einem entfernten, nicht authentifizierten Angreifer beliebigen Programmcode auszuführen und so die Kontrolle über ein betroffenes System zu übernehmen, auch ist die Durchführung eines Denial-of-Service-Angriffs möglich. --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-0252/ *** ZDI-16-163: Dell SonicWALL GMS Virtual Appliance Deserialization of Untrusted Data Remote Code Execution Vulnerability *** --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Dell SonicWALL GMS Virtual Appliance. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-16-163/ *** ZDI-16-164: Dell SonicWALL GMS Virtual Appliance Multiple Remote Code Execution Vulnerabilities *** --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Dell SonicWALL GMS Virtual Appliance. Authentication is required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-16-164/ *** Cisco Spark Representational State Transfer Interface Information Disclosure Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco Spark Representational State Transfer Interface Unauthorized Access Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco Spark Representational State Transfer Interface Denial of Service Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco Advanced Malware Protection and Email Security Appliance Proxy Engine Security Bypass Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Citrix NetScaler Application Delivery Controller and NetScaler Gateway Multiple Security Updates *** --------------------------------------------- A number of vulnerabilities have been identified in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway that could allow a malicious, unprivileged user to perform privileged operations or execute commands. --------------------------------------------- https://support.citrix.com/article/CTX206001 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Vulnerability in libssh2 affects PowerKVM (CVE-2015-1782) *** http://www.ibm.com/support/docview.wss?uid=isg3T1023318 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in curl affect PowerKVM *** http://www.ibm.com/support/docview.wss?uid=isg3T1023307 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in IBM Java Runtime affects Tivoli Storage Manager Operations Center and Tivoli Storage Manager Client Management Service (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21976362 --------------------------------------------- *** IBM Security Bulletin:Security Bulletin: Vulnerability in IBM Java Runtime affect AppScan Source (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21976569 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in cpio affects PowerKVM (CVE-2014-9112) *** http://www.ibm.com/support/docview.wss?uid=isg3T1023298 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in Linux Kernel affects PowerKVM (CVE-2016-0728) *** http://www.ibm.com/support/docview.wss?uid=isg3T1023279 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in OpenSSL affects IBM Netezza Platform Software clients (CVE-2015-3194) *** http://www.ibm.com/support/docview.wss?uid=swg21976419 --------------------------------------------- *** IBM Security Bulletin: IBM Sterling Order Management is affected by Apache Commons Collections security vulnerabilities (CVE-2015-7450) *** http://www.ibm.com/support/docview.wss?uid=swg21975793 --------------------------------------------- *** IBM Security Bulletin: Cross-site scripting vulnerability in Liberty for Java for IBM Bluemix (CVE-2015-7417) *** http://www.ibm.com/support/docview.wss?uid=swg21976218 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM JAVA Runtime affect AppScan Source (CVE-2015-4872) *** http://www.ibm.com/support/docview.wss?uid=swg21976159 ---------------------------------------------

1 0

Tageszusammenfassung - Mittwoch 10-02-2016
by Daily end-of-shift report 10 Feb '16

10 Feb '16

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 09-02-2016 18:00 − Mittwoch 10-02-2016 18:00 Handler: Stephan Richter Co-Handler: n/a *** Fast Flux Bot Nets and Fluxer - Part 1 *** --------------------------------------------- This time well start a two-parter on fast flux bot nets including the concept of domain generation algorithms. --------------------------------------------- http://www.scmagazine.com/fast-flux-bot-nets-and-fluxer--part-1/article/473… *** DMA Locker Strikes Back *** --------------------------------------------- A few days ago we published a post about a new ransomware - DMA Locker (read more here). At that time, it was using a pretty simple way of storing keys. Having the original sample was enough to recover files. Unfortunately, the latest version (discovered February 8th) comes with several improvements and RSA key. Let's... --------------------------------------------- https://blog.malwarebytes.org/news/2016/02/dma-locker-strikes-back/ *** Linode SSH key blunder left virtual servers open to man-in-the-middle fiddles for months *** --------------------------------------------- Regen your keys ASAP Web hosting biz Linode broke the security in its customers virtual machines, allowing attackers to eavesdrop on SSH connections and hijack them. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2016/02/09/linode_ssh_… *** Skimmers Hijack ATM Network Cables *** --------------------------------------------- If you have ever walked up to an ATM to withdraw cash only to decide against it after noticing a telephone or ethernet cord snaking from behind the machine to a jack in the wall, your paranoia may not have been misplaced: ATM maker NCR is warning about skimming attacks that involve keypad overlays, hidden cameras and skimming devices plugged into the ATM network cables to intercept customer card data. --------------------------------------------- http://krebsonsecurity.com/2016/02/skimmers-hijack-atm-network-cables/ *** Patchday: Microsoft stopft 6 kritische Lücken, lässt alte Internet-Explorer-Versionen im Regen stehen *** --------------------------------------------- Es ist wieder einmal Zeit zum Updaten für Microsoft-Anwender. Wer noch ältere Versionen des Internet Explorer im Einsatz hat, muss jetzt schleunigst handeln. --------------------------------------------- http://heise.de/-3098499 *** The history of Cryptowall: a large scale cryptographic ransomware threat *** --------------------------------------------- This tracker focusses on tracking the development changes in the CryptoWall ransomware, it does not attempt to track every single CryptoWall sample that exists. It simply exists to track the family in a more higher level fashion, a few samples will be listed next to specific versions just for reference rather than bulk collection. The timeline below shows the development track of CryptoWall when new versions were first seen. Below the timeline you will find an overview. --------------------------------------------- https://www.cryptowalltracker.org/ *** Sparkle-Installer: Gatekeeper-Sicherung für Macs lässt sich umgehen *** --------------------------------------------- Viele App-Entwickler für Mac nutzen das Sparkle-Framwork für praktische Auto-Updates - und machen damit zahlreiche Mac-Programme angreifbar. Betroffen sind nicht nur VLC und uTorrent. --------------------------------------------- http://www.golem.de/news/man-in-the-middle-angriff-sparkle-installer-macht-… *** Cracking Damn Insecure and Vulnerable App (DIVA) - part 5: *** --------------------------------------------- In the first four articles, we have discussed solutions for the first eleven challenges in DIVA. In this last article of this series, we will discuss the remaining two challenges that are related to native code. In case if you missed the previous articles in this series, here are the links. http://resources.infosecinstitute.com/cracking-damn-insecure-and-vulnerable… http://resources.infosecinstitute.com/cracking-damn-insecure-and-vulnerable… --------------------------------------------- http://resources.infosecinstitute.com/cracking-damn-insecure-and-vulnerable… *** Hijacking forgotten & misconfigured subdomains *** --------------------------------------------- Its been a while since my last blog post, so I decided to release a new tool. I think that we need more articles about "DNS hacking", I hope that you will learn something new here. --------------------------------------------- http://www.xexexe.cz/2016/02/hijacking-forgotten-misconfigured.html *** Network forensic analysis tool NetworkMiner 2.0 released *** --------------------------------------------- NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. ... --------------------------------------------- http://www.net-security.org/secworld.php?id=19421 *** MSRT February 2016 *** --------------------------------------------- The February release of the Microsoft Malicious Software Removal Tool (MSRT) includes updated detections for the following malware families: Bladabindi Gamarue Sality Kelihos Diplugem The updates include detections for the latest variants from these malware families. There were no new malware families added to the MSRT this month. The MSRT works in tandem with real-time... --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2016/02/09/msrt-february-2016/ *** MS16-FEB - Microsoft Security Bulletin Summary for February 2016 - Version: 1.0 *** --------------------------------------------- https://technet.microsoft.com/en-us/library/security/MS16-FEB *** Deception: Shine Bright Like a Diamond *** --------------------------------------------- ***German Summary: Projektpläne, Designs, Kundendaten: Die Kronjuwelen eines jeden Unternehmens gehören vor Cyberkriminellen unter allen Umständen versteckt - oder? Werfen Sie den Ködern aus, denn jetzt täuschen die Guten! Deception ("Täuschung") lautet der neue Cyber-Security-Ansatz, der nach Schätzungen des renommierten Marktforschungsunternehmens Gartner bereits 2018 in rund 10 % aller Unternehmen zum Einsatz kommen wird. Virtuelle Fallen... --------------------------------------------- http://blog.sec-consult.com/2016/02/deception-shine-bright-like-diamond.html *** Tollgrade SmartGrid Sensor Management System Software Vulnerabilities *** --------------------------------------------- This advisory contains mitigation details for vulnerabilities in Tollgrade Communications, Inc.'s SmartGrid LightHouse Sensor Management System (SMS) Software EMS. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-040-01 *** Bugtraq: Safebreach adsivory: Node.js HTTP Response Splitting (CVE-2016-2216) *** --------------------------------------------- http://www.securityfocus.com/archive/1/537490 *** Bugtraq: ESA-2016-010 EMC Documentum xCP Security Update for Multiple Vulnerabilities *** --------------------------------------------- http://www.securityfocus.com/archive/1/537489 *** Bugtraq: dotDefender Firewall CSRF *** --------------------------------------------- http://www.securityfocus.com/archive/1/537491 *** [2016-02-10] Yeager CMS multiple vulnerabilities *** --------------------------------------------- Yeager CMS suffers from multiple critical security issues including multiple SQL injections, arbitrary file upload, server-side request forgery and non-permanent cross-site scripting vulnerabilities. Unauthenticated attackers are able to compromise Yeager CMS in both application and database levels. --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2016… *** DFN-CERT-2016-0237: Horde Application Framework: Zwei Schwachstellen ermöglichen einen Cross-Site-Scripting-Angriff *** --------------------------------------------- 09.02.2016 --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-0237/ *** Cisco Security Advisories *** --------------------------------------------- *** Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Prime Collaboration Provisioning Local Privilege Escalation Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Application Policy Infrastructure Controller Enterprise Module Web Framework Cross-Site Scripting Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Video Communications Server Information Disclosure Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Unified Products Information Disclosure Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Unified Communications Manager Information Disclosure Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM SDK Java Technology Edition affect Liberty for Java for IBM Bluemix January 2016 CPU (CVE-2016-0475, CVE-2016-0466, CVE-2015-7575, CVE-2016-0448) *** http://www.ibm.com/support/docview.wss?uid=swg21976217 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in IBM Java Runtime affects IBM Security SiteProtector System (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21976042 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSH affect IBM Flex System Manager (FSM) (CVE-2016-0777, CVE-2016-0778) *** http://www.ibm.com/support/docview.wss?uid=isg3T1023319 --------------------------------------------- *** IBM Security Bulletin: IBM Pure Power Integrated Manager (PPIM) is affected by vulnerabilities in ntp (CVE-2014-9750, CVE-2014-9751) *** http://www.ibm.com/support/docview.wss?uid=isg3T1023291 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects IBM Pure Power Integrated Manager (PPIM) (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=isg3T1023292 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects Watson Explorer (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21974808 --------------------------------------------- *** IBM Security Bulletin: IBM Netezza SQL Extensions is vulnerable to an OpenSource PCRE Vulnerability (CVE-2015-8380, CVE-2015-8382, CVE-2015-8391) *** http://www.ibm.com/support/docview.wss?uid=swg21976124 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities identified in IBM Java SDK affect WebSphere Service Registry and Repository Studio (CVE-2015-4872, CVE-2015-4911, CVE-2015-4893, CVE-2015-4803) *** http://www.ibm.com/support/docview.wss?uid=swg21971058 --------------------------------------------- *** IBM Security Bulletin: A libxml vulnerability affects IBM Security Access Manager for Mobile (CVE-2015-1819) *** http://www.ibm.com/support/docview.wss?uid=swg21976393 --------------------------------------------- *** IBM Security Bulletin: GNU C library (glibc) vulnerability affects IBM Security Access Manager for Mobile (CVE-2014-8121) *** http://www.ibm.com/support/docview.wss?uid=swg21976290 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in nss-softokn affects IBM Security Access Manager for Mobile (CVE-2015-2730) *** http://www.ibm.com/support/docview.wss?uid=swg21976295 --------------------------------------------- *** IBM Security Bulletin: IBM Security Access Manager for Mobile is affected by an OpenSSH vulnerability (CVE-2008-5161) *** http://www.ibm.com/support/docview.wss?uid=swg21976082 --------------------------------------------- *** IBM Security Bulletin: IBM Security Access Manager for Mobile is affected by multiple NTP vulnerabilities *** http://www.ibm.com/support/docview.wss?uid=swg21975967 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in OpenSSL affects IBM MQ Light (CVE-2015-3197) *** http://www.ibm.com/support/docview.wss?uid=swg21976345 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos Command Center (CVS-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21975832 --------------------------------------------- *** IBM Security Bulletin: A Security Vulnerability has been identified in Apache Solr shipped with IBM Operations Analytics - Log Analysis *** http://www.ibm.com/support/docview.wss?uid=swg21975544 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in cURL and libcURL affect IBM Security Access Manager (CVE-2014-3613, CVE-2014-8150) *** http://www.ibm.com/support/docview.wss?uid=swg21974736 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in IBM Java Runtime affects IBM MQ Light (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21976341 ---------------------------------------------

1 0

Tageszusammenfassung - Dienstag 9-02-2016
by Daily end-of-shift report 09 Feb '16

09 Feb '16

======================= = End-of-Shift report = ======================= Timeframe: Montag 08-02-2016 18:00 − Dienstag 09-02-2016 18:00 Handler: Stephan Richter Co-Handler: n/a *** Gate To Nuclear EK Uses Fake CloudFlare DDoS Check *** --------------------------------------------- This rogue CloudFlare page hides a malicious payload. Categories: ExploitKits Tags: cloudflareEKNuclear(Read more...) --------------------------------------------- https://blog.malwarebytes.org/exploitkits/2016/02/gate-to-nuclear-ek-uses-f… *** Patching Complex Web Vulnerabilities Using ModSecurity WAF *** --------------------------------------------- In this blog post we will demonstrate complicated examples of common web application vulnerabilities, and see how they can be mitigated with ModSecurity WAF. --------------------------------------------- https://www.htbridge.com/blog/patching-complex-web-vulnerabilities-using-mo… *** Its 2016 and a font file can own your computer *** --------------------------------------------- Libgraphite font library buggy and vulnerable in Firefox, Thunderbird, WordPad and more says Talos Cisco-owned Talos has announced a bunch of font library bugs present in apps running on Windows and Linux, affecting client and-server-side machines. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2016/02/09/libgraphite… *** Power Grid Honeypot Puts Face on Attacks *** --------------------------------------------- Researchers from MalCrawler built a honeypot mimicking an electronic management system at the heart of a power grid, exposing attackers' behavior once they have access to critical infrastructure systems. --------------------------------------------- http://threatpost.com/power-grid-honeypot-puts-face-on-attacks/116217/ *** Russian hackers used malware to manipulate the Dollar/Ruble exchange rate *** --------------------------------------------- Russian-language hackers have managed to break into Russian regional bank Energobank, infect its systems, and gain unsanctioned access to its trading system terminals, which allowed them to manipulat... --------------------------------------------- http://www.net-security.org/malware_news.php?id=3201 *** How to Hack the Power Grid Through Home Air Conditioners *** --------------------------------------------- Researchers show how hackers can manipulate the remote on-off device installed on some air conditioners to cause a blackout. --------------------------------------------- http://www.wired.com/2016/02/how-to-hack-the-power-grid-through-home-air-co… *** (Not only) Oracle Java Windows installer vulnerable *** --------------------------------------------- Oracle hat einen Out-of-Band Patch für Java 6, 7 und 8 für Windows veröffentlicht, mit dem eine Sicherheitslücke im Installationsprozess geschlossen wird. Es sind dazu bereits zahlreiche Medienberichte erschienen, in denen allerdings häufig die Tatsache ausser acht gelassen wird, dass es sich hier nicht um eine Java-spezifische Schwachstelle handelt. Das Problem - Stichwort "Binary Planting" -... --------------------------------------------- http://www.cert.at/services/blog/20160209102305-1678.html *** Security Bulletins Posted *** --------------------------------------------- Security Bulletins for Adobe Photoshop and Bridge (APSB16-03), Flash Player (APSB16-04), Adobe Experience Manager (APSB16-05) and Adobe Connect (APSB16-07) have been published. Adobe recommends users update their product installations to the latest versions using the instructions referenced in the relevant security bulletin. This... --------------------------------------------- https://blogs.adobe.com/psirt/?p=1315 *** DSA-3472 wordpress - security update *** --------------------------------------------- Two vulnerabilities were discovered in wordpress, a web blogging tool.The Common Vulnerabilities and Exposures project identifies thefollowing problems: --------------------------------------------- https://www.debian.org/security/2016/dsa-3472 *** DSA-3471 qemu - security update *** --------------------------------------------- Several vulnerabilities were discovered in qemu, a full virtualizationsolution on x86 hardware. --------------------------------------------- https://www.debian.org/security/2016/dsa-3471 *** DSA-3470 qemu-kvm - security update *** --------------------------------------------- Several vulnerabilities were discovered in qemu-kvm, a fullvirtualization solution on x86 hardware. --------------------------------------------- https://www.debian.org/security/2016/dsa-3470 *** DSA-3469 qemu - security update *** --------------------------------------------- Several vulnerabilities were discovered in qemu, a full virtualizationsolution on x86 hardware. --------------------------------------------- https://www.debian.org/security/2016/dsa-3469 *** USN-2880-2: Firefox regression *** --------------------------------------------- Ubuntu Security Notice USN-2880-28th February, 2016firefox regressionA security issue affects these releases of Ubuntu and its derivatives: Ubuntu 15.10 Ubuntu 14.04 LTS Ubuntu 12.04 LTSSummaryUSN-2880-1 introduced a regression in Firefox.Software description firefox - Mozilla Open Source web browser DetailsUSN-2880-1 fixed vulnerabilities in Firefox. This update introduced aregression which caused Firefox to crash on startup with some configurations.This update fixes the problem.We apologize --------------------------------------------- http://www.ubuntu.com/usn/usn-2880-2/

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily