- Daily - CERT.at

Tageszusammenfassung - 16.08.2018
by Daily end-of-shift report 16 Aug '18

16 Aug '18

===================== = End-of-Day report = ===================== Timeframe: Dienstag 14-08-2018 18:00 − Donnerstag 16-08-2018 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ VORACLE Attack Can Recover HTTP Data From VPN Connections ∗∗∗ --------------------------------------------- A new attack named VORACLE can recover HTTP traffic sent via encrypted VPN connections under certain conditions. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/voracle-attack-can-recover-h… ∗∗∗ Microsoft Flaw Allows Full Multi-Factor Authentication Bypass ∗∗∗ --------------------------------------------- This is similar to taking a room key for a building and turning it into a skeleton key that works on every door in the building. --------------------------------------------- https://threatpost.com/microsoft-flaw-allows-full-multi-factor-authenticati… ∗∗∗ Linux: Kernel und Distributionen schützen vor Prozessorlücke Foreshadow/L1TF ∗∗∗ --------------------------------------------- Mit neuen Kernel-Updates kann man sich vor den als Foreshadow oder L1TF genannten Prozessorlücken schützen, die viele moderne Intel-Prozessoren betreffen. --------------------------------------------- http://heise.de/-4137264 ∗∗∗ Patchday Microsoft: Angreifer attackieren Internet Explorer ∗∗∗ --------------------------------------------- In diesem Monat veröffentlicht Microsoft Sicherheitsupdates für 60 Lücken in Windows & Co. Zwei Schwachstellen sind derzeit im Fokus von Angreifern. --------------------------------------------- http://heise.de/-4137351 https://isc.sans.edu/forums/diary/Microsoft+August+2018+Patch+Tuesday/23986/ ∗∗∗ August 2018 Office Update Release ∗∗∗ --------------------------------------------- The August 2018 Public Update releases for Office are now available! This month, there are 23 security updates and 23 non-security updates. All of the security and non-security updates are listed in KB article 4346823. A new version of Office 2013 Click-To-Run is available: 15.0.5059.1000 A new version of Office 2010 Click-To-Run is available: 14.0.7212.5000 --------------------------------------------- https://blogs.technet.microsoft.com/office_sustained_engineering/2018/08/14… ∗∗∗ Betrügerische E-Mail der Internet Domain Services Austria (IDSA) ∗∗∗ --------------------------------------------- Selbstständige, Vereine und Unternehmen erhalten von den Internet Domain Services Austria (IDSA) eine E-Mail. Sie sollen 197,50 Euro an idsa.at zahlen, damit Fremde keine Domain registrieren, die ihrer ähnelt. Empfänger/innen können die Nachricht ignorieren, denn ihr Inhalt ist betrügerisch und erfunden. Ebenso wenig gibt es die Internet Domain Services Austria. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-e-mail-der-internet-d… ∗∗∗ Pfändungstermine wegen Urheberrechtsverletzung ignorieren ∗∗∗ --------------------------------------------- KonsumentInnen erhalten von der ADVOKAT RECHTSANWALT AG eine Nachricht, in der ein Pfändungstermin wegen nicht Bezahlens einer Abmahnung zu einer Urheberrechtsverletzung genannt wird. Grund sei das illegale Streamen von Filmen auf kinox.to. KonsumentInnen müssen die 426,55 Euro nicht bezahlen und die angedrohte Pfändung findet nie statt. --------------------------------------------- https://www.watchlist-internet.at/news/pfaendungstermine-wegen-urheberrecht… ===================== = Vulnerabilities = ===================== ∗∗∗ Philips IntelliSpace Cardiovascular Vulnerabilities ∗∗∗ --------------------------------------------- This medical advisory includes mitigation recommendations for improper privilege management and unquoted search path vulnerabilities in Philips IntelliSpace Cardiovascular (ISCV) software. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSMA-18-226-01 ∗∗∗ File (Field) Paths - Critical - Remote Code Execution - SA-CONTRIB-2018-056 ∗∗∗ --------------------------------------------- Project: File (Field) PathsDate: 2018-August-15Security risk: Critical 15∕25 AC:Basic/A:User/CI:Some/II:All/E:Theoretical/TD:DefaultVulnerability: Remote Code ExecutionDescription: This module enables you to automatically sort and rename your uploaded files using token based replacement patterns to maintain a nice clean filesystem.The module doesnt sufficiently sanitize the path while a new file is uploading, allowing a remote attacker to execute arbitrary PHP code. --------------------------------------------- https://www.drupal.org/sa-contrib-2018-056 ∗∗∗ VMSA-2018-0020 ∗∗∗ --------------------------------------------- VMware vSphere, Workstation, and Fusion updates enable Hypervisor-Specific Mitigations for L1 Terminal Fault - VMM vulnerability. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2018-0020.html ∗∗∗ VMSA-2018-0021 ∗∗∗ --------------------------------------------- Operating System-Specific Mitigations address L1 Terminal Fault - OS vulnerability in VMware Virtual Appliances. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2018-0021.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (kernel), Debian (kernel, linux-4.9, postgresql-9.4, and ruby-zip), Fedora (cgit, firefox, knot-resolver, mingw-LibRaw, php-symfony, php-symfony3, php-symfony4, php-zendframework-zend-diactoros, php-zendframework-zend-feed, php-zendframework-zend-http, python2-django1.11, quazip, sox, and thunderbird-enigmail), openSUSE (python-Django and seamonkey), Oracle (kernel), Red Hat (kernel, kernel-rt, and redhat-virtualization-host), Scientific Linux [...] --------------------------------------------- https://lwn.net/Articles/762706/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (fuse), Fedora (cri-o, gdm, kernel-headers, postgresql, units, and wpa_supplicant), Mageia (iceaepe, kernel-linus, kernel-tmb, and libtomcrypt), openSUSE (aubio, libheimdal, nemo-extensions, and python-Django1), Red Hat (flash-plugin), SUSE (apache2, kernel, php7, qemu, samba, and ucode-intel), and Ubuntu (gnupg). --------------------------------------------- https://lwn.net/Articles/762804/ ∗∗∗ ZDI-18-939: Foxit Reader PDF File Parsing Type Confusion Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-18-939/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Cisco Security Advisories ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/publicationListing.x ∗∗∗ Xen Security Advisories ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/ ∗∗∗ F5 Security Advisories ∗∗∗ --------------------------------------------- https://support.f5.com/csp/new-updated-articles ∗∗∗ Security Advisory - Buffer Overflow Vulnerability on Several Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2018/huawei-sa-20180725-… ∗∗∗ Security Advisory - Side-Channel Vulnerability Variants 3a and 4 ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2018/huawei-sa-20180615-… ∗∗∗ Security Advisory - CPU Side Channel Vulnerability "L1TF" ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2018/huawei-sa-20180815-… ∗∗∗ Security Notice - Statement About the Side Channel Vulnerability "L1TF" of Chips ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-notices/2018/huawei-sn-20180815-01-… ∗∗∗ VMSA-2018-0022 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2018-0022.html ∗∗∗ VMSA-2018-0019.1 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2018-0019.html ∗∗∗ HPESBHF03874 rev.1 - Certain HPE Products using Intel-based Processors, L1 Terminal Fault (L1TF) Speculative Side-channel Vulnerabilities, Local Disclosure of Information ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPESBHF03875 rev.1 - HPE Integrated Lights Out 4 and 5, (iLO 4, 5), Remote Denial of Service ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.08.2018
by Daily end-of-shift report 14 Aug '18

14 Aug '18

===================== = End-of-Day report = ===================== Timeframe: Montag 13-08-2018 18:00 − Dienstag 14-08-2018 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Badness, Enumerated by Robots ∗∗∗ --------------------------------------------- A condensed summary of the blacklist data generated from traffic hitting bsdly.net and cooperating sites. --------------------------------------------- https://bsdly.blogspot.com/2018/08/badness-enumerated-by-robots.html ∗∗∗ Brazilian banking customers targeted by IoT DNS hijacking attacks ∗∗∗ --------------------------------------------- Attackers launched a DNS hijacking campaign targeting Brazilian bank customer credentials through the end-user IoT devices. --------------------------------------------- https://www.scmagazine.com/brazilian-banking-customers-targeted-by-iot-dns-… ∗∗∗ CVE? Nope. NVD? Nope. Serious must-patch type flaws skipping mainstream vuln lists - report ∗∗∗ --------------------------------------------- Infosec firm fingers decentralised reporting The first half of 2018 saw a record haul of reported software vulnerabilities yet a high proportion of these won't appear in any mainstream flaw-tracking lists, researcher Risk Based Security (RBS) has claimed. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2018/08/14/record_soft… ∗∗∗ Patchday: SAP kümmert sich um seine Software ∗∗∗ --------------------------------------------- Im August hat SAP zwölf neue Sicherheitshinweise für verschiedene Anwendungen veröffentlicht. --------------------------------------------- http://heise.de/-4137050 ∗∗∗ Erpresserische E-Mail nennt Telefonnummer ∗∗∗ --------------------------------------------- Kriminelle versenden eine erpresserische E-Mail. Darin nennen sie die letzten vier Ziffern einer Telefonnummer und behaupten, dass sie über intimite Aufnahmen verfügen. Empfänger/innen sollen innerhalb von 48 Stunden 1000 US-Dollar in Bitcoins bezahlen, damit es zu keiner Veröffentlichung kommt. Konsument/innen müssen keine Reaktion zeigen. --------------------------------------------- https://www.watchlist-internet.at/news/erpresserische-e-mail-nennt-telefonn… ===================== = Vulnerabilities = ===================== ∗∗∗ Security Bulletins Posted ∗∗∗ --------------------------------------------- Adobe has published security bulletins for Adobe Creative Cloud Desktop Application (APSB18-20), Adobe Flash Player (APSB18-25), Adobe Experience Manager (APSB18-26) and Adobe Acrobat and Reader (APSB18-29). --------------------------------------------- https://blogs.adobe.com/psirt/?p=1594 ∗∗∗ SQL Injection, XSS & CSRF vulnerabilities in Pimcore software ∗∗∗ --------------------------------------------- Pimcore is affected by several security vulnerabilities, which can be exploited by an attacker to read data records from the database, attack other users of the web application with JavaScript code, browser exploits or Trojan horses, and perform arbitrary actions in the context of the logged-in user (CSRF). --------------------------------------------- https://www.sec-consult.com/en/blog/advisories/sql-injection-xss-csrf-vulne… ∗∗∗ Cisco IOS, IOS XE: Eine Schwachstelle ermöglicht das Ausspähen von Informationen ∗∗∗ --------------------------------------------- Ein entfernter, nicht authentisierter Angreifer kann eine Schwachstelle in Cisco IOS und IOS XE ausnutzen, indem er einen speziell präparierten Ciphertext an ein mit IKEv1 (Internet Key Exchange Version 1) konfiguriertes Gerät sendet. Dieses Gerät reagiert fehlerhaft auf dabei auftretende Entschlüsselungsfehler, wodurch verschlüsselte Nonces ausgespäht werden können. --------------------------------------------- https://adv-archiv.dfn-cert.de/adv/2018-1591/ https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (thunderbird), Debian (gdm3 and samba), openSUSE (cgit and lxc), SUSE (grafana, kafka, logstash, openstack-monasca-installer and samba), and Ubuntu (gdm3 and libarchive). --------------------------------------------- https://lwn.net/Articles/762556/ ∗∗∗ Synology-SA-18:43 MailPlus Server ∗∗∗ --------------------------------------------- A vulnerability allows remote attackers to conduct denial-of-service attacks via a susceptible version of MailPlus Server. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_18_43 ∗∗∗ Security Advisory - Multiple Vulnerabilities in IPsec IKE of Huawei Firewall Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2018/huawei-sa-20180813-… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Spectrum Conductor with Spark ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10720115 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Tivoli Netcool Configuration Manager (CVE-2018-2783, CVE-2018-2800, CVE-2018-2790). ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10720313 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Cloud Manager with OpenStack ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10718949 ∗∗∗ IBM Security Bulletin: IBM Tivoli Application Dependency Discovery Manager (TADDM) is vulnerable to cross-site request forgery (CVE-2018-1455) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=swg22016659 ∗∗∗ HPESBHF03868 rev.1 - HPE ML10 Gen9 using Intel Xeon Processor E3-1200 v5 with Intel Active Management Technology, multiple local and remote vulnerabilities ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.08.2018
by Daily end-of-shift report 13 Aug '18

13 Aug '18

===================== = End-of-Day report = ===================== Timeframe: Freitag 10-08-2018 18:00 − Montag 13-08-2018 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Popular Android Apps Vulnerable to Man-in-the-Disk Attacks ∗∗∗ --------------------------------------------- Some of the most popular Android applications installed on your phone may be vulnerable to a new type of attack named "Man-in-the-Disk" that can grant a third-party app the ability to crash them and/or run malicious code. --------------------------------------------- https://www.bleepingcomputer.com/news/security/popular-android-apps-vulnera… ∗∗∗ KeyPass ransomware ∗∗∗ --------------------------------------------- In the last few days, our anti-ransomware module has been detecting a new variant of malware - KeyPass ransomware. According to our information, the malware is propagated by means of fake installers that download the ransomware module. --------------------------------------------- https://securelist.com/keypass-ransomware/87412/ ∗∗∗ DEF CON 2018: Hacking Medical Protocols to Change Vital Signs ∗∗∗ --------------------------------------------- LAS VEGAS – In recent years there has been more attention paid to the security of medical devices; however, there has been little security research done on the unique protocols used by these devices. Many of the insulin pumps, heart monitors and other gadgets found in hospital rooms use aging protocol to communicate with nurses' [...] --------------------------------------------- https://threatpost.com/def-con-2018-hacking-medical-protocols-to-change-vit… ∗∗∗ Angreifer können per Fax in Firmennetze eindringen ∗∗∗ --------------------------------------------- Sicherheitsexperten haben in Multifunktionsdruckern, wie sie in vielen Büros vorhanden sind, eine Sicherheitslücke entdeckt. Angreifer könnten sich durch Senden eines manipulierten Fax Zugang zum Firmennetzwerk verschaffen. --------------------------------------------- https://help.orf.at/stories/2929974/ ∗∗∗ Apple macOS vulnerability paves the way for system compromise with a single click ∗∗∗ --------------------------------------------- A security researcher uncovered a zero-day in Apple software by tweaking a few lines of code. Speaking at Defcon in Las Vegas last week, Patrick Wardle, Chief Research Officer of Digita Security, described his research into "synthetic" interactions with a user interface (UI) that can lead to severe macOS system security issues. --------------------------------------------- https://www.zdnet.com/article/apple-zero-day-vulnerability-permits-attacker… ∗∗∗ Erpresser-Mails: Online-Gauner kassieren jetzt mit Handynummern ab ∗∗∗ --------------------------------------------- Online-Abzocker verschicken Mails, in denen sie behaupten, das Handy des Empfängers gehackt zu haben. Sie untermauern dies mit einem Auszug der Handynummer. --------------------------------------------- https://heise.de/-4134298 ∗∗∗ Gebäudeautomatisierung wird zur Wanze: Bugs in Crestron-Systemen ∗∗∗ --------------------------------------------- Büros, Unis, Flughäfen, Hotels, Privathäuser - Bugs in Crestron-Produkten lassen die Komponenten zu Wanzen werden - übers Internet, Kamerabilder inklusive. --------------------------------------------- http://heise.de/-4133763 ∗∗∗ Vulnerabilities in smart card drivers open systems to attackers ∗∗∗ --------------------------------------------- Security researcher Eric Sesterhenn of X41 D-SEC GmbH has unearthed a number of vulnerabilities in several smart card drivers, some of which can allow attackers to log into the target system without valid credentials and achieve root/admin privileges. "A lot of attacks against smart cards have been performed in the past but not much work has focused on hacking the driver side of the smart card stack [the piece of software that interacts with chip [...] --------------------------------------------- https://www.helpnetsecurity.com/2018/08/13/vulnerabilities-smart-card-drive… ∗∗∗ FBI Warns of 'Unlimited' ATM Cashout Blitz ∗∗∗ --------------------------------------------- The Federal Bureau of Investigation (FBI) is warning banks that cybercriminals are preparing to carry out a highly choreographed, global fraud scheme known as an "ATM cash-out," in which crooks hack a bank or payment card processor and use cloned cards at cash machines around the world to fraudulently withdraw millions of dollars in just a few hours. --------------------------------------------- https://krebsonsecurity.com/2018/08/fbi-warns-of-unlimited-atm-cashout-blit… ∗∗∗ Warnung vor betrügerischen Maschinenangeboten ∗∗∗ --------------------------------------------- Auf Kleinanzeigen-Plattformen finden Interessent/innen günstige Nutzfahrzeuge und Landmaschinen. Sie führen zu den Anbietern insolvenzamt.com, maschinen-insolvenzamt.com und anbud-spzoo.eu. Bei den Händlern handelt es sich um Fake-Shops. Sie liefern trotz Bezahlung keine Ware. --------------------------------------------- https://www.watchlist-internet.at/news/warnung-vor-betruegerischen-maschine… ===================== = Vulnerabilities = ===================== ∗∗∗ 2018-1581: Oracle Datenbankserver: Eine Schwachstelle ermöglicht die vollständige Kompromittierung der Software ∗∗∗ --------------------------------------------- [...] Die Schwachstelle betrifft auch Oracle Database 12.1.0.2 für Windows und jede Version der Software auf Linux- und Unix-Systemen. Die Patches für diese Systeme wurden bereits mit dem letzten Oracle Critical Patch Update im Juli 2018 ausgeliefert. Anwender, die bisher keine Patches eingespielt haben, sollten dies unverzüglich nachholen. --------------------------------------------- https://adv-archiv.dfn-cert.de/adv/2018-1581/ http://www.oracle.com/technetwork/security-advisory/alert-cve-2018-3110-503… ∗∗∗ 2018-1582: NextCloud: Zwei Schwachstellen ermöglichen Stored Cross-Site-Scripting-Angriffe ∗∗∗ --------------------------------------------- Zwei Schwachstellen in Nextcloud Server sowie Nextcloud Talk ermöglichen einem entfernten, einfach authentisierten Angreifer die Durchführung von Stored Cross-Site-Scripting (XSS)-Angriffen. --------------------------------------------- https://adv-archiv.dfn-cert.de/adv/2018-1582/ https://nextcloud.com/security/advisory/?id=NC-SA-2018-008 https://nextcloud.com/security/advisory/?id=NC-SA-2018-009 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (blender, openjdk-8, postgresql-9.6, and sam2p), Fedora (libmspack, mingw-glib2, mingw-glibmm24, and rsyslog), Mageia (blender, glpi, godot, kernel, lftp, libjpeg, libsndfile, libsoup, mariadb, mp3gain, openvpn, and soundtouch), openSUSE (cgit, libvirt, mailman, NetworkManager-vpnc, and sddm), Slackware (bind), and SUSE (ffmpeg, glibc, and libvirt). --------------------------------------------- https://lwn.net/Articles/762502/ ∗∗∗ 2018-08-10: Vulnerability in eSOMS LDAP Integration ∗∗∗ --------------------------------------------- https://search-ext.abb.com/library/Download.aspx?DocumentID=9AKK107046A5821… ∗∗∗ IBM Security Bulletin: eDiscovery Manager is affected by public disclosed vulnerability from Apache Poi ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10719481 ∗∗∗ HPESBST03861 rev.1 - HPE 3PAR Service Processor (SP), Multiple Local and Remote Vulnerabilities ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPESBST03870 rev.1 - HPE 3PAR Service Processor (SP), Local Disclosure of Privileged Information ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPESBHF03858 rev.1 - HPE OfficeConnect 1810 Switch Series Local Disclosure of Sensitive Information ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.08.2018
by Daily end-of-shift report 10 Aug '18

10 Aug '18

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 09-08-2018 18:00 − Freitag 10-08-2018 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Neue Macs können beim ersten Kontakt mit WLAN gehackt werden ∗∗∗ --------------------------------------------- Betroffen sind Firmenkunden von Apple. Die Schwachstelle wurde auf der Black Hat Konferenz präsentiert. --------------------------------------------- https://futurezone.at/digital-life/neue-macs-koennen-beim-ersten-kontakt-mi… ∗∗∗ The 10 Best Practices for Identifying and Mitigating Phishing ∗∗∗ --------------------------------------------- Phishing (a form of social engineering) is escalating in both frequency and sophistication; consequently, it is even more challenging to defend against cyber-related attacks. These days, any industry, any workplace, any work role can be targeted by a phishing scam that is spreading beyond simple malicious email attachments and link manipulation techniques (i.e., phishers may [...] --------------------------------------------- https://resources.infosecinstitute.com/the-10-best-practices-for-identifyin… ∗∗∗ Practical Web Cache Poisoning ∗∗∗ --------------------------------------------- Web cache poisoning has long been an elusive vulnerability, a theoretical threat used mostly to scare developers into obediently patching issues that nobody could actually exploit. In this paper Ill show you how to compromise websites by using esoteric web features to turn their caches into exploit delivery systems, targeting everyone that makes the mistake of visiting their homepage. --------------------------------------------- https://portswigger.net/blog/practical-web-cache-poisoning ∗∗∗ VIA C3: "God Mode"-Sicherheitslücke in Prozessoren entdeckt ∗∗∗ --------------------------------------------- Ein IT-Experte hat einen schwerwiegenden Bug in alten CPUs von VIA Technologies aufgespürt und auch gleich eine Gegenmaßnahme programmiert. --------------------------------------------- http://heise.de/-4133425 ∗∗∗ Vulnerabilities in mPOS devices could lead to fraud and theft ∗∗∗ --------------------------------------------- Vulnerabilities in mPOS (mobile point-of-sale) machines could allow malicious merchants to defraud customers and attackers to steal payment card data, Positive Technologies researchers have found. The use of mPOS devices has seen huge growth over the last few years as the barriers to entry to be provided a device and start accepting card payments are effectively zero. --------------------------------------------- https://www.helpnetsecurity.com/2018/08/10/mpos-vulnerabilities/ ∗∗∗ Nicht bei shop-and-smile.com einkaufen ∗∗∗ --------------------------------------------- Auf shop-and-smile.com finden Konsument/innen Elektroartikel. Die angebotenen Produkte sind gebraucht und nicht neu. Das ist im Rahmen eines Einkaufs nicht offensichtlich. Eine Bezahlung der Ware ist entgegen anderer Aussagen nur im Voraus möglich. Die Watchlist Internet rät von einem Einkauf bei shop-and-smile.com ab. --------------------------------------------- https://www.watchlist-internet.at/news/nicht-bei-shop-and-smilecom-einkaufe… ===================== = Vulnerabilities = ===================== ∗∗∗ Crestron TSW-X60 and MC3 ∗∗∗ --------------------------------------------- This advisory includes mitigation recommendations for OS command injection, improper access control, and insufficiently protected credentials vulnerabilities in Crestrons TSW-X60 and MC3 devices. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-221-01 ∗∗∗ NetComm Wireless 4G LTE Light Industrial M2M Router ∗∗∗ --------------------------------------------- This advisory includes mitigation recommendations for information exposure, cross-site forgery, cross-site scripting, and information exposure through directory listing vulnerabilities in NetComm Wireless 4G LTE Light Industrial M2M Router. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-221-02 ∗∗∗ PostgreSQL 10.5, 9.6.10, 9.5.14, 9.4.19, 9.3.24, and 11 Beta 3 Released! ∗∗∗ --------------------------------------------- Two security vulnerabilities have been closed by this release: CVE-2018-10915: Certain host connection parameters defeat client-side security defenses CVE-2018-10925: Memory disclosure and missing authorization in INSERT ... ON CONFLICT DO UPDATE --------------------------------------------- https://www.postgresql.org/about/news/1878/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (exiv2, kernel-headers, kernel-tools, libgit2, and thunderbird-enigmail), openSUSE (blueman, cups, gdk-pixbuf, libcdio, libraw, libsoup, libtirpc, mysql-community-server, python-mitmproxy, sssd, and virtualbox), Red Hat (cobbler), SUSE (ceph, firefox, NetworkManager-vpnc, openssh, and wireshark), and Ubuntu (openjdk-7 and openjdk-8). --------------------------------------------- https://lwn.net/Articles/762337/ ∗∗∗ wpa_supplicant: Eine Schwachstelle ermöglicht einen Denial-of-Service-Angriff ∗∗∗ --------------------------------------------- https://adv-archiv.dfn-cert.de/adv/2018-1564/ ∗∗∗ Red Hat Certification: Mehrere Schwachstellen ermöglichen u. a. die Ausführung beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://adv-archiv.dfn-cert.de/adv/2018-1571/ ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect ITCAM for SOA ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10720235 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Rational ClearQuest ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10718367 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Rational ClearCase (CVE-2018-2633, CVE-2018-2603, CVE-2018-2579, CVE-2018-2602, CVE-2018-2794, & CVE-2018-2783) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10717207 ∗∗∗ IBM Security Bulletin: A security vulnerability in OpenSSL affects IBM Rational ClearQuest (CVE-2018-0739) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10718373 ∗∗∗ IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Rational ClearCase (CVE-2018-0739) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10717211 ∗∗∗ IBM Security Bulletin: Security Bulletin: IBM Data Server Driver for JDBC and SQLJ is affected by a 3RD PARTY Unsafe deserialization ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22012479 ∗∗∗ IBM Security Bulletin: A security vulnerability in IBM Rational ClearQuest with SSL/TLS communications (CVE-2016-2922) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10718377 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.08.2018
by Daily end-of-shift report 09 Aug '18

09 Aug '18

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 08-08-2018 18:00 − Donnerstag 09-08-2018 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Warnung vor Bewerbung bei webex-solutions.at ∗∗∗ --------------------------------------------- Webex Solutions ist eine betrügerische Scheinfirma. Sie sucht Mitarbeiter/innen. Auf ihrer Website webex-solutions.at fragt sie persönliche Daten von Interessent/innen ab. In Wahrheit gibt es keine zu besetzende Stelle. Kriminelle nutzen die Angaben ihrer Opfer, damit sie mit diesen ein Konto eröffnen und darüber Geldwäscherei betreiben können. --------------------------------------------- https://www.watchlist-internet.at/news/warnung-vor-bewerbung-bei-webex-solu… ===================== = Vulnerabilities = ===================== ∗∗∗ Upcoming Security Updates for Adobe Acrobat and Reader (APSB18-29) ∗∗∗ --------------------------------------------- A prenotification security advisory (APSB18-29) has been posted regarding upcoming Adobe Acrobat and Reader updates scheduled for Tuesday, August 14, 2018. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1591 ∗∗∗ [Drupal] PHP Configuration - Critical - Arbitrary PHP code execution - SA-CONTRIB-2018-055 ∗∗∗ --------------------------------------------- This module enables you to add or overwrite PHP configuration on a drupal website. The module doesnt sufficiently allow access to set these configurations, leading to arbitrary PHP configuration execution by an attacker.This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer phpconfig". --------------------------------------------- https://www.drupal.org/sa-contrib-2018-055 ∗∗∗ RSYSLOG: Eine Schwachstelle ermöglicht u. a. einen Denial-of-Service-Angriff ∗∗∗ --------------------------------------------- Ein entfernter, nicht authentisierter Angreifer kann eine Schwachstelle in RSYSLOG ausnutzen, um einen Denial-of-Service (DoS)-Angriff durchzuführen oder möglicherweise auch beliebigen Programmcode zur Ausführung zu bringen. Der Hersteller hat RSYSLOG 8.37.0 (v8-stable) zur Verfügung gestellt. --------------------------------------------- https://adv-archiv.dfn-cert.de/adv/2018-1558/ https://www.adiscon.com/news/news-release/rsyslog-8-37-0-v8-stable-released/ ∗∗∗ Vulnerabilities in multiple third party TYPO3 CMS extensions ∗∗∗ --------------------------------------------- several vulnerabilities have been found in the following third party TYPO3 extensions: * "Heise Shariff" (rx_shariff) * "Register to tt_address" (registeraddress) * "Amazon AWS S3 FAL driver (CDN)" (aus_driver_amazon_s3) * "Powermail" (powermail) * "AWS SDK for PHP" (aws_sdk_php) * "Front End User Registration" (sr_feuser_register) * "Amazon Web Services SDK " (aws_sdk) * "Frontend Treeview" (mh_treeview) * "TemplaVoilà! Plus" (templavoilaplus) --------------------------------------------- http://lists.typo3.org/pipermail/typo3-announce/2018/000429.html ∗∗∗ Black Hat: Windows-10-Assistent Cortana reißt Sicherheitslücken auf ∗∗∗ --------------------------------------------- Auf der Black Hat in Las Vegas haben Forscher mehrere Lücken in Cortana aufgedeckt. So lässt sich zum Beispiel Schadcode über den Sprachassistenten ausführen. --------------------------------------------- http://heise.de/-4132425 ∗∗∗ BIND deny-answer-aliases Bug Lets Remote Users Cause the Target named Service to Crash ∗∗∗ --------------------------------------------- A remote user can trigger an INSIST assertion failure in 'name.c', causing the 'named' service to stop processing. Systems that use the "deny-answer-aliases" feature are affected. --------------------------------------------- http://www.securitytracker.com/id/1041436 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (kernel, linux-hardened, linux-lts, and linux-zen), Debian (kamailio and wpa), Fedora (kernel-headers, kernel-tools, moodle, and vim-syntastic), and openSUSE (clamav, enigmail, and java-11-openjdk). --------------------------------------------- https://lwn.net/Articles/762205/ ∗∗∗ IBM Security Bulletin: IBM UrbanCode Deploy diagnostics files may contain confidential data (CVE-2017-1286) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=swg2C1000377 ∗∗∗ IBM Security Bulletin: Vulnerabilities CVE-2018-1333 and CVE-2018-8011 in the IBM i HTTP Server affect IBM i. ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10720141 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Application Dependency Discovery Manager (TADDM) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10719933 ∗∗∗ IBM Security Bulletin: Plugins can be uploaded to IBM UrbanCode Deploy without Authentication (CVE-2017-1749) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=swg2C1000374 ∗∗∗ HPESBHF03805 rev.23 - Certain HPE products using Microprocessors from Intel, AMD, and ARM, with Speculative Execution, Elevation of Privilege and Information Disclosure (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754) ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.08.2018
by Daily end-of-shift report 08 Aug '18

08 Aug '18

===================== = End-of-Day report = ===================== Timeframe: Dienstag 07-08-2018 18:00 − Mittwoch 08-08-2018 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Update Mechanism Flaws Allow Remote Attacks on UEFI Firmware ∗∗∗ --------------------------------------------- The glitch stems from a functionality intended to allow updates to the UEFI firmware. --------------------------------------------- https://threatpost.com/update-mechanism-flaws-allow-remote-attacks-on-uefi-… ∗∗∗ Cookie Consent Script Used to Distribute Malware ∗∗∗ --------------------------------------------- Most websites today use cookies. Since May 25th, 2018, all websites that do business in the European Union (EU) had to make some changes to be compliant with the EU General Data Protection Regulation (GDPR). Even though cookie usage is mentioned only once in GDPR, any organization utilizing them to track users' browsing activity have had to add a warning about how they are using them and ask for the user consent. --------------------------------------------- https://blog.sucuri.net/2018/08/cookie-consent-script-used-to-distribute-ma… ∗∗∗ IT-Grundschutz: Neuer Online-Kurs veröffentlicht ∗∗∗ --------------------------------------------- Ein neues Online-Angebot für den modernisierten IT-Grundschutz erleichtert Anwendern den Einstieg in die Umsetzung der IT-Grundschutz-Methodik. Basierend auf dem IT-Grundschutz-Kompendium und den BSI-Standards 200-1,-2 und -3 führt die vom Bundesamt für Sicherheit in der Informationstechnik (BSI) entwickelte und veröffentlichte Web-Schulung die Anwender in unterschiedlichen Lektionen durch die IT-Grundschutz-Vorgehensweise. --------------------------------------------- https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2018/IT-Grundsch… ∗∗∗ PayPal-Betrug mit eigener E-Mailadrese ∗∗∗ --------------------------------------------- Konsument/innen erhalten von PayPal eine Benachrichtigung darüber, dass sie ihre E-Mailadresse für die Eröffnung eines Kontos bestätigen sollen. Das Konto haben Kriminelle eröffnet. Sie kaufen mit der fremden E-Mailadresse und erfundenen Daten ein. Die Rechnungen und Mahnungen dafür erhalten die Opfer. Diese müssen die offenen PayPal-Forderungen nicht bezahlen. --------------------------------------------- https://www.watchlist-internet.at/news/paypal-betrug-mit-eigener-e-mailadre… ===================== = Vulnerabilities = ===================== ∗∗∗ Medtronic MyCareLink 24950 Patient Monitor ∗∗∗ --------------------------------------------- This medical device advisory includes mitigation recommendations for insufficient verification of data authenticity and storing passwords in a recoverable format vulnerabilities in the Medtronic MyCareLink 24950 Patient Monitor. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSMA-18-219-01 ∗∗∗ Medtronic MiniMed 508 Insulin Pump ∗∗∗ --------------------------------------------- This medical device advisory includes mitigation recommendations for cleartext transmission of sensitive information and authentication bypass by capture-replay vulnerabilities in the Medtronic MiniMed 508 Insulin Pump. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSMA-18-219-02 ∗∗∗ Delta Electronics CNCSoft and ScreenEditor ∗∗∗ --------------------------------------------- This advisory includes mitigation recommendations for stack-based buffer overflow and out-of-bounds read vulnerabilities in Delta Electronics CNCSoft and ScreenEditor software. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-219-01 ∗∗∗ What Do I Need To Know about "SegmentSmack", (Wed, Aug 8th) ∗∗∗ --------------------------------------------- "SegmentSmack" is yet another branded vulnerability, also known as CVE-2018-5390. It hit the "news" yesterday. Succesful exploitation may lead to a denial of service against a targeted system. At this point, not a lot is known about this vulnerability. But here are some highlights: [...] --------------------------------------------- https://isc.sans.edu/forums/diary/What+Do+I+Need+To+Know+about+SegmentSmack… ∗∗∗ HPSBHF03589 rev. 2 - HP Ink Printers Remote Code Execution ∗∗∗ --------------------------------------------- Two security vulnerabilities have been identified with certain HP Inkjet printers. A maliciously crafted file sent to an affected device can cause a stack or static buffer overflow, which could allow remote code execution. --------------------------------------------- https://support.hp.com/us-en/document/c06097712 ∗∗∗ Android Security Bulletin - August 2018 ∗∗∗ --------------------------------------------- The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2018-08-05 or later address all of these issues. [...] The most severe of these issues is a critical vulnerability that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process. --------------------------------------------- https://source.android.com/security/bulletin/2018-08-01 ∗∗∗ 2018-08 Out of Cycle Security Bulletin: Junos platforms vulnerable to SegmentSmack attack [VU#962459] ∗∗∗ --------------------------------------------- [...] Crafted sequences of TCP/IP packets may allow a remote attacker to create a denial of service (DoS) condition on routing engines (REs) running Junos OS. The attack requires a successfully established two-way TCP connection to an open port. The rate of attack traffic is lower than typical thresholds for built-in Junos OS distributed denial-of-service (DDoS) protection, so additional configuration is required to defend against these issues on affected platforms. --------------------------------------------- https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10876 ∗∗∗ VMSA-2018-0019 ∗∗∗ --------------------------------------------- Horizon 6, 7, and Horizon Client for Windows updates address an out-of-bounds read vulnerability --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2018-0019.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (kernel), Fedora (ceph, exiv2, myrepos, and seamonkey), openSUSE (libofx and znc), Oracle (kernel), Red Hat (qemu-kvm-rhev), SUSE (clamav, kernel, and rubygem-sprockets-2_12), and Ubuntu (gnupg, lftp, libxcursor, linux-hwe, linux-azure, linux-gcp, linux-raspi2, and lxc). --------------------------------------------- https://lwn.net/Articles/762022/ ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (slurm-llnl), Fedora (libmspack), openSUSE (cups, kernel, kernel-firmware, libcgroup, and ovmf), Oracle (kernel), and SUSE (cups, enigmail, libcdio, and pidgin). --------------------------------------------- https://lwn.net/Articles/762098/ ∗∗∗ eDirectory 9.1.1 Hot Patch 1 ∗∗∗ --------------------------------------------- https://download.novell.com/Download?buildid=vP3nS-Hctkk~ ∗∗∗ IBM Security Bulletin: Security vulnerabilities in IBM® SDK for Node.js™ affect IBM® SDK for Node.js™ in IBM Cloud (CVE-2018-7158, CVE-2018-7159, CVE-2018-7160) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22011860 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium Data Redaction ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10718421 ∗∗∗ HPESBHF03850 rev.3 - HPE ProLiant, Synergy, and Moonshot Systems: Local Disclosure of Information, CVE-2018-3639 – Speculative Store Bypass and CVE-2018-3640 – Rogue System Register Read ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ WebKitGTK+ and WPE WebKit Security Advisory WSA-2018-0006 ∗∗∗ --------------------------------------------- https://webkitgtk.org/security/WSA-2018-0006.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.08.2018
by Daily end-of-shift report 07 Aug '18

07 Aug '18

===================== = End-of-Day report = ===================== Timeframe: Montag 06-08-2018 18:00 − Dienstag 07-08-2018 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Lets Encrypt Is Now Officially Trusted by All Major Root Certificates ∗∗∗ --------------------------------------------- Lets Encrypt announced yesterday that they are now directly trusted by all major root certificates including those from Microsoft, Google, Apple, Mozilla, Oracle, and Blackberry. With this announcement, Lets Encrypt is now directly trusted by all major browsers and operating systems. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lets-encrypt-is-now-official… ∗∗∗ DoS-Schwachstelle im Kernel - keine Panik! ∗∗∗ --------------------------------------------- In der Nacht auf heute wurde eine Schwachstelle im Linux Kernel bekannt, die einen DoS-Angriff durch spezielle TCP-Pakete ermöglicht ... Auf den ersten Blick klingt das hochkritisch und stellt eine enorme Gefahr für Unternehmen dar, die Webauftritte und Mailserver auf Linux-Servern betreiben. Auf den zweiten Blick gibt es jedoch einige wichtige Einschränkungen, die das Risiko minimieren. --------------------------------------------- https://www.cert.at/services/blog/20180807131134-2285.html ===================== = Vulnerabilities = ===================== ∗∗∗ Multiple vulnerabilities in multiple I-O DATA network camera products ∗∗∗ --------------------------------------------- Overview: Multiple network camera products provided by I-O DATA DEVICE, INC. contain multiple vulnerabilities. Products Affected: TS-WRLP firmware Ver.1.09.04 and earlier, TS-WRLA firmware Ver.1.09.04 and earlier, TS-WRLP/E firmware Ver.1.09.04 and earlier --------------------------------------------- https://jvn.jp/en/jp/JVN83701666/ ∗∗∗ FreeBSD: Eine Schwachstelle ermöglicht einen Denial-of-Service-Angriff ∗∗∗ --------------------------------------------- Ein entfernter, nicht authentisierter Angreifer kann die Schwachstelle durch den Versand von TCP-Paketen an ein betroffenes System ausnutzen und einen Denial-of-Service (DoS)-Zustand bewirken. --------------------------------------------- https://adv-archiv.dfn-cert.de/adv/2018-1548/ ∗∗∗ [openssl-announce] Forthcoming OpenSSL releases ∗∗∗ --------------------------------------------- The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.1.0i and 1.0.2p. These releases will be made available on 14th August 2018 between approximately 1200-1600 UTC. These are bug-fix releases. They also contain the fixes for two LOW severity security issues (CVE-2018-0732 and CVE-2018-0737) --------------------------------------------- https://mta.openssl.org/pipermail/openssl-announce/2018-August/000129.html ∗∗∗ Android Patchday: Monatliches Update beseitigt zahlreiche Schwachstellen ∗∗∗ --------------------------------------------- Wie bereits im Vormonat hat Google auch beim aktuellen Patchday durchweg Sicherheitslücken mit hohem bis kritischem Schweregrad beseitigt. --------------------------------------------- http://heise.de/-4130865 ∗∗∗ Manueller Umstieg nötig: Mozilla Thunderbird 60 mit wichtigen Security-Updates ∗∗∗ --------------------------------------------- Sieht schöner aus – und ist obendrein sicherer: Thunderbird-User sollten auf Version 60 umsteigen. Dazu ist ein manuelles Update erforderlich. --------------------------------------------- http://heise.de/-4131114 ∗∗∗ IBM Security Bulletin: IBM API Connect is vulnerable to denial of service attacks via https-proxy-agent/newrelic(a)3.1.0 (CVE-2018-3739) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10718999 ∗∗∗ IBM Security Bulletin: A vulnerability in IBM Java SDK affects IBM Spectrum Scale packaged in IBM Elastic Storage Server ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10717301 ∗∗∗ IBM Security Bulletin: IBM Flex System FC5022 16Gb SAN Scalable Switch is affected by vulnerabilities in Brocade Fabric OS (CVE-2017-6225 CVE-2017-6227) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10720085 ∗∗∗ JSA10876 - 2018-08 Out of Cycle Security Bulletin: Junos platforms vulnerable to SegmentSmack attack [VU#962459] ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10876&actp=RSS ∗∗∗ SSA-179516 (Last Update: 2018-08-07): OpenSSL Vulnerability in Industrial Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-179516.pdf ∗∗∗ SSA-979106 (Last Update: 2018-08-07): Vulnerabilities in SIMATIC STEP 7 (TIA Portal) and SIMATIC WinCC (TIA Portal) ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-979106.pdf ∗∗∗ SSA-920962 (Last Update: 2018-08-07): Vulnerabilities in Automation License Manager ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-920962.pdf ∗∗∗ HPESBHF03835 rev.1 - HPE Integrated Lights-Out 3, 4, 5 (iLO 3, 4, 5), Moonshot Chassis Manager, and Moonshot Component Pack, Remote Denial of Service ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.08.2018
by Daily end-of-shift report 06 Aug '18

06 Aug '18

===================== = End-of-Day report = ===================== Timeframe: Freitag 03-08-2018 18:00 − Montag 06-08-2018 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New Method Simplifies Cracking WPA/WPA2 Passwords on 802.11 Networks ∗∗∗ --------------------------------------------- It should be noted that this method does not make it easier to crack the password for a wireless network. It instead makes the process of acquiring a hash that can can be attacked to get the wireless password much easier. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-method-simplifies-cracki… ∗∗∗ DDoS-Angriffe: Die Bedrohung stabilisiert sich ∗∗∗ --------------------------------------------- Durch den Schlag gegen Webstresser.org haben DDoS-Angriffe im deutschsprachigen Raum klar nachgelassen. Grund zur Entwarnung ist das aber nicht. --------------------------------------------- http://heise.de/-4128961 ∗∗∗ Abmahnung der Anwalt AG wegen Urheberrechtsverletzung ∗∗∗ --------------------------------------------- Die ANWALT AG, vertreten durch Dr. Rene De La Porte, versendet eine Abmahnung wegen Urheberrechtsverletzung. Empfänger/innen sollen 426,55 Euro wegen eines Rechtsverstoßes auf kinox.to bezahlen. Das Schreiben ist betrügerisch. Konsument/innen müssen den Geldbetrag nicht bezahlen. --------------------------------------------- https://www.watchlist-internet.at/news/abmahnung-der-anwalt-ag-wegen-urhebe… ===================== = Vulnerabilities = ===================== ∗∗∗ Enigmail 2.0.8 released ∗∗∗ --------------------------------------------- A security issue has been fixed that allows an attacker to prepare a plain, unauthenticated HTML message in a way that it looks like its signed and/or encrypted. --------------------------------------------- https://www.enigmail.net/index.php/en/download/changelog ∗∗∗ EMC Data Protection Advisor XML External Entity Processing Flaw Lets Remote Authenticated Users Obtain Potentially Sensitive Information ∗∗∗ --------------------------------------------- A remote authenticated user can supply specially crafted XML External Entity (XXE) data to the target REST API to read files on the target system with the privileges of the target service or cause denial of service conditions on the target system. --------------------------------------------- http://www.securitytracker.com/id/1041417 ∗∗∗ CA API Developer Portal Input Validation Flaw Lets Remote Users Conduct Cross-Site Scripting Attacks ∗∗∗ --------------------------------------------- The developer portal does not properly filter HTML code from user-supplied input before displaying the input. A remote user can cause arbitrary scripting code to be executed by the target user's browser. --------------------------------------------- http://www.securitytracker.com/id/1041416 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (cgit, python-django, and python2-django), Debian (ant, cgit, libmspack, python-django, symfony, vim-syntastic, and xml-security-c), Fedora (kernel-headers, libao, libvorbis, mingw-gdal, mingw-xerces-c, and python-XStatic-jquery-ui), openSUSE (bouncycastle, java-10-openjdk, libgcrypt, libsndfile, mutt, nautilus, ovmf, python-dulwich, rpm, util-linux, wireshark, and xen), Oracle (kernel), Red Hat (kernel, openslp, rhvm-setup-plugins, and xmlrpc), --------------------------------------------- https://lwn.net/Articles/761923/ ∗∗∗ IBM Security Bulletin: Vulnerability in IBM Rhapsody Model Manager with potential for Cross-Site Scripting attack ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10718345 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.08.2018
by Daily end-of-shift report 03 Aug '18

03 Aug '18

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 02-08-2018 18:00 − Freitag 03-08-2018 18:00 Handler: Robert Waldner Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Cryptominers: Binary-Process-Cron Variants and Methods of Removal ∗∗∗ --------------------------------------------- This post provides a brief overview of how to manually remove server-side cryptominers and other types of Binary-Process-Cron malware from a server. Unlike browser-based JavaScript cryptominers that have been injected into a web page, a binary server-level cryptominer abuses server resources without affecting the computers or mobile devices of site .. --------------------------------------------- https://blog.sucuri.net/2018/08/cryptominer-variants-removal.html ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (busybox, graphicsmagick, and libmspack), Fedora (pam_yubico), Scientific Linux (openslp), Slackware (lftp), SUSE (cups, libtirpc, and thunderbird), and Ubuntu (clamav). --------------------------------------------- https://lwn.net/Articles/761752/ ∗∗∗ IBM Security Bulletin: IBM Maximo Asset Management could allow an authenticated user to obtain sensitive information from the WhoAmI API (CVE-2018-1528) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=swg22017450 ∗∗∗ IBM Security Bulletin: Invalid user group vulnerability in IBM MQ on Unix platform(CVE-2018-1551) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10716113 ∗∗∗ IBM Security Bulletin: Vulnerabilities in Rational DOORS Next Generation with potential for Cross-Site Scripting attack (CVE-2018-1422) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10719817 ∗∗∗ IBM Security Bulletin:A vulnerability in GSKit and GSKit-Crypto affects IBM Performance Management products (CVE-2018-1447) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22015283 ∗∗∗ HPESBHF03872 rev.1 - HPE Intelligent Management Center Platform (IMC PLAT), Remote Directory Traversal ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPESBHF03841 rev.2 - Certain HPE Servers with AMD-based Processors, Multiple Vulnerabilities (Fallout/Masterkey) ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPSBGN02298 SSRT071502 rev.3 - HP Notebook PC Quick Launch Button (QLB) Software Running on Windows, Remote Execution of Arbitrary Code, Gain Privileged Access ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.08.2018
by Daily end-of-shift report 02 Aug '18

02 Aug '18

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 01-08-2018 18:00 − Donnerstag 02-08-2018 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Crime and Crypto: An Evolution in Cyber Threats ∗∗∗ --------------------------------------------- Cybercriminals are constantly experimenting with new ways to take money from their victims. Their tactics evolve quickly to maximize returns and minimize risk. The emergence of cryptocurrency has opened up new opportunities to do just that. To better understand today’s threat landscape, it’s worth exploring the origins of cryptocurrencies and the progress cybercriminals have made in using it to advance their own interests. --------------------------------------------- https://www.webroot.com/blog/2018/08/02/crime-crypto-evolution-cyber-threat… ∗∗∗ Save the Date: 4th e-Health Security Conference ∗∗∗ --------------------------------------------- ENISA is organising the 4th eHealth Security workshop in cooperation with the Dutch Ministry of Health, Welfare and Sport, on the 14th of November. --------------------------------------------- https://www.enisa.europa.eu/news/enisa-news/save-the-date-4th-e-health-secu… ∗∗∗ Reddit Breach Highlights Limits of SMS-Based Authentication ∗∗∗ --------------------------------------------- Reddit.com today disclosed that a data breach exposed some internal data, as well as email addresses and passwords for some Reddit users. As Web site breaches go, this one doesnt seem too severe. Whats interesting about the incident is that it showcases once again why relying on mobile text messages (SMS) for two-factor authentication (2FA) can lull companies and end users into a false sense of security. --------------------------------------------- https://krebsonsecurity.com/2018/08/reddit-breach-highlights-limits-of-sms-… ∗∗∗ The Year Targeted Phishing Went Mainstream ∗∗∗ --------------------------------------------- A story published here on July 12 about a new sextortion-based phishing scheme that invokes a real password used by each recipient has become the most-read piece on KrebsOnSecurity since this site launched in 2009. And with good reason -- sex sells (the second most-read piece here was my 2015 scoop about the Ashley Madison hack). But beneath the lurid allure of both stories lies a more unsettling reality: It has never been easier for scam artists to launch convincing, targeted phishing and --------------------------------------------- https://krebsonsecurity.com/2018/08/the-year-targeted-phishing-went-mainstr… ===================== = Vulnerabilities = ===================== ∗∗∗ Drupal Core - 3rd-party libraries -SA-CORE-2018-005 ∗∗∗ --------------------------------------------- The Drupal project uses the Symfony library. The Symfony library has released a security update that impacts Drupal. Refer to the Symfony security advisory for the issue.The same vulnerability also exists in the Zend Feed and Diactoros libraries included in Drupal core; however, Drupal core does not use the vulnerable functionality. --------------------------------------------- https://www.drupal.org/SA-CORE-2018-005 ∗∗∗ Telegram: Passport-Dokumentenspeicher des Krypto-Messengers hat Schwachstellen ∗∗∗ --------------------------------------------- Geraten die von Telegram verwahrten Passwort-Hashes für Passport in falsche Hände, ließen sie sich leichter knacken, als man das eigentlich haben will. --------------------------------------------- http://heise.de/-4127755 ∗∗∗ Django Open Redirect Flaw in CommonMiddleware Lets Remote Users Redirect the Target Users Browser to an Arbitrary Site ∗∗∗ --------------------------------------------- On systems with django.middleware.common.CommonMiddleware and the APPEND_SLASH setting enabled and with a project that has a URL pattern that accepts any path ending in a slash, a remote user can create a URL that, when loaded by the target user, will redirect the target user's browser to an arbitrary site. --------------------------------------------- http://www.securitytracker.com/id/1041403 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (busybox and mutt), Fedora (bibutils and wireshark), openSUSE (glibc and rsyslog), Slackware (blueman), SUSE (cups, ovmf, and polkit), and Ubuntu (bouncycastle, libmspack, and python-django). --------------------------------------------- https://lwn.net/Articles/761625/ ∗∗∗ Vuln: Symfony CVE-2018-14773 Security Bypass Vulnerability ∗∗∗ --------------------------------------------- http://www.securityfocus.com/bid/104943 ∗∗∗ Cisco AMP for Endpoints Mac Connector Software Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Web Security Appliance Reflected and Document Object Model-Based Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Unified Communications Manager Reflected Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Small Business 300 Series Managed Switches Authenticated Reflected Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Small Business 300 Series Managed Switches Persistent Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Prime Collaboration Provisioning Unauthorized Password Change Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Identity Services Engine Cross-Site Request Forgery Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ IBM Security Bulletin: IBM Security Identity Manager is affected by an Apache vulnerability. ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10719413 ∗∗∗ IBM Security Bulletin: API Connect Developer Portal is affected by multiple PHP vulnerabilities ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10713449 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Installation Manager and IBM Packaging Utility ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=swg22016803 ∗∗∗ IBM Security Bulletin: IBM Maximo Asset Management installs with a default administrator account that a remote intruder could use to gain administrator access to the system.(CVE-2018-1524) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=swg22017452 ∗∗∗ IBM Security Bulletin : Multiple vulnerabilities in IBM GSKit affect IBM Host On-Demand. ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10716977 ∗∗∗ IBM Security Bulletin: Multiple security vulnerabilities have been identified in Open SSL, which is shipped with IBM Tivoli Network Manager IP Edition (CVE-2017-3737, CVE-2017-3738). ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10717007 ∗∗∗ HPESBST03857 rev.1 - HPE XP7 Command View Advanced Edition Products using JDK, Local and Remote Authentication Bypass ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPESBST03859 rev.1 - HPE XP P9000 Command View Advanced Edition Software (CVAE) - Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPESBST03860 rev.1 - HPE XP P9000 Command View Advanced Edition (CVAE) Software, Local and Remote Unauthorized Access to Sensitive Information ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.08.2018
by Daily end-of-shift report 01 Aug '18

01 Aug '18

===================== = End-of-Day report = ===================== Timeframe: Dienstag 31-07-2018 18:00 − Mittwoch 01-08-2018 18:00 Handler: Robert Waldner Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Facebook Phishing via SMS, (Wed, Aug 1st) ∗∗∗ --------------------------------------------- Facebook accounts are still a pretty hot commodity to spread malware. No ruse works better than having a "Friend" offer you some new software or browser extension. As a result, we keep seeing attempts to phish Facebook credentials. Late last week I came across a simple example of such an attempt that in particular targeted users of mobile .. --------------------------------------------- https://isc.sans.edu/diary/23940 ∗∗∗ When Cameras and Routers attack Phones. Spike in CVE-2014-8361 Exploits Against Port 52869, (Wed, Aug 1st) ∗∗∗ --------------------------------------------- Universal Plug an Play (UPnP) is the gift that keeps on giving. One interesting issue with UPnP (aside from the fact that it never ever should be exposed to the Internet, but often is), is the .. --------------------------------------------- https://isc.sans.edu/diary/23942 ∗∗∗ Österreichischer Hoster: E-Mail-Addressen bei EDIS abhanden gekommen ∗∗∗ --------------------------------------------- Die E-Mail-Adressen zu Kundenkonten des Hosters EDIS sind bei Have I Been Pwned aufgetaucht. Kunden der Firma wurden per E-Mail vor einem Zwischenfall gewarnt. --------------------------------------------- http://heise.de/-4125214 ∗∗∗ Efail: HTML Mails have no Security Concept and are to blame ∗∗∗ --------------------------------------------- I recently wrote down my thoughts about why I think deprecated cryptographic standards are to blame for the Efail vulnerability in OpenPGP and S/MIME. However I promised that Ill also cover the other .. --------------------------------------------- https://blog.hboeck.de:443/archives/894-Efail-HTML-Mails-have-no-Security-C… ===================== = Vulnerabilities = ===================== ∗∗∗ Johnson Controls Metasys and BCPro ∗∗∗ --------------------------------------------- This advisory includes mitigation recommendations for an information exposure through an error message vulnerability in Johnson Controls Metasys and BCPro products. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-212-02 ∗∗∗ WECON LeviStudioU ∗∗∗ --------------------------------------------- This advisory includes mitigation recommendations for stack-based buffer overflow and heap-based buffer overflow vulnerabilities in WECONs LeviStudioU HMI editor. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-212-03 ∗∗∗ AVEVA InTouch Access Anywhere ∗∗∗ --------------------------------------------- This advisory includes mitigation recommendations for a cross-site scripting vulnerability in the outdated and insecure third-party jQuery library used in the AVEVA InTouch Access Anywhere remote access software. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-212-04 ∗∗∗ AVEVA Wonderware License Server ∗∗∗ --------------------------------------------- This advisory includes mitigation recommendations for an improper restriction of operations within the bounds of a memory buffer vulnerability in the Flexera lmgrd third-party component used by the AVEVA Wonderware License Server. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-212-05 ∗∗∗ Vuln: Apache Camel CVE-2018-8027 XML External Entity Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.securityfocus.com/bid/104933 ∗∗∗ IBM Security Bulletin: IBM Maximo Asset Management is affected by a cross-site scripting vulnerability. (CVE-2018-1554) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10713695 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms (CVE-2018-2783) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10717143 ∗∗∗ IBM Security Bulletin: IBM MQ Appliance affected by an OpenSSL vulnerability (CVE-2018-0739) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10717517 ∗∗∗ IBM Security Bulletin: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit JNDI component could affect IBM InfoSphere Optim Performance Manager. CVE-2018-2633 CVE-2018-2603 CVE-2018-2579 ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=swg22014113 ∗∗∗ July 31, 2018 TNS-2018-11 [R1] SecurityCenter 5.7.0 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- http://www.tenable.com/security/tns-2018-11 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 31.07.2018
by Daily end-of-shift report 31 Jul '18

31 Jul '18

===================== = End-of-Day report = ===================== Timeframe: Montag 30-07-2018 18:00 − Dienstag 31-07-2018 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ "National CERT" vs. "National CSIRTs" ∗∗∗ --------------------------------------------- "National CERT" vs. "National CSIRTs"2018/07/31The NIS Directive built upon previous work in the space of network and information security and also tried to use the established language of the field. This worked - up to a point. Im trying to summarize the differences and pitfalls regarding the term "national CSIRT". --------------------------------------------- http://www.cert.at/services/blog/20180731155524-2252_en.html ∗∗∗ Betrug mit günstigen Wohnungen ∗∗∗ --------------------------------------------- Kriminelle inserieren günstige Wohnungen in guter Lage. Sie teilen Wohnungssuchenden mit, dass eine Besichtigung der Immobilie nur bei Bezahlung einer hohen Kaution möglich sei. Interessent/innen, die das Geld an das genannten Unternehmen bezahlen, verlieren es, denn es gibt die angebotene Wohnung nicht. --------------------------------------------- https://www.watchlist-internet.at/news/betrug-mit-guenstigen-wohnungen/ ∗∗∗ Update on the Distrust of Symantec TLS Certificates ∗∗∗ --------------------------------------------- Firefox 60 (the current release) displays an “untrusted connection” error for any website using a TLS/SSL certificate issued before June 1, 2016 that chains up to a Symantec root certificate. This is part of the consensus proposal for removing trust in Symantec TLS certificates that Mozilla adopted in 2017. This proposal was also adopted by the Google Chrome team, and more recently Apple announced their plan to distrust Symantec TLS certificates. --------------------------------------------- https://blog.mozilla.org/security/2018/07/30/update-on-the-distrust-of-syma… ===================== = Vulnerabilities = ===================== ∗∗∗ OTRS: Eine Schwachstelle ermöglicht das Erlangen von Administratorrechten ∗∗∗ --------------------------------------------- Ein Agent kann in OTRS als entfernter, einfach authentifizierter Angreifer mit Hilfe einer speziell präparierten URL seine Privilegien eskalieren und beliebige Benutzerrechte erlangen. Dazu gehören auch Adminstratorrechte. --------------------------------------------- https://adv-archiv.dfn-cert.de/adv/2018-1499/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (network-manager-vpnc), Fedora (wireshark), Oracle (java-1.7.0-openjdk and yum-utils), Red Hat (chromium-browser, java-1.7.0-openjdk, memcached, qemu-kvm-rhev, and yum-utils), Scientific Linux (java-1.7.0-openjdk and yum-utils), Slackware (file and seamonkey), SUSE (gdk-pixbuf, libcgroup, libcgroup1, libvirt, and sssd), and Ubuntu (mysql-5.5 and mysql-5.5, mysql-5.7). --------------------------------------------- https://lwn.net/Articles/761375/ ∗∗∗ Drupal 8 release on August 1st, 2018 - DRUPAL-PSA-2018-07-30 ∗∗∗ --------------------------------------------- The Drupal Security Team will be coordinating a security release for Drupal 8 this week on Wednesday, August 1, 2018. (We are issuing this PSA in advance because the in the regular security release window schedule, August 1 would not typically be a core security window.)The Drupal 8 core release will be made between noon and 3pm EDT. It is rated as moderately critical and will be an update to a vendor library only.August 1 also remains a normal security release window for contributed projects. --------------------------------------------- https://www.drupal.org/psa-2018-07-30 ∗∗∗ IBM Security Bulletin: Vulnerability in IBM WebSphere Application Server Affects IBM Emptoris Sourcing, IBM Emptoris Contract Management, IBM Emptoris Spend Analysis, IBM Emptoris Program Management and IBM Emptoris Service Procurement ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10719211 ∗∗∗ IBM Security Bulletin: Vulnerability in IBM WebSphere Application Server Affects IBM Emptoris Sourcing, IBM Emptoris Contract Management, IBM Emptoris Spend Analysis, IBM Emptoris Program Management and IBM Emptoris Service Procurement ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10719209 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IPv6 and MQ affect IBM SAN Volume Controller, IBM Storwize and IBM FlashSystem products ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10717931 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Monitoring ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=ibm10717693 ∗∗∗ IBM Security Bulletin: RCE vulnerability (CVE-2018-1595) affects IBM Platform Symphony, IBM Spectrum Symphony ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=isg3T1027819 ∗∗∗ IBM Security Bulletin: IBM BladeCenter Advanced Management Module (AMM) is affected by a vulnerability in freetype2 (CVE-2016-10328) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10719055 ∗∗∗ IBM Security Bulletin: IBM BladeCenter Advanced Management Module (AMM) is affected by vulnerabilities in dhcp (CVE-2018-5732 CVE-2018-5733) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10719059 ∗∗∗ IBM Security Bulletin: Vulnerability in IBM WebSphere Application Server Affects IBM Emptoris Sourcing, IBM Emptoris Contract Management, IBM Emptoris Spend Analysis, IBM Emptoris Program Management and IBM Emptoris Service Procurement ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10719203 ∗∗∗ IBM Security Bulletin: IBM BladeCenter Advanced Management Module (AMM) is affected by vulnerabilities in GNU C Library ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10719047 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM GSKit affect IBM Personal Communications ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10717437 ∗∗∗ Linux kernel vulnerability CVE-2016-8650 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K46394694 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.07.2018
by Daily end-of-shift report 30 Jul '18

30 Jul '18

===================== = End-of-Day report = ===================== Timeframe: Freitag 27-07-2018 18:00 − Montag 30-07-2018 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ An Introduction to the Xposed Framework for Android Penetration Testing ∗∗∗ --------------------------------------------- Introduction When it comes to the Pen Testing of Android-based applications, the main focus and attention of the Pen Tester is to live in the mindset of the Cyber attacker literally. The Pen Tester must then carry out an attack to see how the software code can be manipulated, what the weak spots of the […]The post An Introduction to the Xposed Framework for Android Penetration Testing appeared first on InfoSec Resources.An Introduction to the Xposed Framework for Android Penetration --------------------------------------------- https://resources.infosecinstitute.com/an-introduction-to-the-xposed-framew… ∗∗∗ Top 10 Free Threat-Hunting Tools ∗∗∗ --------------------------------------------- Threat hunting is an alternative approach to dealing with cyber-attacks, compared to network security systems that include appliances such as firewalls that monitor traffic as it flows through a system. While these common methods of defense generally investigate threats after they have occurred, the strategy of threat hunting involves searching through networks, detecting and isolating […]The post Top 10 Free Threat-Hunting Tools appeared first on InfoSec Resources.Top 10 Free --------------------------------------------- https://resources.infosecinstitute.com/top-10-free-threat-hunting-tools/ ∗∗∗ State Govts. Warned of Malware-Laden CD Sent Via Snail Mail from China ∗∗∗ --------------------------------------------- Heres a timely reminder that email isnt the only vector for phishing attacks: Several U.S. state and local government agencies have reported receiving strange letters via snail mail that include malware-laden compact discs (CDs) apparently sent from China, KrebsOnSecurity has learned. This particular ruse, while crude and simplistic, preys on the curiosity of recipients who may be enticed into popping the CD into a computer. --------------------------------------------- https://krebsonsecurity.com/2018/07/state-govts-warned-of-malware-laden-cd-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (libextractor and wesnoth), Debian (ffmpeg, fuse, libidn, mercurial, openssl, policykit-1, tomcat7, tomcat8, wireshark, and wordpress), Fedora (java-1.8.0-openjdk, java-openjdk, libpng10, php, sox, and suricata), Gentoo (curl and znc), openSUSE (bouncycastle, Chromium, cinnamon, e2fsprogs, ImageMagick, kernel, libgcrypt, mercurial, openssh, openssl-1_0_0, openssl-1_1, python, qutebrowser, rubygem-sprockets, shadow, and xen), Slackware (kernel), ... --------------------------------------------- https://lwn.net/Articles/761324/ ∗∗∗ IBM Security Bulletin: A security vulnerability has been identified in Open SSL, which is shipped with IBM Tivoli Network Manager IP Edition (CVE-2016-0702). ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10718745 ∗∗∗ IBM Security Bulletin: Users of Helm with IBM Cloud Private can elevate their privileges (CVE-2018-1714) ∗∗∗ --------------------------------------------- https://www-prd-trops.events.ibm.com/node/718339 ∗∗∗ IBM Security Bulletin: A vulnerability in Apache Solr (lucene) affects IBM InfoSphere Information Server ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22017447 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Business Developer. ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10717895 ∗∗∗ IBM Security Bulletin: IBM BladeCenter Advanced Management Module (AMM) is affected by a vulnerability in GNU C Library (CVE-2017-12133) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10718991 ∗∗∗ IBM Security Bulletin: IBM Flex System Chassis Management Module (CMM) is affected by a vulnerabilty in Freetype 2 (CVE-2016-10328) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10718665 ∗∗∗ IBM Security Bulletin: IBM Flex System Chassis Management Module (CMM) is affected by a vulnerabilty in PHP (CVE-2018-7584) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10718663 ∗∗∗ IBM Security Bulletin: IBM Flex System Chassis Management Module (CMM) is affected by vulnerabilties in dhcp (CVE-2018-5732, CVE-2018-5733) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10718661 ∗∗∗ IBM Security Bulletin: IBM Flex System Chassis Management Module (CMM) is affected by vulnerabilties in GNU C Library ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10718659 ∗∗∗ IBM Security Bulletin: IBM BladeCenter Advanced Management Module (AMM) is affected by a vulnerabilities in freetype2 (CVE-2016-10244 CVE-2017-8105 CVE-2017-8287) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10718993 ∗∗∗ IBM Security Bulletin: IBM Flex System Chassis Management Module (CMM) is affected by a vulnerability in IPsec-Tools (CVE-2016-10396) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10718657 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Platform Symphony and IBM Spectrum Symphony ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10718381 ∗∗∗ IBM Security Bulletin: IBM Cloud Functions is affected by two function runtimevulnerabilities ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10718977 ∗∗∗ HPESBHF03867 rev.1 - HPE Systems with Intel-based processors with SPI Flash Engine, Local Denial of Service ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.07.2018
by Daily end-of-shift report 27 Jul '18

27 Jul '18

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 26-07-2018 18:00 − Freitag 27-07-2018 18:00 Handler: Robert Waldner Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Häftlinge erhacken sich Guthaben im Wert von 225.000 Dollar ∗∗∗ --------------------------------------------- Durch Austricksen eines Tablet-Systems haben sich US-Häftlinge Guthaben für Digitalkonsum verschafft. --------------------------------------------- https://futurezone.at/digital-life/haeftlinge-erhacken-sich-guthaben-im-wer… ∗∗∗ NetSpectre liest RAM via Netzwerk aus ∗∗∗ --------------------------------------------- NetSpectre greift ohne ausführbaren Schadcode an – zwar fließen nur wenige Bytes pro Stunde, aber ungeschützte Server und Storage-Systeme sind angreifbar. --------------------------------------------- http://heise.de/-4121831 ∗∗∗ State Govts. Warned of Malware-Laden CD Sent Via Snail Mail from China ∗∗∗ --------------------------------------------- Heres a timely reminder that email isnt the only vector for phishing attacks: Several U.S. state and local government agencies have reported receiving strange letters via snail mail that include malware-laden compact discs (CDs) apparently sent from China, KrebsOnSecurity has learned. This particular ruse, while crude and simplistic, preys on the curiosity .. --------------------------------------------- https://krebsonsecurity.com/2018/07/state-govts-warned-of-malware-laden-cd-… ===================== = Vulnerabilities = ===================== ∗∗∗ Bugtraq: [CORE-2018-0009] - SoftNAS Cloud OS Command Injection ∗∗∗ --------------------------------------------- http://www.securityfocus.com/archive/1/542187 ∗∗∗ Vuln: Apache Kafka CVE-2017-12610 User Impersonation Vulnerability ∗∗∗ --------------------------------------------- http://www.securityfocus.com/bid/104899 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.07.2018
by Daily end-of-shift report 26 Jul '18

26 Jul '18

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 25-07-2018 18:00 − Donnerstag 26-07-2018 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ A mining multitool ∗∗∗ --------------------------------------------- Recently, an interesting miner implementation appeared on Kaspersky Lab’s radar. The malware, which we dubbed PowerGhost, is capable of stealthily establishing itself in a system and spreading across large corporate networks infecting both workstations and servers. --------------------------------------------- https://securelist.com/a-mining-multitool/86950/ ∗∗∗ Attack inception: Compromised supply chain within a supply chain poses new risks ∗∗∗ --------------------------------------------- A new software supply chain attack unearthed by Windows Defender Advanced Threat Protection (Windows Defender ATP) emerged as an unusual multi-tier case. Unknown attackers compromised the shared infrastructure in place between the vendor of a PDF editor application and one of its software vendor partners, making the apps legitimate installer the unsuspecting carrier of a Read more --------------------------------------------- https://cloudblogs.microsoft.com/microsoftsecure/2018/07/26/attack-inceptio… ∗∗∗ New Underminer Exploit Kit Delivers Bootkit and Cryptocurrency-mining Malware with Encrypted TCP Tunnel ∗∗∗ --------------------------------------------- We discovered a new exploit kit we named Underminer that employs capabilities used by other exploit kits to deter researchers from tracking its activity or reverse engineering the payloads. Underminer delivers a bootkit that infects the system’s boot sectors as well as a cryptocurrency-mining malware named Hidden Mellifera. Underminer transfers malware via an encrypted transmission control protocol (TCP) tunnel and packages malicious files with a customized format similar to ROM file --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/6eLtSVD7Bqc/ ∗∗∗ Zwei Jahre alter Mac-Trojaner kursiert wieder ∗∗∗ --------------------------------------------- Die Malware Calisto soll Vorläufer des Proton-Schädlings sein, der sich über gefälschte Apps verbreitete. --------------------------------------------- http://heise.de/-4120597 ===================== = Vulnerabilities = ===================== ∗∗∗ Xen Security Advisory 274 - Linux: Uninitialized state in PV syscall return path ∗∗∗ --------------------------------------------- A rogue user-space program could crash a guest kernel. Privilege escalation cannot be ruled out. --------------------------------------------- https://lists.xenproject.org/archives/html/xen-announce/2018-07/msg00004.ht… ∗∗∗ Sicherheitslücken in ClamAV: Angreifer können Rechner lahmlegen ∗∗∗ --------------------------------------------- Der Open-Souce-Virenscanner ermöglicht Denial-of-Service-Angriffe aus der Ferne. Das BSI rät zum umgehenden Update. --------------------------------------------- http://heise.de/-4120917 ∗∗∗ Vulnerability Spotlight: Multiple Vulnerabilities in Samsung SmartThings Hub ∗∗∗ --------------------------------------------- Cisco Talos recently discovered several vulnerabilities present within the firmware of the Samsung SmartThings Hub. In accordance with our coordinated disclosure policy, Cisco Talos has worked with Samsung to ensure that these issues have been resolved and that a firmware update has been made available for affected customers. --------------------------------------------- https://blog.talosintelligence.com/2018/07/samsung-smartthings-vulns.html ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (jenkins), CentOS (java-1.8.0-openjdk, openslp, and thunderbird), Fedora (dcraw and httpd), Oracle (java-1.8.0-openjdk and thunderbird), Red Hat (procps), Scientific Linux (thunderbird), SUSE (kernel), and Ubuntu (clamav and tomcat7, tomcat8). --------------------------------------------- https://lwn.net/Articles/760956/ ∗∗∗ IBM Security Bulletin: IBM QRadar Network Security is affected by GNU C library (glibc) vulnerabilities ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10716377 ∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in IBM Java SDK Affect IBM Emptoris Strategic Supply Management Suite of Products and IBM Emptoris Services Procurement ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10718395 ∗∗∗ IBM Security Bulletin: IBM Flex System Chassis Management Module (CMM) is affected by a vulnerabilty in libidn2 (CVE-2017-14062) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10718807 ∗∗∗ IBM Security Bulletin: IBM Flex System Chassis Management Module (CMM) is affected by a vulnerabilty in GNU C Library (CVE-2017-12133) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10718801 ∗∗∗ IBM Security Bulletin: IBM Flex System Chassis Management Module (CMM) is affected by vulnerabilities in NTP ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10718877 ∗∗∗ IBM Security Bulletin: IBM Flex System Chassis Management Module (CMM) is affected by vulnerabilities in freetype2 (CVE-2017-8287 CVE-2017-8105 CVE-2016-10244) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10718879 ∗∗∗ IBM Security Bulletin: IBM Flex System Chassis Management Module (CMM) is affected by vulnerabilities in libxml2 (CVE-2017-5130 CVE-2017-15412 CVE-2016-5131) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10718881 ∗∗∗ IBM Security Bulletin: IBM Flex System Chassis Management Module (CMM) is affected by a vulnerabilty in dhcp (CVE-2017-3144) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10718803 ∗∗∗ IBM Security Bulletin: IBM Flex System Chassis Management Module (CMM) is affected by a vulnerabilty in ncurses (CVE-2017-13733) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10718805 ∗∗∗ IBM Security Bulletin: Vulnerability in IBM Java SDK affect IBM Content Classification ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22014442 ∗∗∗ HPESBHF03836 rev.1 - HPE Routers and Switches running Linux-based Comware 5 and Comware 7 Software, Remote Unauthorized Disclosure of Information ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.07.2018
by Daily end-of-shift report 25 Jul '18

25 Jul '18

===================== = End-of-Day report = ===================== Timeframe: Dienstag 24-07-2018 18:00 − Mittwoch 25-07-2018 18:00 Handler: Stephan Richter Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Bitdefender Releases Decryption Tool for Older Version of LockCrypt Ransomware ∗∗∗ --------------------------------------------- Romanian antivirus firm Bitdefender released yesterday a decryption tool that can recover files encrypted by an older version of the LockCrypt ransomware, the one that locks files with the .1btc extension. --------------------------------------------- https://www.bleepingcomputer.com/news/security/bitdefender-releases-decrypt… ∗∗∗ VB2017 paper and update: Browser attack points still abused by banking trojans ∗∗∗ --------------------------------------------- At VB2017, ESET researchers Peter Kálnai and Michal Poslušný looked at how banking malware interacts with browsers. Today we publish their paper, share the video of their presentation, and also publish a guest blog post from Peter, in which he summarises the recent developments in this space. --------------------------------------------- https://www.virusbulletin.com:443/blog/2018/07/vb2017-paper-and-update-brow… ∗∗∗ Anmeldung auf Probenheld.de ist nicht empfehlenswert ∗∗∗ --------------------------------------------- Gehäuft gehen Beschwerden zu probenheld.de bei uns ein. Die betroffenen Personen berichten von nicht bestellten Produktzusendungen und Rechnungen für Produktproben, die als gratis ausgewiesen waren. Wir empfehlen InteressentInnen sich nicht bei probenheld.de anzumelden, denn der Anbieter verstößt gegen gesetzliche Vorgaben und ist nicht als vertrauenswürdig einzustufen. Erhaltene Rechnungen, Mahnungen oder Inkassoschreiben sollten nicht bezahlt werden. --------------------------------------------- https://www.watchlist-internet.at/news/anmeldung-auf-probenheldde-ist-nicht… ∗∗∗ DHS Warns of Impending Cyber-Attacks on ERP Systems ∗∗∗ --------------------------------------------- the US Department of Homeland Security (DHS) has issued an alert warning of increased activity from nation-state hackers, criminal groups, and hacktivists against Enterprise Resource Planning (ERP) systems. The warning is based on a joint report published two days ago by threat intelligence firms Digital Shadows and Onapsis. --------------------------------------------- https://www.bleepingcomputer.com/news/security/dhs-warns-of-impending-cyber… ===================== = Vulnerabilities = ===================== ∗∗∗ Apache Tomcat: Wichtige Updates schließen Sicherheitslücken ∗∗∗ --------------------------------------------- Neue Versionen der 7er-, 8er- und 9er-Reihe des Anwendungsservers Apache Tomcat bringen unter anderem zwei dringliche Security-Fixes mit. --------------------------------------------- http://heise.de/-4119967 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ant, evolution-data-server, libarchive-zip-perl, mailman, resiprocate, slurm-llnl, and sympa), Mageia (firmware, kernel, microcode, and wesnoth), openSUSE (Chromium), Oracle (openslp and thunderbird), Red Hat (java-1.7.0-oracle, java-1.8.0-oracle, kernel, qemu-kvm-rhev, and thunderbird), SUSE (kernel, nautilus, and xen), and Ubuntu (ant and clamav). --------------------------------------------- https://lwn.net/Articles/760803/ ∗∗∗ Cisco CallManager Express Unauthorized Access Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Red Hat JBoss Data Virtualization: Eine Schwachstelle ermöglicht einen Clickjacking-Angriff ∗∗∗ --------------------------------------------- https://adv-archiv.dfn-cert.de/adv/2018-1457/ ∗∗∗ Security Advisory - Buffer Overflow Vulnerability on Several Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2018/huawei-sa-20180725-… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM® Db2® ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=ibm10713455 ∗∗∗ IBM Security Bulletin: A vulnerability in OpenSSL affect IBM® SDK for Node.js™ in IBM Cloud (CVE-2018-0739) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22016251 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Tivoli Netcool Configuration Manager (CVE-2017-10356). ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22016354 ∗∗∗ BIG-IP APM per-request policy object vulnerability CVE-2018-5536 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K27391542 ∗∗∗ TMM vulnerability CVE-2018-5530 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K45611803 ∗∗∗ BIG-IP ASM vulnerability CVE-2018-5539 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K75432956 ∗∗∗ HTTPS monitor vulnerability CVE-2018-5542 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K05112543 ∗∗∗ TMM vulnerability CVE-2018-5537 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K94105051 ∗∗∗ DNS Express vulnerability CVE-2018-5538 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K45435121 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.07.2018
by Daily end-of-shift report 24 Jul '18

24 Jul '18

===================== = End-of-Day report = ===================== Timeframe: Montag 23-07-2018 18:00 − Dienstag 24-07-2018 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Subdomain Takeover: Verwaiste Domains einfach übernehmen ∗∗∗ --------------------------------------------- Subdomain Takeover wird in der IT-Security- und Hacker-Szene immer beliebter. Denn mit der einfachen Übernahme einer verwaisten Subdomain lassen sich schöne Angriffe durchführen oder Bug Bountys von Unternehmen einstreichen. (Sicherheitslücke, Web Service) --------------------------------------------- https://www.golem.de/news/subdomain-takeover-verwaiste-domains-einfach-uebe… ∗∗∗ Vulnerability in Hangouts Chat a.k.a. how Electron makes open redirect great again ∗∗∗ --------------------------------------------- [...] It may therefore seem that looking for security issues in the Electron app will not differ from the web version. This is mostly true, with one important caveat. The web version, when displayed in a browser, contains an address bar. The address bar is in fact the only place where the user can tell if (s)he trusts the domain or not. --------------------------------------------- https://blog.bentkowski.info/2018/07/vulnerability-in-hangouts-chat-aka-how… ∗∗∗ Förderprogramm der EU zur Stärkung der Cyber-Sicherheit bei KRITIS-Betreibern und Anbietern digitaler Dienste ∗∗∗ --------------------------------------------- Betreiber Kritischer Infrastrukturen (OES) und Anbieter digitaler Dienste (DSP) im Sinne der NIS-Richtlinie haben noch bis zum 22. November 2018 die Möglichkeit, sich um Fördermittel der Europäischen Union im Rahmen des "2018 CEF Telecom Call - Cyber Security" (CEF-TC-2018-3) zu bewerben. --------------------------------------------- https://www.bsi.bund.de/DE/Presse/Kurzmeldungen/Meldungen/EU-Foerderung_KRI… ∗∗∗ Recent Emotet activity ∗∗∗ --------------------------------------------- So far in 2018, Ive seen a great deal of malicious spam (malspam) pushing Emotet malware. Its probably the most common malspam threat Ive seen so far in 2018. Within the past week, the some good posts about Emotet have been published: [...] --------------------------------------------- https://isc.sans.edu/forums/diary/Recent+Emotet+activity/23908/ ∗∗∗ Bluetooth-Lücke in Millionen Geräten entdeckt ∗∗∗ --------------------------------------------- Eine Nachlässigkeit beim Pairing erlaubt es Angreifer, sich in die Verbindung einzuklinken. Betroffen sind etliche Hersteller, darunter Apple und Qualcomm. --------------------------------------------- http://heise.de/-4118968 ∗∗∗ CPU-Lücken ret2spec und SpectreRSB entdeckt ∗∗∗ --------------------------------------------- Forscher der Uni Saarland und der Uni Kalifornien enttarnen neue Sicherheitslücken, die zu bekannten und erwarteten Spectre- und Spectre-NG-Bugs hinzukommen. --------------------------------------------- http://heise.de/-4119197 ∗∗∗ Chinesische Domainregistrierung mit Unternehmensname ∗∗∗ --------------------------------------------- Unternehmen erhalten eine E-Mail, in der es heißt, dass Dritte ihren Unternehmensnamen für eine chinesische Domainregistrierung nutzen wollen. Aus diesem Grund macht ihnen chinaregistriy.net.cn das Angebot, sich die Domain rechtzeitig zu sichern. Die Preise dafür sind weit überhöht. Eine Notwendigkeit für die Registrierung gibt es nicht. --------------------------------------------- https://www.watchlist-internet.at/news/chinesische-domainregistrierung-mit-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (network-manager-vpnc), Fedora (haproxy, mailman, and NetworkManager-vpnc), Mageia (clamav, ffmpeg, rust, thunderbird, and wireshark), Oracle (java-1.8.0-openjdk and openslp), Red Hat (rh-ror42-rubygem-sprockets and rh-ror50-rubygem-sprockets), Scientific Linux (java-1.8.0-openjdk and openslp), SUSE (ImageMagick, libofx, php53, and python-dulwich), and Ubuntu (linux, linux-aws, linux-azure, linux-gcp, linux-kvm, linux-oem, linux-hwe, linux-azure, [...] --------------------------------------------- https://lwn.net/Articles/760685/ ∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affects IBM WebSphere Application Server in IBM Cloud April 2018 CPU ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=ibm10718297 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational Directory Server (Tivoli) & Rational Directory Administrator ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10717631 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in Jackson-databind affect IBM InfoSphere Information Server ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22016016 ∗∗∗ IBM Security Bulletin: Vulnerability in OpenSSL affects FlashCopy Manager shipped with IBM® Db2® LUW (CVE-2017-3738, CVE-2017-3737). ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=ibm10716907 ∗∗∗ IBM Security Bulletin: Vulnerability in IBM WebSphere Application Server Affects IBM Emptoris Sourcing, IBM Emptoris Contract Management, IBM Emptoris Spend Analysis, IBM Emptoris Program Management and IBM Emptoris Service Procurement ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10718419 ∗∗∗ Binutils vulnerabilities CVE-2018-8945, CVE-2018-12697, CVE-2018-12698, CVE-2018-12699, and CVE-2018-12700 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K01152385 ∗∗∗ Binutils vulnerability CVE-2018-13033 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K20503360 ∗∗∗ Multiple BinUtils vulnerabilities ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K52513065 ∗∗∗ BinUtils vulnerabilities CVE-2018-6759 and CVE-2018-6872 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K52513065 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.07.2018
by Daily end-of-shift report 23 Jul '18

23 Jul '18

===================== = End-of-Day report = ===================== Timeframe: Freitag 20-07-2018 18:00 − Montag 23-07-2018 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Half a Billion IoT Devices Vulnerable to DNS Rebinding Attacks ∗∗∗ --------------------------------------------- Armis, the cyber-security firm that discovered the BlueBorne vulnerabilities in the Bluetooth protocol, warns that nearly half a billion of todays "smart" devices are vulnerable to a decade-old attack known as DNS rebinding. --------------------------------------------- https://www.bleepingcomputer.com/news/security/half-a-billion-iot-devices-v… ∗∗∗ Academics Announce New Protections Against Spectre and Rowhammer Attacks ∗∗∗ --------------------------------------------- Academics from multiple universities have announced fixes for two severe security flaws known as Spectre and Rowhammer. --------------------------------------------- https://www.bleepingcomputer.com/news/security/academics-announce-new-prote… ∗∗∗ Weblogic Exploit Code Made Public (CVE-2018-2893), (Fri, Jul 20th) ∗∗∗ --------------------------------------------- [UPDATE] We do see first exploit attempts. The exploit attempts to download additional code from %%ip:185.159.128.200%% . We are still looking at details, but it looks like the code attempts to install a backdoor. The initial exploit came from %%ip:5.8.54.27%%. --------------------------------------------- https://isc.sans.edu/diary/rss/23896 ∗∗∗ Maldoc analysis with standard Linux tools, (Sun, Jul 22nd) ∗∗∗ --------------------------------------------- I received a malicious Word document (Richiesta.doc MD5 2f87105fea2d4bae72ebc00efc6ede56) with heavily obfuscated VBA code: just a few functional lines of code, the rest is junk code. --------------------------------------------- https://isc.sans.edu/diary/rss/23900 ∗∗∗ TA18-201A: Emotet Malware ∗∗∗ --------------------------------------------- Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Emotet continues to be among the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors. --------------------------------------------- https://www.us-cert.gov/ncas/alerts/TA18-201A ∗∗∗ TeamViewer reagiert auf Passwort-Leck ∗∗∗ --------------------------------------------- Das Fernwartungs-Tool TeamViewer wird vergesslich: Künftig merkt es sich Passwörter nur noch fünf Minuten, um Angriffe zu erschweren. --------------------------------------------- http://heise.de/-4118201 ∗∗∗ Erpressung durch Passwortdiebstahl und Masturbationsvideo ∗∗∗ --------------------------------------------- InternetuserInnen erhalten momentan vermehrt E-Mails in denen sie dazu aufgefordert werden, Geld dafür zu bezahlen, dass ein heimlich per Webcam aufgenommenes Masturbationsvideo von ihnen nicht veröffentlicht wird. Um zu einer Zahlung zu bewegen, wird auch ein altes Passwort der betroffenen Personen in der Mail angegeben. EmpfängerInnen der Nachricht sollten ihre Passwörter ändern aber das Geld auf keinen Fall bezahlen, denn die Masturbationsvideos existieren nicht. --------------------------------------------- https://www.watchlist-internet.at/news/erpressung-durch-passwortdiebstahl-u… ∗∗∗ Nicht im Fake-Shop fitolino.net einkaufen ∗∗∗ --------------------------------------------- Der Online-Shop fitolino.net vertreibt günstige Produkte für den Haushalt und den Garten. Konsument/innen, die bei dem Anbieter einkaufen, verlieren ihr Geld, denn trotz Bezahlung gibt es keine Ware. Darüber hinaus verfügen Kriminelle über Daten ihrer Opfer, die sie für Verbrechen unter fremden Namen nützen können. --------------------------------------------- https://www.watchlist-internet.at/news/nicht-im-fake-shop-fitolinonet-einka… ===================== = Vulnerabilities = ===================== ∗∗∗ National Instruments Linux Driver Remote Code Injection ∗∗∗ --------------------------------------------- Topic: National Instruments Linux Driver Remote Code Injection Risk: High Text:Hello folks, ive recently discovered a critical vulnerability in the National Instruments Linux driver package, which open [...] --------------------------------------------- https://cxsecurity.com/issue/WLB-2018070204 ∗∗∗ OpenSSL vulnerability CVE-2018-0732 ∗∗∗ --------------------------------------------- OpenSSL vulnerability CVE-2018-0732. Security Advisory. Security Advisory Description. During key agreement in a TLS [...] --------------------------------------------- https://support.f5.com/csp/article/K21665601 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (apache, networkmanager-vpnc, and znc), Debian (gosa, opencv, and slurm-llnl), Fedora (evolution, evolution-data-server, evolution-ews, gnome-bluetooth, libtomcrypt, podman, python-cryptography, and rust), Gentoo (passenger), Red Hat (java-1.8.0-openjdk and openslp), Slackware (php), SUSE (openssl-1_1, procps, python, rsyslog, rubygem-passenger, and xen), and Ubuntu (mutt). --------------------------------------------- https://lwn.net/Articles/760583/ ∗∗∗ Synology-SA-18:37 Photo Station ∗∗∗ --------------------------------------------- A vulnerability allows remote attackers to hijack web sessions via a susceptible version of Synology Photo Station. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_18_37 ∗∗∗ VU#304725: Bluetooth implementations may not sufficiently validate elliptic curve parameters during Diffie-Hellman key exchange ∗∗∗ --------------------------------------------- http://www.kb.cert.org/vuls/id/304725 ∗∗∗ Bugtraq: Sourcetree - Remote Code Execution vulnerabilities - CVE-2018-11235 ∗∗∗ --------------------------------------------- http://www.securityfocus.com/archive/1/542174 ∗∗∗ Apache Tomcat: Mehrere Schwachstellen ermöglichen u. a. das Erlangen von Benutzerrechten ∗∗∗ --------------------------------------------- https://adv-archiv.dfn-cert.de/adv/2018-1443/ ∗∗∗ Apple macOS: Mehrere Schwachstellen ermöglichen u. a. die komplette Systemübernahme ∗∗∗ --------------------------------------------- https://adv-archiv.dfn-cert.de/adv/2018-1059/ ∗∗∗ IBM Security Bulletin: Multiple Security Vulnerabilities affect IBM® Cloud Private ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=ibm10716653 ∗∗∗ IBM Security Bulletin: A Security Vulnerability affects IBM® Cloud Private (‪CVE-2018-8012)‬‬‬ ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=ibm10716659 ∗∗∗ IBM Security Bulletin: Multiple Security Vulnerabilities affect IBM® Cloud Private (‪CVE-2017-3738, CVE-2017-3736)‬‬‬ ∗∗∗ --------------------------------------------- https://www-prd-trops.events.ibm.com/node/716657 ∗∗∗ IBM Security Bulletin: Rational Software Architect Design Manager is vulnerable to cross-site scripting (CVE-2018-1400) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=ibm10717617 ∗∗∗ RSA Archer Flaws Let Remote Authenticated Users Conduct Cross-Site Scripting Attacks and Gain Elevated Privileges via a REST API ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1041359 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.07.2018
by Daily end-of-shift report 20 Jul '18

20 Jul '18

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 19-07-2018 18:00 − Freitag 20-07-2018 18:00 Handler: Alexander Riepl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Calisto Trojan for macOS ∗∗∗ --------------------------------------------- As researchers we interesting in developmental prototypes of malware that have had limited distribution or not even occurred in the wild. We recently came across one such sample: a macOS backdoor that we named Calisto. --------------------------------------------- https://securelist.com/calisto-trojan-for-macos/86543/ ∗∗∗ Reporting Malicious Websites in 2018, (Thu, Jul 19th) ∗∗∗ --------------------------------------------- Back in 2010 I wrote up a quick diary on how to report malicious websites at the end of your incident reponse process (https://isc.sans.edu/forums/diary/How+Do+I+Report+Malicious+Websites/8719/). John C, a reader, asked for an update. Let's see how munch has changed in the past 8 years... --------------------------------------------- https://isc.sans.edu/diary/rss/23892 ∗∗∗ Sicherheitsupdates: VMware Horizon View Agent könnte Anmeldeinformationen leaken ∗∗∗ --------------------------------------------- Wichtige Patches schließen Sicherheitslücken in verschiedenen Anwendungen von VMware. --------------------------------------------- http://heise.de/-4116871 ∗∗∗ TLS 1.2: Client-Zertifikate als Tracking-Falle ∗∗∗ --------------------------------------------- Kombiniert mit TLS 1.2 lassen sich Client-Zertifikate zum Tracking missbrauchen. So ließen sich etwa die Aktivitäten von Millionen iPhone-Nutzern mitverfolgen. --------------------------------------------- http://heise.de/-4117357 ∗∗∗ The danger of third parties: ads, pipelines, and plugins ∗∗∗ --------------------------------------------- We take a look at the perils of the tools and services embedded into the websites you use on a daily basis, thanks to the development help of third parties. --------------------------------------------- https://blog.malwarebytes.com/101/2018/07/third-party-dangers-ads-pipelines… ∗∗∗ Hunting for Bad Apples — Part 2 ∗∗∗ --------------------------------------------- In the previous post in this series, I introduced the use case of an attacker persisting via a LaunchAgent/Daemon, and a few osquery queries to detect such activity. In this post, I will discuss hunting for activity resulting from attackers using the tactic of defense evasion on MacOS systems, and corresponding techniques. --------------------------------------------- https://posts.specterops.io/hunting-for-bad-apples-part-2-6f2d01b1f7d3 ===================== = Vulnerabilities = ===================== ∗∗∗ AVEVA InduSoft Web Studio and InTouch Machine Edition ∗∗∗ --------------------------------------------- This advisory includes mitigation recommendations for a stack-based buffer overflow vulnerability in AVEVAs InduSoft Web Studio and InTouch Machine Edition. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-200-01 ∗∗∗ AVEVA InTouch ∗∗∗ --------------------------------------------- This advisory includes mitigation recommendations for a stack-based buffer overflow vulnerability in AVEVAs InTouch HMI software. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-200-02 ∗∗∗ Echelon SmartServer 1, SmartServer 2, SmartServer 3, i.LON 100, i.LON 600 ∗∗∗ --------------------------------------------- This advisory includes mitigation recommendations for information exposure, authentication bypass using an alternate path or channel, unprotected storage of credentials, cleartext transmission of sensitive information vulnerabilities in the Echelon SmartServer 1, SmartServer 2, i.LON 100, i.LON 600 products. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-200-03 ∗∗∗ HPESBHF03864 rev.1 - HPE Intelligent Management Center (iMC PLAT), Remote Code Execution ∗∗∗ --------------------------------------------- A security vulnerability in HPE Intelligent Management Center (iMC) PLAT 7.3 E0506P07. The vulnerability could be exploited to allow remote execution of code. --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docId=hpesbhf03864en_us ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (dnsmasq, linux-base, and openjpeg2), Fedora (libgit2, libtomcrypt, openslp, and perl-Archive-Zip), and openSUSE (gdk-pixbuf, libopenmpt, mercurial, perl, php7, polkit, and rsyslog). --------------------------------------------- https://lwn.net/Articles/760450/ ∗∗∗ Sophos UTM: Mehrere Schwachstellen ermöglichen u. a. einen Denial-of-Service-Angriff ∗∗∗ --------------------------------------------- https://adv-archiv.dfn-cert.de/adv/2018-1441/ ∗∗∗ Foxit Reader, Foxit PhantomPDF: Mehrere Schwachstellen ermöglichen u. a. die Ausführung beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://adv-archiv.dfn-cert.de/adv/2018-1434/ ∗∗∗ IBM Security Bulletin: IBM Integrated Management Module II (IMM2) is affected by vulnerability in Libidn2 (CVE-2017-14062) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=ibm10717427 ∗∗∗ IBM Security Bulletin: IBM Integrated Management Module II (IMM2) is affected by vulnerability in GNU C Library (CVE-2017-12133) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=ibm10717425 ∗∗∗ IBM Security Bulletin: Vulnerability in OpenSSH affects IBM SAN Volume Controller, IBM Storwize and IBM FlashSystem products (CVE-2016-10708) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10717661 ∗∗∗ IBM Security Bulletin: Malformed message headers could cause message transmission to be blocked through channels resulting in denial of service in IBM MQ(CVE-2018-1503) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22015617 ∗∗∗ IBM Security Bulletin: IBM Integrated Management Module II (IMM2) is affected by vulnerabilities in GNU C Library ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=ibm10717429 ∗∗∗ IBM Security Bulletin: IBM Integrated Management Module II (IMM2) is affected by vulnerabilities in libxml/libxml2 ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=ibm10717431 ∗∗∗ IBM Security Bulletin: IBM Integrated Management Module II (IMM2) is affected by vulnerabilities in dhcp ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10717433 ∗∗∗ IBM Security Bulletin: IBM Integrated Management Module II (IMM2) is affected by vulnerability in Ncurses (CVE-2017-13733) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=ibm10717423 ∗∗∗ IBM Security Bulletin: IBM Integrated Management Module II (IMM2) is affected by vulnerability in cURL/libcURL (CVE-2016-7141) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=ibm10717421 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.07.2018
by Daily end-of-shift report 19 Jul '18

19 Jul '18

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 18-07-2018 18:00 − Donnerstag 19-07-2018 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Adult Site Blackmail Spammers made Over $50K in One Week ∗∗∗ --------------------------------------------- After examining 42 bitcoin addresses associated with a current extortion scam, it was discovered that over $50,000 USD in payments have been made. --------------------------------------------- https://www.bleepingcomputer.com/news/security/adult-site-blackmail-spammer… ∗∗∗ Security: OpenBSD versteckt und enthüllt Dateisystemzugriffe ∗∗∗ --------------------------------------------- Zusätzlich zum Filtern von Systemaufrufen erstellt das Team von OpenBSD eine Technik, um Dateisystemzugriffe einer Anwendung weitgehend zu beschränken. Beide Techniken sollen sich ergänzen und das Ausführen von Anwendungen sicherer machen. --------------------------------------------- https://www.golem.de/news/security-openbsd-versteckt-und-enthuellt-dateisys… ∗∗∗ Credential Stuffing: 90 Prozent der Onlineshop-Logins kommen von Unbefugten ∗∗∗ --------------------------------------------- Obwohl es 2017 weniger Fälle geleakter Zugangsdaten gab, blüht der Handel mit E-Mail-Adressen und Passwörtern wie eh und je. Das funktioniert auch deswegen so gut, weil Nutzer noch immer ein und dasselbe Passwort für verschiedene Konten verwenden. --------------------------------------------- https://www.golem.de/news/credential-stuffing-90-prozent-der-onlineshop-log… ∗∗∗ Hiding Malware Inside Images on GoogleUserContent ∗∗∗ --------------------------------------------- If you have been following our blog for a long time, you might remember us writing about malware that used EXIF data to hide its code. This technique is still in use. Let us show you a recent example. Contaminated Pac-Man This code was found at the beginning of a malicious script that steals PayPal security tokens. As you .. --------------------------------------------- https://blog.sucuri.net/2018/07/hiding-malware-inside-images-on-googleuserc… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Webex Teams Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in Cisco Webex Teams could allow an unauthenticated, remote attacker to execute arbitrary code on the user’s device, possibly with elevated privileges.The vulnerability occurs .. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Webex Network Recording Players Remote Code Execution Vulnerabilities ∗∗∗ --------------------------------------------- Multiple vulnerabilities exist in the Cisco Webex Network Recording Player for Advanced Recording Format (ARF) and Webex Recording Format (WRF) files. An attacker could exploit these vulnerabilities by .. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Unified Communications Manager IM And Presence Service Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the web framework of the Cisco Unified Communications Manager IM and Presence Service software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack .. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Multiple Vulnerabilities in Cisco Unified Contact Center Express ∗∗∗ --------------------------------------------- Multiple vulnerabilities in the web-based management interface of Cisco Unified Contact Center Express (Unified CCX) could allow an unauthenticated, remote attacker to conduct cross-site scripting .. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ DSA-4250 wordpress - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2018/dsa-4250 ∗∗∗ DSA-4251 vlc - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2018/dsa-4251 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.07.2018
by Daily end-of-shift report 18 Jul '18

18 Jul '18

===================== = End-of-Day report = ===================== Timeframe: Dienstag 17-07-2018 18:00 − Mittwoch 18-07-2018 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Open MongoDB Database Exposes Mobile Games Money Laundering Operation ∗∗∗ --------------------------------------------- The US Department of Justice, Apple, and game maker Supercell, have been warned of a money laundering ring that uses fake Apple accounts and gaming profiles to make transactions with stolen credit/debit .. --------------------------------------------- https://www.bleepingcomputer.com/news/security/open-mongodb-database-expose… ∗∗∗ Microsoft launches Identity Bounty program ∗∗∗ --------------------------------------------- Modern security depends today on collaborative communication of identities and identity data within and across domains. A customer’s digital identity is often the key to accessing services and interacting across the internet. Microsoft .. --------------------------------------------- https://blogs.technet.microsoft.com/msrc/2018/07/17/microsoft-launches-iden… ∗∗∗ The SIM Hijackers ∗∗∗ --------------------------------------------- Lorenzo Franceschi-Bicchierai of Motherboard has a chilling story on how hackers flip seized Instagram handles and cryptocurrency in a shady, buzzing underground market for stolen accounts and usernames. Their .. --------------------------------------------- https://yro.slashdot.org/story/18/07/18/0554224/the-sim-hijackers ∗∗∗ How the Rise of Cryptocurrencies Is Shaping the Cyber Crime Landscape:The Growth of Miners ∗∗∗ --------------------------------------------- Cyber criminals tend to favor cryptocurrencies because they provide a certain level of anonymity and can be easily monetized. This interest has increased in recent years, stemming far beyond the desire to simply use cryptocurrencies as a method of payment for illicit tools and services. Many actors have also attempted to capitalize on the growing .. --------------------------------------------- http://www.fireeye.com/blog/threat-research/2018/07/cryptocurrencies-cyber-… ∗∗∗ Critical Patch Update: Oracle wirft Paket mit 334 Sicherheitspatches ab ∗∗∗ --------------------------------------------- In Software von Oracle klaffen unter anderem kritische Sicherheitslücken. Das Quartalsupdate bringt jede Menge Sicherheitspatches. --------------------------------------------- http://heise.de/-4113523 ∗∗∗ TeamViewer hält Zugangspasswort im Speicher vor ∗∗∗ --------------------------------------------- Das Fernwartungs-Tool TeamViewer soll es Angreifern leichter machen als nötig. Forschern zufolge hält es in seinem Speicher das Passwort im Klartext vor. --------------------------------------------- http://heise.de/-4115023 ===================== = Vulnerabilities = ===================== ∗∗∗ ABB Panel Builder 800 ∗∗∗ --------------------------------------------- This advisory includes mitigation recommendations for an improper input validation vulnerability in the ABB Panel Builder 800. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-198-01 ∗∗∗ DSA-4248 blender - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2018/dsa-4248 ∗∗∗ Critical Patch Update - July 2018 ∗∗∗ --------------------------------------------- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html ∗∗∗ Oracle Linux Bulletin - July 2018 ∗∗∗ --------------------------------------------- http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2018-4956… ∗∗∗ Oracle VM Server for x86 Bulletin - July 2018 ∗∗∗ --------------------------------------------- http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2018-495645… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.07.2018
by Daily end-of-shift report 17 Jul '18

17 Jul '18

===================== = End-of-Day report = ===================== Timeframe: Montag 16-07-2018 18:00 − Dienstag 17-07-2018 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Blackgear Cyberespionage Campaign Resurfaces, Abuses Social Media for C&C Communication ∗∗∗ --------------------------------------------- Blackgear (also known as Topgear and Comnie) is a cyberespionage campaign dating back to 2008, at least based on the Protux backdoor used by its operators. It targets organizations in Japan, South Korea, and Taiwan, leveling its attacks on public sector agencies and telecommunications and other high-technology industries. In 2016, for instance, we .. --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/6Rxca1hyaeA/ ∗∗∗ Sicherheitsupdates: Angreifer könnte Passwörter in Typo3 überschreiben ∗∗∗ --------------------------------------------- Im freien Content Management System Typo3 klaffen mitunter kritische Sicherheitslücken. Patches schließen mehrere Schwachstellen. --------------------------------------------- http://heise.de/-4111640 ∗∗∗ 007: Schutzsoftware mit der Lizenz zum Töten von Spectre-Code ∗∗∗ --------------------------------------------- Eine neue, nach James Bond benannte Schutztechnik, soll Spectre-Schwachstellen mit nur 2 Prozent Performance-Einbußen in Programmcode erkennen und eliminieren. --------------------------------------------- http://heise.de/-4112150 ∗∗∗ A deep dive down the Vermin RAThole ∗∗∗ --------------------------------------------- ESET researchers have analyzed remote access tools cybercriminals have been using in an ongoing espionage campaign to systematically spy on Ukrainian government institutions .. --------------------------------------------- https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/ ===================== = Vulnerabilities = ===================== ∗∗∗ DSA-4247 ruby-rack-protection - security update ∗∗∗ --------------------------------------------- A timing attack was discovered in the function for CSRF token validationof the Ruby rack protection framework. --------------------------------------------- https://www.debian.org/security/2018/dsa-4247 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.07.2018
by Daily end-of-shift report 16 Jul '18

16 Jul '18

===================== = End-of-Day report = ===================== Timeframe: Freitag 13-07-2018 18:00 − Montag 16-07-2018 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ TLS: Mozilla, Cloudflare und Apple wollen verschlüsselte SNI ∗∗∗ --------------------------------------------- Mit der TLS-Erweiterung SNI können beliebig viele Webseiten samt eigenen Zertifikaten auf einer IP gehostet werden. Dabei könnte jedoch der Name der Domain von Dritten belauscht werden. Ein .. --------------------------------------------- https://www.golem.de/news/tls-mozilla-cloudflare-und-apple-wollen-verschlue… ∗∗∗ Analysis of the DHCP Client Script Code Execution Vulnerability (CVE-2018-1111) ∗∗∗ --------------------------------------------- Unit 42 shares their analysis of the DHCP Client Script Code Execution .. --------------------------------------------- https://researchcenter.paloaltonetworks.com/2018/07/unit42-analysis-dhcp-cl… ∗∗∗ Red Alert v2.0: Misadventures in Reversing Android Bot Malware ∗∗∗ --------------------------------------------- It all started with a spam message, which curiously had an Android App attachment. The spam email vaguely claims that the attachment was a dating app for finding .. --------------------------------------------- https://trustwave.com/Resources/SpiderLabs-Blog/Red-Alert-v2-0--Misadventur… ∗∗∗ GitHub to Pythonistas: Let us save you from vulnerable code ∗∗∗ --------------------------------------------- Third language added to security scanner GitHubs added Python to the list of programming languages it can auto-scan for known vulnerabilities. --------------------------------------------- www.theregister.co.uk/2018/07/16/github_to_pythonistas_let_us_save_you_from… ∗∗∗ Does malware based on Spectre exist? ∗∗∗ --------------------------------------------- The Spectre attack has received massive coverage since the beginning of 2018, and by now, it is likely that everyone in computer science has at least heard about .. --------------------------------------------- https://www.virusbulletin.com/virusbulletin/2018/07/does-malware-based-spec… ∗∗∗ Fernwartungs-Tool hatte Trojaner im Gepäck ∗∗∗ --------------------------------------------- Die Remote-Admin-Software Ammyy Admin wurde offenbar erneut über die Herstellerseite mit einem Trojaner verteilt. --------------------------------------------- http://heise.de/-4111069 ===================== = Vulnerabilities = ===================== ∗∗∗ DSA-4246 mailman - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2018/dsa-4246 ∗∗∗ DSA-4245 imagemagick - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2018/dsa-4245 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.07.2018
by Daily end-of-shift report 13 Jul '18

13 Jul '18

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 12-07-2018 18:00 − Freitag 13-07-2018 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Now Pushing Malware: NPM package dev logins slurped by hacked tool popular with coders ∗∗∗ --------------------------------------------- Tokens killed after eslint-scope JavaScript utility compromised An unfortunate chain reaction was averted today after miscreants tampered with a widely used JavaScript programming tool to steal other developers NPM login tokens.… --------------------------------------------- www.theregister.co.uk/2018/07/12/npm_eslint/ ∗∗∗ Cryptominers and stealers – malware edition ∗∗∗ --------------------------------------------- It all started in 2008 with a paper on the first decentralized digital currency, Bitcoin, created by an unknown person or persons referred to as Satoshi Nakamoto. Bitcoin is a peer-to-peer currency based on cryptography .. --------------------------------------------- https://www.zscaler.com/blogs/research/cryptominers-and-stealers-malware-ed… ∗∗∗ Patchday: Kritische Lücke in SAP Business Client ∗∗∗ --------------------------------------------- Im Juli hat SAP 11 neue Sicherheitswarnungen veröffentlicht. Davon gilt aber nur eine als kritisch. Sicherheitsupdates sind verfügbar. --------------------------------------------- http://heise.de/-4108062 ∗∗∗ Advanced Mobile Malware Campaign in India uses Malicious MDM ∗∗∗ --------------------------------------------- Cisco Talos has identified a highly targeted campaign against 13 iPhones which appears to be focused on India. The attacker deployed an open-source mobile device management (MDM) system to control enrolled devices. At this time, we dont know how the attacker .. --------------------------------------------- https://blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Mal… ∗∗∗ Heres Why Your Static Website Needs HTTPS ∗∗∗ --------------------------------------------- It was Jan last year that I suggested HTTPS adoption had passed the "tipping point", that is, it had passed the moment of critical mass and as I said at the time, "will very shortly become the norm". Since that time, .. --------------------------------------------- https://www.troyhunt.com/heres-why-your-static-website-needs-https/ ∗∗∗ Gefälschte World4You-Phishingmail im Umlauf ∗∗∗ --------------------------------------------- Kriminelle versenden eine gefälschte World4You-Phishingmail. Darin fordern sie Empfänger/innen dazu auf, dass sie sich auf einer Website als echte Kontoinhaber/innen ausweisen. Geben Kund/innen ihre persönlichen Daten bekannt, übermitteln sie diese an Datendiebe. Verbrechen unter ihrem Namen sind möglich. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschte-world4you-phishingmail-i… ∗∗∗ IT-Security - Erpresser verschicken Drohmails mit echten Passwörtern ∗∗∗ --------------------------------------------- Wollen Nutzer beim Besuch von Pornoportalen gefilmt haben und verlangen "Schweigegeld" --------------------------------------------- https://derstandard.at/2000083434963/Erpresser-verschicken-Drohmails-mit-ec… ===================== = Vulnerabilities = ===================== ∗∗∗ Eaton 9000X Drive ∗∗∗ --------------------------------------------- This advisory includes mitigation recommendations for a stack-based buffer overflow vulnerability in the Eaton 9000X Drive. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-193-01 ∗∗∗ JSA10864 - 2018-07 Security Bulletin: Junos OS: Junos OS: MPC7/8/9, PTX-FPC3 (FPC-P1, FPC-P2), PTX3K-FPC3 and PTX1K: Line card may crash upon receipt of specific MPLS packet (CVE-2018-0030) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10864&actp=RSS ∗∗∗ Critical Patch Update - July 2018 - Pre-Release Announcement ∗∗∗ --------------------------------------------- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.07.2018
by Daily end-of-shift report 12 Jul '18

12 Jul '18

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 11-07-2018 18:00 − Donnerstag 12-07-2018 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Hawkeye Keylogger – Reborn v8: An in-depth campaign analysis ∗∗∗ --------------------------------------------- Much of cybercrime today is fueled by underground markets where malware and cybercriminal services are available for purchase. These markets in the deep web commoditize malware operations. Even novice cybercriminals can buy malware toolkits and other services they .. --------------------------------------------- https://cloudblogs.microsoft.com/microsoftsecure/2018/07/11/hawkeye-keylogg… ∗∗∗ Ransomware is so 2017, its all cryptomining now among the script kiddies ∗∗∗ --------------------------------------------- Plus: Hackers take crack at cloud, phones come pre-pwned, malwares going multi-plat The number of organisations affected by cryptomining malware in the first half of 2018 ramped up to 42 per cent, compared to 20.5 per cent .. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2018/07/12/malware_sit… ∗∗∗ Mitigating Spectre with Site Isolation in Chrome ∗∗∗ --------------------------------------------- Speculative execution side-channel attacks like Spectre are a newly discovered security risk for web browsers. A website could use such attacks to steal data or login information from other websites that are open in the browser. To better mitigate these attacks, were excited to announce that Chrome 67 has enabled a security .. --------------------------------------------- https://security.googleblog.com/2018/07/mitigating-spectre-with-site-isolat… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Web Security Appliance Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the web-based management interface of Cisco Web Security Appliance (WSA) could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the .. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ TYPO3-CORE-SA-2018-003: Privilege Escalation & SQL Injection in TYPO3 CMS ∗∗∗ --------------------------------------------- It has been discovered, that TYPO3 CMS is vulnerable to Privilege Escalation and SQL Injection. --------------------------------------------- https://typo3.org/security/advisory/typo3-core-sa-2018-003/ ∗∗∗ TYPO3-CORE-SA-2018-002: Insecure Deserialization & Arbitrary Code Execution in TYPO3 CMS ∗∗∗ --------------------------------------------- It has been discovered, that TYPO3 CMS is vulnerable to Insecure Deserialization & Arbitrary Code Execution. --------------------------------------------- https://typo3.org/security/advisory/typo3-core-sa-2018-002/ ∗∗∗ TYPO3-CORE-SA-2018-001: Authentication Bypass in TYPO3 CMS ∗∗∗ --------------------------------------------- It has been discovered, that TYPO3 CMS is vulnerable to Authentication Bypass. --------------------------------------------- https://typo3.org/security/advisory/typo3-core-sa-2018-001/ ∗∗∗ EU Cookie Compliance - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-047 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2018-047 ∗∗∗ Remote Code Execution and Local File Disclosure in Zeta Producer Desktop CMS ∗∗∗ --------------------------------------------- https://www.sec-consult.com/en/blog/advisories/remote-code-execution-local-… ∗∗∗ Synology-SA-18:35 File Station ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_18_35 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.07.2018
by Daily end-of-shift report 11 Jul '18

11 Jul '18

===================== = End-of-Day report = ===================== Timeframe: Dienstag 10-07-2018 18:00 − Mittwoch 11-07-2018 18:00 Handler: Alexander Riepl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ CoinRocket GmbH sucht Finanzverwalter für strafbare Arbeit ∗∗∗ --------------------------------------------- Die CoinRocket GmbH mit Sitz in Hard in der Steiermark betreibt die Website coinrocket.at. Auf Jobportalen inseriert die angebliche Firma Stellenausschreibungen für die Position eines/r FinanzverwaltungsassistentIn in Heimarbeit. InteressentInnen müssen bei dieser Arbeit ihre Kontodaten bekannt geben und sollen eingehende Zahlungen weiterleiten. Das Geld stammt dabei von Verbrechen und die FinanzverwalterInnen machen sich durch ihr Zutun strafbar. --------------------------------------------- https://www.watchlist-internet.at/news/coinrocket-gmbh-sucht-finanzverwalte… ∗∗∗ New Spectre 1.1 and Spectre 1.2 CPU Flaws Disclosed ∗∗∗ --------------------------------------------- Two security researchers have revealed details about two new Spectre-class vulnerabilities, which theyve named Spectre 1.1 and Spectre 1.2. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-spectre-11-and-spectre-1… ∗∗∗ Internet: Viele ISPs geben BGP-Probleme einfach weiter ∗∗∗ --------------------------------------------- Immer wieder kommt es per BGP-Hijacking zum Umleiten von Internetverkehr. Ebenso werden falsche BGP-Routen auch einfach weitergeleitet. Eine Auswertung zeigt, dass die großen ISPs hier zu wenig agieren. Es gibt aber auch Abhilfe gegen besonders bösartige Akteure. (BGP, DE-CIX) --------------------------------------------- https://www.golem.de/news/internet-viele-isps-geben-bgp-probleme-einfach-we… ∗∗∗ July 2018 Security Update Release ∗∗∗ --------------------------------------------- Today, we released security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to turn on automatic updates. More information about this month’s security updates can be found on the Security Update Guide. --------------------------------------------- https://blogs.technet.microsoft.com/msrc/2018/07/10/july-2018-security-upda… ∗∗∗ Department of Commerce Report on the Botnet Threat ∗∗∗ --------------------------------------------- Last month, the US Department of Commerce released a report on the threat of botnets and what to do about it. I note that it explicitly said that the IoT makes the threat worse, and that the solutions are largely economic.T --------------------------------------------- https://www.schneier.com/blog/archives/2018/07/department_of_c.html ∗∗∗ Intel, Microsoft, Adobe release a swarm of bug fixes to ruin your week ∗∗∗ --------------------------------------------- Massive patch dump with 112 fixes... and thats just for the Photoshop giant IT admins face a busy week ahead as Microsoft, Intel, and Adobe have issued bundles of scheduled security fixes addressing more than 150 CVE-listed vulnerabilities.… --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2018/07/11/july_patch_… ∗∗∗ Spectre-NG: Intel dokumentiert "spekulativen Buffer Overflow" ∗∗∗ --------------------------------------------- Wie sich jetzt herausstellt, können Spectre-NG-Exploits nicht nur geschützten Speicher auslesen, sondern auch schreiben, wo sie wollen – vorläufig zumindest. --------------------------------------------- http://heise.de/-4108008 ===================== = Vulnerabilities = ===================== ∗∗∗ Arch Linux PDF reader package poisoned ∗∗∗ --------------------------------------------- Trust nobody: abandoned code was adopted by a miscreant Arch Linux has pulled a user-provided AUR (Arch User Repository) package, because it contained malware. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2018/07/11/someone_mod… ∗∗∗ Patchday: Kritische Lücke in SAP Bussines Client ∗∗∗ --------------------------------------------- Im Juli hat SAP 11 neue Sicherheitswarnungen veröffentlicht. Davon gilt aber nur eine als kritisch. Sicherheitsupdates sind verfügbar. --------------------------------------------- http://heise.de/-4108062 ∗∗∗ SSA-635129 (Last Update: 2018-07-11): Denial-of-Service Vulnerabilities in EN100 Ethernet Communication Module and SIPROTEC 5 relays ∗∗∗ --------------------------------------------- The EN100 Ethernet communication module and SIPROTEC 5 relays are affected by security vulnerabilities which could allow an attacker to conduct a Denial-of-Service attack over the network.Siemens has released updates for several affected products, is working on updates for the remaining affected products, and recommends specific countermeasures until fixes are available. --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-635129.pdf ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (cups), Oracle (kernel and qemu-kvm), Red Hat (ansible, kernel, kernel-rt, and qemu-kvm), Scientific Linux (kernel and qemu-kvm), Slackware (thunderbird), and Ubuntu (curl, firefox, imagemagick, and xapian-core). --------------------------------------------- https://lwn.net/Articles/759525/ ∗∗∗ IBM Security Bulletin: Vulnerability in IPSec-Tools affects IBM Integrated Management Module II (IMM2) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=ibm10716865 ∗∗∗ IBM Security Bulletin: IBM BladeCenter Virtual Fabric 10Gb Switch Module is affected by vulnerabilites in libxml2 ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10715837 ∗∗∗ IBM Security Bulletin: Vulnerability in bind affects IBM Integrated Management Module II (IMM2) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10716769 ∗∗∗ IBM Security Bulletin: FileNet Content Management Interoperability Services (CMIS), which ships with IBM Content Navigator, is affected by the ability to parse untrusted XML input containing a reference to an external entity ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22017354 ∗∗∗ IBM Security Bulletin: Multiple Security Issues in IBM Tealeaf Customer Experience on Cloud Network Capture Add-On ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22016643 ∗∗∗ IBM Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to multiple security vulnerabilities ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22016869 ∗∗∗ HPESBHF03856 rev.1 - Comware v7 and Intelligent Management Center Products, Remote Denial of Service ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.07.2018
by Daily end-of-shift report 10 Jul '18

10 Jul '18

===================== = End-of-Day report = ===================== Timeframe: Montag 09-07-2018 18:00 − Dienstag 10-07-2018 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ APT Trends Report Q2 2018 ∗∗∗ --------------------------------------------- These summaries are a representative snapshot of what has been discussed in greater detail in our private reports during Q2 2018. They aim to highlight the significant events and findings that we feel people should be aware of. --------------------------------------------- https://securelist.com/apt-trends-report-q2-2018/86487/ ∗∗∗ Researchers Reveal Bypass for Apple’s USB Restricted Mode ∗∗∗ --------------------------------------------- Researchers released a workaround for Apples USB Restricted Mode security feature the same day it was rolled out. --------------------------------------------- https://threatpost.com/researchers-reveal-bypass-for-apples-usb-restricted-… ∗∗∗ Apple Patches Everything Again., (Tue, Jul 10th) ∗∗∗ --------------------------------------------- As usual for Apple patches, vulnerabilities tend to affect all/most Apple operating systems. One notable security issue that was addressed, but is not listed here, is the "USB accessory unlock" issue. This allowed systems like Greylock to unlock phones by brute forcing the passcode via the lightning port / USB. iOS 11.4.1 only allows USB devices to connect within 1 hour after the phone/tablet is locked. This is enabled by default but can be disabled by the user. OS X also fixes the [...] --------------------------------------------- https://isc.sans.edu/diary/rss/23852 ∗∗∗ Worm (Mirai?) Exploiting Android Debug Bridge (Port 5555/tcp), (Tue, Jul 10th) ∗∗∗ --------------------------------------------- Today, I noticed a marked increase in %%port:5555%% scans. --------------------------------------------- https://isc.sans.edu/diary/rss/23856 ∗∗∗ What’s New in the Xen Project Hypervisor 4.11 ∗∗∗ --------------------------------------------- This release contains mitigations for the Meltdown and Spectre vulnerabilities. It is worth noting that we spent a significant amount of time on completing and optimizing fixes for Meltdown and Spectre vulnerabilities. --------------------------------------------- https://blog.xenproject.org/2018/07/10/whats-new-in-the-xen-project-hypervi… ∗∗∗ Betrügerische Urlaubsnachricht von Kriminellen ∗∗∗ --------------------------------------------- Internet-Nutzer/innen erhalten von ihren Kontakten die Nachricht, dass sie im Ausland seien und Hilfe benötigen, denn sie haben ihre "Tasche verloren samt Reispass und kreditkarte". Aus diesem Grund sollen Empfänger/innen Geld mit Western Union ins Ausland überweisen. Es wird für ein "ticket und die hotelrechnungen" benötigt. In Wahrheit stammt die Nachricht von Kriminellen. Das Geld ist bei einer Auslandsüberweisung verloren. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-urlaubsnachricht-von-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security Bulletins Posted ∗∗∗ --------------------------------------------- Adobe has published security bulletins for Adobe Acrobat and Reader (APSB18-21), Adobe Connect (APSB18-22), Adobe Experience Manager (APSB18-23) and Adobe Flash Player (APSB18-24). Adobe recommends users update their product installations to the latest versions using the instructions referenced in the [...] --------------------------------------------- https://blogs.adobe.com/psirt/?p=1581 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ruby-sprockets), Red Hat (ansible and rh-git29-git), Scientific Linux (firefox), SUSE (ceph), and Ubuntu (libjpeg-turbo, ntp, and openslp-dfsg). --------------------------------------------- https://lwn.net/Articles/759436/ ∗∗∗ [webapps] D-Link DIR601 2.02 - Credential Disclosure ∗∗∗ --------------------------------------------- https://www.exploit-db.com/exploits/45002/?rss ∗∗∗ IBM Security Bulletin: Vulnerabilities in ntp affect IBM Integrated Management Module II (IMM2) for System x, Flex and BladeCenter Systems ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10716319 ∗∗∗ IBM Security Bulletin: OpenSSL vulnerabilties affect IBM NeXtScale Fan Power Controller (FPC) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10716741 ∗∗∗ IBM Security Bulletin: Vulnerability in Apache CXF affects IBM TRIRIGA Application Platform (CVE-2017-12624) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=ibm10716291 ∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in OpenSSL affects IBM Tivoli Netcool System Service Monitors/Application Service Monitors (CVE-2017-3735, CVE-2017-3736, CVE-2017-3737, CVE-2017-3738) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=ibm10715747 ∗∗∗ WAGO Multiple vulnerabilities in e!DISPLAY products ∗∗∗ --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2018-010 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.07.2018
by Daily end-of-shift report 09 Jul '18

09 Jul '18

===================== = End-of-Day report = ===================== Timeframe: Freitag 06-07-2018 18:00 − Montag 09-07-2018 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Hacker stehlen 2300 Liter Benzin von Tankstelle ∗∗∗ --------------------------------------------- Eine Zapfsäule einer Tankstelle in den USA wurde so manipuliert, dass sie kostenlos Sprit ausgab. --------------------------------------------- https://futurezone.at/digital-life/hacker-stehlen-2300-liter-benzin-von-tan… ∗∗∗ In cryptoland, trust can be costly ∗∗∗ --------------------------------------------- While the legal status of cryptocurrencies and laws to regulate them continue to be hammered out, scammers are busy exploiting the digital gold rush. Besides hacking cryptocurrency exchanges, exploiting smart-contract .. --------------------------------------------- https://securelist.com/in-cryptoland-trust-can-be-costly/86367/ ∗∗∗ PROPagate Code Injection Seen in the Wild ∗∗∗ --------------------------------------------- Last year, researchers wrote about a new Windows code injection technique called PROPagate. Last week, it was first seen in malware:This technique abuses the SetWindowsSubclass function -- a process used to install or update subclass windows running on the system -- and can be used to modify the properties of windows running in the same .. --------------------------------------------- https://www.schneier.com/blog/archives/2018/07/propagate_code_.html ∗∗∗ Stolen D-Link Certificate Used to Digitally Sign Spying Malware ∗∗∗ --------------------------------------------- Digitally signed malware has become much more common in recent years to mask malicious intentions. Security researchers have discovered a new malware campaign misusing stolen valid digital certificates from .. --------------------------------------------- https://thehackernews.com/2018/07/digital-certificate-malware.html ∗∗∗ Domain Factory confirms January 2018 data breach ∗∗∗ --------------------------------------------- German name n hosting outfit tells customers told to reset passwords after hacker taunts German hosting company Domainfactory has taken down its forums after someone posted messages alleging to have compromised the compa .. --------------------------------------------- www.theregister.co.uk/2018/07/09/domainfactory_in_germany_confirms_brdata_b… ∗∗∗ The Worst Cybersecurity Breaches of 2018 So Far ∗∗∗ --------------------------------------------- There havent been as many hacks and attacks compared to this time last year, but thats where the good news ends. --------------------------------------------- https://www.wired.com/story/2018-worst-hacks-so-far ∗∗∗ Jetzt patchen! Exploit-Code für extrem kritische Lücke in HPE iLO4 öffentlich ∗∗∗ --------------------------------------------- Sendet ein Angreifer eine cURL-Anfrage mit „AAAAAAAAAAAAAAAAAAAAAAAAAAAAA“ an verwundbare HP-Proliant-Server, könnte er diese übernehmen. --------------------------------------------- http://heise.de/-4104590 ∗∗∗ iTunes und iCloud für Windows: Update dringend angeraten ∗∗∗ --------------------------------------------- Die jüngsten Versionen von Apples Medienabpieler und der Cloud-Unterstützung für den PC beheben problematische Sicherheitslücken. --------------------------------------------- http://heise.de/-4104663 ===================== = Vulnerabilities = ===================== ∗∗∗ VMSA-2018-0016 ∗∗∗ --------------------------------------------- VMware ESXi, Workstation, and Fusion updates address multiple out-of-bounds read vulnerabilities --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2018-0016.html ∗∗∗ VMSA-2018-0011.1 ∗∗∗ --------------------------------------------- Unauthenticated Command Injection vulnerability in VMware NSX SD-WAN by VeloCloud --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2018-0011.html ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (bouncycastle and ca-certificates), Fedora (cantata, cinnamon, php-symfony3, and transifex-client), openSUSE (ghostscript, openssl, openvpn, php7, rubygem-yard, thunderbird, ucode-intel, and unzip), and SUSE (libqt4, nodejs8, and openslp). --------------------------------------------- https://lwn.net/Articles/759361/ ∗∗∗ VLC: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit Benutzerrechten ∗∗∗ --------------------------------------------- https://www.bsi-fuer-buerger.de/SharedDocs/Warnmeldungen/DE/TW/2018/07/warn… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.07.2018
by Daily end-of-shift report 06 Jul '18

06 Jul '18

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 05-07-2018 18:00 − Freitag 06-07-2018 18:00 Handler: Alexander Riepl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ HNS Botnet Recent Activities ∗∗∗ --------------------------------------------- Author: Rootkiter, yegenshenHNS is an IoT botnet (Hide and Seek) originally discovered by BitDefender in January this year. In that report, the researchers pointed out that HNS used CVE-2016-10401, and other vulnerabilities to propagate malicious code and stole user information. The HNS communicates through the P2P mechanism, which is [...] --------------------------------------------- http://blog.netlab.360.com/hns-botnet-recent-activities-en/ ∗∗∗ CoinImp Cryptominer and Fully Qualified Domain Names ∗∗∗ --------------------------------------------- We are all familiar with the conventional domain name notation, where different levels are concatenated with the full stop character (period). E.g. "www.example.com", where "www" is a subdomain, "example" is a second level domain, and "com" is a top level domain. However, very few know that there is also a DNS root domain and it can be also specified in the fully qualified domain names. --------------------------------------------- https://blog.sucuri.net/2018/07/coinimp-cryptominer-and-fully-qualified-dom… ∗∗∗ Schädlinge unterminieren Windows-Zertifikats-System ∗∗∗ --------------------------------------------- Immer mehr Trojaner installieren eigene Root-CAs in Windows, um damit ihre Schadprogramme signieren oder Web-Seiten-Aufrufe manipulieren zu können. --------------------------------------------- http://heise.de/-4100993 ∗∗∗ Apple stopft WLAN-Lücken auf Macs unter Windows ∗∗∗ --------------------------------------------- Mit einem Update sollen zwei Angriffspunkte in den Boot-Camp-Treibern behoben werden, mit denen Macs das Microsoft-Betriebssystem nutzen. --------------------------------------------- http://heise.de/-4102490 ∗∗∗ Datenleck bei Domainfactory: Hacker knackt Systeme, lässt Kundendaten mitgehen ∗∗∗ --------------------------------------------- Die Systeme des Hosters Domainfactory wurden offensichtlich von einem Hacker kompromittiert, der nun Zugang zu sensiblen Daten der Kunden hat. --------------------------------------------- http://heise.de/-4102881 ∗∗∗ IT-Sicherheit - Elektronikhändler e-tec und Ditech wurden Kundendaten gestohlen ∗∗∗ --------------------------------------------- Altes Passwort ist abgelaufen und muss neu gesetzt werden, Zahlungsdaten zu Kreditkarten und Kontoverbindungen nicht betroffen --------------------------------------------- https://derstandard.at/2000082932960/Elektronikhaendler-e-tec-und-Ditech-wu… ∗∗∗ What is it that Makes a Microsoft Executable a Microsoft Executable? ∗∗∗ --------------------------------------------- What exactly is it that separates arbitrary code from code that originates from Microsoft? I would wager that the reaction of most people would be to claim, "well... if it's signed by Microsoft, then it comes from Microsoft. What else is there to talk about?" --------------------------------------------- https://posts.specterops.io/what-is-it-that-makes-a-microsoft-executable-a-… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco 5000 Series Enterprise Network Compute System and Cisco UCS E-Series Servers BIOS Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in BIOS authentication management of Cisco 5000 Series Enterprise Network Compute System and Cisco Unified Computing (UCS) E-Series Servers could allow an unauthenticated, local attacker to bypass the BIOS authentication and execute actions as an unprivileged user. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ WordPress 4.9.7 Security and Maintenance Release ∗∗∗ --------------------------------------------- WordPress versions 4.9.6 and earlier are affected by a media issue that could potentially allow a user with certain capabilities to attempt to delete files outside the uploads directory. --------------------------------------------- https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance… ∗∗∗ Stored XSS under CA and CRL certificate view page ∗∗∗ --------------------------------------------- Javascript code and HTML tags can be injected into the CN value of CA and CRL certificates via the import CA and CRL certificates feature of the GUI. The injected code may be executed when the GUI administrator views the CA certificate details and browses CRL certificates when CN values are rendered. --------------------------------------------- https://fortiguard.com/psirt/FG-IR-17-305 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (dokuwiki, libsoup2.4, mercurial, php7.0, and phpmyadmin), Fedora (ant, gnupg, libgit2, and libsoup), openSUSE (cairo, git-annex, postgresql95, and zsh), Scientific Linux (firefox), Slackware (mozilla), SUSE (nodejs6 and rubygem-yard), and Ubuntu (AMD microcode, devscripts, and firefox). --------------------------------------------- https://lwn.net/Articles/759212/ ∗∗∗ 2018-07-06: Vulnerability in Panel Builder 800 - Improper Input Validation ∗∗∗ --------------------------------------------- http://search-ext.abb.com/library/Download.aspx?DocumentID=3BSE092089&Langu… ∗∗∗ IBM Security Bulletin: IBM API Connect is impacted by a resource leakage vulnerability (CVE-2018-1548) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22017136 ∗∗∗ IBM Security Bulletin: IBM Security Guardium is affected by Using Components with Known Vulnerabilities vulnerabilities ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=swg22017003 ∗∗∗ IBM Security Bulletin: IBM Security Guardium is affected by a Using Components with Known Vulnerabilities vulnerability ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22016892 ∗∗∗ IBM Security Bulletin: IBM Security Guardium is affected by Using Components with Known Vulnerabilities vulnerabilities ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22016895 ∗∗∗ IBM Security Bulletin: The Elastic Storage Server and the GPFS Storage Server are affected by a vulnerability in IBM Spectrum Scale ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10716005 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Tivoli Netcool Configuration Manager (ITNCM) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22015940 ∗∗∗ IBM Security Bulletin: Vulnerability in IBM® Java SDK affects IBM SPSS Analytic Server (CVE-2018-2602, CVE-2018-2634) ∗∗∗ --------------------------------------------- https://www-prd-trops.events.ibm.com/node/715345 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities affect IBM Tivoli Monitoring embedded WebSphere Application and IHS server ∗∗∗ --------------------------------------------- https://www.ibm.com/support/docview.wss?uid=ibm10713469 ∗∗∗ PEPPERL+FUCHS Security advisory for MELTDOWN and SPECTRE attacks in ecom mobile Devices ∗∗∗ --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2018-009 ∗∗∗ PEPPERL+FUCHS Remote Code Execution Vulnerability in HMI Devices ∗∗∗ --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2018-008 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.07.2018
by Daily end-of-shift report 05 Jul '18

05 Jul '18

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 04-07-2018 18:00 − Donnerstag 05-07-2018 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ First-Ever Person Sentenced for Malicious Use of Coinhive Library ∗∗∗ --------------------------------------------- Authorities in Japan have sentenced a man for the first time for using the Coinhive JavaScript library for malicious purposes. --------------------------------------------- https://www.bleepingcomputer.com/news/security/first-ever-person-sentenced-… ∗∗∗ Analysis: Downloader with a twist ∗∗∗ --------------------------------------------- In this latest analysis, we will stay on the topic of fileless malware. Having dissected the Rozena backdoor in the last article, we have taken a peek into another malware that uses “fileless” techniques. Case in point: a downloader. --------------------------------------------- https://www.gdatasoftware.com/blog/07/30876-analysis-downloader-with-a-twist ∗∗∗ How to Check App Permissions on iOS, Android, Windows, and macOS ∗∗∗ --------------------------------------------- Its never a bad time to audit your app permissions. In fact, its more important than ever. --------------------------------------------- https://www.wired.com/story/how-to-check-app-permissions-ios-android-macos-… ∗∗∗ NSO-Mitarbeiter bietet iOS-Spyware Pegasus im Darknet an ∗∗∗ --------------------------------------------- Der geheimnisumwitterten israelischen Sicherheitsfirma NSO Group sind mächtige Spyware-Tools abhanden gekommen. Ein Insider wollte sie im Darknet verkaufen. --------------------------------------------- http://heise.de/-4101187 ∗∗∗ Gentoos GitHub mirror compromise incident report ∗∗∗ --------------------------------------------- LWN reported on June 29 that Gentoos GitHub mirror had been compromised. Gentoo now considers the incident resolved and the full report is available. "An unknown entity gained control of an admin account for the Gentoo GitHub Organization and removed all access to the organization (and its repositories) from Gentoo developers. They then proceeded to make .. --------------------------------------------- https://lwn.net/Articles/759046/ ∗∗∗ Warnung vor gefälschtem Microsoft-Sicherheitshinweis ∗∗∗ --------------------------------------------- Konsument/innen sehen in ihrem Browser eine gefälschte Microsoft-Sicherheitswarnung. Darin heißt es, dass ihr Computer mit Schadsoftware befallen sei. Aus diesem Grund sollen sie einen technischen Support anrufen und ein Programm auf ihrem Computer installieren. Es ermöglicht Kriminellen, bei Bezahlung von Rechnungen die Kreditkartendaten ihrer Opfern zu stehlen. --------------------------------------------- https://www.watchlist-internet.at/news/warnung-vor-gefaelschtem-microsoft-s… ===================== = Vulnerabilities = ===================== ∗∗∗ Custom Tokens - Moderately critical - Arbitrary Code Execution - SA-CONTRIB-2018-046 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2018-046 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.07.2018
by Daily end-of-shift report 04 Jul '18

04 Jul '18

===================== = End-of-Day report = ===================== Timeframe: Dienstag 03-07-2018 18:00 − Mittwoch 04-07-2018 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Malware Authors Seem Intent on Weaponizing Windows SettingContent-ms Files ∗∗∗ --------------------------------------------- Malware authors are frantically trying to weaponize a new infection vector that was revealed at the start of June. The trick relies on using Windows Settings (.SettingContent-ms) shortcut files in order to achieve .. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malware-authors-seem-intent-… ∗∗∗ Lücken in Provider-Routern entdeckt ∗∗∗ --------------------------------------------- Durch Lücken in Routern des Herstellers ADB kann sich ein Angreifer Root-Rechte verschaffen. Das kann auch für die Provider zum Problem werden. --------------------------------------------- http://heise.de/-4099449 ∗∗∗ Phishing tales: Microsoft Access Macro (.MAM) shortcuts ∗∗∗ --------------------------------------------- Previously, I blogged about the ability to create malicious .ACCDE Microsoft Access Database files and using them as a phishing vector. This post expands on using the ACCDE format and will be introducing Microsoft Access Macro “MAM” .. --------------------------------------------- https://posts.specterops.io/phishing-tales-microsoft-access-macro-mam-short… ===================== = Vulnerabilities = ===================== ∗∗∗ Rockwell Automation Allen-Bradley Stratix 5950 ∗∗∗ --------------------------------------------- This advisory includes mitigations for improper input validation, improper certificate validation, and resource management error vulnerabilities in the Allen-Bradley Stratix 5950 security appliance. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-184-01 ∗∗∗ Privilege escalation via linux group manipulation in all ADB Broadband Gateways / Routers ∗∗∗ --------------------------------------------- https://www.sec-consult.com/en/blog/advisories/privilege-escalation-via-lin… ∗∗∗ Authorization Bypass in all ADB Broadband Gateways / Routers ∗∗∗ --------------------------------------------- https://www.sec-consult.com/en/blog/advisories/authorization-bypass-in-all-… ∗∗∗ Local root jailbreak via network file sharing flaw in all ADB Broadband Gateways / Routers ∗∗∗ --------------------------------------------- https://www.sec-consult.com/en/blog/advisories/local-root-jailbreak-via-net… ∗∗∗ Security vulnerabilities fixed in Thunderbird 52.9 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2018-18/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.07.2018
by Daily end-of-shift report 03 Jul '18

03 Jul '18

===================== = End-of-Day report = ===================== Timeframe: Montag 02-07-2018 18:00 − Dienstag 03-07-2018 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Malware lockt mit Fortnite-Cheats ∗∗∗ --------------------------------------------- Die Beliebtheit von Fortnite ruft vermehrt auch Kriminelle auf den Plan. --------------------------------------------- https://futurezone.at/games/malware-lockt-mit-fortnite-cheats/400060664 ∗∗∗ Akute Gefahr für Überwachungs-Software Nagios XI ∗∗∗ --------------------------------------------- Ein MetaSploit-Modul nutzt mehrere Schwachstellen in Nagios XI so geschickt aus, dass ein Angreifer den Monitoring-Server übernehmen kann. --------------------------------------------- http://heise.de/-4096379 ∗∗∗ Patchday: Google schließt teils kritische Android-Lücken ∗∗∗ --------------------------------------------- Die monatlich von Google veröffentlichten Sicherheits-Patches für Android betreffen im Juli ausnahmslos Lücken mit hohem bis kritischem Schweregrad. --------------------------------------------- http://heise.de/-4096435 ∗∗∗ Mac malware targets cryptomining users ∗∗∗ --------------------------------------------- A new Mac malware called OSX.Dummy is being distributed on cryptomining chat groups that, even after being removed, leaves behind remnants for future malware to find. --------------------------------------------- https://blog.malwarebytes.com/malwarebytes-news/2018/07/mac-malware-targets… ∗∗∗ Smoking Guns - Smoke Loader learned new tricks ∗∗∗ --------------------------------------------- This post is authored by Ben Baker and Holger Unterbrink OverviewCisco Talos has been tracking a new version of Smoke Loader — a malicious application that can be used to .. --------------------------------------------- https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learne… ∗∗∗ Kontrolle erlangt - Hacker integrierten bei Gentoo Linux gefährlichen Löschbefehl ∗∗∗ --------------------------------------------- Github-Repo übernommen und Befehl untergejubelt – mittlerweile haben die Entwickler aber wieder Kontrolle --------------------------------------------- https://derstandard.at/2000082722326/Hacker-integrierten-bei-Gentoo-Linux-g… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (drupal7-backup_migrate, firefox, and podman), Red Hat (python), Scientific Linux (glibc, kernel, libvirt, pcs, samba, samba4, sssd and ding-libs, and zsh), and Ubuntu (kernel, linux, linux-aws, linux-azure, linux-gcp, linux-kvm, linux-oem, linux-raspi2, linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, linux, linux-raspi2, linux-hwe, linux-azure, linux-lts-trusty, linux-lts-xenial, linux-aws, linux-oem, and zziplib). --------------------------------------------- https://lwn.net/Articles/758940/ ∗∗∗ Multiple vulnerabilities from IBM Security Bulletin ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ DSA-2018-122: RSA Certificate Manager Path Traversal Vulnerability ∗∗∗ --------------------------------------------- https://www.securitytracker.com/id/1041211 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.07.2018
by Daily end-of-shift report 02 Jul '18

02 Jul '18

===================== = End-of-Day report = ===================== Timeframe: Freitag 29-06-2018 18:00 − Montag 02-07-2018 18:00 Handler: Alexander Riepl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Clipboard Hijacker Malware Monitors 2.3 Million Bitcoin Addresses ∗∗∗ --------------------------------------------- While we have covered cryptocurrency clipboard hijackers in the past, most of the previous samples monitored for 400-600 thousand cryptocurrency addresses. This week BleepingComputer noticed a sample of this type of malware that monitors for a over 2.3 million cryptocurrency addresses! --------------------------------------------- https://www.bleepingcomputer.com/news/security/clipboard-hijacker-malware-m… ∗∗∗ DNS Poisoning or BGP Hijacking Suspected Behind Trezor Wallet Phishing Incident ∗∗∗ --------------------------------------------- The team behind the Trezor multi-cryptocurrency wallet service has discovered a phishing attack against some of its users that took place over the weekend. --------------------------------------------- https://www.bleepingcomputer.com/news/security/dns-poisoning-or-bgp-hijacki… ∗∗∗ Newer Diameter Telephony Protocol Just As Vulnerable As SS7 ∗∗∗ --------------------------------------------- Security researchers say the Diameter protocol used with todays 4G (LTE) telephony and data transfer standard is vulnerable to the same types of vulnerabilities as the older SS7 standard used with older telephony standards such as 3G, 2G, and earlier. --------------------------------------------- https://www.bleepingcomputer.com/news/security/newer-diameter-telephony-pro… ∗∗∗ Taking apart a double zero-day sample discovered in joint hunt with ESET ∗∗∗ --------------------------------------------- In late March 2018, I analyzed an interesting PDF sample found by ESET senior malware researcher Anton Cherpanov. The sample was initially reported to Microsoft as a potential exploit for an unknown Windows kernel vulnerability. During my investigation in parallel with ESET researchers, I was surprised to discover two new zero-day exploits in the same Read more --------------------------------------------- https://cloudblogs.microsoft.com/microsoftsecure/2018/07/02/taking-apart-a-… ∗∗∗ Boffins want to stop Network Time Protocols time-travelling exploits ∗∗∗ --------------------------------------------- Ancient protocols key vulnerability is fixable Among the many problems that exist in the venerable Network Time Protocol is its vulnerability to timing attacks: turning servers into time-travellers can play all kinds of havoc with important systems. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2018/07/02/ntp_revisio… ∗∗∗ The principle of least privilege: A strategy of limiting access to what is essential ∗∗∗ --------------------------------------------- The principle of least privilege is a security strategy applicable to different areas, which is based on the idea of only granting those permissions that are necessary for the performance of a certain activity --------------------------------------------- https://www.welivesecurity.com/2018/07/02/principle-least-privilege-strateg… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium-browser, mosquitto, python-pysaml2, simplesamlphp, tiff, and tomcat7), Fedora (kernel, libgxps, nodejs, and phpMyAdmin), Mageia (ansible, firefox, java-1.8.0-openjdk, libcrypt, libgcrypt, ncurses, phpmyadmin, taglib, and webkit2), openSUSE (GraphicsMagick, ImageMagick, mailman, Opera, and rubygem-sprockets), and SUSE (ImageMagick, kernel, mariadb, and python-paramiko). --------------------------------------------- https://lwn.net/Articles/758845/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.06.2018
by Daily end-of-shift report 29 Jun '18

29 Jun '18

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 28-06-2018 18:00 − Freitag 29-06-2018 18:00 Handler: Olaf Schwarz Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ File-Wiping Malware Placed Inside Gentoo Linux Code After GitHub Account Hack ∗∗∗ --------------------------------------------- An unknown hacker has temporarily taken control over the GitHub account of the Gentoo Linux organization and embedded malicious code inside the operating systems distributions that would delete user files. --------------------------------------------- https://www.bleepingcomputer.com/news/linux/file-wiping-malware-placed-insi… ∗∗∗ Samsung-Smartphones schicken unbemerkt Fotos an Kontakte ∗∗∗ --------------------------------------------- Ein Fehler in Samsung-Handys schickt zufällig verschiedene Fotos an im Telefonbuch gespeicherte Kontakte. --------------------------------------------- https://futurezone.at/produkte/samsung-smartphones-schicken-unbemerkt-fotos… ∗∗∗ Überwachungskameras schickten Videos an falsche Nutzer ∗∗∗ --------------------------------------------- Bereits zum zweiten Mal wird ein Fall bekannt, in denen Kameras des Herstellers Swann Security Videobilder an die falschen Nutzer senden. --------------------------------------------- https://futurezone.at/digital-life/ueberwachungskameras-schickten-videos-an… ∗∗∗ RIG Exploit Kit Delivering Monero Miner Via PROPagate Injection Technique ∗∗∗ --------------------------------------------- Through FireEye Dynamic Threat Intelligence (DTI), we observed RIG Exploit Kit (EK) delivering a dropper that leverages the PROPagate injection technique to inject code that downloads and executes a Monero miner (similar activity has been reported by Trend Micro). Apart from leveraging a relatively lesser known injection technique, the attack chain has some other interesting properties that we will touch on in this blog post. --------------------------------------------- http://www.fireeye.com/blog/threat-research/2018/06/rig-ek-delivering-moner… ∗∗∗ Rampage: Neuer Rowhammer-Angriff betrifft alle Android-Handys seit 2011 ∗∗∗ --------------------------------------------- Mit einer neuen Technik lässt sich der Speicher von Android-Geräten manipulieren. Der Angreifer wird so auf die harte Art zum Admin. --------------------------------------------- http://heise.de/-4094782 ===================== = Vulnerabilities = ===================== ∗∗∗ Medtronic MyCareLink Patient Monitor ∗∗∗ --------------------------------------------- This advisory includes mitigation recommendations for hard-coded password and exposed dangerous method or function vulnerabilities reported in Medtronics MyCareLink Patient Monitors. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSMA-18-179-01 ∗∗∗ VMSA-2018-0016 ∗∗∗ --------------------------------------------- VMware ESXi, and Workstation updates address multiple out-of-bounds read vulnerabilities --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2018-0016.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (firefox), Debian (firefox-esr, lava-server, libgcrypt20, mariadb-10.0, and zendframework), Fedora (firefox, podman, webkitgtk4, and xen), openSUSE (procps and unixODBC), Oracle (pki-core), Red Hat (firefox), SUSE (kernel, procps, and tomcat6), and Ubuntu (file and nasm). --------------------------------------------- https://lwn.net/Articles/758656/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.06.2018
by Daily end-of-shift report 28 Jun '18

28 Jun '18

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 27-06-2018 18:00 − Donnerstag 28-06-2018 18:00 Handler: Olaf Schwarz Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Windows Defender Detecting Legitimate Files as Trojan:Win32/Bluteal.B!rfn ∗∗∗ --------------------------------------------- Recently there have been a lot of reports of Windows Defender suddenly detecting files as Trojan:Win32/Bluteal.B!rfn. The detected files range from CPU miners, which would make sense, to legitimate Windows files, which do not. --------------------------------------------- https://www.bleepingcomputer.com/news/security/windows-defender-detecting-l… ∗∗∗ Schneller Mobilfunk: Sicherheitslücken in LTE ∗∗∗ --------------------------------------------- Um die Lücken auszunutzen, braucht man viel Know-how und ausgeklügelte Hardware. Aber mit hinreichend Aufwand könnten darüber Geheimnisträger attackiert werden. --------------------------------------------- http://heise.de/-4093507 ∗∗∗ Jetzt patchen! Exploit für Cisco ASA im Umlauf ∗∗∗ --------------------------------------------- In Ciscos System für unter anderem Firewalls Adaptive Security Aplliance klafft eine Sicherheitslücke, die Angreifer bald ausnutzen könnten. --------------------------------------------- http://heise.de/-4093948 ∗∗∗ Spectre-Sicherheitslücken: Browser trotz Patches nicht sicher ∗∗∗ --------------------------------------------- Die Patches, die Chrome, Edge und Safari gegen Spectre V1 bekamen, verhindern Angriffe auf die Lücke nicht vollständig. Lediglich Firefox ist im Moment sicher. --------------------------------------------- http://heise.de/-4094014 ∗∗∗ UPnP als Tarnung: Verwundbare Router helfen DDoS-Angreifern ∗∗∗ --------------------------------------------- Der neueste Trick von DDoS-Angreifern ist das Tarnen von Traffic mithilfe unachtsamer Heim-Router und deren UPnP-Möglichkeiten. --------------------------------------------- http://heise.de/-4094140 ∗∗∗ Datendiebstahl mit angeblichen Deutsche Bahn-Gewinnspiel ∗∗∗ --------------------------------------------- Konsument/innen erhalten eine angebliche Benachrichtigung der Deutschen Bahn. Darin heißt es, dass sie ein Einjahresticket 1. Klasse für 2 Personen gewinnen können. Die Teilnahme am Gewinnspiel setzt die Bekanntgabe von persönlichen Daten voraus. Sie soll auf einer gefälschten Deutsche Bahn-Website erfolgen. Gewinnspiel-Teilnehmer/innen übermitteln ihre Angaben an Kriminelle. Das Gewinnspiel gibt es nicht. --------------------------------------------- https://www.watchlist-internet.at/news/datendiebstahl-mit-angeblichen-deuts… ∗∗∗ Efail: HTML Mails have no Security Concept and are to blame ∗∗∗ --------------------------------------------- I recently wrote down my thoughts about why I think deprecated cryptographic standards are to blame for the Efail vulnerability in OpenPGP and S/MIME. However I promised that Ill also cover the other huge part that made a bug like Efail possible: HTML mails. --------------------------------------------- https://blog.hboeck.de:443/archives/894-Efail-HTML-Mails-have-no-Security-C… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (exiv2, firefox-esr, graphicsmagick, php-horde-crypt, ruby-passenger, tomcat7, and xen), Fedora (dcraw, file, kernel-tools, and mupdf), openSUSE (firefox and tiff), Oracle (kernel, libvirt, pki-core, and qemu-kvm), Red Hat (patch), SUSE (jpeg, python-Django, tiff, and unixODBC), and Ubuntu (jasper). --------------------------------------------- https://lwn.net/Articles/758550/ ∗∗∗ Linux kernel vulnerability CVE-2012-6701 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K13213573 ∗∗∗ Linux kernel vulnerability CVE-2017-7889 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K80440915 ∗∗∗ TMM vulnerability CVE-2018-5528 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K27044729 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.06.2018
by Daily end-of-shift report 27 Jun '18

27 Jun '18

===================== = End-of-Day report = ===================== Timeframe: Dienstag 26-06-2018 18:00 − Mittwoch 27-06-2018 18:00 Handler: Olaf Schwarz Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ NSA Exploit "DoublePulsar" Patched to Work on Windows IoT Systems ∗∗∗ --------------------------------------------- An infosec researcher who uses the online pseudonym of Capt. Meelo has modified an NSA hacking tool known as DoublePulsar to work on the Windows IoT operating system (formerly known as Windows Embedded). --------------------------------------------- https://www.bleepingcomputer.com/news/security/nsa-exploit-doublepulsar-pat… ∗∗∗ Codeausführung: Wordpress schließt Sicherheitslücke nicht ∗∗∗ --------------------------------------------- Eine Sicherheitslücke in Wordpress erlaubt angemeldeten Nutzern, die Installation zu übernehmen und Code auszuführen. Wordpress wusste von dem Problem seit November 2017, hat es aber bisher nicht gefixt. (Wordpress, PHP) --------------------------------------------- https://www.golem.de/news/codeausfuehrung-wordpress-schliesst-sicherheitslu… ∗∗∗ Datenleck bei FastBooking: Hacker klauen Daten von über 124.000 Hotelgästen ∗∗∗ --------------------------------------------- Hacker haben Daten vom Server eines Booking-Providers kopiert. Die Firma schweigt zum Ausmaß – eine Hotelkette warnte derweil fast 125.000 betroffene Gäste. --------------------------------------------- http://heise.de/-4093080 ∗∗∗ Top Tools for Security Analysts in 2018 ∗∗∗ --------------------------------------------- Last spring, after discussing the tools and tech used by our team, we published a list of 51 Tools for Security Analysts. The article was well-received, and the comments offered some great suggestions to top it all off. In the spirit of that list we’d like to offer our updated 2018 edition, featuring the Defiant [...] --------------------------------------------- https://www.wordfence.com/blog/2018/06/top-tools-for-security-analysts-in-2… ∗∗∗ Achtung vor Apple-ID Phishing-Versuch ∗∗∗ --------------------------------------------- InternetnutzerInnen erhalten vermehrt Nachrichten per E-Mail, in denen sie darüber informiert werden, dass angeblich ihre Apple-ID in China für einen Zugriff auf die iCloud verwendet wurde. Die EmpfängerInnen werden in weiterer Folge dazu aufgefordert einem Link zu folgen, sofern sie nicht selbst in China auf ihr Konto zugegriffen haben. Betroffene sollten der Aufforderung auf keinen Fall nachkommen, denn die Versender sind hinter ihren Daten her. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-vor-apple-id-phishing-versuc… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (cantata and qutebrowser), Debian (imagemagick, php5, and redis), Fedora (cri-o and libgxps), Oracle (glibc, kernel, libvirt, samba, samba4, sssd and ding-libs, and zsh), Red Hat (ansible, dpdk, kernel, kernel-alt, kernel-rt, libvirt, pki-core, podman, qemu-kvm, and qemu-kvm-rhev), Scientific Linux (kernel, libvirt, pki-core, and qemu-kvm), SUSE (firefox, gcc43, and kernel), and Ubuntu (openssl). --------------------------------------------- https://lwn.net/Articles/758442/ ∗∗∗ TMM vulnerability CVE-2018-5528 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K27044729 ∗∗∗ SSL Forward Proxy vulnerability CVE-2018-5527 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K20134942 ∗∗∗ HPESBHF03844 rev.1 - HPE Integrated Lights-Out 4, 5 (iLO 4, 5), Remote Unauthorized Modification of Information ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.06.2018
by Daily end-of-shift report 26 Jun '18

26 Jun '18

===================== = End-of-Day report = ===================== Timeframe: Montag 25-06-2018 18:00 − Dienstag 26-06-2018 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ WPA3: Neuer WLAN-Verschlüsselungsstandard verabschiedet ∗∗∗ --------------------------------------------- Die Wi-Fi Alliance hat mit WPA3 einen neuen Verschlüsselungsstandard für drahtlose Netze vorgestellt. Darin werden einige Macken von früheren Standards ausgebessert, wie etwa Offline-Passwort-Angriffe unterbunden und Forward Secrecy eingeführt. --------------------------------------------- https://www.golem.de/news/wpa3-neuer-wlan-verschluesselungsstandard-verabsc… ∗∗∗ Sicherheit von Industrieanlagen: BSI veröffentlicht Snort-Regeln für SIS-Netzwerke ∗∗∗ --------------------------------------------- Zum besseren Schutz vor Cyber-Angriffen mit Schadsoftware wie "Triton/Trisis/HatMan" hat das Bundesamt für Sicherheit in der Informationstechnik (BSI) sogenannte Snort-Regeln für das TriStation-Kommunikationsprotokoll der Firma Schneider Electric veröffentlicht. --------------------------------------------- https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2018/RAPSN_SETS_… ∗∗∗ Files Cannot Be Decrypted? Challenge Accepted. Talos Releases ThanatosDecryptor ∗∗∗ --------------------------------------------- This blog post was authored by Edmund Brumaghin, Earl Carter and Andrew Williams.Executive summaryCisco Talos has analyzed Thanatos, a ransomware variant that is being distributed via multiple malware campaigns that have been conducted over the past few months. As a result of our research, we have released a new, free decryption tool to help victims recover from this malware. --------------------------------------------- http://feedproxy.google.com/~r/feedburner/Talos/~3/_YSxzYWrMgs/ThanatosDecr… ===================== = Vulnerabilities = ===================== ∗∗∗ [20180602] - Core - XSS vulnerability in language switcher module ∗∗∗ --------------------------------------------- Severity: Low Versions: 1.6.0 through 3.8.8 Exploit type: XSS Number: CVE-2018-12711 In some cases the link of the current language might contain unescaped HTML special characters. This may lead to reflective XSS via injection of arbitrary parameters and/or values on the current page url. Affected Installs Joomla! CMS versions 1.6.0 through 3.8.8 Solution: Upgrade to version 3.8.9 --------------------------------------------- https://developer.joomla.org/security-centre/740-20180602-core-xss-vulnerab… ∗∗∗ [20180601] - Core - Local File Inclusion with PHP 5.3 ∗∗∗ --------------------------------------------- Severity: Low Versions: 2.5.0 through 3.8.8 Exploit type: LFI CVE Number: CVE-2018-12712 Our autoload code checks classnames to be valid, using the "class_exists" function in PHP. In PHP 5.3 this function validates invalid names as valid, which can result in a Local File Inclusion. Affected Installs: Joomla! CMS versions 2.5.0 through 3.8.8 Solution: Upgrade to version 3.8.9 --------------------------------------------- https://developer.joomla.org/security-centre/741-20180601-core-local-file-i… ∗∗∗ Bugtraq: KL-001-2018-008 : HPE VAN SDN Unauthenticated Remote Root Vulnerability ∗∗∗ --------------------------------------------- A hardcoded service token can be used to bypass authentication. Built-in functionality can be exploited to deploy and execute a malicious deb file containing a backdoor. A weak sudoers configuration can then be abused to escalate privileges to root. --------------------------------------------- http://www.securityfocus.com/archive/1/542101 ∗∗∗ SSA-159860 (Last Update: 2018-06-26): Access Control Vulnerability in IEC 61850 system configurator, DIGSI 5, DIGSI 4, SICAM PAS/PQS, SICAM PQ Analyzer, and SICAM SCC ∗∗∗ --------------------------------------------- IEC 61850 system configurator, DIGSI 5, DIGSI 4, SICAM PAS/PQS, SICAM PQ Analyzer, and SICAM SCC products are affected by a security vulnerability which could allow an attacker to either exfiltrate limited data from the system or to execute code with operating system user permissions.Siemens has released updates for several affected products, and recommends that customers update to the new version. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-159860.txt ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Slackware (firefox), SUSE (gpg2 and zlib), and Ubuntu (openssl, openssl1.0). --------------------------------------------- https://lwn.net/Articles/758310/ ∗∗∗ Security Advisory - Side-Channel Vulnerability Variants 3a and 4 ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2018/huawei-sa-20180615-… ∗∗∗ HPESBHF03843 rev.1 - HPE Moonshot Provisioning Manager, Remote Bypass of Security Restrictions, Local Arbitrary File Modification ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.06.2018
by Daily end-of-shift report 25 Jun '18

25 Jun '18

===================== = End-of-Day report = ===================== Timeframe: Freitag 22-06-2018 18:00 − Montag 25-06-2018 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Changes in WebAssembly Could Render Meltdown and Spectre Browser Patches Useless ∗∗∗ --------------------------------------------- "Once Wasm gets support for threads with shared memory (which is already on the Wasm roadmap), very accurate [JavaScript] timers can be created," Bergbom says, "that may render browser mitigations of certain CPU side channel attacks non-working." --------------------------------------------- https://www.bleepingcomputer.com/news/security/changes-in-webassembly-could… ∗∗∗ ST18-001: Securing Network Infrastructure Devices ∗∗∗ --------------------------------------------- Network infrastructure devices are ideal targets for malicious cyber actors. Most or all organizational and customer traffic must traverse these critical devices.An attacker with presence on an organization’s gateway router can monitor, modify, and deny traffic to and from the organization.An attacker with presence on an organization’s internal routing and switching infrastructure can monitor, modify, and deny traffic to and from key --------------------------------------------- https://www.us-cert.gov/ncas/tips/ST18-001 ∗∗∗ iOS: Verwirrung um Brute-Force-Hack der Gerätesperre ∗∗∗ --------------------------------------------- Ein Sicherheitsforscher behauptet, einen Trick gefunden zu haben, mit dem sich iPhone und iPad knacken lassen. Apple widerspricht dem. --------------------------------------------- http://heise.de/-4090901 ∗∗∗ Offene Firebase-Datenbanken: Tausende Apps leaken Passwörter, Nutzerdaten etc. ∗∗∗ --------------------------------------------- Dritte könnten mit vergleichsweise wenig Aufwand private Daten von Millionen App-Nutzern einsehen, warnen Sicherheitsforscher. --------------------------------------------- http://heise.de/-4090963 ∗∗∗ Leck in Intel-Prozessoren: TLBleed-Lücke verrät geheime Schlüssel ∗∗∗ --------------------------------------------- Forscher nutzen Hyper-Threading und den Transaction Lookaside Buffer (TLB) von Intel-Prozessoren, um geschützte Informationen per Seitenkanal abzuschöpfen. --------------------------------------------- http://heise.de/-4091114 ∗∗∗ Aufgepasst: Phishing-Mails schüren WannaCry-Panik ∗∗∗ --------------------------------------------- Aktuell gehen E-Mails um, die behaupten, der Rechner des Empfängers sei mit einem Verschlüsselungstrojaner infiziert. --------------------------------------------- http://heise.de/-4091746 ∗∗∗ Gefälschte Pichler Werkzeug GmbH-Rechnung verbreitet Schadsoftware ∗∗∗ --------------------------------------------- Unternehmen erhalten per E-Mail eine gefälschte Bestellbestätigung der Pichler Werkzeug GmbH aus Innsbruck. Darin heißt es, dass sie ein unterzeichnetes Formular zurück an die Absenderin retournieren sollen. Das Formular befindet sich angeblich in einer GZ-Datei. In Wahrheit verbirgt sie Schadsoftware. Empfänger/innen dürfen den Dateianhang nicht öffnen. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschte-pichler-werkzeug-gmbh-re… ===================== = Vulnerabilities = ===================== ∗∗∗ [20180507] - Core - Session deletion race condition ∗∗∗ --------------------------------------------- CVE Number: CVE-2018-11324 A long running background process, such as remote checks for core or extension updates, could create a race condition where a session which was expected to be destroyed would be recreated. Affected Installs: Joomla! CMS versions 3.0.0 through 3.8.7 Solution: Upgrade to version 3.8.8 --------------------------------------------- https://developer.joomla.org/security-centre/735-20180507-core-session-dele… ∗∗∗ Bluetooth-Lücke: Patch für "smartes" Vorhängeschloss Tapplock ∗∗∗ --------------------------------------------- Sicherheitsforscher knacken das Schloss Tapplock über Bluetooth in wenigen Sekunden. Auch rohe Gewalt kann das Schloss unter Umständen öffnen. --------------------------------------------- http://heise.de/-4091406 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (git), Debian (bouncycastle and lava-server), Fedora (ansible, epiphany, kernel, kernel-tools, matrix-synapse, mingw-podofo, pass, podofo, python-prometheus_client, redis, rubygem-sinatra, and thunderbird-enigmail), Gentoo (file and pnp4nagios), Mageia (file, glibc, kernel, librsvg, and libvorbis), openSUSE (go1.9, mariadb, phpMyAdmin, and redis), and SUSE (firefox, kernel modules packages, and python). --------------------------------------------- https://lwn.net/Articles/758211/ ∗∗∗ Synology-SA-18:33 DSM ∗∗∗ --------------------------------------------- Multiple vulnerabilities allow remote authenticated users to execute arbitrary OS commands or obtain sensitive information via a susceptible version of Synology Diskstation Manager (DSM). --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_18_33 ∗∗∗ FortiOS SSL VPN webportal user credentials present in plain text in client side javascript file ∗∗∗ --------------------------------------------- https://fortiguard.com/psirt/%20FG-IR-18-027 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.06.2018
by Daily end-of-shift report 22 Jun '18

22 Jun '18

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 21-06-2018 18:00 − Freitag 22-06-2018 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New GZipDe Malware Drops Metasploit Backdoor ∗∗∗ --------------------------------------------- Security researchers from AlienVault have discovered a new malware strain named GZipDe that appears to be part of a targeted attack â€”most likely a cyber-espionage campaign. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-gzipde-malware-drops-met… ∗∗∗ FIRST Releases Training to Help Companies Respond to Product Vulnerabilities ∗∗∗ --------------------------------------------- The Forum of Incident Security Response Teams, Inc. (FIRST) is pleased to release the final Product Security Incident Response Teams (PSIRT) Services Framework (PDF) and accompanying training video course. This framework and training video course were developed by a global team of PSIRT practitioners from FIRST members and relevant subject matter experts. --------------------------------------------- https://www.first.org/newsroom/releases/20180621 ∗∗∗ Detecting Kernel Memory Disclosure – Whitepaper ∗∗∗ --------------------------------------------- Since early 2017, we have been working on Bochspwn Reloaded – a piece of dynamic binary instrumentation built on top of the Bochs IA-32 software emulator, designed to identify memory disclosure vulnerabilities in operating system kernels. Over the course of the project, we successfully used it to discover and report over 70 previously unknown security issues in Windows, and more than 10 bugs in Linux. --------------------------------------------- https://googleprojectzero.blogspot.com/2018/06/detecting-kernel-memory-disc… ∗∗∗ Financial Services Sector Rife with Hidden Tunnels ∗∗∗ --------------------------------------------- Attackers use the approach to look like legitimate traffic and hide data exfiltration in plain sight. --------------------------------------------- https://threatpost.com/financial-services-sector-rife-with-hidden-tunnels/1… ∗∗∗ Wie Sie eine Baby-Cam erfolgreich hacken (Gwelltimes P2P Cloud) ∗∗∗ --------------------------------------------- Vor einiger Zeit wurde in den USA ein Fall bekannt, bei dem ein W-LAN-fähiges Babyphone gehackt worden sei. Jemand hätte die Mutter und ihr Baby überwacht. SEC Consult hat sich den Fall nun aus der technischen Perspektive angesehen. --------------------------------------------- https://www.sec-consult.com/blog/2018/06/wie-sie-eine-babycam-erfolgreich-h… ∗∗∗ Documenting and Attacking a Windows Defender Application Control Feature the Hard Way - A Case Study in Security Research Methodology ∗∗∗ --------------------------------------------- As is typically the case for me, whenever a new Windows build is released, I diff the Windows Defender Application Control (WDAC, formerly Device Guard) code integrity policy schema (located in %windir%\schemas\CodeIntegrity\cipolicy.xsd) to see if there are any new, interesting features. I resort to doing this because new WDAC features are seldom documented [...] --------------------------------------------- https://posts.specterops.io/documenting-and-attacking-a-windows-defender-ap… ∗∗∗ Why You Should Care about Website Security on Your Small Site ∗∗∗ --------------------------------------------- Most people assume that if their website has been compromised, there must have been an attacker evaluating their site and looking for a specific vulnerability to hack. Under most circumstances however, bad actors don’t manually hand-pick websites to attack since it’s a tedious and time consuming process. Instead, they rely on automation to identify vulnerable websites and execute their attacks. --------------------------------------------- https://blog.sucuri.net/2018/06/why-you-should-care-about-website-security-… ===================== = Vulnerabilities = ===================== ∗∗∗ Delta Electronics Delta Industrial Automation COMMGR ∗∗∗ --------------------------------------------- This advisory includes mitigations for a stack-based buffer overflow vulnerability in the Delta Electronics Delta Industrial Automation COMMGR software. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-172-01 ∗∗∗ Rockwell Automation Allen-Bradley CompactLogix and Compact GuardLogix ∗∗∗ --------------------------------------------- This advisory includes mitigation recommendations for an improper input validation vulnerability reported in Rockwell Automation Allen-Bradley CompactLogix and Compact GuardLogix controllers. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-172-02 ∗∗∗ PMASA-2018-4 ∗∗∗ --------------------------------------------- File inclusion and remote code execution attackAffected VersionsphpMyAdmin 4.8.0 and 4.8.1 are affected.CVE ID(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12613, uCVE-2018-12613) --------------------------------------------- https://www.phpmyadmin.net/security/PMASA-2018-4/ ∗∗∗ PMASA-2018-3 ∗∗∗ --------------------------------------------- XSS in Designer featureAffected VersionsphpMyAdmin versions prior to 4.8.2.CVE ID(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12581, uCVE-2018-12581) --------------------------------------------- https://www.phpmyadmin.net/security/PMASA-2018-3/ ∗∗∗ Security Advisory - FRP Bypass Vulnerability in Some Huawei Smart Phones ∗∗∗ --------------------------------------------- There is Factory Reset Protection (FRP) bypass vulnerability in some Huawei smart phones. An attacker gets some users smart phone and performs some special operations in the guide function. The attacker may exploit the vulnerability to bypass FRP function and use the phone normally. (Vulnerability ID: HWPSIRT-2018-04051) --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20180622-01-by… ∗∗∗ Security Advisory - Bluetooth Unlock Bypassing Vulnerability in Some Huawei Mobile Phones ∗∗∗ --------------------------------------------- Some Huawei mobile phones have a Bluetooth unlock bypassing vulnerability due to the lack of validation on Bluetooth devices. If a user has enabled the smart unlock function, an attacker can impersonate the users Bluetooth device to unlock the users mobile phone screen. (Vulnerability ID: HWPSIRT-2017-01088) --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170323-01-sm… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (php-horde-image), openSUSE (kernel), Scientific Linux (git), SUSE (bluez, kernel, mariadb, and mariadb, mariadb-connector-c, xtrabackup), and Ubuntu (openjdk-7). --------------------------------------------- https://lwn.net/Articles/758024/ ∗∗∗ Lazy FP state restore vulnerability CVE-2018-3665 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K21344224 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.06.2018
by Daily end-of-shift report 21 Jun '18

21 Jun '18

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 20-06-2018 18:00 − Donnerstag 21-06-2018 18:00 Handler: Stephan Richter Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Downloading 3rd Party OpenVPN Configs May Be Dangerous. Here’s Why. ∗∗∗ --------------------------------------------- If an actor wanted to cause the OpenVPN configuration file to execute a command they would add the "script-security 2" line, which allows user defined scripts to be executed, and a "up" entry, which contains the command that is executed after after a connection has been made. --------------------------------------------- https://www.bleepingcomputer.com/news/security/downloading-3rd-party-openvp… ∗∗∗ Beginner’s Guide to Pentesting IoT Architecture/Network and Setting Up IoT Pentesting Lab – Part 1 ∗∗∗ --------------------------------------------- In this post, I will explain how to pentest an IoT Network/Architecture. Also, I will explain how to set up an IoT Pentesting lab for getting started with IoT Pentesting. Since the post is too long, to make it digestible, it will be split into two parts. --------------------------------------------- https://resources.infosecinstitute.com/beginners-guide-to-pentesting-iot-ar… ∗∗∗ Google Developer Discovers a Critical Bug in Modern Web Browsers ∗∗∗ --------------------------------------------- Chrome and Safari already have a policy in place to reject such cross-origin requests as soon as they see any redirection after the underlying content appears to have changed between requests, their users are already protected. ... FireFox and Edge browsers that were found vulnerable to this issue have also patched the vulnerability in their latest versions after Archibald responsibly reported it to their security teams. Therefore, FireFox and Edge browser users are highly recommended to make sure that they are running the latest version of these browsers. --------------------------------------------- https://thehackernews.com/2018/06/browser-cross-origin-vulnerability.html ∗∗∗ Drupal Vulnerability (CVE-2018-7602) Exploited to Deliver Monero-Mining Malware ∗∗∗ --------------------------------------------- We were able to observe a series of network attacks exploiting CVE-2018-7602, a security flaw in the Drupal content management framework. For now, these attacks aim to turn affected systems into Monero-mining bots. Of note are its ways of hiding behind the Tor network to elude detection and how it checks the affected system first before infecting it with a cryptocurrency-mining malware. --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/0C5nXsg4wxQ/ ∗∗∗ Warnung vor gefälschter Finanzonline.at-Nachricht ∗∗∗ --------------------------------------------- Internet-Nutzer/innen erhalten eine gefälschte E-Mail des Finanzministeriums. Sie hat das Betreff „Ihre Steuerrückzahlung“. Darin heißt es, dass eine kürzlich erfolgte Steuerrückzahlung an Empfänger/innen fehlgeschlagen sei. Aus diesem Grund sollen sie auf einer unbekannten Website persönliche Bankdarten bekannt geben. Nutzer/innen übermitteln diese an Kriminelle und werden Opfer eines Datendiebstahls. --------------------------------------------- https://www.watchlist-internet.at/news/warnung-vor-gefaelschter-finanzonlin… ===================== = Vulnerabilities = ===================== ∗∗∗ NVIDIA TX1 Boot ROM Vulnerability ∗∗∗ --------------------------------------------- On April 24, 2018, researchers disclosed a vulnerability that takes advantage of a buffer overflow vulnerability in NVIDIA TX1 BootROM when Recovery Mode (RCM) is active. This vulnerability could allow an unprivileged, local attacker to bypass secure boot and execute unverified code on an affected system. The vulnerability has been identified by CVE-2018-6242. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Nextcloud Server: Mehrere Schwachstellen ermöglichen u.a. das Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- er Hersteller stellt die Nextcloud Server Versionen 12.0.8 und 13.0.3 zur Behebung der Schwachstellen CVE-2018-3761 und CVE-2018-3762 zur Verfügung. Zur Behebung der Schwachstellen CVE-2018-3763 und CVE-2018-3764 stehen Sicherheitsupdates für die Apps 'Contacts' auf Version 2.1.2 und 'Calendar' auf Version 1.6.1 bzw. 1.5.8 zur Verfügung. --------------------------------------------- https://adv-archiv.dfn-cert.de/adv/2018-1204/ ∗∗∗ Security Advisory für Microsoft Exchange Server ∗∗∗ --------------------------------------------- Microsoft hat anlässlich des Quartals-Updates für Microsoft Exchange Server ein Security Advisory sowie Sicherheitsupdates für Elemente der "Outside In" Libraries von Oracle veröffentlicht, die in Microsoft Exchange Server enthalten sind. Durch diese Patches werden drei Schwachstellen geschlossen. --------------------------------------------- https://www.cert.at/warnings/all/20180620.html ∗∗∗ Sicherheitslücken (teils kritisch) in Cisco FXOS und NX-OS Software - Patches verfügbar ∗∗∗ --------------------------------------------- Cisco hat mehrere Security Advisories zu teils kritischen Sicherheitslücken in Cisco FXOS und Cisco NX-OS Software veröffentlicht. Fünf der Schwachstellen werden mit einem CVSS Base Score von 9.8 als kritisch eingestuft: [...] --------------------------------------------- https://www.cert.at/warnings/all/20180621.html ∗∗∗ Symantec Endpoint Protection Multiple Issues ∗∗∗ --------------------------------------------- Symantec has released a set of updates to address issues that were discovered in the Symantec Endpoint Protection product. --------------------------------------------- https://support.symantec.com/en_US/article.SYMSA1454.html ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by openSUSE (cobbler and matrix-synapse), Oracle (git), Red Hat (git), SUSE (java-1_7_1-ibm, nagios-nrpe, and ntp), and Ubuntu (AMD microcode). --------------------------------------------- https://lwn.net/Articles/757971/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.06.2018
by Daily end-of-shift report 20 Jun '18

20 Jun '18

===================== = End-of-Day report = ===================== Timeframe: Dienstag 19-06-2018 18:00 − Mittwoch 20-06-2018 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ ZeroFont Technique Lets Phishing Emails Bypass Office 365 Security Filters ∗∗∗ --------------------------------------------- Cyber-criminals are currently using a trick that allows them to bypass Microsofts security filters and deliver spam and phishing emails to Office 365 email accounts. --------------------------------------------- https://www.bleepingcomputer.com/news/security/zerofont-technique-lets-phis… ∗∗∗ Verschlüsselung: TLS 1.0 und 1.1 sollen "sterben, sterben, sterben" ∗∗∗ --------------------------------------------- Ein aktueller Entwurf der IETF sieht vor, dass die alten TLS-Versionen 1.0 und 1.1 künftig nicht mehr benutzt werden dürfen. Ein Fallback ist explizit nicht vorgesehen. (TLS, Verschlüsselung) --------------------------------------------- https://www.golem.de/news/verschluesselung-tls-1-0-und-1-1-sollen-sterben-s… ∗∗∗ Perverse Vulnerability from Interaction between 2-Factor Authentication and iOS AutoFill ∗∗∗ --------------------------------------------- Apple is rolling out an iOS security usability feature called Security code AutoFill. The basic idea is that the OS scans incoming SMS messages for security codes and suggests them in AutoFill, so that people can use them without having to memorize or type them.Sounds like a really good idea, but Andreas Gutmann points out an application where this could become a vulnerability: when authenticating transactions:Transaction authentication, as opposed to user authentication, is used to attest the [...] --------------------------------------------- https://www.schneier.com/blog/archives/2018/06/perverse_vulner.html ∗∗∗ Magento Credit Card Stealer Reinfector ∗∗∗ --------------------------------------------- In the past few months, we have frequently seen how attackers are infecting Magento installations to scrape confidential information such as credit cards, logins, and PayPal credentials. That is why we have reported on a credit card stealer reinfector of Magento websites in one of our recent Labs Notes. --------------------------------------------- https://blog.sucuri.net/2018/06/magento-credit-card-stealer-reinfector.html ∗∗∗ Malware Olympic Destroyer ist zurück und zielt auch auf Deutschland ∗∗∗ --------------------------------------------- Olympic Destroyer hat es auf europäische Einrichtungen zur chemischen und biologischen Gefahrenabwehr abgesehen, warnen Sicherheitsforscher. --------------------------------------------- http://heise.de/-4086654 ∗∗∗ Spectre-NG-Lücken: OpenBSD schaltet Hyper-Threading ab ∗∗∗ --------------------------------------------- Um das Risiko für Angriffe über Spectre-Lücken zu mindern, schaltet das Betriebssystem OpenBSD bei Intel-Prozessoren Multi-Threading jetzt standardmäßig ab. --------------------------------------------- http://heise.de/-4087035 ∗∗∗ Bawag P.S.K.-KundInnen dürfen keine angebliche Sicherheits-App installieren! ∗∗∗ --------------------------------------------- Kriminelle verfassen eine gefälschte Bawag P.S.K.-Nachricht und versenden diese massenhaft. In der Nachricht werden die EmpfängerInnen wegen einer vermeintlichen Einschränkung des Kontos dazu aufgefordert eine Sicherheits-App zu installieren, um ihr Konto wieder nutzen zu können. Achtung: Es handelt sich um Schadsoftware und einen Versuch an fremde Bankdaten zu gelangen. Wer die Applikation installiert gewährt den Kriminellen Zugriff auf das eigene Bankkonto. --------------------------------------------- https://www.watchlist-internet.at/news/bawag-psk-kundinnen-duerfen-keine-an… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (pass), Debian (xen), Fedora (chromium, cobbler, gnupg, kernel, LibRaw, mariadb, mingw-libtiff, nikto, and timidity++), Gentoo (chromium, curl, and transmission), Mageia (gnupg, gnupg2, librsvg, poppler, roundcubemail, and xdg-utils), Red Hat (ansible and glusterfs), Slackware (gnupg), SUSE (cobbler, dwr, java-1_8_0-ibm, kernel, microcode_ctl, pam-modules, salt, slf4j, and SMS3.1), and Ubuntu (libgcrypt11, libgcrypt11, libgcrypt20, and mozjs52). --------------------------------------------- https://lwn.net/Articles/757876/ ∗∗∗ QNAP QTS LDAP Server Command Injection Flaw Lets Remote Users Execute Arbitrary Commands on the Target System ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1041141 ∗∗∗ Splunk REST Endpoint Lets Remote Users Obtain Potentially Sensitive Information on the Target System ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1041148 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.06.2018
by Daily end-of-shift report 19 Jun '18

19 Jun '18

===================== = End-of-Day report = ===================== Timeframe: Montag 18-06-2018 18:00 − Dienstag 19-06-2018 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ 75% of Malware Uploaded on "No-Distribute" Scanners Is Unknown to Researchers ∗∗∗ --------------------------------------------- Three-quarters of malware samples uploaded to "no-distribute scanners" are never shared on "multiscanners" like VirusTotal, and hence, they remain unknown to security firms and researchers for longer periods of time. --------------------------------------------- https://www.bleepingcomputer.com/news/security/75-percent-of-malware-upload… ∗∗∗ Over 22,000 Container Orchestration Systems Connected to the Internet ∗∗∗ --------------------------------------------- The admin consoles of over 22,000 container orchestration and API management systems are currently exposed online, according to a report published on Monday by Lacework, a company specialized in cloud security. --------------------------------------------- https://www.bleepingcomputer.com/news/security/over-22-000-container-orches… ∗∗∗ FIRST releases 2017-2018 Annual Report ∗∗∗ --------------------------------------------- The Forum of Incident Response and Security Teams releases its second annual report, covering the scope of its activities from the 2017 conference in Puerto Rico, through its 2018 annual event in Kuala Lumpur. --------------------------------------------- https://www.first.org/newsroom/releases/20180619 ∗∗∗ macOS-Fehler macht verschlüsselte Bilder und Texte zugänglich ∗∗∗ --------------------------------------------- Ein Bug in der QuickLook-Schnellansicht speichert auch geschützte Dateien im Dateisystem, so Sicherheitsforscher. --------------------------------------------- http://heise.de/-4084698 ∗∗∗ Flightradar24 gehackt: Daten von 230.000 Nutzern abgezogen ∗∗∗ --------------------------------------------- Einige Mitglieder von Flightradar24 erhalten derzeit E-Mails mit Warnungen über einen Server-Einbruch. Die Betreiber haben Passwörter zurückgesetzt. --------------------------------------------- http://heise.de/-4084911 ∗∗∗ Warnung vor thermomix-outlet.com ∗∗∗ --------------------------------------------- Auf thermomix-outlet.com können Konsument/innen den Thermomix TM5 mit Cook-Key um 879,00 Euro kaufen. Die Bezahlung der Ware ist nur im Voraus möglich. Interessent/innen, die den Kaufpreis überweisen, verlieren ihr Geld an Kriminelle und werden Opfer eines Datendiebstahls. Von einem Einkauf auf thermomix-outlet.com ist daher dringend abzuraten! --------------------------------------------- https://www.watchlist-internet.at/news/warnung-vor-thermomix-outletcom/ ∗∗∗ Vermeintliche Geschäftsführung drängt zu Geldüberweisung ∗∗∗ --------------------------------------------- Verrechnungs- und Buchhaltungsabteilungen in Firmen sowie KassierInnen in Vereinen werden gezielt von Betrügern adressiert. Die E-Mails werden im Namen der Geschäftsführung der jeweiligen Firma bezehungsweise des jeweiligen Vereins verschickt. Darin werden die MitarbeiterInnen dazu aufgefordert hohe Geldbeträge ins Ausland zu überweisen. Wird die Überweisung durchgeführt, ist das Geld verloren. --------------------------------------------- https://www.watchlist-internet.at/news/vermeintliche-geschaeftsfuehrung-dra… ∗∗∗ Netzpolitik - Sicherheitsdefizit bei Chromecast und Google Home erlaubt exakte Ortung der Nutzer ∗∗∗ --------------------------------------------- Google verspricht Update – Forscher warnt generell vor falschem Vertrauen in das lokale Netzwerk --------------------------------------------- https://derstandard.at/2000081833170/Sicherheitsdefizit-bei-Chromecast-und-… ===================== = Vulnerabilities = ===================== ∗∗∗ ADV180010 | June 2018 Oracle Outside In Library Security Update ∗∗∗ --------------------------------------------- Microsoft Exchange Server contains some elements of the Oracle Outside In libraries. The June 19, 2018 releases of Microsoft Exchange Server contain fixes to the following vulnerabilities, [...] --------------------------------------------- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180010 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (libgcrypt), Fedora (bouncycastle, nodejs, and perl-Archive-Tar), openSUSE (aubio), and Red Hat (chromium-browser, glibc, kernel, kernel-rt, libvirt, pcs, samba, samba4, sssd and ding-libs, and zsh). --------------------------------------------- https://lwn.net/Articles/757811/ ∗∗∗ IBM Security Bulletin: A vulnerability in IBM Java SDK affects IBM Spectrum Scale ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=ssg1S1012400 ∗∗∗ HPESBMU03837 rev.1 - HPE CentralView Fraud Risk Management - Multiple Remote Vulnerabilities ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPESBGN03853 rev.1 - HPE Network Function Virtuallization Director (NFVD), Remote Unauthorized Access to Sensitive Information ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.06.2018
by Daily end-of-shift report 18 Jun '18

18 Jun '18

===================== = End-of-Day report = ===================== Timeframe: Freitag 15-06-2018 18:00 − Montag 18-06-2018 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ macOS Breaks Your OpSec by Caching Data From Encrypted Hard Drives ∗∗∗ --------------------------------------------- Apples macOS surreptitiously creates and caches thumbnails for images and other file types stored on password-protected / encrypted containers (hard drives, partitions), according to Wojciech Reguła and Patrick Wardle, two macOS security experts. --------------------------------------------- https://www.bleepingcomputer.com/news/apple/macos-breaks-your-opsec-by-cach… ∗∗∗ Rootkit-Based Adware Wreaks Havoc Among Windows 10 Users in the US ∗∗∗ --------------------------------------------- Security researchers from Romania-based antivirus vendor Bitdefender have detailed the operations of an adware strain named Zacinlo that uses a rootkit component to gain persistence across OS reinstalls, a rootkit component thats even effective against Windows 10 installations. --------------------------------------------- https://www.bleepingcomputer.com/news/security/rootkit-based-adware-wreaks-… ∗∗∗ Vendor Patches Seven Vulnerabilities Across 392 Camera Models ∗∗∗ --------------------------------------------- Axis Communications AB, a Swedish manufacturer of network cameras for physical security and video surveillance, has patched seven security flaws across nearly 400 security camera models. --------------------------------------------- https://www.bleepingcomputer.com/news/security/vendor-patches-seven-vulnera… ∗∗∗ Betrügerische Pfändungstermine ignorieren ∗∗∗ --------------------------------------------- Kriminelle versenden gefälschte Inkassoschreiben und erklären den Empfänger/innen, dass sie ein Mahnverfahren erwirkt haben und ein Gerichtsvollzieher die vermeintlichen Schuldner/innen besuchen werde. Das könne einzig und allein eine Geldzahlung verhindern. Konsument/innen können die E-Mail ignorieren und müssen keine Geldzahlung leisten. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-pfaendungstermine-ign… ===================== = Vulnerabilities = ===================== ∗∗∗ Xen Security Advisory CVE-2018-3665 / XSA-267 ∗∗∗ --------------------------------------------- Speculative register leakage from lazy FPU context switching --------------------------------------------- https://xenbits.xen.org/xsa/advisory-267.html ∗∗∗ MFSBGN03809 rev.1 - Universal CMDB, Deserialization Java Objects and CSRF ∗∗∗ --------------------------------------------- A potential vulnerability has been identified in UCMDB Browser. This vulnerability could be exploited to Deserialization & Cross-site Request forgery (CSRF). --------------------------------------------- https://softwaresupport.softwaregrp.com/document/-/facetsearch/document/KM0… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (kernel), Debian (libgcrypt20, redis, and strongswan), Fedora (epiphany, freedink-dfarc, gnupg, LibRaw, nodejs-JSV, nodejs-uri-js, singularity, strongswan, and webkit2gtk3), Mageia (flash-player-plugin, freedink-dfarc, and imagemagick), openSUSE (enigmail, gpg2, java-1_7_0-openjdk, java-1_8_0-openjdk, poppler, postgresql96, python-python-gnupg, and samba), Oracle (kernel), SUSE (gpg2 and xen), and Ubuntu (gnupg and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/757758/ ∗∗∗ BlackBerry powered by Android Security Bulletin – June 2018 ∗∗∗ --------------------------------------------- http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber… ∗∗∗ FFmpeg: Mehrere Schwachstellen ermöglichen verschiedene Denial-of-Service-Angriffe ∗∗∗ --------------------------------------------- https://adv-archiv.dfn-cert.de/adv/2018-1177/ ∗∗∗ IBM Security Bulletin: IBM Flex System FC3171 8Gb SAN Switch and SAN Pass-thru is affected by vulnerability in OpenSLP (CVE-2017-17833) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/home/docdisplay?lndocid=MIGR-5099813 ∗∗∗ IBM Security Bulletin: Vulnerabilities in OpenSSL Affect Sterling Connect:Direct for HP NonStop (CVE-2018-0739) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22016399 ∗∗∗ IBM Security Bulletin: Vulnerabilities in cURL affect IBM Flex System FC3171 8Gb SAN Switch and SAN Pass-thru (CVE-2017-8816 CVE-2017-8817 CVE-2017-8818) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/home/docdisplay?lndocid=migr-5099811 ∗∗∗ IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Flex System FC3171 8Gb SAN Switch and SAN Pass-thru (CVE-2017-3737 CVE-2017-3738) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/home/docdisplay?lndocid=MIGR-5099812 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.06.2018
by Daily end-of-shift report 15 Jun '18

15 Jun '18

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 14-06-2018 18:00 − Freitag 15-06-2018 18:00 Handler: Alexander Riepl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Kaspersky Halts Europol and NoMoreRansom Project Coop After EU Parliament Vote ∗∗∗ --------------------------------------------- Kaspersky Lab announced it was temporarily halting its cooperation with Europol following the voting of a controversial motion in the European Parliament today. --------------------------------------------- https://www.bleepingcomputer.com/news/government/kaspersky-halts-europol-an… ∗∗∗ Decryptor Released for the Everbe Ransomware ∗∗∗ --------------------------------------------- A decryptor for the Everbe Ransomware was released by Michael Gillespie that allows victims to get their files back for free. It is not known how this ransomware is currently being distributed, but as long as victims have an unencrypted version of an encrypted file, they can use them to brute force the decryption key. --------------------------------------------- https://www.bleepingcomputer.com/news/security/decryptor-released-for-the-e… ∗∗∗ Mechanics Behind Ransomware-as-a-Service ∗∗∗ --------------------------------------------- Ransomware is an increasingly serious concern, and this problem is getting worse over time. Initially, this malware began to compromise fixed targets such as individuals, but now the focus has changed and became much broader — from individuals to organizations. --------------------------------------------- https://resources.infosecinstitute.com/mechanics-behind-ransomware-as-a-ser… ∗∗∗ Old Botnets never Die, and DDG REFUSE to Fade Away ∗∗∗ --------------------------------------------- DDG is a mining botnet that specializes in exploiting SSH, Redis database and OrientDB database servers. We first caught it on October 25, 2017, at that time, DDG used version number 2020 and 2021, and we noticed that the botnet has two internally reserved domain names that had not been [...] --------------------------------------------- http://blog.netlab.360.com/old-botnets-never-die-and-ddg-refuse-to-fade-awa… ∗∗∗ Spectre-NG: Harte Kritik von OpenBSD-Entwickler Theo de Raadt ∗∗∗ --------------------------------------------- Die Veröffentlichung des jüngsten Spectre-NG-Bugs wurde hektisch vorgezogen, nachdem Theo de Raadt die Informationspolitik von Intel kritisierte. --------------------------------------------- http://heise.de/-4078903 ∗∗∗ 5 Millionen Mal heruntergeladen: Bösartige Docker-Container schürfen Monero ∗∗∗ --------------------------------------------- Zehn Monate lang waren Docker-Images mit Hintertür über Docker Hub verfügbar, obwohl die Verantwortlichen längst über den Schadcode informiert waren. --------------------------------------------- http://heise.de/-4079414 ∗∗∗ Unintended Clipboard Paste Function in Windows 10 Leads to Information Leak in RS1 ∗∗∗ --------------------------------------------- The McAfee Labs Advanced Threat Research team has been investigating the Windows 10 platform. We have submitted several vulnerabilities already and have disclosed our research to Microsoft. Please refer to our vulnerability disclosure policy for further details or the post from earlier this week on Windows 10 Cortana vulnerabilities. --------------------------------------------- https://securingtomorrow.mcafee.com/mcafee-labs/unintended-clipboard-paste-… ∗∗∗ Fake Font Dropper ∗∗∗ --------------------------------------------- A website owner reached out to us to investigate a weird behavior on their site. It was randomly showing a popup window for a missing font and telling the visitors that they are unable to view the content of the site because their own computers are missing a required font by the website called "HoeflerText", [...] --------------------------------------------- http://labs.sucuri.net/?note=2018-06-14 ∗∗∗ Totally Pwning the Tapplock (the API way) ∗∗∗ --------------------------------------------- An awesome researcher contacted us on the back of our recent Tapplock pwnage. We had been looking at the local BLE unlock mechanism, however he focussed instead on the mobile app API. Vangelis Stykas (@evstykas) has found a way to unlock any lock, plus scrape users PII and home addresses. --------------------------------------------- https://www.pentestpartners.com/security-blog/totally-pwning-the-tapplock-t… ===================== = Vulnerabilities = ===================== ∗∗∗ Natus Xltek NeuroWorks ∗∗∗ --------------------------------------------- This medical device advisory includes mitigations for stack-based buffer overflow and out-of-bounds read vulnerabilities in the Natus Xltek NeuroWorks software. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSMA-18-165-01 ∗∗∗ Siemens SCALANCE X Switches, RUGGEDCOM WiMAX, RFID 181-EIP, and SIMATIC RF182C ∗∗∗ --------------------------------------------- This advisory includes mitigation recommendations for a permissions, privileges, and access controls vulnerability reported in Siemens SCALANCE X switches, RUGGEDCOM WiMAX, RFID 181-EIP, and SIMATIC RF182C. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-165-01 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (plexus-archiver), Fedora (chromium, kernel, and plexus-archiver), Mageia (firefox, gifsicle, jasper, leptonica, patch, perl-DBD-mysql, qt3, and scummvm), openSUSE (opencv), Oracle (kernel), Red Hat (kernel), Scientific Linux (kernel), SUSE (gpg2, nautilus, and postgresql96), and Ubuntu (gnupg2 and linux-raspi2). --------------------------------------------- https://lwn.net/Articles/757610/ ∗∗∗ Cisco IP Phone 7800 Series and 8800 Series Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ [R1] Nessus Agent 7.1.0 Fixes Multiple Third-party Vulnerabilities ∗∗∗ --------------------------------------------- http://www.tenable.com/security/tns-2018-09 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.06.2018
by Daily end-of-shift report 14 Jun '18

14 Jun '18

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 13-06-2018 18:00 − Donnerstag 14-06-2018 18:00 Handler: Alexander Riepl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ SigSpoof: Signaturen fälschen mit GnuPG ∗∗∗ --------------------------------------------- In bestimmten Situationen lässt sich die Signaturprüfung von GnuPG in den Plugins für Thunderbird und Apple Mail austricksen. Der Grund: Über ungefilterte Ausgaben lassen sich Statusmeldungen des Kommandozeilentools fälschen. Doch der Angriff funktioniert nur unter sehr speziellen Bedingungen. (GPG, E-Mail) --------------------------------------------- https://www.golem.de/news/sigspoof-signaturen-faelschen-mit-gnupg-1806-1349… ∗∗∗ Lazy FPU: Intels Floating Point Unit kann geheime Daten leaken ∗∗∗ --------------------------------------------- Register der Floating Point Unit in Core I und wohl auch von einigen Xeon-Prozessoren können Ergebnisse vertraulicher Berechnungen verraten. Dazu ist jedoch ein lokaler Angriff mit Malware erforderlich, außerdem ein veraltetes Betriebssystem. (Intel, Amazon) --------------------------------------------- https://www.golem.de/news/lazy-fpu-intels-floating-point-unit-kann-geheime-… ∗∗∗ Microsoft Reveals Which Bugs It Won’t Patch ∗∗∗ --------------------------------------------- A draft document lays out its criteria for addressing various flaws and notes the exceptions. --------------------------------------------- https://threatpost.com/microsoft-reveals-which-bugs-it-wont-patch/132817/ ∗∗∗ A Bunch of Compromized Wordpress Sites, (Wed, Jun 13th) ∗∗∗ --------------------------------------------- A few days ago, one of our readers contacted reported an incident affecting his website based on Wordpress. He performed quick checks by himself and found some pieces of evidence: [...] --------------------------------------------- https://isc.sans.edu/diary/rss/23764 ∗∗∗ Tapplock Smart locks found to be physically and digitally vulnerable ∗∗∗ --------------------------------------------- Tapplock Smart locks contain several physical and digital vulnerabilities, each of which could allow an attacker to crack the lock with some attacks taking as little as two seconds to execute. --------------------------------------------- https://www.scmagazine.com/tapplock-smart-locks-found-to-be-physically-and-… ∗∗∗ Malspam Campaigns Using IQY Attachments to Bypass AV Filters and Install RATs ∗∗∗ --------------------------------------------- Malspam campaigns, such as ones being distributed by Necurs, are utilizing a new attachment type that is doing a good job in bypassing antivirus and mail filters. These IQY attachments are called Excel Web Query files and when opened will attempt to pull data from external sources. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malspam-campaigns-using-iqy-… ∗∗∗ Mac-Malware kann Sicherheits-Tools austricksen ∗∗∗ --------------------------------------------- Mit einer vermeintlichen Apple-Signatur ist es Schadsoftware möglich, bekannte Security-Tools zu umgehen. Das Problem besteht offenbar seit Jahren. --------------------------------------------- http://heise.de/-4077945 ∗∗∗ Ecos Secure Boot Stick: Forscher warnen vor Schwachstellen ∗∗∗ --------------------------------------------- Tests mit dem SBS-Stick 5.6.5 und der System-Management-Software 5.2.68 haben mehrere Angriffspunkte offenbart. Updates stehen bereit. --------------------------------------------- http://heise.de/-4078344 ∗∗∗ Schadcode per Git: Xcode-Update soll Schwachstelle beheben ∗∗∗ --------------------------------------------- Apple hat die Programmierumgebung aktualisiert, um Sicherheitslücken auszuräumen. Git-Nutzer sollten das Update zügig einspielen. --------------------------------------------- http://heise.de/-4078821 ∗∗∗ New CryptoMiner hijacks your Bitcoin transaction. Over 300,000 computers have been attacked. ∗∗∗ --------------------------------------------- Recently, 360 Security Center discovered a new type of actively spreading CryptoMiner, ClipboardWalletHijacker. The Trojan monitors clipboard activity to detect if it contains the account [...] --------------------------------------------- https://blog.360totalsecurity.com/en/new-cryptominer-hijacks-your-bitcoin-t… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (chromium and gnupg), Debian (spip), Fedora (pdns-recursor), Gentoo (adobe-flash, burp, quassel, and wget), openSUSE (bouncycastle and taglib), Oracle (kernel), SUSE (java-1_7_0-openjdk, java-1_8_0-openjdk, poppler, and samba), and Ubuntu (file, perl, and ruby1.9.1, ruby2.0, ruby2.3). --------------------------------------------- https://lwn.net/Articles/757531/ ∗∗∗ Custom Tokens - Critical - Arbitrary PHP code execution - SA-CONTRIB-2018-041 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2018-041 ∗∗∗ OpenSSL, Libgcrypt, LibreSSL: Zwei Schwachstellen ermöglichen u.a. einen Denial-of-Service-Angriff ∗∗∗ --------------------------------------------- https://adv-archiv.dfn-cert.de/adv/2018-1138/ https://www.openssl.org/news/secadv/20180612.txt ∗∗∗ Enigmail: Zwei Schwachstellen ermöglichen u.a. das Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://adv-archiv.dfn-cert.de/adv/2018-1155/ ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Algo Credit Manager ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22017118 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM® SPSS Statistics Server ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22016900 ∗∗∗ IBM Security Bulletin: A privilege escalation vulnerability in nzhwinfo that affects IBM Netezza Platform Software clients. ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22015701 ∗∗∗ IBM Security Bulletin: Vulnerability in IBM HTTP Server affects Netezza Performance Portal ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22016809 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM® SDK, Java™ Technology Edition affect IBM Virtualization Engine TS7700 – October 2017, January 2018 and April 2018 ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=ssg1S1012379 ∗∗∗ IBM Security Bulletin: IBM WebSphere Cast Iron Solution is affected by Tomcat vulnerabilities ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22017032 ∗∗∗ SigSpoof: Spoofing signatures in GnuPG, Enigmail, GPGTools and python-gnupg (CVE-2018-12020) ∗∗∗ --------------------------------------------- https://neopg.io/blog/gpg-signature-spoof/ ∗∗∗ SigSpoof 2: More ways to spoof signatures in GnuPG (CVE-2018-12019) ∗∗∗ --------------------------------------------- https://neopg.io/blog/enigmail-signature-spoof/ ∗∗∗ SigSpoof 3: Breaking signature verification in pass (Simple Password Store) (CVE-2018-12356) ∗∗∗ --------------------------------------------- https://neopg.io/blog/pass-signature-spoof/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.06.2018
by Daily end-of-shift report 13 Jun '18

13 Jun '18

===================== = End-of-Day report = ===================== Timeframe: Dienstag 12-06-2018 18:00 − Mittwoch 13-06-2018 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ June 2018 Security Update Release ∗∗∗ --------------------------------------------- Today, we released security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to turn on automatic updates. More information about this month’s .. --------------------------------------------- https://blogs.technet.microsoft.com/msrc/2018/06/12/june-2018-security-upda… ∗∗∗ Windows NTFS Tricks von und für Pentester ∗∗∗ --------------------------------------------- Das SEC Consult Vulnerability Lab hat einen neuen Blogeintrag veröffentlicht, in welchem verschiedene NTFS-Dateisystemtricks aufgezeigt werden. Diese wurden in den letzten Jahren aus verschiedenen Quellen zusammengetragen bzw. vom SEC Consult Vulnerability Lab entdeckt sowie weiterentwickelt. Die Tricks führen .. --------------------------------------------- https://www.sec-consult.com/blog/2018/06/windows-ntfs-tricks-von-und-fuer-p… ∗∗∗ Subtle change could see a reduction in installation of malicious Chrome extensions ∗∗∗ --------------------------------------------- Google has made a subtle change to its Chrome browser, banning the inline installation of new extensions, thus .. --------------------------------------------- https://www.virusbulletin.com:443/blog/2018/06/subtle-change-could-see-redu… ∗∗∗ Feds Bust Dozens of Nigerian Email Scammers, but Your Inbox Still Isn’t Safe ∗∗∗ --------------------------------------------- The arrest of dozens of alleged Nigerian email scammers and their associates is a small, but important, .. --------------------------------------------- https://www.wired.com/story/feds-bust-nigerian-email-scammers ∗∗∗ Patchday: Microsoft verarztet 50 Sicherheitslücken ∗∗∗ --------------------------------------------- In vielen Windows-Versionen klafft unter anderem eine kritische Lücke in der DNS-Programmierschnittstelle. Sicherheitsupdates stehen bereit. --------------------------------------------- http://heise.de/-4077270 ∗∗∗ Botnetz "Trik": C&C-Server leakt Millionen von E-Mail-Adressen ∗∗∗ --------------------------------------------- Ein Forscher ist auf eine Spammer-Datenbank mit mehr als 43 Millionen Mail-Adressen gestoßen. Noch ist unklar, wie viele von ihnen schon zuvor geleakt wurden. --------------------------------------------- http://heise.de/-4077371 ∗∗∗ Exploit kits: Spring 2018 review ∗∗∗ --------------------------------------------- In this Spring 2018 snapshot, we review the top exploit kits .. --------------------------------------------- https://blog.malwarebytes.com/cybercrime/2018/06/exploit-kits-spring-2018-r… ∗∗∗ June 2018 Office Update Release ∗∗∗ --------------------------------------------- The June 2018 Public Update releases for Office are now available! This month, there .. --------------------------------------------- https://blogs.technet.microsoft.com/office_sustained_engineering/2018/06/12… ===================== = Vulnerabilities = ===================== ∗∗∗ HPESBHF03850 rev.1 - HPE ProLiant, Synergy, and Moonshot Systems: Local Disclosure of Information, CVE-2018-3639 – Speculative Store Bypass and CVE-2018-3640 – Rogue System Register Read ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ Schneider Electric U.motion Builder ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-163-01 ∗∗∗ Siemens SCALANCE X Switches ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-163-02 ∗∗∗ Local File Inclusion vulnerability in Zenphoto ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN33124193/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.06.2018
by Daily end-of-shift report 12 Jun '18

12 Jun '18

===================== = End-of-Day report = ===================== Timeframe: Montag 11-06-2018 18:00 − Dienstag 12-06-2018 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Unprotected Server Exposes Weight Watchers Internal IT Infrastructure ∗∗∗ --------------------------------------------- Researchers found that a critical Weight Watchers server revealed its IT internal infrastructure. --------------------------------------------- https://threatpost.com/unprotected-server-exposes-weight-watchers-internal-… ∗∗∗ Hacker überfällt Linuxforums.org und erbeutet Daten von 276.000 Accounts ∗∗∗ --------------------------------------------- Ein Unbekannter hat Zugriff auf Interna von Linuxforums.org bekommen und dabei Nutzerdaten inklusive Passwörtern kopiert. --------------------------------------------- http://heise.de/-4076540 ∗∗∗ Android-Malware schürft Kryptogeld auf Fire-TV-Geräten ∗∗∗ --------------------------------------------- Ruckelnde Video-Streams und seltsame weiße Pop-Ups können Anzeichen für eine Schadcode-Infektion auf Fire TV und Fire TV Sticks sein. --------------------------------------------- http://heise.de/-4076706 ∗∗∗ IT-Security - Security-Fail: OnePlus 6 nicht gegen modifizierte Firmware abgesichert ∗∗∗ --------------------------------------------- Auch bei gesperrtem Bootloader kann ein beliebiges Image übertragen werden – Hersteller kündigt Patch an --------------------------------------------- https://derstandard.at/2000081439178/Security-Fail-OnePlus-6-nicht-gegen-mo… ∗∗∗ IT-Security - Bei Trump-Kim-Gipfel verteilt: Spionagebedenken um USB-Ventilatoren ∗∗∗ --------------------------------------------- Aufgrund der Hitze wurden Sackerl mit USB-Ventilatoren und Wasser verteilt – die könnten mit Malware infiziert sein --------------------------------------------- https://derstandard.at/2000081443928/Bei-Trump-Kim-Gipfel-verteilt-Bedenken… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco WebEx Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the web framework of the https://try.webex.com page of Cisco WebEx could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against the user of the web interface of an affected system.The vulnerability is due to insufficient input validation of certain parameters that are passed to the affected .. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ VMSA-2018-0015 - VMware AirWatch Agent updates resolve remote code execution vulnerability. ∗∗∗ --------------------------------------------- The VMware AirWatch Agent for Android and Windows Mobile devices contain a remote code execution vulnerability in real time File Manager capabilities. This vulnerability may allow for unauthorized creation and execution of .. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2018-0015.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.06.2018
by Daily end-of-shift report 11 Jun '18

11 Jun '18

===================== = End-of-Day report = ===================== Timeframe: Freitag 08-06-2018 18:00 − Montag 11-06-2018 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Chile: Swift-Angriff hinter Wiper-Malware versteckt ∗∗∗ --------------------------------------------- Wenn ein Unternehmen mit Ransomware attackiert wird, geht es nicht immer um Erpressung. Bei einem Angriff auf die Banco de Chile soll die Software vor allem als Ablenkung eingesetzt worden sein. --------------------------------------------- https://www.golem.de/news/chile-swift-angriff-hinter-wiper-malware-versteck… ∗∗∗ Lenovo Finally Patches Ancient BlueBorne Bugs in Tab and Yoga Tablets ∗∗∗ --------------------------------------------- Lenovo patches several popular tablet models to protect against BlueBorne vulnerabilities first identified in September 2017. --------------------------------------------- https://threatpost.com/lenovo-finally-patches-ancient-blueborne-bugs-in-tab… ∗∗∗ Paper: EternalBlue: a prominent threat actor of 2017–2018 ∗∗∗ --------------------------------------------- We publish a paper by researchers from Quick Heal Security Labs in India, who study the EternalBlue and DoublePulsar exploits in full detail. --------------------------------------------- https://www.virusbulletin.com:443/blog/2018/06/paper-eternalblue-prominent-… ∗∗∗ Verschlüsselung: GnuPG verschärft Integritäts-Checks ∗∗∗ --------------------------------------------- Als Folge der Efail-Probleme erzwingt GnuPG 2.2.8 jetzt die Verwendung von Prüfcodes. Außerdem beseitigt das Update ein neu entdecktes Sicherheitsproblem. --------------------------------------------- http://heise.de/-4075908 ∗∗∗ Magento CC stealer reinfector ∗∗∗ --------------------------------------------- We have seen many times in the past few months how attackers are infecting Magento installations to scrape confidential information such as credit cards, logins, and PayPal credentials, but we haven’t .. --------------------------------------------- http://labs.sucuri.net/?note=2018-06-08 ===================== = Vulnerabilities = ===================== ∗∗∗ DSA-4225 openjdk-7 - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2018/dsa-4225 ∗∗∗ DSA-4220 firefox-esr - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2018/dsa-4220 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.06.2018
by Daily end-of-shift report 08 Jun '18

08 Jun '18

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 07-06-2018 18:00 − Freitag 08-06-2018 18:00 Handler: Alexander Riepl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Gitea: Account von Github-Alternative kurzzeitig übernommen ∗∗∗ --------------------------------------------- Das Projekt Gitea erstellt eine leichtgewichtige Open-Source-Alternative zu Github. Ein Bot-Account des Projekts auf Github ist nun offenbar kurzzeitig übernommen worden, um Cryptominer zu verbreiten. Quellcode und Infrastruktur sollen nicht betroffen sein. --------------------------------------------- https://www.golem.de/news/gitea-account-von-github-alternative-kurzzeitig-u… ∗∗∗ Adobe: Flash-Exploit wird über Office-Dokumente verteilt ∗∗∗ --------------------------------------------- Flash-Exploits werden mittlerweile immer häufiger über Office-Dokumente verteilt, weil Browser die Inhalte kaum noch anzeigen. In einem aktuellen Fall werden Nutzer im arabischen Raum angegriffen. --------------------------------------------- https://www.golem.de/news/adobe-flash-exploit-wird-ueber-office-dokumente-v… ∗∗∗ Combo aus drei Sicherheitslücken bricht IP-Kameras von Foscam ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für verschiedene IP-Kameras von Foscam. --------------------------------------------- http://heise.de/-4074308 ===================== = Vulnerabilities = ===================== ∗∗∗ Rockwell Automation RSLinx Classic and FactoryTalk Linx Gateway ∗∗∗ --------------------------------------------- This advisory contains mitigation recommendations for an unquoted search path or element vulnerability in the Rockwell Automation RSLinix Classic software platform. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-158-01 ∗∗∗ Update: "Zero-Day" Sicherheitslücke in Adobe Flash Player - aktiv ausgenützt - Patches verfügbar ∗∗∗ --------------------------------------------- Update: "Zero-Day" Sicherheitslücke in Adobe Flash Player - aktiv ausgenützt - Patches verfügbar 7. Juni 2018 Update: 8. Juni 2018 Beschreibung Adobe hat bekanntgegeben, dass es aktuell eine kritische Sicherheitslücke in Adobe Flash Player gibt, die auch bereits aktiv ausgenützt wird. CVE-Nummer: CVE-2018-5002 Update: 8. Juni 2018 CVE-Nummern: CVE-2018-4945, CVE-2018-5000, CVE-2018-5001, CVE-2018-5002 Adobe hat ein entsprechendes Update [...] --------------------------------------------- http://www.cert.at/warnings/all/20180607.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (radare2), Debian (jruby), Fedora (elfutils and wireless-tools), openSUSE (glibc, mariadb, and xdg-utils), Oracle (kernel), Red Hat (chromium-browser and java-1.7.1-ibm), SUSE (ceph, icu, kernel-firmware, memcached, and xen), and Ubuntu (unbound). --------------------------------------------- https://lwn.net/Articles/756950/ ∗∗∗ Security vulnerabilities fixed in Firefox 60.0.2, ESR 60.0.2, and ESR 52.8.1 ∗∗∗ --------------------------------------------- critical - CVE-2018-6126: Heap buffer overflow rasterizing paths in SVG with Skia --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2018-14/ ∗∗∗ Synology-SA-17:79 SRM ∗∗∗ --------------------------------------------- This vulnerability allows remote authenticated users to execute arbitrary code via a susceptible version of Synology Router Manager --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_17_79 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.06.2018
by Daily end-of-shift report 07 Jun '18

07 Jun '18

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 06-06-2018 18:00 − Donnerstag 07-06-2018 18:00 Handler: Olaf Schwarz Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Prowli Malware Targeting Servers, Routers, and IoT Devices ∗∗∗ --------------------------------------------- After the discovery of massive VPNFilter malware botnet, security researchers have now uncovered another giant botnet that has already compromised more than 40,000 servers, modems and internet-connected devices belonging to a wide number of organizations across the world. Dubbed Operation Prowli, the campaign has been spreading malware and injecting malicious code ... --------------------------------------------- https://thehackernews.com/2018/06/prowli-malware-botnet.html ∗∗∗ Crappy IoT on the high seas: Holes punched in hull of maritime security ∗∗∗ --------------------------------------------- Researchers: We can nudge ships off course Infosec Europe Years-old security issues mostly stamped out in enterprise technology remain in maritime environments, leaving ships vulnerable to hacking, tracking, and worse. --------------------------------------------- https://www.theregister.co.uk/2018/06/06/infosec_europe_maritime_security/ ∗∗∗ Cyber Europe 2018 – Get prepared for the next cyber crisis ∗∗∗ --------------------------------------------- EU Cybersecurity Agency ENISA organised an international cybersecurity exercise --------------------------------------------- https://www.enisa.europa.eu/news/enisa-news/cyber-europe-2018-get-prepared-… ∗∗∗ Retefe check ∗∗∗ --------------------------------------------- Check if your computer is infected with the Retefe banking trojan. --------------------------------------------- http://retefe-check.ch/ ∗∗∗ A Totally Tubular Treatise on TRITON and TriStation ∗∗∗ --------------------------------------------- Introduction In December 2017, FireEyes Mandiant discussed an incident response involving the TRITON framework. The TRITON attack and many of the publicly discussed ICS intrusions involved routine techniques where the threat actors used only what is necessary to succeed in their mission. For both INDUSTROYER and TRITON, the attackers moved from the IT network to the OT (operational technology) network through systems that were accessible to both environments. --------------------------------------------- http://www.fireeye.com/blog/threat-research/2018/06/totally-tubular-treatis… ∗∗∗ Sicherheitsupdates: Kritische Lücken in Cisco IOS und Prime ∗∗∗ --------------------------------------------- In verschiedenen Netzwerkgeräten und -Software von Cisco klaffen teils kritische Lücken. Betroffene Admins sollten die verfügbaren Patches zügig installieren. --------------------------------------------- http://heise.de/-4072861 ===================== = Vulnerabilities = ===================== ∗∗∗ "Zero-Day" Sicherheitslücke in Adobe Flash Player - aktiv ausgenützt - Patches verfügbar ∗∗∗ --------------------------------------------- "Zero-Day" Sicherheitslücke in Adobe Flash Player - aktiv ausgenützt - Patches verfügbar 7. Juni 2018 Beschreibung Adobe hat bekanntgegeben, dass es aktuell eine kritische Sicherheitslücke in Adobe Flash Player gibt, die auch bereits aktiv ausgenützt wird. CVE-Nummer: CVE-2018-5002 Adobe hat ein entsprechendes Update veröffentlicht, die Details befinden sich unter https://helpx.adobe.com/security/products/flash-player/apsb18-19.html. --------------------------------------------- http://www.cert.at/warnings/all/20180607.html ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (memcached), Fedora (java-1.8.0-openjdk-aarch32, sqlite, and xen), Mageia (corosync, gimp, qtpass, and SDL_image), openSUSE (zziplib), Slackware (mozilla), SUSE (git and libvorbis), and Ubuntu (liblouis). --------------------------------------------- https://lwn.net/Articles/756853/ ∗∗∗ IBM Security Bulletin: Multiple vulnerabilites in IBM Java Runtime affect IBM Spectrum Protect Snapshot (formerly Tivoli Storage FlashCopy Manager) for VMware (CVE-2018-2579, CVE-2018-2602, CVE-2018-2603, CVE-2018-2633, CVE-2018-2783) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22016041 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Spectrum Protect (formerly Tivoli Storage Manager) for Virtual Environments: Data Protection for Hyper-V ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22016028 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities have been fixed in IBM Security Identity Manager ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22013617 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in the IBM GSKit component of IBM Spectrum Protect (formerly Tivoli Storage Manager) for Virtual Environments: Data Protection for Hyper-V ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22015304 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily