Daily

daily@lists.cert.at

1 participants
3154 discussions

Tageszusammenfassung - 23.04.2018
by Daily end-of-shift report 23 Apr '18

23 Apr '18

===================== = End-of-Day report = ===================== Timeframe: Freitag 20-04-2018 18:00 − Montag 23-04-2018 18:00 Handler: Alexander Riepl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Datenleck bei Sicherheitskonferenz ∗∗∗ --------------------------------------------- Eine Sicherheitslücke in der App zur RSA Sicherheitskonferenz ermöglichte es, die Namen von Konferenzteilnehmern auszulesen. --------------------------------------------- https://futurezone.at/digital-life/datenleck-bei-sicherheitskonferenz/40002… ∗∗∗ UMCI: Project Zero veröffentlicht Windows-10-Sicherheitslücke ∗∗∗ --------------------------------------------- Wieder einmal haben sich Google und Microsoft über die Veröffentlichung einer Sicherheitslücke gestritten. Der Fehler in .Net ermöglicht es einem Angreifer, trotz enger Beschränkungen Code unter Windows 10 S oder auf UMCI-Systemen auszuführen. (Project Zero, Google) --------------------------------------------- https://www.golem.de/news/umci-project-zero-veroeffentlicht-windows-10-sich… ∗∗∗ Chinese web giant finds Windows zero-day, stays shtum on specifics ∗∗∗ --------------------------------------------- Quihoo 360 plays the responsible disclosure game Chinese company Quihoo 360 says its found a Windows zero-day in the wild, but because its notified Microsoft, its not telling anyone else how it works. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2018/04/23/quihoo_360_… ∗∗∗ Monero-Mining RETADUP Worm Goes Polymorphic, Gets an AutoHotKey Variant ∗∗∗ --------------------------------------------- We came across a new version of a cryptocurrency-mining RETADUP worm (detected by Trend Micro as WORM_RETADUP.G) through feedback from our managed detection and response-related monitoring. This new variant is coded in AutoHotKey, an open-source scripting language used in Windows for creating hotkeys (i.e., keyboard shortcuts, macros, software automation). AutoHotKey is relatively similar to the script automation utility AutoIt, from which RETADUP’s earlier variants were based on and used [...] --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/3PgT2t0-HwE/ ∗∗∗ Loading Kernel Shellcode ∗∗∗ --------------------------------------------- In the wake of recent hacking tool dumps, the FLARE team saw a spike in malware samples detonating kernel shellcode. Although most samples can be analyzed statically, the FLARE team sometimes debugs these samples to confirm specific functionality. Debugging can be an efficient way to get around packing or obfuscation and quickly identify the structures, system routines, and processes that a kernel shellcode sample is accessing. This post begins a series centered on kernel software analysis, and [...] --------------------------------------------- http://www.fireeye.com/blog/threat-research/2018/04/loading-kernel-shellcod… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gunicorn, libreoffice, libsdl2-image, ruby1.8, and ruby1.9.1), Fedora (java-1.8.0-openjdk, jgraphx, memcached, nghttp2, perl, perl-Module-CoreList, and roundcubemail), Gentoo (clamav, librelp, mbedtls, quagga, tenshi, and unadf), Mageia (freeplane, libcdio, libtiff, thunderbird, and zsh), openSUSE (cfitsio, chromium, mbedtls, and nextcloud), and Red Hat (chromium-browser, kernel, and rh-perl524-perl). --------------------------------------------- https://lwn.net/Articles/752544/ ∗∗∗ FortiClient insecure VPN credential storage and encryption ∗∗∗ --------------------------------------------- http://fortiguard.com/psirt/FG-IR-17-214 ∗∗∗ IBM Security Bulletin: IBM Content Manager Enterprise Edition Resource Manager is affected by a Remote Code Execution Cross-site Scripting vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/support/docview.wss?uid=swg22014917 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in the IBM Java SDK affect IBM Cloud Application Performance Management Private 8.1.4. and IBM Cloud Application Performance Management ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22015278 ∗∗∗ Multiple Stored XSS Vulnerabilities in WSO2 Carbon and WSO2 Dashboard Server ∗∗∗ --------------------------------------------- https://www.sec-consult.com/en/blog/advisories/multiple-stored-xss-vulnerab… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.04.2018
by Daily end-of-shift report 20 Apr '18

20 Apr '18

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 19-04-2018 18:00 − Freitag 20-04-2018 18:00 Handler: Alexander Riepl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Patschn am Patscherkofel ∗∗∗ --------------------------------------------- Nachdem einige Medien über einen Vorfall berichten, bei dem auch wir involviert waren, will ich hier ein paar Fakten klarstellen: Wir bekommen immer wieder von Researchern - und da ist die "Internetwache" nur einer unter vielen - Hinweise zu konkreten Sicherheitsproblemen im österreichischen Internet. Unsere Rolle hier ist, diese Meldungen (auf Wunsch anonymisiert) an die Betroffenen weiterzuleiten und dort für die entsprechende [...] --------------------------------------------- http://www.cert.at/services/blog/20180420131015-2180.html ∗∗∗ Firms More Likely to Tempt Security Pros With Big Salaries than Invest in Training ∗∗∗ --------------------------------------------- Booz Allen survey shows most organizations' answer to the security skills shortage may be unsustainable. --------------------------------------------- https://www.darkreading.com/careers-and-people/firms-more-likely-to-tempt-s… ∗∗∗ First Public Demo of Data Breach via IoT Hack Comes to RSAC ∗∗∗ --------------------------------------------- At RSA Conference, senior researchers will show how relatively unskilled attackers can steal personally identifiable information without coming into contact with endpoint security tools. --------------------------------------------- https://www.darkreading.com/vulnerabilities---threats/first-public-demo-of-… ∗∗∗ Doctor Web: a Trojan on Google Play subscribes users to paid services ∗∗∗ --------------------------------------------- April 16, 2018 Doctor Web virus analysts have detected a Trojan Android.Click.245.origin on Google Play. When ordered by cybercriminals, it loads websites where users are tricked into subscribing to paid content services. In some cases the subscription is executed automatically when users click on a fake "download program" button. Cybercriminals distributed Android.Click.245.origin on behalf of developer Roman Zencov and disguised the Trojan as popular applications. --------------------------------------------- https://news.drweb.com/show/?i=12540&lng=en&c=9 ∗∗∗ Introducing Windows Defender System Guard runtime attestation ∗∗∗ --------------------------------------------- At Microsoft, we want users to be in control of their devices, including knowing the security health of these devices. If important security features should fail, users should be aware. Windows Defender System Guard runtime attestation, a new Windows platform security technology, fills this need. In Windows 10 Fall Creators Update, we reorganized all system [...] --------------------------------------------- https://cloudblogs.microsoft.com/microsoftsecure/2018/04/19/introducing-win… ∗∗∗ NCSC publishes factsheet on considerations and preconditions for the deployment of TLS interception ∗∗∗ --------------------------------------------- TLS interception makes encrypted connections within the network of an organisation accessible for inspection. The use of this technical measure should be carefully considered in the light of additional risks and should meet a number of important preconditions. --------------------------------------------- https://www.ncsc.nl/english/current-topics/news/ncsc-publishes-factsheet-on… ∗∗∗ Botnet Muhstik is Actively Exploiting Drupal CVE-2018-7600 in a Worm Style ∗∗∗ --------------------------------------------- On March 28, 2018, drupal released a patch for CVE-2018-7600. Drupal is an open-source content management system written in PHP, quite popular in many sites to provide web service. This vulnerability exists in multiple drupal versions, which may be exploited by an attacker to take full control of the target. --------------------------------------------- http://blog.netlab.360.com/botnet-muhstik-is-actively-exploiting-drupal-cve… ∗∗∗ XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing ∗∗∗ --------------------------------------------- We have been detecting a new wave of network attacks since early March, which, for now, are targeting Japan, Korea, China, Taiwan, and Hong Kong. The attacks use Domain Name System (DNS) cache poisoning/DNS spoofing, possibly through infringement techniques such as brute-force or dictionary attacks, to distribute and install malicious Android apps. Trend Micro detects these as ANDROIDOS_XLOADER.HRX. These malware pose as legitimate Facebook or Chrome applications. They are distributed from [...] --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/a9ANfAHCd0c/ ∗∗∗ iPhone-Unlock-Tool GrayKey: Apple streicht Gegenmittel aus iOS 11.3 ∗∗∗ --------------------------------------------- iOS 11.3 sollte es eigentlich schwerer machen, iPhone-Daten über eine Kabelverbindung auszulesen. Die wichtige Sicherheitsfunktion fehlt jedoch in der finalen Fassung, sodass sich Entsperr-Tools wie GrayKey offenbar weiter ungehindert einsetzen lassen. --------------------------------------------- https://www.heise.de/-4027793 ∗∗∗ Android: Google Safe Browsing schützt nun auch WebView in Apps ∗∗∗ --------------------------------------------- Google Safe Browsing schützt Chrome-Nutzer vor schädlichen Webseiten, Malware und Phishing-Attacken. Künftig ist der Schutzmechanismus auch in Android-WebView standardmäßig aktiv. --------------------------------------------- https://www.heise.de/-4028504 ∗∗∗ When BEC scammers specialize ∗∗∗ --------------------------------------------- A group of BEC scammers has been focusing its efforts on the global maritime shipping industry, compromising emails accounts and attempting to trick targets into delivering considerable sums to bank accounts set up by the group. Secureworks researchers have been tracking the group's activities for quite a while and have been warning the targets. They estimate that between June 2017 and January 2018, the scammers attempted to steal a minimum of $3.9 million U.S. dollars [...] --------------------------------------------- https://www.helpnetsecurity.com/2018/04/20/bec-scammers-specialize/ ===================== = Vulnerabilities = ===================== ∗∗∗ Siemens SIMATIC WinCC OA Operator IOS App ∗∗∗ --------------------------------------------- This advisory includes mitigations for a file and directory information exposure vulnerability identified in the Siemens WinCC OA iOS App. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-109-01 ∗∗∗ Cisco Adaptive Security Appliance WebVPN Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the Login screen of the Clientless SSL VPN (WebVPN) portal of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device.The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a [...] --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ VMSA-2018-0010 ∗∗∗ --------------------------------------------- Horizon DaaS update addresses a broken authentication issue --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2018-0010.html ∗∗∗ Vulnerability Spotlight: Multiple Issues in Foxit PDF Reader ∗∗∗ --------------------------------------------- Talos is disclosing five vulnerabilities in Foxit PDF Reader. Foxit PDF Reader is a popular free program for viewing, creating, and editing PDF documents. It is commonly used as an alternative to Adobe Acrobat Reader and has a widely used browser plugin available. Update to the current version of Foxit PDF Reader. --------------------------------------------- https://blog.talosintelligence.com/2018/04/multiple-vulns-foxit-pdf-reader.… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libreoffice and mysql-5.5), Fedora (corosync), Oracle (java-1.8.0-openjdk), Red Hat (java-1.8.0-openjdk), Scientific Linux (java-1.8.0-openjdk), and Ubuntu (openssl). --------------------------------------------- https://lwn.net/Articles/752405/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.04.2018
by Daily end-of-shift report 19 Apr '18

19 Apr '18

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 18-04-2018 18:00 − Donnerstag 19-04-2018 18:00 Handler: Alexander Riepl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Data Firm Left Profiles of 48 Million Users on a Publicly Accessible AWS Server ∗∗∗ --------------------------------------------- LocalBlox, a company that scrapes data from public web profiles, has left the details of over 48 million users on a publicly accessible Amazon Web Services (AWS) S3 bucket, according to an UpGuard security researcher who discovered the data on February 28, this year. --------------------------------------------- https://www.bleepingcomputer.com/news/security/data-firm-left-profiles-of-4… ∗∗∗ Relieve Stress Paint Tool: Mal-Malware kopiert Facebook-Zugangsdaten ∗∗∗ --------------------------------------------- Eine Malware tarnt sich mit gefälschten Unicode-Domains und sucht gezielt nach Facebook-Zugangsdaten. Nutzern wird hingegen ein Anti-Stress-Malprogramm versprochen. (Malware, Virus) --------------------------------------------- https://www.golem.de/news/relieve-stress-paint-tool-mal-malware-kopiert-fac… ∗∗∗ Windows Exploitation Tricks: Exploiting Arbitrary File Writes for Local Elevation of Privilege ∗∗∗ --------------------------------------------- Previously I presented a technique to exploit arbitrary directory creation vulnerabilities on Windows to give you read access to any file on the system. In the upcoming Spring Creators Update (RS4) the abuse of mount points to link to files as I exploited in the previous blog post has been remediated. This is an example of a long term security benefit from detailing how vulnerabilities might be exploited, giving a developer an incentive to find ways of [...] --------------------------------------------- https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-… ∗∗∗ Trustjacking exploit abuses iTunes feature to spy on iOS devices ∗∗∗ --------------------------------------------- Researchers presenting at RSA 2018 on Wednesday disclosed how attackers can gain persistent remote control over iOS devices by abusing a weakness in iTunes Wi-Fi sync, a feature that allows users to sync up iTunes content and data between Apple devices. --------------------------------------------- https://www.scmagazine.com/trustjacking-exploit-abuses-itunes-feature-to-sp… ∗∗∗ From Baidu to Google's Open Redirects ∗∗∗ --------------------------------------------- Last week, we described how an ongoing massive malware campaign began using Baidu search result links to redirect people to various ad and scam pages. It didn't last long. Soon after the publication of that article, the bad actors changed the links to use compromised third-party sites and a couple of day later they began using Google's goo.gl URL shortening service. This is a snippet from their decoded script: The Redirect Chain If you check Google's own information about that [...] --------------------------------------------- https://blog.sucuri.net/2018/04/from-baidu-to-googles-open-redirects.html ∗∗∗ Surprise! Wireless brain implants are not secure, and can be hijacked to kill you or steal thoughts ∗∗∗ --------------------------------------------- Science-fiction horror trope now a reality in 2018 Scientists in Belgium have tested the security of a wireless brain implant called a neurostimulator – and found that its unprotected signals can be hacked with off-the-shelf equipment. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2018/04/18/boffins_bre… ∗∗∗ New paper: Powering the distribution of Tesla stealer with PowerShell and VBA macros ∗∗∗ --------------------------------------------- Since their return four years ago, Office macros have been one of the most common ways to spread malware. Today, we publish a research paper which looks in detail at a campaign in which VBA macros are used to execute PowerShell code, which in turn downloads the Tesla information-stealing trojan. --------------------------------------------- https://www.virusbulletin.com:443/blog/2018/04/new-paper-powering-distribut… ∗∗∗ Microsoft veröffentlicht "Windows Defender" als Chrome-Erweiterung ∗∗∗ --------------------------------------------- Microsoft hat seinen Echtzeitschutz als Chrome-Erweiterung veröffentlicht: Die "Windows Defender Browser Protection" verspricht "besseren Schutz" vor betrügerischen Phishing-Seiten und Malware. --------------------------------------------- https://heise.de/-4027458 ∗∗∗ Sicherheitsupdates: Flash-Datei kann Ciscos WebEx Client kompromittieren ∗∗∗ --------------------------------------------- Cisco hat zahlreiches Patches veröffentlicht und schließt mitunter kritische Sicherheitslücken. Zudem geben sie Tipps, wie Admins Netzwerke absichern sollten. --------------------------------------------- https://www.heise.de/-4027370 ∗∗∗ Gefälschte UPC-Phishingmail im Umlauf ∗∗∗ --------------------------------------------- Kriminelle versenden eine gefälschte UPC-Nachricht. Darin erklären sie, dass das E-Mailkonto von Kund/innen gesperrt worden sei. Damit diese es weiterhin nützen können, sollen sie eine externe Website aufrufen und ihre persönlichen Zugangsdaten bekannt geben. Konsument/innen, die der Aufforderung nachkommen, übermitteln ihr UPC-Passwort an Datendiebe. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschte-upc-phishingmail-im-umla… ===================== = Vulnerabilities = ===================== ∗∗∗ Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2018-003 ∗∗∗ --------------------------------------------- Project: Drupal coreDate: 2018-April-18Security risk: Moderately critical 12∕25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site ScriptingDescription: CKEditor, a third-party JavaScript library included in Drupal core, has fixed a cross-site scripting (XSS) vulnerability. The vulnerability stemmed from the fact that it was possible to execute XSS inside CKEditor when using the image2 plugin (which Drupal 8 core also uses). --------------------------------------------- https://www.drupal.org/sa-core-2018-003 ∗∗∗ Display Suite - Critical - Cross site scripting (XSS) - SA-CONTRIB-2018-019 ∗∗∗ --------------------------------------------- Project: Display SuiteVersion: 7.x-2.147.x-1.9Date: 2018-April-18Security risk: Critical 17∕25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross site scripting (XSS)Description: Display Suite allows you to take full control over how your content is displayed using a drag and drop interface. The module doesnt sufficiently validate view modes provided dynamically via URLs leading to a reflected cross site scripting (XSS) attack. --------------------------------------------- https://www.drupal.org/sa-contrib-2018-019 ∗∗∗ PMASA-2018-2 ∗∗∗ --------------------------------------------- CSRF vulnerability allowing arbitrary SQL executionAffected VersionsVersion 4.8.0 is affectedCVE ID(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10188, uCVE-2018-10188) --------------------------------------------- https://www.phpmyadmin.net/security/PMASA-2018-2/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (opencv and wireshark), Fedora (corosync and pcs), Oracle (firefox, kernel, libvncserver, and libvorbis), Slackware (gd), SUSE (kernel), and Ubuntu (apache2). --------------------------------------------- https://lwn.net/Articles/752324/ ∗∗∗ Cisco WebEx Connect IM Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco WebEx Clients Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Identity Services Engine Shell Access Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Industrial Ethernet Switches Device Manager Cross-Site Request Forgery Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco ASA Software, FTD Software, and AnyConnect Secure Mobility Client SAML Authentication Session Fixation Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Adaptive Security Appliance Virtual Private Network SSL Client Certificate Bypass Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in the IBM GSKit component of IBM Spectrum Protect Snapshot (formerly Tivoli Storage FlashCopy Manager) for Unix ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22015077 ∗∗∗ IBM Security Bulletin: IBM API Connect is affected by an Apache HTTP Server vulnerability (CVE-2014-0226) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22015233 ∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affects IBM WebSphere Application Server for IBM Cloud January 2018 CPU ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22015289 ∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affects Liberty for Java for IBM Cloud January 2018 CPU ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22015290 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Cloud Manager with OpenStack ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=isg3T1027494 ∗∗∗ IBM Security Bulletin: OpenSSL Vulnerability affects IBM Spectrum Protect Snapshot (formerly Tivoli Storage FlashCopy Manager) for Unix (CVE-2017-3737) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22013612 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities affect the GSKit component of IBM Tivoli Monitoring ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22015424 ∗∗∗ IBM Security Bulletin: IBM MQ and IBM MQ Appliance are vulnerable to a memory leak in pubsub (CVE-2017-1786) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22013023 ∗∗∗ IBM Security Bulletin: Vulnerability affects Watson Explorer Analytical Components, Watson Explorer Foundational Components Annotation Administration Console and Watson Content Analytics ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22011118 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Jazz Team Server affect IBM Rational products based on IBM Jazz technology ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22015635 ∗∗∗ IBM Security Bulletin: Multiple Security Vulnerabilities Impact IBM Predictive Insights ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22015539 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.04.2018
by Daily end-of-shift report 18 Apr '18

18 Apr '18

===================== = End-of-Day report = ===================== Timeframe: Dienstag 17-04-2018 18:00 − Mittwoch 18-04-2018 18:00 Handler: Alexander Riepl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Android: Google integriert sichere DNS-Abfrage in Android P ∗∗∗ --------------------------------------------- In der kommenden Android-Version mit dem Anfangsbuchstaben P führt Google DNS over TLS ein. Damit würden DNS-Abfragen über einen sicheren Kanal erfolgen. Nutzer können in den Einstellungen auch einen eigenen Hostnamen eingeben oder die Funktion abstellen. --------------------------------------------- https://www.golem.de/news/android-google-integriert-sichere-dns-abfrage-in-… ∗∗∗ Leaking ads ∗∗∗ --------------------------------------------- We found that because of third-party SDKs many popular apps are exposing user data to the internet, with advertising SDKs usually to blame. They collect user data so they can show relehttps://www.heise.de/security/meldung/Critical-Patch-Update-Oracle-will-mit-254-Updates-die-Sicherheit-steigern-4026726.htmlvant ads, but often fail to protect that data when sending it to their servers. --------------------------------------------- http://securelist.com/leaking-ads/85239/ ∗∗∗ Malicious Activities with Google Tag Manager ∗∗∗ --------------------------------------------- If I were to ask if you could trust a script from Google that is loading on your website, the majority of users would say "yes" or even "absolutely". But when malicious behavior ensues, everything should be double-checked and suspected, even assets that come from "trusted sources" like Google, Facebook, and Youtube. In the past, we saw how adsense was abused with a malvertising campaign. Even more recently, we saw how attackers injected malware that called [...] --------------------------------------------- https://blog.sucuri.net/2018/04/malicious-activities-google-tag-manager.html ∗∗∗ Critical Patch Update: Oracle will mit 254 Updates die Sicherheit steigern ∗∗∗ --------------------------------------------- Oracle hangelt sich durch sein Software-Portfolio und schließt zum Teil äußerst kritische Sicherheitslücken. Admins sollten jetzt handeln. --------------------------------------------- https://heise.de/-4026726 ∗∗∗ Chrome 66 warnt vor Webseiten mit Symantec-Zertifikaten ∗∗∗ --------------------------------------------- Die aktuelle Version des Webbrowser Chrome vertraut ab sofort einigen TLS-Zertifikaten von Symantec nicht mehr. Das ist ein weiterer Schritt von Google gegen die Zertifizierungsstelle. --------------------------------------------- https://www.heise.de/-4026854 ∗∗∗ Erpressungstrojaner XiaoBa verwandelt sich in Krypto-Miner ∗∗∗ --------------------------------------------- Die Malware-Autoren des Verschlüsselungstrojaners XiaoBa schwenken um und wollen statt der Erpressung von Lösegeld nun Kryptogeld auf infizierten Computern schürfen. Doch dabei läuft noch nicht alles rund. --------------------------------------------- https://www.heise.de/-4026455 ∗∗∗ Cryptominers displace ransomware as the number one threat ∗∗∗ --------------------------------------------- During the first three months of 2018, cryptominers surged to the top of detected malware incidents, displacing ransomware as the number one threat, Comodo's Global Malware Report Q1 2018 has found. Another surprising finding: Altcoin Monero became the leading target for cryptominers' malware, replacing Bitcoin. The surge of cryptominers For years, Comodo Cybersecurity has tracked the rise of cryptominer attacks, malware that hijacks users' computers to mine cryptocurrencies --------------------------------------------- https://www.helpnetsecurity.com/2018/04/18/q1-2018-malware-trends/ ∗∗∗ PBot: a Python-based adware ∗∗∗ --------------------------------------------- Recently, we came across a Python-based sample dropped by an exploit kit. Although it arrives under the disguise of a MinerBlocker, it has nothing in common with miners. In fact, it seems to be PBot: a Python-based adware. --------------------------------------------- https://blog.malwarebytes.com/threat-analysis/2018/04/pbot-python-based-adw… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (freeplane and jruby), Fedora (kernel and python-bleach), Gentoo (evince, gdk-pixbuf, and ncurses), openSUSE (kernel), Oracle (gcc, glibc, kernel, krb5, ntp, openssh, openssl, policycoreutils, qemu-kvm, and xdg-user-dirs), Red Hat (corosync, glusterfs, kernel, and kernel-rt), SUSE (openssl), and Ubuntu (openssl and perl). --------------------------------------------- https://lwn.net/Articles/752183/ ∗∗∗ Abbott Laboratories Defibrillator ∗∗∗ --------------------------------------------- This medical advisory includes mitigations for improper authentication and improper restriction of power consumption vulnerabilities identified in Abbott Laboratories defibrillators. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSMA-18-107-01 ∗∗∗ Schneider Electric Triconex Tricon ∗∗∗ --------------------------------------------- This advisory includes mitigations for improper restriction of operations within the bounds of a memory buffer vulnerabilities in Schneider Electrics Triconex Tricon safety instrumented system. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-107-02 ∗∗∗ Rockwell Automation Stratix Services Router ∗∗∗ --------------------------------------------- This advisory includes mitigations for improper input validation, improper restriction of operations, and use of externally-controlled format string vulnerabilities in the Rockwell Automation Stratix 5900 router. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-107-03 ∗∗∗ Rockwell Automation Stratix and ArmorStratix Switches ∗∗∗ --------------------------------------------- This advisory includes mitigations for improper improper input validation, resource management, memory buffer and externally-controlled format string vulnerabilities in Rockwell Automations Allen-Bradley Stratix and ArmorStratix Switches. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-107-04 ∗∗∗ Rockwell Automation Stratix Industrial Managed Ethernet Switch ∗∗∗ --------------------------------------------- This advisory includes mitigations for improper imput validation, resource managment, 7PK, memory buffer and externally-controlled format string vulnerabilities in Rockwell Automations Stratix Industrial Managed Switch. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-107-05 ∗∗∗ Security Advisory - Buffer Overflow Vulnerability in Inputhub Driver of Huawei Smart Phone ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2018/huawei-sa-20180418-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.04.2018
by Daily end-of-shift report 17 Apr '18

17 Apr '18

===================== = End-of-Day report = ===================== Timeframe: Montag 16-04-2018 18:00 − Dienstag 17-04-2018 18:00 Handler: Robert Waldner Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Cisco Best Practices to Harden Devices Against Cyber Attacks Targeting Network Infrastructure ∗∗∗ --------------------------------------------- Cisco is aware of the recent joint technical alert from US-CERT (TA18-106A) that details known issues which require customers take steps to protect their networks against cyber-attacks. Providing transparency and guidance to help customers best protect their network is a top priority. Cisco security teams have been actively informing customers about the .. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Wichtige Sicherheitsupdates für VMware vRealize Automation ∗∗∗ --------------------------------------------- Aktualisierte Versionen von vRealize Automation schließen mehrere Sicherheitslücken. Davon gilt keine als kritisch. --------------------------------------------- https://www.heise.de/meldung/Wichtige-Sicherheitsupdates-fuer-VMware-vReali… ∗∗∗ Kreditkartenklau, DDoS-Angriffe: Facebook löscht 117 Cybercrime-Gruppen ∗∗∗ --------------------------------------------- Von Forscher gemeldet – Waren teils seit vielen Jahren aktiv, größter Auftritt hatte 47.000 Mitglieder --------------------------------------------- http://derstandard.at/2000078122065 ===================== = Vulnerabilities = ===================== ∗∗∗ 2018-04-17: Vulnerability in Relion® 630 series version 1.3 and earlier - MMS Path Traversal ∗∗∗ --------------------------------------------- 2018-04-17: Vulnerability in Relion® 630 series version 1.3 and earlier - MMS Path Traversal --------------------------------------------- http://search.abb.com/library/Download.aspx?DocumentID=1MRS758878&LanguageC… ∗∗∗ 2018-04-17: Vulnerability in Relion® 630 series version 1.3 and earlier - Weak Database Encryption ∗∗∗ --------------------------------------------- 2018-04-17: Vulnerability in Relion® 630 series version 1.3 and earlier - Weak Database Encryption --------------------------------------------- http://search.abb.com/library/Download.aspx?DocumentID=1MRS758877&LanguageC… ∗∗∗ SSA-845879 (Last Update: 2018-04-17): Firmware Downgrade Vulnerability in EN100 Ethernet Communication Module for SIPROTEC 4, SIPROTEC Compact and Reyrolle ∗∗∗ --------------------------------------------- The EN100 Ethernet communication module, which is an optional extension for SIPROTEC 4, SIPROTEC Compact and Reyrolle devices, allows an unauthenticated upload of firmware updates to the communication module in affected versions.Siemens has released updates for several affected products, is working on updates for the remaining affected products, and recommends specific countermeasures until fixes are available. --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-845879.pdf ∗∗∗ SSA-203306 (Last Update: 2018-04-17): Password Vulnerabilities in SIPROTEC 4 and SIPROTEC Compact Relay Families ∗∗∗ --------------------------------------------- SIPROTEC 4 and SIPROTEC Compact devices could allow access authorization passwords to be reconstructed or overwritten via engineering mechanisms that involve DIGSI 4 and EN100 Ethernet communication modules.Siemens has released updates for several affected products, is working on updates for the remaining affected products, and recommends specific countermeasures until fixes are available. --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-203306.pdf ∗∗∗ IBM Security Bulletin: IBM i is affected by DHCP vulnerabilities CVE-2018-5732 and CVE-2018-5733. ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=nas8N1022543 ∗∗∗ IBM Security Bulletin: API Connect Developer Portal is affected by Drupal vulnerability (CVE-2018-7600) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22015105 ∗∗∗ IBM Security Bulletin: IBM Lotus Protector for Mail Security has released fixes in response to the public disclosed vulnerability from PHP. ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22015535 ∗∗∗ IBM Security Bulletin: Security vulnerability affects IBM® Rational® Team Concert ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22015454 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.04.2018
by Daily end-of-shift report 16 Apr '18

16 Apr '18

===================== = End-of-Day report = ===================== Timeframe: Freitag 13-04-2018 18:00 − Montag 16-04-2018 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ CVE-2018-7600: Kritische Drupal-Lücke wird ausgenutzt ∗∗∗ --------------------------------------------- Wer seine Drupal-Installation noch nicht gepatcht hat, soll dies spätestens jetzt nachholen. Nach der Veröffentlichung weiterer Details und einem auf Twitter zirkulierenden Exploit-Code wurden erste Angriffe beobachtet. (Drupal, CMS) --------------------------------------------- https://www.golem.de/news/cve-2018-7600-kritische-drupal-luecke-wird-ausgen… ∗∗∗ The March/April 2018 issue of our SWITCH Security Report is available! ∗∗∗ --------------------------------------------- The topics covered in this report are: - The dark side of the Data Force: Facebook, Cambridge Analytica, and the pressing question of who is using whose data for what - News from the world of state trojans: Microsoft’s analysis of FinFisher - Russian APT28 hackers’ month-long infiltration of the computer network of Germany’s federal government - Bitcoin bounty or close encounter: bizarre side-effects of cryptomining The Security Report is available in both English and German. --------------------------------------------- https://securityblog.switch.ch/2018/04/16/switch-security-report-201802/ ===================== = Vulnerabilities = ===================== ∗∗∗ Symantec Advanced Secure Gateway (ASG), ProxySG: Mehrere Schwachstellen ermöglichen u.a. Denial-of-Service-Angriffe ∗∗∗ --------------------------------------------- Zwei Schwachstellen in Symantec Advanced Secure Gateway (ASG) und ProxySG ermöglichen einem einfach authentifizierten Angreifer im benachbarten Netzwerk die Durchführung von Cross-Site-Scripting (XSS)-Angriffen und das Umgehen von Sicherheitsvorkehrungen. Ein nicht authentisierter Angreifer im benachbarten Netzwerk kann eine weitere Schwachstelle zu Denial-of-Service (DoS)-Angriffen ausnutzen. Diese Schwachstellen können nur über die Management-Konsole von ASG und ProxySG ausgenutzt werden. --------------------------------------------- https://adv-archiv.dfn-cert.de/adv/2018-0705/ ∗∗∗ Schwachstelle in Intels SPI-Flash: Erste Firmware-Updates veröffentlicht ∗∗∗ --------------------------------------------- Ein Sicherheitsproblem in Intel-Chipsätzen ermöglicht lokalen Angreifern Firmware-Manipulationen bis hin zum Denial-of-Service. Als erster Hersteller stellt nun Lenovo BIOS/UEFI-Updates bereit. --------------------------------------------- https://heise.de/-4024853 ∗∗∗ Micro Focus Universal Configuration Management Database Lets Local Users Gain Elevated Privileges ∗∗∗ --------------------------------------------- A vulnerability was reported in Micro Focus Universal Configuration Management Database (UCMDB). A local user can obtain elevated privileges on the target system. A local user can exploit an installation file access control flaw to gain elevated privileges on the target system. --------------------------------------------- http://www.securitytracker.com/id/1040680 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (lib32-openssl and zsh), Debian (patch, perl, ruby-loofah, squirrelmail, tiff, and tiff3), Fedora (gnupg2), Gentoo (go), Mageia (firefox, flash-player-plugin, nxagent, puppet, python-paramiko, samba, and thunderbird), Red Hat (flash-plugin), Scientific Linux (python-paramiko), and Ubuntu (patch, perl, and ruby). --------------------------------------------- https://lwn.net/Articles/751947/ ∗∗∗ IBM Security Bulletin: Vulnerability in IBM WebSphere Application Server Affects IBM Emptoris Sourcing, IBM Emptoris Contract Management, IBM Emptoris Spend Analysis, IBM Emptoris Program Management and IBM Emptoris Service Procurement ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22015421 ∗∗∗ OpenSSL vulnerability CVE-2018-0739 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K08044291 ∗∗∗ Apache Tomcat vulnerability CVE-2018-1305 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K32051722 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.04.2018
by Daily end-of-shift report 13 Apr '18

13 Apr '18

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 12-04-2018 18:00 − Freitag 13-04-2018 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Exploitation of Drupalgeddon2 Flaw Starts After Publication of PoC Code ∗∗∗ --------------------------------------------- The exploitation of a very dangerous Drupal vulnerability has started after the publication of proof-of-concept (PoC) code. --------------------------------------------- https://www.bleepingcomputer.com/news/security/exploitation-of-drupalgeddon… ∗∗∗ "Early Bird" Code Injection Technique Helps Malware Stay Undetected ∗∗∗ --------------------------------------------- Security researchers have discovered at least three malware strains using a new code injection technique that allowed them to avoid antivirus detection. --------------------------------------------- https://www.bleepingcomputer.com/news/security/early-bird-code-injection-te… ∗∗∗ Office Macros ∗∗∗ --------------------------------------------- Eine kleine Bemerkung aus aktuellem Anlass: Ich hab gestern mal wieder meinen üblichen Vortrag zum Thema "Bedrohungslage" gehalten, und dabei auch - wie immer - erwähnt, dass Office-Macros gefährlich sind und eingeschränkt werden müssen. Im Publikum war klar zu erkennen, dass einige das bei sich nicht machen können. Verständlich, weil in so manchen Firmen wichtige Geschäftsprozesse als Excel-Macros implementiert [...] --------------------------------------------- http://www.cert.at/services/blog/20180413094624-2176.html ∗∗∗ Thousands of WP, Joomla and SquareSpace sites serving malicious updates ∗∗∗ --------------------------------------------- Thousands of compromised WordPress, Joomla and SquareSpace-based sites are actively pushing malware disguised as Firefox, Chrome and Flash Player updates onto visitors. This campaign has been going on since at least December 2017 and has been gaining steam. The malicious actors are injecting JavaScript that triggers the download requests into the content management systems' JavaScript files or directly into the sites' homepage. --------------------------------------------- https://www.helpnetsecurity.com/2018/04/13/wp-joomla-squarespace-malicious-… ∗∗∗ Android-Hersteller belügen Nutzer bei Sicherheits-Updates ∗∗∗ --------------------------------------------- Bis auf Google liefert niemand wirklich alle Patches aus – Samsung patzt manchmal, OnePlus, LG und Co. regelmäßig --------------------------------------------- http://derstandard.at/2000077842490 ∗∗∗ Introducing Snallygaster - a Tool to Scan for Secrets on Web Servers ∗∗∗ --------------------------------------------- https://blog.hboeck.de/archives/892-Introducing-Snallygaster-a-Tool-to-Scan… ===================== = Vulnerabilities = ===================== ∗∗∗ Yokogawa CENTUM and Exaopc ∗∗∗ --------------------------------------------- This advisory includes mitigations for a permissions, privileges, and access controls vulnerability in the Yokogawa CENTUM series and Exaopc products. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-102-01 ∗∗∗ Oracle Critical Patch Update Pre-Release Announcement - April 2018 ∗∗∗ --------------------------------------------- This Critical Patch Update Pre-Release Announcement provides advance information about the Oracle Critical Patch Update for April 2018, which will be released on Tuesday, April 17, 2018. While this Pre-Release Announcement is as accurate as possible at the time of publication, the information it contains may change before publication of the Critical Patch Update Advisory. --------------------------------------------- http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html ∗∗∗ VMSA-2018-0009 ∗∗∗ --------------------------------------------- vRealize Automation updates address multiple security issues. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2018-0009.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (apache), openSUSE (libvirt, openssl, policycoreutils, and zziplib), Oracle (firefox and python-paramiko), and Red Hat (python-paramiko). --------------------------------------------- https://lwn.net/Articles/751780/ ∗∗∗ Bugtraq: [security bulletin] MFSBGN03802 - Virtualization Performance Viewer (vPV) / Cloud Optimizer, Local Disclosure of Information ∗∗∗ --------------------------------------------- http://www.securityfocus.com/archive/1/541942 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=swg22014440 ∗∗∗ IBM Security Bulletin: IBM MQ clients connecting to an MQ queue manager can cause a SIGSEGV in the amqrmppa channel process terminating it. (CVE-2018-1371) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22012983 ∗∗∗ IBM Security Bulletin: Open Source OpenSSL Vulnerabilities which is used by IBM PureApplication Systems/Service (CVE-2017-3736 CVE-2017-3738) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22014945 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Developer for i and Rational Developer for AIX and Linux ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22015346 ∗∗∗ IBM Security Bulletin: Content Collector for Email affected by privilege escalation vulnerability in WebSphere Application Server ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=swg22015034 ∗∗∗ IBM Security Bulletin: Content Collector for Email affected by information disclosure vulnerability in Websphere Application Server ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=swg22015032 ∗∗∗ BIG-IP TMM vulnerability CVE-2018-5510 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K77671456 ∗∗∗ BIG-IP IPsec tunnel endpoint vulnerability CVE-2017-6156 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K05263202 ∗∗∗ BIG-IP PEM vulnerability CVE-2018-5508 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K10329515 ∗∗∗ BIG-IP SOCKS proxy vulnerability CVE-2017-6148 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K55225440 ∗∗∗ vCMP Cavium Nitrox SSL hardware accelerator vulnerability CVE-2018-5507 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K52521791 ∗∗∗ Apache vulnerability CVE-2018-5506 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K65355492 ∗∗∗ TMUI vulnerability CVE-2018-5511 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K30500703 ∗∗∗ BIG-IP TMM vulnerability CVE-2017-6158 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K19361245 ∗∗∗ TMM vulnerability CVE-2017-6155 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K10930474 ∗∗∗ IP Intelligence Feed List vulnerability CVE-2017-6143 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K11464209 ∗∗∗ cURL and libcurl vulnerability CVE-2018-1000120 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K22052524 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.04.2018
by Daily end-of-shift report 12 Apr '18

12 Apr '18

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 11-04-2018 18:00 − Donnerstag 12-04-2018 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Android Penetration Tools Walkthrough Series Dex2Jar, JD-GUI, and Baksmali ∗∗∗ --------------------------------------------- In this article, we will be focusing on the Android penetration testing tools such as Dex2Jar, JD-GUI, and Baksmali to work with reverse engineering Android APK files. --------------------------------------------- http://resources.infosecinstitute.com/android-penetration-tools-walkthrough… ∗∗∗ APT Trends report Q1 2018 ∗∗∗ --------------------------------------------- In the second quarter of 2017, Kaspersky’s Global Research and Analysis Team (GReAT) began publishing summaries of the quarter’s private threat intelligence reports in an effort to make the public aware of the research we have been conducting. This report serves as the next installment, focusing on the relevant activities that we observed during Q1 2018. --------------------------------------------- http://securelist.com/apt-trends-report-q1-2018/85280/ ∗∗∗ New ‘Early Bird’ Code Injection Technique Helps APT33 Evade Detection ∗∗∗ --------------------------------------------- Researchers have identified what they are calling an Early Bird code injection technique used by the Iranian group APT33 to burrow the TurnedUp malware inside infected systems while evading anti-malware tools. --------------------------------------------- http://threatpost.com/new-early-bird-code-injection-technique-helps-apt33-e… ===================== = Vulnerabilities = ===================== ∗∗∗ Vulnerability Spotlight: Multiple Simple DirectMedia Layer Vulnerabilities ∗∗∗ --------------------------------------------- Talos is disclosing several vulnerabilities identified in Simple DirectMedia Layers SDL2_Image library that could allow code execution. Simple DirectMedia Layer is a cross-platform development library designed to provide low level access to audio, keyboard, mouse, joystick, and graphics hardware via OpenGL and Direct3D. It is used by video playback software, emulators, and popular games including Valves award winning catalog ... --------------------------------------------- http://blog.talosintelligence.com/2018/04/simple-direct-media-layer-vulnera… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (poppler), Fedora (koji and libofx), Gentoo (adobe-flash), Oracle (kernel), Red Hat (qemu-kvm-rhev and sensu), and Scientific Linux (firefox). --------------------------------------------- https://lwn.net/Articles/751668/ ∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities identified in IBM® Java SDK affect WebSphere Service Registry and Repository and WebSphere Service Registry and Repository Studio ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22013955 ∗∗∗ IBM Security Bulletin: IBM Security Access Manager Appliance is affected by a vulnerability in the Apache Portal Runtime (CVE-2017-12613) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22014874 ∗∗∗ IBM Security Bulletin: Security vulnerability has been identified in IBM Spectrum Scale which is used by IBM PureApplication Systems/Service (CVE-2017-1654) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22015239 ∗∗∗ IBM Security Bulletin: IBM Cloud Manager is affected by a OpenSSL vulnerabilities ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=isg3T1027142 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in the IBM HTTP Server (CVE-2017-15710, CVE-2017-15715, CVE-2018-1301) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22015344 ∗∗∗ IBM Security Bulletin: IBM Web Experience Factory is Affected by Multiple Vulnerabilities in IBM Java SDK and IBM Java Runtime ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22014914 ∗∗∗ JSA10844 - 2018-04 Security Bulletin: Junos OS: Kernel crash upon receipt of crafted CLNP packets (CVE-2018-0016) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10844&actp=RSS ∗∗∗ JSA10845 - 2018-04 Security Bulletin: SRX Series: Denial of service vulnerability in flowd daemon on devices configured with NAT-PT (CVE-2018-0017) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10845&actp=RSS ∗∗∗ JSA10846 - 2018-04 Security Bulletin: SRX Series: A crafted packet may lead to information disclosure and firewall rule bypass during compilation of IDP policies. (CVE-2018-0018) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10846&actp=RSS ∗∗∗ JSA10847 - 2018-04 Security Bulletin: Junos: Denial of service vulnerability in SNMP MIB-II subagent daemon (mib2d) (CVE-2018-0019) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10847&actp=RSS ∗∗∗ JSA10848 - 2018-04 Security Bulletin: Junos OS: rpd daemon cores due to malformed BGP UPDATE packet (CVE-2018-0020) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10848&actp=RSS ∗∗∗ JSA10850 - 2018-04 Security Bulletin: NorthStar: Return Of Bleichenbachers Oracle Threat (ROBOT) RSA SSL attack (CVE-2017-1000385) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10850&actp=RSS ∗∗∗ JSA10851 - 2018-04 Security Bulletin: OpenSSL Security Advisory [07 Dec 2017] ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10851&actp=RSS ∗∗∗ JSA10852 - 2018-04 Security Bulletin: Junos OS: Multiple vulnerabilities in stunnel ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10852&actp=RSS ∗∗∗ JSA10853 - 2018-04 Security Bulletin: NSM Appliance: Multiple vulnerabilities resolved in CentOS 6.5-based 2012.2R12 release ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10853&actp=RSS ∗∗∗ Apache HTTPD vulnerability CVE-2018-1301 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K78131906 ∗∗∗ OpenSSH vulnerability CVE-2016-10708 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K32485746 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.04.2018
by Daily end-of-shift report 11 Apr '18

11 Apr '18

===================== = End-of-Day report = ===================== Timeframe: Dienstag 10-04-2018 18:00 − Mittwoch 11-04-2018 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Android Penetration Tools Walkthrough Series: Apktool ∗∗∗ --------------------------------------------- In this article, we will look at the step by step procedure to setup utility called “Apktool” and its usage in android application penetration testing. Introduction Apktool is a utility that can be used for reverse engineering Android applications resources (APK). --------------------------------------------- http://resources.infosecinstitute.com/android-penetration-tools-walkthrough… ===================== = Vulnerabilities = ===================== ∗∗∗ Patchday: Microsoft kümmert sich um mehr als 60 Lücken in Windows & Co. ∗∗∗ --------------------------------------------- Über Windows Update stehen Sicherheitsptaches bereit. Unter anderem schließen diese eine Lücke, über die Angreifer ein Wireless Keyboard in einen Keylogger verwandeln könnten. --------------------------------------------- https://heise.de/-4016580 ∗∗∗ Sicherheitsforscher: Intel-Modem macht neue iPhones für Schadcode anfällig ∗∗∗ --------------------------------------------- Eine Schwachstelle in Baseband-Prozessoren von Intel erlaubt versierten Angreifern das Einschleusen von Schadcode über das Mobilfunknetz. Betroffen sind laut Sicherheitsforschern neue iPhones bis hin zum iPhone X – iOS 11.3 schließt die Lücke. --------------------------------------------- https://heise.de/-4015828 ∗∗∗ AMD-Prozessoren bekommen Windows-10-Update gegen Spectre-V2-Lücke ∗∗∗ --------------------------------------------- Eine Kombination aus einem Windows-Update mit BIOS-Updates für Mainboards soll Windows-10-Rechner mit AMD-Prozessoren ab der 2011 vorgestellten Bulldozer-Generation schützen. --------------------------------------------- https://heise.de/-4016546 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (pcs), Fedora (drupal7), openSUSE (git and mercurial), Red Hat (firefox and qemu-kvm-rhev), SUSE (libvirt and xen), and Ubuntu (patch). --------------------------------------------- https://lwn.net/Articles/751548/ ∗∗∗ Security Advisory - Multiple Vulnerabilities of PEM Module in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171206-… ∗∗∗ Security Advisory - Invalid Memory Access Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2018/huawei-sa-20180411-… ∗∗∗ Security Advisory - Information Leak Vulnerability in the NFC Module of Some Huawei Mobile Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2018/huawei-sa-20180411-… ∗∗∗ IBM Security Bulletin: IBM Tivoli Netcool Service Quality Manager is affected by an Open Source Apache Commons FileUpload vulnerability (CVE-2016-1000031) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22015184 ∗∗∗ IBM Security Bulletin: Vulnerabilities in OpenSSL affect WebSphere MQ 5.3 and MQ 8 for HPE NonStop Server (CVE-2017-3735) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22014367 ∗∗∗ IBM Security Bulletin: IBM Security Access Manager Appliance is affected by an OpenLDAP vulnerability (CVE-2017-9287) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22014873 ∗∗∗ IBM Security Bulletin: IBM Security Access Manager Appliance is affected by glibc vulnerabilities (CVE-2015-8779, CVE-2015-8776) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22014870 ∗∗∗ IBM Security Bulletin: IBM Tivoli Netcool Service Quality Manager is affected by an Open Source Apache POI vulnerability (CVE-2017-12626) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22015185 ∗∗∗ IBM Security Bulletin: Vulnerability in Rational DOORS Next Generation with potential for Cross-Site Scripting attack ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22012660 ∗∗∗ IBM Security Bulletin: IBM Security Access Manager Appliance is affected by vulnerabilities in the wget package (CVE-2017-13090, CVE-2017-13089) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22013885 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Security Access Manager ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22013851 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.04.2018
by Daily end-of-shift report 10 Apr '18

10 Apr '18

===================== = End-of-Day report = ===================== Timeframe: Montag 09-04-2018 18:00 − Dienstag 10-04-2018 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Advance Persistent Threat – Lateral Movement Detection in Windows Infrastructure – Part II ∗∗∗ --------------------------------------------- In the previous article "Advanced Persistent Threat – Lateral Movement Detection in Windows Infrastructure – Part I," we discussed the advanced threat and common strategies that security professionals practice during targeted attacks in a windows infrastructure, using legitimate binaries. We also learned about the techniques to identify Spawned Processes with the help of the windows [...] --------------------------------------------- http://resources.infosecinstitute.com/advance-persistent-threat-lateral-mov… ∗∗∗ Entwickler warnt vor iOS-Angriffen über Kontakt-Berechtigungen ∗∗∗ --------------------------------------------- Apple unterscheidet aktuell nicht zwischen dem Schreiben und Lesen von Kontakten, wenn Nutzer Apps die Zugriffserlaubnis erteilen. Ein Entwickler schildert nun ein mögliches Szenario zum Abgreifen von Passwörtern. --------------------------------------------- https://heise.de/-4014136 ∗∗∗ Jetzt patchen! Angriffe auf Flash Player leichtgemacht ∗∗∗ --------------------------------------------- Derzeit sind vermehrt Exploits im Umlauf, die es auf eine Lücke in Adobes Flash Player abgesehen haben. Ein Sicherheitspatch erschien bereits im Februar. --------------------------------------------- https://www.heise.de/-4014258 ∗∗∗ BSI stellt Entwicklern Prüf-Tool für digitale Zertifikatsketten zur Verfügung ∗∗∗ --------------------------------------------- Software-Anwendungen wie Browser oder E-Mail-Clients und Hardware-Komponenten wie VPN-Gateways, die auf Grund von Programmierfehlern ungültige Zertifikatsketten akzeptieren, stellen ein Sicherheitsrisiko für die authentisierte und vertrauliche Kommunikation über das Internet dar. Das Bundesamt für Sicherheit in der Informationstechnik (BSI) stellt nun ein Prüf-Tool bereit, das Entwickler bei der korrekten Implementierung dieser Zertifikatspfadvalidierung unterstützt. --------------------------------------------- https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2018/pruef_tool_… ===================== = Vulnerabilities = ===================== ∗∗∗ Security Bulletins Posted ∗∗∗ --------------------------------------------- Adobe has published security bulletins for Adobe Flash Player (APSB18-08), Adobe Experience Manager (APSB18-10), Adobe InDesign CC (APSB18-11), Digital Editions (APSB18-13) and the Adobe PhoneGap Push plugin (APSB18-15). Adobe recommends users update their product installations to the latest versions using [...] --------------------------------------------- https://blogs.adobe.com/psirt/?p=1542 ∗∗∗ Signal Bypass Screen locker ∗∗∗ --------------------------------------------- Signal for iOS, version 2.23.1.1 and prior, is vulnerable to screen lock bypass. The vulnerability, triggered by some click sequence, allows anyone to bypass password and TouchID authentication protections that iOS users can set on their device in order to increase application security and confidentiality. --------------------------------------------- http://nint.en.do/Signal-Bypass-Screen-locker.php ∗∗∗ SAP Security Patch Day - April 2018 ∗∗∗ --------------------------------------------- This post by SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on second Tuesday of every month and fix vulnerabilities discovered in SAP products. --------------------------------------------- https://blogs.sap.com/2018/04/10/sap-security-patch-day-april-2018/ ∗∗∗ Update: Sicherheitslücken (teils kritisch) in Cisco IOS, Cisco IOS XE und Cisco IOS XR Software - Detaillierte Sicherheitshinweise für das Cisco IOS und IOS XE Smart Install Feature verfügbar ∗∗∗ --------------------------------------------- [...] Cisco hat ein Security Advisory mit Informationen zu CVE-2018-0171 und weiteren - teils schon älteren - Sicherheitslücken im Smart Install Feature von Cisco IOS und Cisco IOS XE veröffentlicht. Cisco empfiehlt die Umsetzung der im Advisory angeführten Maßnahmen zur Absicherung betroffener Systeme. --------------------------------------------- http://www.cert.at/warnings/all/20180329-2.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (libvorbis and thunderbird), Debian (pjproject), Fedora (compat-openssl10, java-1.8.0-openjdk-aarch32, libid3tag, python-pip, python3, and python3-docs), Gentoo (ZendFramework), Oracle (thunderbird), Red Hat (ansible, gcc, glibc, golang, kernel, kernel-alt, kernel-rt, krb5, kubernetes, libvncserver, libvorbis, ntp, openssh, openssl, pcs, policycoreutils, qemu-kvm, and xdg-user-dirs), SUSE (openssl and openssl1), and Ubuntu (python-crypto, [...] --------------------------------------------- https://lwn.net/Articles/751454/ ∗∗∗ IBM Security Bulletin: eDiscovery Manager is affected by GSKit and GSKit-Crypto vulnerabilities ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=swg22014742 ∗∗∗ IBM Security Bulletin: IBM Communications Server for Data Center Deployment, IBM Communications Server for AIX, IBM Communications Server for Linux, and IBM Communications Server for Linux on System z are affected by a vulnerability. gskit ssl ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22013978 ∗∗∗ IBM Security Bulletin: IBM Communications Server for Windows is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22015200 ∗∗∗ NTP vulnerability CVE-2018-7185 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K04912972 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily