=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 06-09-2017 18:00 − Thursday 07-09-2017 18:00
Handler: Stefan Lenzhofer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ BlackBerry powered by Android Security Bulletin – September 2017 ∗∗∗
---------------------------------------------
http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber…
∗∗∗ Ransomware: What you need to know now | Salted Hash Ep 1, Pt 4 ∗∗∗
---------------------------------------------
Reporters Fahmida Rashid and Steve Ragan talk about the latest ransomware threats, the holes in IT security and the burdens on enterprises.
---------------------------------------------
https://www.csoonline.com/video/81516/ransomware-what-you-need-to-know-now-…
∗∗∗ Microsoft Programming Error is Behind Dangerous Kernel Bug, Researchers Claim ∗∗∗
---------------------------------------------
Researchers say an 18-year-old programming error by Microsoft is creating a kernel bug that can be abused by an attacker.
---------------------------------------------
http://threatpost.com/microsoft-programming-error-is-behind-dangerous-kerne…
∗∗∗ Interesting List of Windows Processes Killed by Malicious Software ∗∗∗
---------------------------------------------
Just a quick blog post about an interesting sample that I found today. Usually, modern pieces of malware implement anti-debugging and anti-VM techniques. They perform some checks against the target and when a positive result is found, they silently exit… Such checks might be testing the screen resolution, the activity
---------------------------------------------
https://blog.rootshell.be/2017/09/06/interesting-list-windows-processes-kil…
∗∗∗ Apache Struts “serialisation” vulnerability – what you need to know ∗∗∗
---------------------------------------------
A bug in Apache Struts, a popular software toolkit for building web services, could let crooks take control of your server.
---------------------------------------------
https://nakedsecurity.sophos.com/2017/09/06/apache-struts-serialisation-vul…
∗∗∗ Hackers Are Distributing Backdoored Cobian RAT Hacking tool For Free ∗∗∗
---------------------------------------------
Nothing is free in this world. If you are searching for free ready-made hacking tools on the Internet, then beware—most freely available tools, claiming to be the swiss army knife for hackers, are nothing but a hoax. Last year, we reported about one such Facebook hacking tool that actually had the capability to hack a Facebook account, but yours and not the one you desire to hack.
---------------------------------------------
https://thehackernews.com/2017/09/backdoored-hacking-tools.html
∗∗∗ Expired domain names and malvertising - Malwarebytes Labs ∗∗∗
---------------------------------------------
https://blog.malwarebytes.com/threat-analysis/2017/09/expired-domain-names-…
∗∗∗ Fake Microsoft warning leads to data theft ∗∗∗
---------------------------------------------
Criminals are faking a Microsoft warning notice. In it they claim that other people's computers are infected with malware. Supposed victims are therefore told to contact a customer hotline. In reality they reach criminals who demand access to the computer, copy files and steal payment data.
---------------------------------------------
https://www.watchlist-internet.at/sonstiges/gefaelschte-microsoft-warnung-f…
=====================
= Advisories =
=====================
∗∗∗ DFN-CERT-2017-1567: IBM Notes: Two vulnerabilities allow denial-of-service attacks ∗∗∗
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1567/
∗∗∗ DFN-CERT-2017-1571: Cisco ASR 5500 Series Routers: A vulnerability allows a denial-of-service attack ∗∗∗
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1571/
∗∗∗ DFN-CERT-2017-1574: Cisco Prime Collaboration Provisioning Tool: Two vulnerabilities allow information disclosure and manipulation of arbitrary system files ∗∗∗
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1574/
∗∗∗ DFN-CERT-2017-1578: Cisco ASR 920 Series Router: Two vulnerabilities allow execution of arbitrary code and manipulation of files ∗∗∗
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1578/
∗∗∗ DFN-CERT-2017-1579: Cisco IOS, Cisco IOS XE: Two vulnerabilities allow various denial-of-service attacks ∗∗∗
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1579/
∗∗∗ DFN-CERT-2017-1580: Cisco IR800 Integrated Services Router: A vulnerability allows complete compromise of the system ∗∗∗
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1580/
∗∗∗ Cisco Prime LAN Management Solution Token ID Reuse Lets Remote Authenticated Users Hijack the Target Users Session ∗∗∗
---------------------------------------------
http://www.securitytracker.com/id/1039285
∗∗∗ Cisco Catalyst 4000 Series Switch Dynamic ACL Bug Lets Remote Users Bypass Port Access Controls on the Target System ∗∗∗
---------------------------------------------
http://www.securitytracker.com/id/1039284
∗∗∗ TYPO3 API Bug Lets Remote Users Obtain Potentially Sensitive Version Information on the Target System ∗∗∗
---------------------------------------------
http://www.securitytracker.com/id/1039294
∗∗∗ TYPO3 File Storage Access Control Flaw Lets Remote Authenticated Users Obtain Potentially Sensitive Information ∗∗∗
---------------------------------------------
http://www.securitytracker.com/id/1039293
∗∗∗ TYPO3 Input Validation Flaw in Backend Forms Lets Remote Users Conduct Cross-Site Scripting Attacks ∗∗∗
---------------------------------------------
http://www.securitytracker.com/id/1039292
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 05-09-2017 18:00 − Wednesday 06-09-2017 18:00
Handler: Stefan Lenzhofer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Hackers Gain ‘Switch-Flipping’ Access to US Power Systems ∗∗∗
---------------------------------------------
Hackers who hit American utilities this summer had the power to cause blackouts, Symantec says.
---------------------------------------------
https://www.wired.com/story/hackers-gain-switch-flipping-access-to-us-power…
see also: http://derstandard.at/2000063697965
see also: https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targ…
see also: https://www.bleepingcomputer.com/news/security/sabotage-warning-issued-on-h…
∗∗∗ SynAck Ransomware Sees Huge Spike in Activity ∗∗∗
---------------------------------------------
Over the past two days, there was an increase in activity from a relatively unknown ransomware strain named SynAck, according to submissions to the ID-Ransomware service and users who complained on the Bleeping Computer ransomware support forums. [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/security/synack-ransomware-sees-huge-…
∗∗∗ Stop blaming users for security misses ∗∗∗
---------------------------------------------
Does the message to users about security need to change? Or does IT need to rebuild infrastructure so users can worry less about security? Wendy Nather, principal security strategist at Duo Security, talks with CSO senior writer Fahmida Rashid about how organizations can learn to do security right.
---------------------------------------------
https://www.csoonline.com/video/80055/stop-blaming-users-for-security-misse…
∗∗∗ Security and education in the wake of WannaCry, Petya ∗∗∗
---------------------------------------------
Attacks occur for a variety of reasons, and in the wake of the most widespread ransomware attacks, WannaCry and Petya, many organizations are re-evaluating their security practices to figure out what went wrong. While those who were hit are still trying to understand where their security gaps are, other enterprises that rely on legacy systems and can't be patched are looking for ways to prevent being the next victim. No, the vulnerabilities attackers leverage are not new. They prey on systems
---------------------------------------------
https://www.csoonline.com/article/3208384/backup-recovery/security-and-educ…
∗∗∗ The 15 biggest data breaches of the 21st century ∗∗∗
---------------------------------------------
Data breaches happen daily, in too many places at once to keep count, take today's news of another Verizon breach that exposed the personal data of 6 million customers and a somewhat less dire breach at 14 Trump hotels. But what constitutes a huge breach versus a small one? CSO compiled a list of 15 of the biggest or most significant breaches of the 21st century. This list is based not necessarily on the number of records compromised, but on how much risk or damage the breach caused for
---------------------------------------------
https://www.csoonline.com/article/2130877/data-protection/the-15-biggest-da…
∗∗∗ ShadowBrokers are back demanding nearly $4m and offering 2 dumps per month ∗∗∗
---------------------------------------------
The dreaded hacking group ShadowBrokers posted a new message, promising to deliver two data dumps a month as part of its monthly dumps. The notorious group ShadowBrokers is back, announcing new interesting changes to their Dump Service. The hackers published a new message on the Steemit platform announcing new changes to their service. “Missing theshadowbrokers? If someone […]
---------------------------------------------
http://securityaffairs.co/wordpress/62770/hacking/shadowbrokers-return.html
∗∗∗ A Critical Apache Struts Security Flaw Makes It Easy To Hack Fortune 100 Firms ∗∗∗
---------------------------------------------
An anonymous reader quotes a report from ZDNet: A critical security vulnerability in open-source server software enables hackers to easily take control of an affected server -- putting sensitive corporate data at risk. The vulnerability allows an attacker to remotely run code on servers that run applications using the REST plugin, built with Apache Struts, according to security researchers who discovered the vulnerability. All versions of Struts since 2008 are affected, said the researchers.
---------------------------------------------
https://apache.slashdot.org/story/17/09/05/2053200/a-critical-apache-struts…
∗∗∗ Hacker attacks on MongoDB hit almost 27,000 databases ∗∗∗
---------------------------------------------
Extortion attacks on vulnerable MongoDB databases have been a trend among online criminals since the end of last year. Now the rip-off continues: three new hacker groups are demanding bitcoins in exchange for database contents.
---------------------------------------------
https://heise.de/-3822955
∗∗∗ Security flaw affects 750,000 Estonian ID cards ∗∗∗
---------------------------------------------
An international group of cryptographers has flagged a serious security vulnerability in the chip embedded in Estonian ID cards, the country’s Information System Authority has announced. “Estonian experts assess there to be a possible security vulnerability and we will continue to verify the claims of the researchers,” said Taimar Peterkop, Director-General of the agency. “We have developed the primary solutions to mitigate the risk, and will do our utmost to ensure that
---------------------------------------------
https://www.helpnetsecurity.com/2017/09/06/estonian-id-cards-security-flaw/
=====================
= Advisories =
=====================
∗∗∗ Apache Struts: Update now and close critical vulnerability ∗∗∗
---------------------------------------------
A just-released version of Apache Struts closes a critical vulnerability. The developers and the discoverer of the vulnerability expect that it will soon be abused for attacks on companies. So swift action is called for now.
---------------------------------------------
https://heise.de/-3822948
∗∗∗ Bugtraq: [security bulletin] HPESBUX03772 rev.1 - HP-UX BIND Service Running Named, Multiple Vulnerabilities ∗∗∗
---------------------------------------------
http://www.securityfocus.com/archive/1/541129
∗∗∗ DFN-CERT-2017-1558: Red Hat JBoss Enterprise Application Platform: Multiple vulnerabilities allow, among other things, execution of arbitrary code ∗∗∗
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1558/
∗∗∗ DFN-CERT-2017-1556: Google Android Operating System: Multiple vulnerabilities allow, among other things, execution of arbitrary code ∗∗∗
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1556/
∗∗∗ DFN-CERT-2017-1563: Google Chrome, Chromium: Multiple vulnerabilities allow, among other things, execution of arbitrary code ∗∗∗
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1563/
∗∗∗ DFN-CERT-2017-1561: IBM AIX, IBM VIOS, IBM Java SDK: Multiple vulnerabilities allow, among other things, complete compromise of the system ∗∗∗
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1561/
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Content Classification ∗∗∗
---------------------------------------------
https://www-01.ibm.com/support/docview.wss?uid=swg22008080
=====================
= End-of-Day report =
=====================
Timeframe: Monday 04-09-2017 18:00 − Tuesday 05-09-2017 18:00
Handler: Olaf Schwarz
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Six-Year-Old "Loop Bug" Re-Discovered to Affect Almost All Major PDF Viewers ∗∗∗
---------------------------------------------
A bug discovered in an obscure PDF parsing library back in 2011 is also present in most of today's top PDF viewers, according to German software developer Hanno Böck.
---------------------------------------------
https://www.bleepingcomputer.com/news/software/six-year-old-loop-bug-re-dis…
∗∗∗ TrustZone Downgrade Attack Opens Android Devices to Old Vulnerabilities ∗∗∗
---------------------------------------------
An attacker can downgrade components of the Android TrustZone technology to older versions that feature known vulnerabilities and use older exploits against smartphones running an up-to-date operating system.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/trustzone-downgrade-attack-o…
∗∗∗ The Mirai Botnet: A Look Back and Ahead At What's Next, (Tue, Sep 5th) ∗∗∗
---------------------------------------------
It is a bit hard to nail down when the Mirai botnet really started. I usually use scans for port:2323 and the use of the password "xc3511" as an indicator. But of course, that isn't perfect. The very first scan using the password "xc3511" was detected by our sensor on February 26th, 2016, well ahead of Mirai.
---------------------------------------------
https://isc.sans.edu/diary/rss/22786
∗∗∗ Hunting Pastebin with PasteHunter ∗∗∗
---------------------------------------------
From a security analytics and Threat Intelligence perspective Pastebin is a treasure trove of information. All content that is uploaded to pastebin and not explicitly set to private (which requires an account) is listed and can be viewed by anyone.
---------------------------------------------
https://techanarchy.net/2017/09/hunting-pastebin-with-pastehunter/
∗∗∗ Hands off SHA-1: 320 million passwords cracked ∗∗∗
---------------------------------------------
When website operators do not store customers' passwords securely, a worst-case disaster is inevitable. Security researchers who decrypted millions of passwords in a manageable amount of time are once again a reminder of this.
---------------------------------------------
https://heise.de/-3822005
=====================
= Advisories =
=====================
∗∗∗ DFN-CERT-2017-1547: Liblouis: Multiple vulnerabilities allow, among other things, execution of arbitrary code ∗∗∗
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1547/
∗∗∗ DFN-CERT-2017-1554: Apache Software Foundation Struts: Multiple vulnerabilities allow execution of arbitrary code ∗∗∗
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1554/
∗∗∗ Security Notice - Statement About the Bootloader Vulnerabilities in Huawei Mobile Phones Disclosed at the USENIX Conference ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-notices/2017/huawei-sn-20170905-01-…
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM SDK, Java Technology Edition Quarterly CPU – Jan 2017 – Includes Oracle Jan 2017 CPU affect IBM Content Classification ∗∗∗
---------------------------------------------
https://www-01.ibm.com/support/docview.wss?uid=swg22001461
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Content Classification ∗∗∗
---------------------------------------------
https://www-01.ibm.com/support/docview.wss?uid=swg21996956
∗∗∗ Arbitrary Code Execution in TYPO3 CMS ∗∗∗
---------------------------------------------
https://typo3.org/news/article/arbitrary-code-execution-in-typo3-cms/
∗∗∗ Information Disclosure in TYPO3 CMS ∗∗∗
---------------------------------------------
https://typo3.org/news/article/information-disclosure-in-typo3-cms-1/
∗∗∗ Information Disclosure in TYPO3 CMS ∗∗∗
---------------------------------------------
https://typo3.org/news/article/information-disclosure-in-typo3-cms/
∗∗∗ Cross-Site Scripting in TYPO3 CMS Backend ∗∗∗
---------------------------------------------
https://typo3.org/news/article/cross-site-scripting-in-typo3-cms-backend/
∗∗∗ USN-3409-1: FontForge vulnerabilities ∗∗∗
---------------------------------------------
http://www.ubuntu.com/usn/usn-3409-1/
=====================
= End-of-Day report =
=====================
Timeframe: Friday 01-09-2017 18:00 − Monday 04-09-2017 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ RTP Bleed: Eavesdropping on phone calls with Asterisk bug ∗∗∗
---------------------------------------------
A bug in the IP telephony solution Asterisk allows attackers to listen in on phone calls. The problem lies in the underlying RTP implementation. A first patch is available, but is still faulty.
---------------------------------------------
https://www.golem.de/news/rtp-bleed-mit-asterisk-bug-telefonate-belauschen-…
∗∗∗ Malspam pushing Locky ransomware tries HoeflerText notifications for Chrome and FireFox ∗∗∗
---------------------------------------------
2017-09-01 update: A different campaign using HoeflerText popups has been active during the same timeframe. I wrote about it here, but the only thing these two campaigns have in common is that they both used HoeflerText popups.
---------------------------------------------
https://isc.sans.edu/forums/diary/Malspam+pushing+Locky+ransomware+tries+Ho…
∗∗∗ API flaw: Contact data of possibly millions of Instagram users public ∗∗∗
---------------------------------------------
Because of a bug in the communication interface to other apps, millions of Instagram users have to fear for their privacy. According to the Facebook subsidiary, not only celebrities are affected.
---------------------------------------------
https://heise.de/-3820497
∗∗∗ Multiple security vulnerabilities in RubyGems ∗∗∗
---------------------------------------------
Ruby's package system RubyGems contains vulnerabilities that allow, among other things, DoS attacks and DNS hijacking. An update to the current version 2.6.13 averts the danger.
---------------------------------------------
https://heise.de/-3820891
∗∗∗ Several large torrent sites apparently offline after attacks ∗∗∗
---------------------------------------------
A number of prominent platforms such as Torrentproject are no longer reachable: domains suspended, overload attacks
---------------------------------------------
http://derstandard.at/2000063553913
=====================
= Advisories =
=====================
∗∗∗ DSA-3960 gnupg - security update ∗∗∗
---------------------------------------------
Daniel J. Bernstein, Joachim Breitner, Daniel Genkin, Leon Groot Bruinderink, Nadia Heninger, Tanja Lange, Christine van Vredendaal and Yuval Yarom discovered that GnuPG is prone to a local side-channel attack allowing full key recovery for RSA-1024.
---------------------------------------------
https://www.debian.org/security/2017/dsa-3960
∗∗∗ DSA-3961 libgd2 - security update ∗∗∗
---------------------------------------------
A double-free vulnerability was discovered in the gdImagePngPtr() function in libgd2, a library for programmatic graphics creation and manipulation, which may result in denial of service or potentially the execution of arbitrary code if a specially crafted file is processed.
---------------------------------------------
https://www.debian.org/security/2017/dsa-3961
∗∗∗ DSA-3962 strongswan - security update ∗∗∗
---------------------------------------------
A denial of service vulnerability was identified in strongSwan, an IKE/IPsec suite, using Google's OSS-Fuzz fuzzing project.
---------------------------------------------
https://www.debian.org/security/2017/dsa-3962
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 31-08-2017 18:00 − Friday 01-09-2017 18:00
Handler: Olaf Schwarz
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Boobytrapped Word File Installs Locky Ransomware When You Close the Document ∗∗∗
---------------------------------------------
Summer vacation is over! During the past week, security researchers have discovered several distribution campaigns pushing the Locky ransomware via different methods, including a new variant that features one hell of a clever trick.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/boobytrapped-word-file-insta…
∗∗∗ US Government Site Was Hosting Ransomware ∗∗∗
---------------------------------------------
As recently as Wednesday afternoon, a U.S. government website was hosting a malicious JavaScript downloader that led victims to installations of Cerber ransomware. The malware link has since been taken down.
---------------------------------------------
http://threatpost.com/us-government-site-removes-link-to-cerber-ransomware-…
∗∗∗ Malware writer offers free trojan to hackers ... with one small drawback ∗∗∗
---------------------------------------------
Beware of geeks bearing Cobian RAT gifts. Those looking on the dark web for malware capable of hijacking computers might have thought they were getting a bargain when a free trojan appeared on various online souks over the past few months.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2017/08/31/free_trojan…
∗∗∗ Vulnerability in HPE Operations Orchestration allows remote code execution ∗∗∗
---------------------------------------------
The Operations Orchestration software allows remote code execution in all versions before 10.80. Hewlett Packard Enterprise advises updating. Updates are also available for two of the vendor's performance testing tools.
---------------------------------------------
https://heise.de/-3819782
=====================
= Advisories =
=====================
∗∗∗ OPW Fuel Management Systems SiteSentinel Integra and SiteSentinel iSite ∗∗∗
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-17-243-04
∗∗∗ Moxa SoftCMS Live Viewer ∗∗∗
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-17-243-05
∗∗∗ Automated Logic Corporation ALC WebCTRL, Liebert SiteScan, Carrier i-VU ∗∗∗
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-17-150-01
∗∗∗ DFN-CERT-2017-1542: Digium Asterisk, Digium Certified Asterisk: Multiple vulnerabilities allow, among other things, execution of arbitrary code ∗∗∗
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1542/
∗∗∗ SSA-866217: SMBv1 Vulnerabilities in ACUSON S1000/2000/3000 ∗∗∗
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-866217…
∗∗∗ Security Advisory - FRP Bypass Vulnerability in Huawei Honor 5S Smart Phones ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170901-…
∗∗∗ Security Advisory - Privilege Escalation Vulnerability in Some Huawei APKs ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170901-…
∗∗∗ IBM Security Bulletin: IBM Expeditor is affected by a denial of service vulnerability ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22002103
∗∗∗ IBM Security Bulletin: IBM Notes is affected by a denial of service vulnerability ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21999385
∗∗∗ IBM Security Bulletin: IBM Notes is affected by a denial of service vulnerability ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21999384
∗∗∗ IBM Security Bulletin: IBM Notes is affected by Open Source zlib vulnerabilities ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21997877
∗∗∗ IBM Security Bulletin: IBM QRadar Network Security is affected by a vulnerability in Curl (CVE-2016-7167) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22007553
∗∗∗ IBM Security Bulletin: IBM QRadar Network Security is affected by vulnerabilities in bash (CVE-2016-9401, CVE-2016-7543, CVE-2016-0634) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22007554
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Development Package for Apache Spark ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22007416
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Network Protection ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22007918
∗∗∗ IBM Security Bulletin: IBM QRadar Network Security is affected by vulnerabilities in Linux kernel ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22007552
∗∗∗ IBM Security Bulletin: IBM QRadar Network Security is affected by potential issues of XML External Entity Injection (CVE-2017-1458) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22007551
∗∗∗ IBM Security Bulletin: IBM QRadar Network Security is affected by potential issues of Cross-Site Scripting (CVE-2017-1457) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22007550
∗∗∗ IBM Security Bulletin: IBM QRadar Network Security has updated commons-fileupload for known vulnerabilities (CVE-2016-3092) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22007539
∗∗∗ IBM Security Bulletin: IBM QRadar Network Security is affected by a less-secure algorithm during negotiations vulnerability (CVE-2017-1491) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22007535
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 30-08-2017 18:00 − Thursday 31-08-2017 18:00
Handler: Robert Waldner
Co-Handler: Olaf Schwarz
=====================
= News =
=====================
∗∗∗ Dissecting the Chrome Extension Facebook malware ∗∗∗
---------------------------------------------
The Facebook malware that spread last week was dissected in a collaboration with Kaspersky Lab and Detectify. We were able to get help from the involved companies and cloud services to quickly shut down parts of the attack to mitigate it as fast as possible.
---------------------------------------------
http://securelist.com/dissecting-the-chrome-extension-facebook-malware/8171…
∗∗∗ Cyber Security Assessment Netherlands 2017: Digital resilience is lagging behind the increasing threat ∗∗∗
---------------------------------------------
The digital resilience of individuals and organisations is lagging behind the increasing threat. Government, business and citizens take many steps to increase digital resilience, but this is not happening fast enough. This is apparent from the Cyber Security Assessment Netherlands 2017 (CSAN 2017), which demissionary State Secretary Dijkhoff sent to parliament in June and which is being published in English today.
---------------------------------------------
https://www.ncsc.nl/english/current-topics/news/cyber-security-assessment-n…
∗∗∗ A Framework for Cyber Security Insurance ∗∗∗
---------------------------------------------
New paper: "Policy measures and cyber insurance: a framework," by Daniel Woods and Andrew Simpson, Journal of Cyber Policy, 2017. Abstract: The role of the insurance industry in driving improvements in cyber security has been identified as mutually beneficial for both insurers and policy-makers. To date, there has been no consideration of the roles governments and the insurance industry should pursue in support of this public-private partnership.
---------------------------------------------
https://www.schneier.com/blog/archives/2017/08/a_framework_for.html
∗∗∗ Mining Adminers – Hackers Scan the Internet For DB Scripts ∗∗∗
---------------------------------------------
Hackers are constantly scanning the internet for exploitable sites, which is why even small, new sites should be fully patched and protected. At the same time, it is not feasible to scan the whole internet with 330+ million domains and billions of web pages. Even Google can’t do it, but hackers are always getting better at reconnaissance. Despite these limitations, scanning just 1% of the internet allows attackers to discover thousands of vulnerable sites.
---------------------------------------------
https://blog.sucuri.net/2017/08/mining-adminers-hackers-scan-the-internet-f…
∗∗∗ Pacemakers from St. Jude Medical: Firmware patches against security vulnerabilities ∗∗∗
---------------------------------------------
Skilled hackers can attack Abbott-brand pacemakers in order to execute commands and steal patient data. Implant wearers are advised to see a doctor soon in order to install important firmware updates.
---------------------------------------------
https://heise.de/-3817954
∗∗∗ Embedded IoT: Crypto library mbed TLS vulnerable to eavesdropping attacks ∗∗∗
---------------------------------------------
Under certain circumstances, attackers acting as a man in the middle could intercept the information exchange of devices that rely on mbed TLS. Secured versions are available.
---------------------------------------------
https://heise.de/-3819197
∗∗∗ Vulnerability Spotlight: Multiple Gdk-Pixbuf Vulnerabilities ∗∗∗
---------------------------------------------
Today, Talos is disclosing the discovery of two remote code execution vulnerabilities which have been identified in the Gdk-Pixbuf Toolkit. This toolkit is used in multiple desktop applications including Chromium, Firefox, GNOME thumbnailer, VLC and others. Exploiting this vulnerability allows an attacker to gain full control over the victim's machine.
---------------------------------------------
http://blog.talosintelligence.com/2017/08/vuln-spotlight-multiple-gdk.html
=====================
= Advisories =
=====================
∗∗∗ IBM Security Bulletin: IBM PowerVC is impacted by OpenStack Compute denial of service vulnerability (CVE-2016-7498) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=nas8N1022227
∗∗∗ IBM Security Bulletin: Vulnerability in libtirpc affects Power Hardware Management Console (CVE-2017-8779) ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=nas8N1022176
∗∗∗ IBM Security Bulletin: Vulnerabilities in BIND affect Power Hardware Management Console ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=nas8N1022177
∗∗∗ IBM Security Bulletin: IBM PowerVC is impacted by python oslo.middleware package information disclosure (CVE-2017-2592) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=nas8N1022229
∗∗∗ IBM Security Bulletin: IBM PowerVC is impacted by OpenStack Glance server-side request forgery (CVE-2017-7200) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=nas8N1022228
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM® Java SDK affects WebSphere Application Server July 2017 CPU that is bundled with IBM WebSphere Application Server Patterns and IBM WebSphere Application Server for Cloud. ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22007046
∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affects WebSphere Application Server July 2017 CPU ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22007002
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 29-08-2017 18:00 − Wednesday 30-08-2017 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ WireX: Google removes 300 DDoS apps from the Play Store ∗∗∗
---------------------------------------------
Google has taken down a DDoS botnet made up of Android devices, and
removed 300 apps from the Play Store to do so. Around 70,000
smartphones were infected. (DoS, Virus)
---------------------------------------------
https://www.golem.de/news/wirex-google-entfernt-300-ddos-apps-aus-dem-plays…
∗∗∗ Introducing WhiteBear ∗∗∗
---------------------------------------------
As a part of our Kaspersky APT Intelligence Reporting subscription,
customers received an update in mid-February 2017 on some interesting
APT activity that we called WhiteBear. It is a parallel project or
second stage of the Skipper Turla cluster of activity documented in
another private report. Like previous Turla activity, WhiteBear
leverages compromised websites and hijacked satellite connections for
command and control (C2) infrastructure.
---------------------------------------------
http://securelist.com/introducing-whitebear/81638/
∗∗∗ Security baseline for Windows 10 “Creators Update” (v1703) – FINAL
∗∗∗
---------------------------------------------
Microsoft is pleased to announce the final release of the recommended
security configuration baseline settings for Windows 10 “Creators
Update,” also known as version 1703, “Redstone 2,” or RS2. The
downloadable attachment to this blog post includes importable GPOs,
tools for applying the GPOs, custom ADMX files for Group Policy
settings, and all the settings in spreadsheet...
---------------------------------------------
https://blogs.technet.microsoft.com/secguide/2017/08/30/security-baseline-f…
∗∗∗ Proof that HMAC-DRBG has No Back Doors ∗∗∗
---------------------------------------------
New research: "Verified Correctness and Security of mbedTLS HMAC-DRBG,"
by Katherine Q. Ye, Matthew Green, Naphat Sanguansin, Lennart Beringer,
Adam Petcher, and Andrew W. Appel. Abstract: We have formalized the
functional specification of HMAC-DRBG (NIST 800-90A), and we have
proved its cryptographic security -- that its output is pseudorandom --
using a hybrid game-based proof.
---------------------------------------------
https://www.schneier.com/blog/archives/2017/08/proof_that_hmac.html
=====================
= Advisories =
=====================
∗∗∗ Update to Security Bulletin (APSB17-24) ∗∗∗
---------------------------------------------
The Security Bulletin (APSB17-24) published on August 8 regarding
updates for Adobe Acrobat and Reader has been updated to reflect the
availability of new updates as of August 29. The August 29 updates
resolve a functional regression with XFA forms functionality …
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1484
∗∗∗ DFN-CERT-2017-1525: Wireshark: Multiple vulnerabilities allow
denial-of-service attacks ∗∗∗
---------------------------------------------
Multiple vulnerabilities in Wireshark can be exploited by a remote,
unauthenticated attacker for various denial-of-service (DoS) attacks.
Exploiting the vulnerabilities requires the processing of specially
crafted data packets or packet trace files with the dissectors for
IrCOMM, Modbus, Profinet I/O or MSDP.
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1525/
∗∗∗ DFN-CERT-2017-1523: Libgcrypt: A vulnerability allows information
disclosure ∗∗∗
---------------------------------------------
A vulnerability in Libgcrypt allows a local attacker with simple
authentication to obtain private key material. The GnuPG project has
fixed the vulnerability in versions 1.7.9 and 1.8.1. The source code
of these versions is available for download.
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1523/
∗∗∗ Multiple vulnerabilities in RubyGems ∗∗∗
---------------------------------------------
The following vulnerabilities have been reported. * a DNS request
hijacking vulnerability * an ANSI escape sequence vulnerability * a DoS
vulnerability in the query command * a vulnerability in the gem
installer that allowed a malicious gem to overwrite arbitrary files
---------------------------------------------
https://www.ruby-lang.org/en/news/2017/08/29/multiple-vulnerabilities-in-ru…
∗∗∗ Cisco unveils LabVIEW code execution flaw that won’t be patched ∗∗∗
---------------------------------------------
LabVIEW, the widely used system design and development platform
developed by National Instruments, sports a memory corruption
vulnerability that could lead to code execution. LabVIEW is commonly
used for building data acquisition, instrument control, and industrial
automation systems on a variety of operating systems: Windows, macOS,
Linux and Unix. The vulnerability (CVE-2017-2779) was
discovered by Cory Duplantis of Cisco Talos earlier this year, and
reported to the company.
---------------------------------------------
https://www.helpnetsecurity.com/2017/08/30/labview-code-execution-flaw/
∗∗∗ Abbott Laboratories’ Accent/Anthem, Accent MRI, Assurity/Allure,
and Assurity MRI Pacemaker Vulnerabilities ∗∗∗
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSMA-17-241-01
∗∗∗ AzeoTech DAQFactory ∗∗∗
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-17-241-01
∗∗∗ Advantech WebAccess ∗∗∗
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-17-241-02
∗∗∗ Security Advisory - Improper Authentication Vulnerability in The
FusionSphere OpenStack ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170830-…
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK
affect IBM Algo Credit Manager ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22007392
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities may affect IBM®
SDK, Java™ Technology Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/support/docview.wss?uid=swg22006695
∗∗∗ IBM Security Bulletin: Vulnerabilities in httpd affect Power
Hardware Management Console ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=nas8N1022175
∗∗∗ IBM Security Bulletin: Vulnerability in IBM WebSphere Application
Server affects Power Hardware Management Console (CVE-2017-1194) ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=nas8N1022178
∗∗∗ IBM Security Bulletin: IBM Transformation Extender Advanced and IBM
Standards Processing Engine are susceptible to a vulnerability in 10x
(CVE-2017-1152) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22004796
∗∗∗ ImageMagick Heap Overflow in TracePoint() in Processing Files Lets
Remote Users Execute Arbitrary Code ∗∗∗
---------------------------------------------
http://www.securitytracker.com/id/1039246
∗∗∗ SSA-535640 (Last Update 2017-08-30): Vulnerability in Industrial
Products ∗∗∗
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-535640…
∗∗∗ SSA-771218 (Last Update 2017-08-30): Vulnerability in 7KM PAC
Switched Ethernet PROFINET expansion module from the SENTRON portfolio
∗∗∗
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-771218…
∗∗∗ SSA-087240 (Last Update 2017-08-30): Vulnerabilities in SIEMENS
LOGO! ∗∗∗
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-087240…
∗∗∗ HPESBGN03765 rev.2 - HPE LoadRunner and HPE Performance Center,
Remote Disclosure of Information ∗∗∗
---------------------------------------------
https://h20565.www2.hpe.com/portal/site/hpsc/template.PAGE/action.process/p…
=====================
= End-of-Day report =
=====================
Timeframe: Monday 28-08-2017 18:00 − Tuesday 29-08-2017 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Metadata From IoT Traffic Exposes In-Home User Activity ∗∗∗
---------------------------------------------
Metadata from web traffic generated by smart devices installed in a home can reveal quite a lot of information about the owner's habits and lifestyle. [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/technology/metadata-from-iot-traffic-…
∗∗∗ "At the moment, the customer bears all the costs and risks" ∗∗∗
---------------------------------------------
The absolute minimum must be that the vendor has to provide patches for all security vulnerabilities for the entire period in which the software is in use. If it were up to me, the customer would be paid a flat rate per workstation and day without a patch, and not from the time the security hole became publicly known but, if that was earlier, from the time the vendor knew about it.
---------------------------------------------
https://www.eco.de/2017/news/die-ganzen-kosten-und-risiken-traegt-im-moment…
∗∗∗ Android and Windows: MTP bug makes files disappear ∗∗∗
---------------------------------------------
Be careful with Android devices connected via USB to a PC running Windows 10: harmless clean-up work can cause photos and other files to be lost irretrievably. Almost all Android devices are affected, except the newer ones from Samsung.
---------------------------------------------
https://heise.de/-3815535
∗∗∗ Tech Firms Team Up to Take Down ‘WireX’ Android DDoS Botnet ∗∗∗
---------------------------------------------
A half dozen technology and security companies -- some of them competitors -- issued the exact same press release today. This unusual level of cross-industry collaboration caps a successful effort to dismantle WireX, an extraordinary new crime machine comprising tens of thousands of hacked Android mobile devices that was used this month to launch a series of massive cyber attacks. Experts involved in the takedown warn that WireX marks the emergence of a new class of attack tools that are more
---------------------------------------------
https://krebsonsecurity.com/2017/08/tech-firms-team-up-to-take-down-wirex-a…
∗∗∗ BSI study analysing the Linux random number generator continues ∗∗∗
---------------------------------------------
As part of a long-term study, the Federal Office for Information Security (BSI) has been examining the cryptographic suitability of the Linux random number generator "/dev/random" since 2012. The current report covers the current as well as all previous Linux kernels and is available for download in English on the BSI website.
---------------------------------------------
https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2017/Studie_Linu…
=====================
= Advisories =
=====================
∗∗∗ DSA-3958 fontforge - security update ∗∗∗
---------------------------------------------
It was discovered that FontForge, a font editor, did not correctly validate its input. An attacker could use this flaw by tricking a user into opening a maliciously crafted OpenType font file, thus causing a denial-of-service via application crash, or execution of arbitrary code.
---------------------------------------------
https://www.debian.org/security/2017/dsa-3958
∗∗∗ DSA-3957 ffmpeg - security update ∗∗∗
---------------------------------------------
Several vulnerabilities have been discovered in FFmpeg, a multimedia player, server and encoder. These issues could lead to Denial-of-Service and, in some situations, the execution of arbitrary code.
---------------------------------------------
https://www.debian.org/security/2017/dsa-3957
∗∗∗ VU#403768: Akeo Consulting Rufus fails to update itself securely ∗∗∗
---------------------------------------------
http://www.kb.cert.org/vuls/id/403768
∗∗∗ DFN-CERT-2017-1514: MISP: A vulnerability allows a cross-site scripting attack ∗∗∗
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1514/
∗∗∗ DFN-CERT-2017-1512: OpenSSL: A vulnerability allows the display of false information ∗∗∗
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1512/
∗∗∗ DFN-CERT-2017-1515: Ghostscript: Multiple vulnerabilities allow various denial-of-service attacks ∗∗∗
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1515/
∗∗∗ DFN-CERT-2017-1517: SQLite: A vulnerability allows a denial-of-service attack ∗∗∗
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1517/
∗∗∗ Security Advisory - Two Vulnerabilities in Smart Phones ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170807-…
∗∗∗ Security Advisory - App Lock Bypass Vulnerability in Huawei Mobile Phones ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170829-…
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK 7 affect IBM Systems Director. ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=isg3T1025659
∗∗∗ Pulse Connect Secure Access Control Flaw in diag.cgi Lets Remote Users Conduct Cross-Site Request Forgery Attacks ∗∗∗
---------------------------------------------
http://www.securitytracker.com/id/1039242
=====================
= End-of-Day report =
=====================
Timeframe: Friday 25-08-2017 18:00 − Monday 28-08-2017 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
=====================
= News =
=====================
=====================
= Advisories =
=====================
∗∗∗ Disabling Intel ME 11 via undocumented mode ∗∗∗
---------------------------------------------
.. researchers have delved deep into the internal architecture of Intel
Management Engine (ME) 11, revealing a mechanism that can disable Intel
ME after hardware is initialized and the main processor starts. In this
article, we describe how we discovered this undocumented mode and how
it is connected with the U.S. government's High Assurance Platform (HAP)
program.
---------------------------------------------
http://blog.ptsecurity.com/2017/08/disabling-intel-me.html
∗∗∗ Security Advisory - Two Vulnerabilities in Smart Phones ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170807-01-smartphone-en
∗∗∗ IBM Security Bulletin: OpenSSL Security Advisory [22 Sep 2016 ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=ssg1S1010571
∗∗∗ IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM
Sametime Community Server ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22006228
∗∗∗ IBM Security Bulletin: IBM Cognos Analytics is affected by multiple
vulnerabilities ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22007242
∗∗∗ IBM Security Bulletin: A vulnerability in IBM Sametime Web Player
(CVE-2016-2980) ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22006447
∗∗∗ IBM Security Bulletin: Security vulnerabilities in IBM Sametime
Connect client (CVE-2016-0243, CVE-2016-2974) ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22006444
∗∗∗ IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Cisco
SAN switches and directors (CVE-2016-2108, CVE-2016-2107,
CVE-2016-2105, CVE-2016-2106, CVE-2016-2109, CVE-2016-2176) ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=ssg1S1010566
∗∗∗ IBM Security Bulletin: Various Security Vulnerabilities in IBM
Sametime Proxy Server ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22006441
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 24-08-2017 18:00 − Friday 25-08-2017 18:00
Handler: Olaf Schwarz
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Researcher Releases Fully Working Exploit Code for iOS Kernel Vulnerability ∗∗∗
---------------------------------------------
Adam Donenfeld, a researcher with mobile security firm Zimperium, has published today proof-of-concept code for zIVA — a kernel exploit that affects iOS 10.3.1 and previous versions.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/researcher-releases-fully-wo…
∗∗∗ New EMPTY CryptoMix Ransomware Variant Released ∗∗∗
---------------------------------------------
Today, MalwareHunterTeam discovered a new variant of the CryptoMix ransomware that is appending the .EMPTY extension to encrypted file names. Considering that the previous variant used ERROR as the previous extension and now uses EMPTY, it is clear that the developers are running out of extensions to use.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-empty-cryptomix-ransomwa…
∗∗∗ Mobile malware factories: Android apps for creating ransomware ∗∗∗
---------------------------------------------
Mobile ransomware can now be created automatically without the need to write code. Having little to no coding experience is no longer a problem for wannabe mobile malware authors, thanks to Trojan Development Kits (TDKs). Criminals can now install an app that will allow them to quickly and easily create Android ransomware with their own devices.
---------------------------------------------
https://www.symantec.com/connect/blogs/mobile-malware-factories-android-app…
∗∗∗ Analysis of Ronggolawe Ransomware and How to Block It ∗∗∗
---------------------------------------------
... Web server ransomware is not new. In fact we witnessed first evidence of it back in 2015 and most recently in the well-known attack aimed at the South Korean web hosting company NAYANA. Unfortunately, today ransomware targeted at web servers is even more popular especially given the availability of open source malware easily found in public repositories such as GitHub. Most recently we have seen reports of a new web server ransomware called Ronggolawe, the code name for AwesomeWare.
---------------------------------------------
https://www.imperva.com/blog/2017/08/ronggolawe-ransomware-how-to-block-it/
∗∗∗ The Adventure of the Final Intel AMT Problem ∗∗∗
---------------------------------------------
It's high time to learn how cunning cyber criminals can use Intel AMT powerful capabilities to achieve their malicious goals. See the captivating story of hacking Intel AMT with all its twists and turns and awe-inspiring details with your own eyes. The freshest and the hottest presentation “MythBusters: CVE-2017-5689 – How Intel AMT could be broken completely” from HITB 2017.
---------------------------------------------
https://embedi.com/news/adventure-final-intel-amt-problem
∗∗∗ Sophos UTM: Update addresses old and new security vulnerabilities ∗∗∗
---------------------------------------------
Several vulnerabilities exist in Sophos's UTM. A fixed version is available for download.
---------------------------------------------
https://heise.de/-3812308
∗∗∗ Android Oreo: These are the security improvements in Android 8.0 ∗∗∗
---------------------------------------------
Google is hardening Android with Google Play Protect, protections for the system UI, stricter rules for code loaded at runtime from third-party sources, and extended isolation of browser processes.
---------------------------------------------
https://heise.de/-3812341
=====================
= Advisories =
=====================
∗∗∗ ZDI-17-697: (0Day) Delta Industrial Automation WPLSoft dvp File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Delta Industrial Automation WPLSoft. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-17-697/
∗∗∗ ESB-2017.2137 - [Appliance] WPLSoft, ISPSoft and PMSoft ∗∗∗
---------------------------------------------
This bulletin contains ten (10) Zero Day Initiative security advisories.
---------------------------------------------
https://www.auscert.org.au/bulletins/51578/print
∗∗∗ Westermo MRD-305-DIN, MRD-315, MRD-355, and MRD-455 ∗∗∗
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-17-236-01
∗∗∗ Rockwell Automation Allen-Bradley Stratix and ArmorStratix ∗∗∗
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-17-208-04
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM MQ Light ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22007508