=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 11-07-2017 18:00 − Mittwoch 12-07-2017 18:00
Handler: Stephan Richter
Co-Handler:
=====================
= News =
=====================
∗∗∗ NTLM Relay Attacks Still Causing Problems in 2017 ∗∗∗
---------------------------------------------
Microsofts July 2017 Patch Tuesday includes a fix for an issue with the NT LAN Manager (NTLM) Authentication Protocol that can be exploited to allow attackers to create admin accounts on a local networks domain controller (DC). [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ntlm-relay-attacks-still-cau…
∗∗∗ HTTPS: Private Schlüssel auf dem Webserver ∗∗∗
---------------------------------------------
Zu einem Zertifikat für verschlüsselte HTTPS-Verbindungen gehört ein privater Schlüssel. Doch was, wenn der Schlüssel auf dem Webserver landet - und dann nicht mehr privat ist? Wir fanden zahlreiche Webseiten, die ihren privaten Schlüssel zum Herunterladen anbieten. (SSL, Technologie)
---------------------------------------------
https://www.golem.de/news/https-private-schluessel-auf-dem-webserver-1707-1…
∗∗∗ Telegram-Controlled Hacking Tool Targets SQL Injection at Scale ∗∗∗
---------------------------------------------
The Katyusha Scanner can find SQL injection bugs at scale, and is managed via the Telegram messenger on any smartphone.
---------------------------------------------
http://threatpost.com/telegram-controlled-hacking-tool-targets-sql-injectio…
∗∗∗ July 2017 security update release ∗∗∗
---------------------------------------------
Today, we released security updates to provide additional protections against malicious attackers. By default, Windows 10 receives these updates automatically, and for customers running previous versions, we recommend they turn on automatic updates as a best practice. More information about this month’s security updates can be found on the Security Update Guide. MSRC team
---------------------------------------------
https://blogs.technet.microsoft.com/msrc/2017/07/11/july-2017-security-upda…
∗∗∗ Who Controls The Internet? ∗∗∗
---------------------------------------------
The title of the paper Who controls the Internet? Analyzing global threats using property traversal graphs is enough to ensnare any Internet researcher. The control plane for a number of attacks, as the paper points out, is the DNS due to the role it plays in mapping names to resources. MX records in the DNS control [...]
---------------------------------------------
http://dyn.com/blog/who-controls-the-internet/
∗∗∗ Julys Microsoft Patch Tuesday, (Tue, Jul 11th) ∗∗∗
---------------------------------------------
TodaysMicrosoft Patch Tuesdayfixes critical and important flaws that, if exploited, could give an attacker a range of possibilities - from privilege escalation to remote code execution (RCE) - on different Windows OS and Microsoft Office versions.
---------------------------------------------
https://isc.sans.edu/diary/rss/22602
∗∗∗ Backup Scripts, the FIM of the Poor, (Wed, Jul 12th) ∗∗∗
---------------------------------------------
File Integrity Management or FIM is an interesting security control that can help to detect unusual changes in a file system. By example, on a server, they are directories that do not change often.
---------------------------------------------
https://isc.sans.edu/diary/rss/22606
∗∗∗ Systemic Vulnerabilities in Customer-Premises Equipment (CPE) Routers ∗∗∗
---------------------------------------------
Customer-premises equipment (CPE)—specifically small office/home office (SOHO) routers—has become ubiquitous. CPE routers are notorious for their web interface vulnerabilities, old versions of software components with known vulnerabilities, default and hard-coded credentials, and other security issues.
---------------------------------------------
http://resources.sei.cmu.edu/library/asset-view.cfm?assetid=502613
∗∗∗ What will it take to improve the ICS patch process? ∗∗∗
---------------------------------------------
While regular patching is indisputably good advice for IT networks, one of the main takeaways from the Petya and WannaCry attacks is that a lot of companies don’t do it. And with even more NSA exploits like EternalBlue scheduled to be released by The Shadow Brokers (TSB), it’s certainly not going to get any better. Patching IT systems is hard enough, but it’s even more difficult to patch industrial control systems (ICS), commonly found in [...]
---------------------------------------------
https://www.helpnetsecurity.com/2017/07/12/ics-patch-process/
=====================
= Advisories =
=====================
∗∗∗ Security Update for Windows Kernel (3186973) ∗∗∗
---------------------------------------------
V1.0 (September 13, 2016): Bulletin published.
V2.0 (July 11, 2017): Revised Windows Affected Software and Vulnerability Severity Ratings table to include Windows 10 Version 1703 for 32-bit Systems and Windows 10 Version 1703 for x64-based Systems because they are affected by CVE-2016-3305. Microsoft recommends that customers running Windows 10 Version 1703 should install update 4025342 to be protected from this vulnerability.
---------------------------------------------
https://technet.microsoft.com/en-us/library/security/MS16-111
∗∗∗ [2017-07-12] Multiple critical vulnerabilities in AGFEO smart home ES 5xx/6xx products ∗∗∗
---------------------------------------------
The AGFEO ES 5xx/6xx SmartHome product lines are prone to multiple critical vulnerabilities. It is possible to read the whole user database by an active debug web service in order to reveal all passwords even from the administrative account. Furthermore, many debug services are active which enable an attacker to reconfigure the whole device without such administrative permissions. A hardcoded cryptographic key pair is embedded in the firmware which is used for HTTPS communication. Those keys [...]
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2017…
∗∗∗ Fuji Electric V-Server ∗∗∗
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-17-192-02
∗∗∗ ABB VSN300 WiFi Logger Card ∗∗∗
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-17-192-03
∗∗∗ OSIsoft PI Coresight ∗∗∗
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-17-192-04
∗∗∗ Schweitzer Engineering Laboratories, Inc. SEL-3620 and SEL-3622 ∗∗∗
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-17-192-06
∗∗∗ OSIsoft PI ProcessBook and PI ActiveView ∗∗∗
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-17-192-05
∗∗∗ NetIQ Privileged Account Manager 3.1 Patch Update 3 (3.1.0.3) ∗∗∗
---------------------------------------------
https://download.novell.com/Download?buildid=MtsbTyzebZw~
∗∗∗ DFN-CERT-2017-1206/">FreeBSD, Heimdal: Eine Schwachstelle ermöglicht die vollständige Kompromittierung des Dienstes ∗∗∗
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1206/
∗∗∗ Security Advisory - Directory Traversal Vulnerability in Push Module of Huawei Smart Phone ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170712-…
∗∗∗ Security Advisory - Escalation of Privilege Vulnerability in Intel AMT, Intel ISM and Intel SMT ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170712-…
∗∗∗ Security Advisory - Privilege Escalation Vulnerability in Push Module of Huawei Smart Phone ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170712-…
∗∗∗ IBM Security Bulletin: Daeja ViewONE arbitrary files can be accessed ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22003806
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects IBM InfoSphere Information Server ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22004602
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects Rational Functional Tester (CVE-2017-3511, CVE-2017-3514, CVE-2017-3539) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22005085
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in zlib affects IBM Common Inventory Technology (CIT) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22005841
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities addressed in the IBM Emptoris Sourcing product (CVE-2017-1447, CVE-2017-1449, CVE-2017-1450, CVE-2017-1444) ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22005834
∗∗∗ IBM Security Bulletin: Vulnerability in account lockout affects IBM License Metric Tool v9.x and IBM BigFix Inventory v9.x (CVE-2016-8964) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21995024
∗∗∗ IBM Security Bulletin: IBM Dynamic System Analysis (DSA) Preboot is affected by vulnerabilities in OpenSSL ∗∗∗
---------------------------------------------
http://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=MIGR-50…
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities addressed in IBM Emptoris Strategic Supply Management (CVE-2016-6019, CVE-2016-8951, CVE-2016-8952 ) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22005839
∗∗∗ IBM Security Bulletin: A vulnerability in IBM Java Runtime affects IBM WebSphere MQ (CVE-2016-3485 ) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22001630
∗∗∗ JSA10806 - 2017-07 Security Bulletin: Junos OS: SRX Series: Cluster configuration synch failures occur if the root user account is locked out (CVE-2017-10604) ∗∗∗
---------------------------------------------
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10806&actp=RSS
∗∗∗ JSA10775 - 2017-07 Security Bulletin: OpenSSL Security Advisory [26 Jan 2017] ∗∗∗
---------------------------------------------
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10775&actp=RSS
∗∗∗ JSA10779 - 2017-07 Security Bulletin: Junos: RPD crash due to malformed BGP OPEN message (CVE-2017-2314) ∗∗∗
---------------------------------------------
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10779&actp=RSS
∗∗∗ JSA10782 - 2017-07 Security Bulletin: ScreenOS: Multiple XSS vulnerabilities in ScreenOS Firewall ∗∗∗
---------------------------------------------
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10782&actp=RSS
∗∗∗ JSA10787 - 2017-07 Security Bulletin: Junos: VM to host privilege escalation in platforms with Junos OS running in a virtualized environment. (CVE-2017-2341) ∗∗∗
---------------------------------------------
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10787&actp=RSS
∗∗∗ JSA10789 - 2017-07 Security Bulletin: Junos: SRX Series denial of service vulnerability in flowd due to crafted DHCP packet (CVE-2017-10605) ∗∗∗
---------------------------------------------
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10789&actp=RSS
∗∗∗ JSA10790 - 2017-07 Security Bulletin: SRX Series: MACsec failure to report errors (CVE-2017-2342) ∗∗∗
---------------------------------------------
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10790&actp=RSS
∗∗∗ JSA10791 - 2017-07 Security Bulletin: SRX Series: Hardcoded credentials in Integrated UserFW feature. (CVE-2017-2343) ∗∗∗
---------------------------------------------
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10791&actp=RSS
∗∗∗ JSA10792 - 2017-07 Security Bulletin: Junos: Buffer overflow in sockets library (CVE-2017-2344) ∗∗∗
---------------------------------------------
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10792&actp=RSS
∗∗∗ JSA10793 - 2017-07 Security Bulletin: Junos: snmpd denial of service upon receipt of crafted SNMP packet (CVE-2017-2345) ∗∗∗
---------------------------------------------
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10793&actp=RSS
∗∗∗ JSA10794 - 2017-07 Security Bulletin: MS-MPC or MS-MIC crash when passing large fragmented traffic through an ALG (CVE-2017-2346) ∗∗∗
---------------------------------------------
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10794&actp=RSS
∗∗∗ JSA10797 - 2017-07 Security Bulletin: Junos OS: Incorrect argument handling in sendmsg() affects Junos OS (CVE-2016-1887) ∗∗∗
---------------------------------------------
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10797&actp=RSS
∗∗∗ HPE Performance Center Input Validation Flaw Lets Remote Users Conduct Cross-Site Scripting Attacks ∗∗∗
---------------------------------------------
http://www.securitytracker.com/id/1038868
∗∗∗ HPE LoadRunner Input Validation Flaw Lets Remote Users Conduct Cross-Site Scripting Attacks ∗∗∗
---------------------------------------------
http://www.securitytracker.com/id/1038867
∗∗∗ Linux kernel vulnerability CVE-2017-1000365 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K15412203
∗∗∗ Linux kernel vulnerability CVE-2016-8399 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K23030550
∗∗∗ IPv6 fragmentation vulnerability CVE-2016-10142 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K57211290
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 10-07-2017 18:00 − Dienstag 11-07-2017 18:00
Handler: Stephan Richter
Co-Handler:
=====================
= News =
=====================
∗∗∗ Security Bulletins posted for Adobe Flash Player and Adobe Connect ∗∗∗
---------------------------------------------
Adobe has published security bulletins for Adobe Flash Player (APSB17-21) and Adobe Connect (APSB17-22). Adobe recommends users update their product installations to the latest versions using the instructions referenced in the relevant bulletin. This posting is provided “AS IS” with no [...]
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1474
∗∗∗ Exploiting Windows Authentication Protocols: Introduction ∗∗∗
---------------------------------------------
SMB relay attack Exploiting the weak Windows authentication protocols is on the top of the list for any adversary, because it mostly relies on a design flaw in the protocol itself, moreover, it is easy and could allow the adversary to get access to remote systems with almost no alert from most systems such as [...]
---------------------------------------------
http://resources.infosecinstitute.com/exploiting-windows-authentication-pro…
∗∗∗ A Computational Complexity Attack against Racoon and ISAKMP Fragmentation ∗∗∗
---------------------------------------------
Trustwave recently reported a remotely exploitable computational complexity vulnerability in the racoon isakmp daemon that is part of the ipsec-tools open-source project (http://ipsec-tools.sourceforge.net/). The vulnerability is present in the handling of fragmented packets. A computational complexity attack seeks to cause [...]
---------------------------------------------
http://trustwave.com/Resources/SpiderLabs-Blog/A-Computational-Complexity-A…
∗∗∗ Verschlüsselung knackbar: Hoffnung für (manche) NotPetya-Opfer ∗∗∗
---------------------------------------------
Die Entwickler des Verschlüsselungstrojaners NotPetya haben entscheidende Fehler bei der Umsetzung ihrer Verschlüsselung gemacht. Unter bestimmten Umständen lässt sich diese knacken. Automatische Tools wird es aber wohl erst einmal nicht geben.
---------------------------------------------
https://heise.de/-3768889
∗∗∗ SambaCry bedroht HPE-NonStop-Server ∗∗∗
---------------------------------------------
Das NonStopOS von Hewlett Packards NonStop-Serversystemen ist anfällig für Angriffe über die SambaCry-Lücke. Die Firma empfiehlt, entsprechende Workarounds umzusetzen, bis Patches bereit stehen.
---------------------------------------------
https://heise.de/-3769117
∗∗∗ Learning PowerShell: The basics ∗∗∗
---------------------------------------------
Get acquainted with some of the basic principles of Powershell and get prepared for some basic usage of this versatile tool that is available on all modern Windows systems.
---------------------------------------------
https://blog.malwarebytes.com/101/how-tos/2017/07/learning-powershell-the-b…
∗∗∗ SAP Security Patch Day – July 2017 ∗∗∗
---------------------------------------------
This post by SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that [...]
---------------------------------------------
https://blogs.sap.com/2017/07/11/sap-security-patch-day-july-2017/
=====================
= Advisories =
=====================
∗∗∗ Schneider Electric Pelco Sarix/Spectra Cameras Root Remote Code Execution ∗∗∗
---------------------------------------------
https://cxsecurity.com/issue/WLB-2017070080
∗∗∗ Schneider Electric Pelco Sarix/Spectra Cameras CSRF Enable SSH Root Access ∗∗∗
---------------------------------------------
https://cxsecurity.com/issue/WLB-2017070076
∗∗∗ DFN-CERT-2017-1193: Sophos UTM: Mehrere Schwachstellen ermöglichen u.a. Denial-of-Service-Angriffe ∗∗∗
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1193/
∗∗∗ HPESBNS03755 rev.1 - HPE NonStop Server using Samba, Multiple Remote Vulnerabilities ∗∗∗
---------------------------------------------
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=e…
∗∗∗ IBM Security Bulletin: IBM InfoSphere Information Server is vulnerable to Cross-Site Scripting (XSS) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22004729
∗∗∗ IBM Security Bulletin: IBM MQ and IBM MQ Appliance invalid requests cause denial of service to SDR and CLUSSDR channels (CVE-2017-1285) ∗∗∗
---------------------------------------------
https://www-01.ibm.com/support/docview.wss?uid=swg22003856
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects WebSphere Cast Iron ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22005610
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities affect IBM Emptoris Spend Analysis product (CVE-2017-1445, CVE-2017-1446) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22005787
∗∗∗ IBM Security Bulletin:Multiple vulnerabilities in the IBM Emptoris Services Procurement product ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22005550
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in the IBM Emptoris Sourcing product ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22005549
∗∗∗ IBM Security Bulletin: Apache PDFBox affects IBM Emptoris Contract Management (CVE-2016-2175) ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22005591
∗∗∗ SQL Injection in extension "Content Rating Extbase" (content_rating_extbase) ∗∗∗
---------------------------------------------
https://typo3.org/news/article/sql-injection-in-extension-content-rating-ex…
∗∗∗ Remote Code Execution in extension "PHPMailer" (bb_phpmailer) ∗∗∗
---------------------------------------------
https://typo3.org/news/article/remote-code-execution-in-extension-phpmailer…
∗∗∗ Remote Code Execution in extension "AH Sendmail" (ah_sendmail) ∗∗∗
---------------------------------------------
https://typo3.org/news/article/remote-code-execution-in-extension-ah-sendma…
∗∗∗ Remote Code Execution in extension "Maag Sendmail" (maag_sendmail) ∗∗∗
---------------------------------------------
https://typo3.org/news/article/remote-code-execution-in-extension-maag-send…
∗∗∗ SQL Injection in extension "Faceted Search" (ke_search) ∗∗∗
---------------------------------------------
https://typo3.org/news/article/sql-injection-in-extension-faceted-search-ke…
∗∗∗ Linux kernel vulnerability CVE-2017-1000364 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K51931024
∗∗∗ Linux kernel vulnerability CVE-2017-1000366 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K20486351
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 07-07-2017 18:00 − Montag 10-07-2017 18:00
Handler: Stephan Richter
Co-Handler:
=====================
= News =
=====================
∗∗∗ A VBScript with Obfuscated Base64 Data, (Sat, Jul 8th) ∗∗∗
---------------------------------------------
A few months ago, I posted a diary to explain how to search for (malicious) PE files in Base64 data[1]. Base64 is indeed a common way to distribute binary content in an ASCII form. There are plenty of scripts based on this technique. On my Macbook, Im using width:800px [...]
---------------------------------------------
https://isc.sans.edu/diary/rss/22590
∗∗∗ Adversary hunting with SOF-ELK, (Sun, Jul 9th) ∗∗∗
---------------------------------------------
As we recently celebrated Independence Day in the U.S., Im reminded that we honor what was, of course, an armed conflict. Todays realities, when we think about conflict, are quite different than the days of lining troops up across the field from each other, loading muskets, and flinging balls of lead into the fray. We live in a world of asymmetrical battles, often conflicts that arent always obvious in purpose and intent, and likely fought on multiple fronts. For one of the best reads on the [...]
---------------------------------------------
https://isc.sans.edu/diary/rss/22592
∗∗∗ 94 .ch & .li domain names hijacked and used for drive-by ∗∗∗
---------------------------------------------
A Swiss domain holder called us today telling us that the .ch zone points to the wrong name servers for his domain. The NS entries were ns1.dnshost[.]ga and ns2.dnshost[.]ga. We contacted the registrar and soon realized that this is not the [...]
---------------------------------------------
https://securityblog.switch.ch/2017/07/07/94-ch-li-domain-names-hijacked-an…
∗∗∗ BSI warnt Unternehmen gezielt vor akutem Risiko durch CEO Fraud ∗∗∗
---------------------------------------------
https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2017/CEO_Fraud_1…
∗∗∗ Attack on Critical Infrastructure Leverages Template Injection ∗∗∗
---------------------------------------------
Contributors: Sean Baird, Earl Carter, Erick Galinkin, Christopher Marczewski & Joe Marshall Executive SummaryAttackers are continually trying to find new ways to target users with malware sent via email. Talos has identified an email-based attack targeting the energy sector, including nuclear power, that puts a new spin on the classic word document attachment phish. Typically, malicious Word documents that are sent as attachments to phishing emails will themselves contain a script or macro [...]
---------------------------------------------
http://blog.talosintelligence.com/2017/07/template-injection.html
=====================
= Advisories =
=====================
∗∗∗ Microsoft .NET Privilege Escalation ∗∗∗
---------------------------------------------
Topic: Microsoft .NET Privilege Escalation Risk: Medium Text:Hi @ll, all versions of .NET Framework support to load a COM object as code profiler, enabled via two or three environment ...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2017070067
∗∗∗ DSA-3905 xorg-server - security update ∗∗∗
---------------------------------------------
https://www.debian.org/security/2017/dsa-3905
∗∗∗ Petya Malware Variant (Update C) ∗∗∗
---------------------------------------------
https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-181-01C
∗∗∗ iManager 3.0.3 Patch 2 (3.0.3.2) ∗∗∗
---------------------------------------------
https://download.novell.com/Download?buildid=KhPP8lJyDik~
∗∗∗ DFN-CERT-2017-1188: SQLite: Eine Schwachstelle ermöglicht u.a. das Ausspähen von Informationen ∗∗∗
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1188/
∗∗∗ DFN-CERT-2017-1187: Apache Software Foundation Struts: Eine Schwachstelle ermöglicht die Ausführung beliebigen Programmcodes ∗∗∗
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1187/
∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affects IBM WebSphere Application Server for Bluemix April 2017 CPU ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22004278
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational Performance Tester. ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22004418
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational Service Tester. ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22004419
∗∗∗ EMC Data Protection Advisor Input Validation Flaws Let Remote Authenticated Users Obtain Potentially Sensitive Information and Inject SQL Commands ∗∗∗
---------------------------------------------
http://www.securitytracker.com/id/1038841
∗∗∗ EMC Secure Remote Services (ESRS) Policy Manager Undocumented Account With Default Password Lets Remote Users Access the Target System ∗∗∗
---------------------------------------------
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 06-07-2017 18:00 − Freitag 07-07-2017 18:00
Handler: Stephan Richter
Co-Handler:
=====================
= News =
=====================
∗∗∗ CIA Malware Can Steal SSH Credentials, Session Traffic ∗∗∗
---------------------------------------------
WikiLeaks dumped today the documentation of two CIA hacking tools
codenamed BothanSpy and Gyrfalcon, both designed to steal SSH
credentials from Windows and Linux systems, respectively. [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/security
/cia-malware-can-steal-ssh-credentials-session-traffic/
∗∗∗ ZIP Bombs Can Protect Websites From Getting Hacked ∗∗∗
---------------------------------------------
Webmasters can use so-called ZIP bombs to crash a hackers vulnerability
and port scanner and prevent him from gaining access to their website.
[...]
---------------------------------------------
https://www.bleepingcomputer.com/news/security
/zip-bombs-can-protect-websites-from-getting-hacked/
∗∗∗ IT und Energiewende: Stromnetzbetreiber fordern das ganz große
Lastmanagement ∗∗∗
---------------------------------------------
Silizium statt Kupfer und Stahl: Die Energiewende und die
Elektromobilität erfordern einen Ausbau des Stromnetzes. Doch die
Netzbetreiber setzen lieber auf Digitalisierung und "Flexibilisierung".
Stromlieferanten wollen sich gegen die Bevormundung wehren. (Smart
Grid, GreenIT)
---------------------------------------------
https://www.golem.de/news
/it-und-energiewende-stromnetzbetreiber-fordern-das-ganz-grosse-last
management-1707-128779-rss.html
∗∗∗ Decryption Key to Original Petya Ransomware Released ∗∗∗
---------------------------------------------
The key to decrypt the original Petya ransomware has been reportedly
released by the ransomware’s author.
---------------------------------------------
http://threatpost.com
/decryption-key-to-original-petya-ransomware-released/126705/
∗∗∗ Someones phishing US nuke power stations. So far, no kaboom ∗∗∗
---------------------------------------------
Stuxnet, this aint Dont panic, but attackers are trying to phish their
way into machines in various US power facilities, including nuclear
power station operators.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2017/071/07
/someones_phishing_us_nuke_power_stations_so_far_no_kaboom/
∗∗∗ Lets not help attackers by spreading fear, uncertainty and doubt
∗∗∗
---------------------------------------------
Spreading FUD in the wake of cyber-attacks is never a good idea. But
its even worse when this might be one of the attackers implicit goals.
---------------------------------------------
https://www.virusbulletin.com:443/blog/2017/07
/lets-not-help-attackers-spreading-fear-uncertainty-and-doubt/
∗∗∗ Hacker-Sammlung gefunden: 500 Mio. E-Mail-Adressen und
Passwörter betroffen ∗∗∗
---------------------------------------------
Das Bundeskriminalamt hat in einer Underground-Economy-Plattform im
Internet eine Sammlung von ca. 500.000.000 ausgespähten Zugangsdaten
gefunden. Die Daten bestehen aus Email-Adressen mit dazugehörigen
Passwörtern. Vermutlich stammen die Daten von verschiedenen
Hacking-Angriffen und wurden über einen längeren Zeitraum
zusammengetragen. Die aktuellsten ausgespähten Zugangsdaten sind
wahrscheinlich aus Dezember 2016.
---------------------------------------------
https://www.bka.de/SharedDocs/Kurzmeldungen/DE/Kurzmeldungen
/170705_HackerSammlung.html
∗∗∗ Abgesicherte PHP-Versionen erschienen ∗∗∗
---------------------------------------------
Trotz der Möglichkeit von Angreifern Schadcode ausführen zu können,
gilt der Bedrohungsgrad nicht als kritisch.
---------------------------------------------
https://heise.de/-3766935
∗∗∗ Android-Mega-Patch: Google schließt haufenweise kritische Lücken
∗∗∗
---------------------------------------------
Unter anderem werden Lücken in WLAN-Chipsets von Broadcom geschlossen,
die Angreifern das Ausführen von Code mittels manipulierter Wifi-Pakete
erlauben. Auch für Android 4.4 (KitKat) sind Patches dabei.
---------------------------------------------
https://heise.de/-3767103
∗∗∗ New Ransomware Variant "Nyetya" Compromises Systems Worldwide ∗∗∗
---------------------------------------------
Note: This blog post discusses active research by Talos into a new
threat. This information should be considered preliminary and will be
updated as research continues.Update 2017-07-06 12:30 EDT: Updated to
explain the modified DoublePulsar backdoor.Since the SamSam attacks
that targeted US healthcare entities in March 2016, Talos has been
concerned about the proliferation of malware via unpatched network
vulnerabilities. In May 2017, WannaCry ransomware took advantage of a
vulnerability in [...]
---------------------------------------------
http://blog.talosintelligence.com/2017/06
/worldwide-ransomware-variant.html
=====================
= Advisories =
=====================
∗∗∗ Schneider Electric Wonderware ArchestrA Logger ∗∗∗
---------------------------------------------
This advisory contains mitigation details for stack-based buffer
overflow, uncontrolled resource consumption, and null pointer deference
vulnerabilities in Schneider Electric’s Wonderware ArchestrA Logger.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-17-187-04
∗∗∗ Schneider Electric Ampla MES ∗∗∗
---------------------------------------------
This advisory contains mitigation details for cleartext transmission of
sensitive information and inadequate encryption strength
vulnerabilities in Schneider Electric’s Ampla MES.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-17-187-05
∗∗∗ Barracuda WAF V360 Firmware 8.0.1.014 Credential Disclosure ∗∗∗
---------------------------------------------
https://cxsecurity.com/issue/WLB-2017070056
∗∗∗ Barracuda WAF V360 Firmware 8.0.1.014 Support Tunnel Hijack ∗∗∗
---------------------------------------------
https://cxsecurity.com/issue/WLB-2017070060
∗∗∗ Barracuda WAF V360 Firmware 8.0.1.014 Username / Session ID Leak
∗∗∗
---------------------------------------------
https://cxsecurity.com/issue/WLB-2017070059
∗∗∗ Barracuda WAF V360 Firmware 8.0.1.014 Early Boot Root Shell ∗∗∗
---------------------------------------------
https://cxsecurity.com/issue/WLB-2017070058
∗∗∗ Barracuda WAF V360 Firmware 8.0.1.014 Grub Password Complexity ∗∗∗
---------------------------------------------
https://cxsecurity.com/issue/WLB-2017070057
∗∗∗ Bugtraq: KL-001-2017-015 : Solarwinds LEM Hardcoded Credentials ∗∗∗
---------------------------------------------
http://www.securityfocus.com/archive/1/540812
∗∗∗ Bugtraq: [SYSS-2017-011] Office 365: Insufficient Session
Expiration (CWE-613) ∗∗∗
---------------------------------------------
http://www.securityfocus.com/archive/1/540814
∗∗∗ iManager 2.7 Support Pack 7 - Patch 10 Hotfix 2 ∗∗∗
---------------------------------------------
https://download.novell.com/Download?buildid=WeEb4PchpTU~
∗∗∗ eDirectory 8.8 SP8 Patch 10 ∗∗∗
---------------------------------------------
https://download.novell.com/Download?buildid=VYtYu65T21Y~
∗∗∗ IBM Security Bulletin: IBM MQ Java/JMS application can incorrectly
flow password in plain text. (CVE-2017-1337) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22003853
∗∗∗ IBM Security Bulletin: IBM MQ Passwords specified by MQ java or JMS
applications can appear in WebSphere Application Server trace.
(CVE-2017-1284) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22003851
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK
affect WebSphere Application Server and Tivoli Netcool Performance
Manager October 2016 and January 2017 CPU (multiple CVEs) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22005615
∗∗∗ IBM Security Bulletin: Vulnerabilities in tcpdump affect AIX ∗∗∗
---------------------------------------------
http://aix.software.ibm.com/aix/efixes/security/tcpdump_advisory2.asc
∗∗∗ PHP Multiple Flaws Let Remote Users Obtain Potentially Sensitive
Information, Deny Service, and Execute Arbitrary Code ∗∗∗
---------------------------------------------
http://www.securitytracker.com/id/1038837
∗∗∗ systemd vulnerability CVE-2017-9445 ∗∗∗
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 05-07-2017 18:00 − Donnerstag 06-07-2017 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Decryptor Released for the Mole02 CryptoMix Ransomware Variant ***
---------------------------------------------
It is always great to be able to announce a free decryptor for victims who have had their files encrypted by a ransomware. This is the case today, where a decryptor for the Mole02 cryptomix variant was released. [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/security/decryptor-released-for-the-m…
*** Evolution of Conditional Spam Targeting Drupal Sites ***
---------------------------------------------
Last year we took a look at how attackers were infecting Drupal installations to spread their spam and keep their campaigns going by just including a malicious file in each visitor's session. It's quite common for attackers to evolve their techniques and add new variations of hidden backdoors to make it harder to get rid of the infection. These evasion and reinfection techniques can also make it difficult to modify the malicious code, which is what has exactly happened in this case, [...]
---------------------------------------------
https://blog.sucuri.net/2017/07/drupal-conditional-spam-evolved.html
*** New BTCWare Ransomware Decrypter Released for the Master Variant ***
---------------------------------------------
Security researcher Michael Gillespie has released a new version of the BTCWare ransomware decrypter after the author of the eponymous ransomware has leaked the private key for his latest version. [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-btcware-ransomware-decry…
*** Sicherheitsupdates: Cisco kämpft gegen statische und unverschlüsselte Zugangsdaten ***
---------------------------------------------
Der Netzwerkausrüster stopft zum Teil kritische Sicherheitslücken in seinem Elastic Services Controller und seinem Ultra Services Framework.
---------------------------------------------
https://heise.de/-3765238
*** M.E.Doc Software Was Backdoored 3 Times, Servers Left Without Updates Since 2013 ***
---------------------------------------------
Servers and infrastructure belonging to Intellect Service, the company behind the M.E.Doc accounting software, were grossly mismanaged, being left without updates since 2013, and getting backdoored on three separate occasions during the past three months. [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/security/m-e-doc-software-was-backdoo…
*** The MeDoc Connection ***
---------------------------------------------
The Nyetya attack was a destructive ransomware variant that affected many organizations inside of Ukraine and multinational corporations with operations in Ukraine. In cooperation with Cisco Advanced Services Incident Response, Talos identified several key aspects of the attack. The investigation found a supply chain-focused attack at M.E.Doc software that delivered a destructive payload disguised as ransomware. By utilizing stolen credentials, the actor was [...]
---------------------------------------------
http://blog.talosintelligence.com/2017/07/the-medoc-connection.html
*** Fritzbox-Lücke erlaubt delikate Einblicke ins lokale Netz ***
---------------------------------------------
Durch ein Informationsleck können Webseiten offenbar viele Details über das Heimnetz eines Fritzbox-Nutzers erfahren. Zu den abfischbaren Daten zählen die Netzwerknamen aller Clients, IP- und Mac-Adresssen und die eindeutige ID der Fritzbox.
---------------------------------------------
https://heise.de/-3764885
*** FIRST announces release of Guidelines and Practices for Multi-Party Vulnerability Coordination and Disclosure ***
---------------------------------------------
The Forum of Incident Response and Security Teams announces the release of a set of guidelines and norms for vulnerability disclosure that affects multiple parties.
---------------------------------------------
https://www.first.org/newsroom/releases/20170706
*** APWG Global Phishing Survey 2016: Trends and Domain Name Use ***
---------------------------------------------
This report comprehensively examines a large data set of more than 250,000 phishing attacks detected in 2015 and 2016. By quantifying this cybercrime activity and understanding the patterns that lurk therein, we have learned more about what phishers have been doing, and how they have accomplished their schemes.
---------------------------------------------
https://apwg.org/resources/apwg-reports/domain-use-and-trendshttps://docs.apwg.org/reports/APWG_Global_Phishing_Report_2015-2016.pdf
*** Gefälschte Anwaltsschreiben verbreiten Schadsoftware ***
---------------------------------------------
In gefälschten Anwaltsschreiben behaupten Kriminelle, dass Adressat/innen Schulden bei einem Unternehmen haben. Weiterführende Informationen zu der offenen Geldforderung sollen sich im Dateianhang der Nachricht finden. In Wahrheit verbirgt er Schadsoftware.
---------------------------------------------
https://www.watchlist-internet.at/gefaelschte-rechnungen/gefaelschte-anwalt…
*** BadGPO - Using Group Policy Objects for Persistence and Lateral Movement ***
---------------------------------------------
[...] Such policies are widely used in enterprise environments to control settings of clients and servers: registry settings, security options, scripts, folders, software installation and maintenance, just to name a few. Settings are contained in so-called Group Policy Objects (GPOs) and can be misused in a sneaky way to distribute malware and gain persistence in an automated manner in a post exploitation scenario of an already compromised domain.
---------------------------------------------
http://www.sicherheitsforschung-magdeburg.de/uploads/journal/MJS_052_Willi_…
*** ZDI-17-452: (0Day) Advantech WebOP Designer Project File Heap Buffer Overflow Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Advantech WebOP Designer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-17-452/
*** Android Security Bulletin July 2017 ***
---------------------------------------------
https://source.android.com/security/bulletin/2017-07-01.html
*** BlackBerry powered by Android Security Bulletin July 2017 ***
---------------------------------------------
http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber…
*** Petya Malware Variant (Update B) ***
---------------------------------------------
This updated alert is a follow-up to the updated alert titled ICS-ALERT-17-181-01A Petya Ransomware Variant that was published July 3, 2017, on the NCCIC/ICS-CERT web site. ICS-CERT is aware of reports of a variant of the Petya malware that is affecting several countries. ICS-CERT is releasing this alert to enhance the awareness of critical infrastructure asset owners/operators about the Petya variant and to identify product vendors that have issued recommendations to mitigate the risk [...]
---------------------------------------------
https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-181-01B
*** rsyslog: remote syslog PRI vulnerability CVE-2014-3634 ***
---------------------------------------------
rsyslog: remote syslog PRI vulnerability CVE-2014-3634. Security Advisory. Security Advisory Description. rsyslog before ...
---------------------------------------------
https://support.f5.com/csp/article/K42903299
*** DFN-CERT-2017-1171: LibTIFF: Mehrere Schwachstellen ermöglichen Denial-of-Service-Angriffe ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1171/
*** Security Advisories for Drupal Third-Party Modules ***
---------------------------------------------
*** SMTP - Moderately Critical - Information Disclosure - SA-CONTRIB-2017-055 ***
https://www.drupal.org/node/2890357
---------------------------------------------
*** DrupalChat - Critical - Multiple vulnerabilities - SA-CONTRIB-2017-057 ***
https://www.drupal.org/node/2892404
---------------------------------------------
*** OAuth - Critical - Access Bypass - SA-CONTRIB-2017-056 ***
https://www.drupal.org/node/2892400
---------------------------------------------
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: A Security vulnerability in IBM Java SDK affects IBM Tivoli System Automation for Multiplatforms (CVE-2017-1289). ***
http://www.ibm.com/support/docview.wss?uid=swg22005058
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms (CVE-2016-5546, CVE-2016-5548, CVE-2016-5549, CVE-2016-5547, CVE-2016-2183) ***
http://www-01.ibm.com/support/docview.wss?uid=swg22002336
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager (CVE-2016-5546, CVE-2016-5548, CVE-2016-5549, CVE-2016-5547, CVE-2016-2183) ***
http://www.ibm.com/support/docview.wss?uid=swg22002335
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Host On-Demand ***
http://www-01.ibm.com/support/docview.wss?uid=swg22000488
---------------------------------------------
*** Siemens Security Advisories ***
---------------------------------------------
*** SSA-804859 (Last Update 2017-07-06): Denial of Service Vulnerability in SIMATIC Logon ***
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-804859…
---------------------------------------------
*** SSA-874235 (Last Update 2017-07-06): Intel Vulnerability in Siemens Industrial Products ***
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-874235…
---------------------------------------------
*** SSA-275839 (Last Update 2017-07-06): Denial-of-Service Vulnerability in Industrial Products ***
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-275839…
---------------------------------------------
*** SSA-931064 (Last Update 2017-07-06): Authentication Bypass in SIMATIC Logon ***
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-931064…
---------------------------------------------
*** Cisco Security Advisories ***
---------------------------------------------
*** Cisco Nexus Series Switches Telnet CLI Command Injection Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
---------------------------------------------
*** Cisco Nexus Series Switches CLI Command Injection Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
---------------------------------------------
*** Cisco FireSIGHT System Software Arbitrary Code Execution Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
---------------------------------------------
*** Cisco Wide Area Application Services Central Manager Information Disclosure Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
---------------------------------------------
*** Cisco Wide Area Application Services Core Dump Denial of Service Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
---------------------------------------------
*** Cisco Ultra Services Framework Staging Server Arbitrary Command Execution Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
---------------------------------------------
*** Cisco Ultra Services Framework AutoVNF Log File User Credential Information Disclosure Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
---------------------------------------------
*** Cisco Ultra Services Framework AutoVNF Symbolic Link Handling Information Disclosure Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
---------------------------------------------
*** Cisco Ultra Services Framework UAS Unauthenticated Access Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
---------------------------------------------
*** Cisco StarOS Border Gateway Protocol Process Denial of Service Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
---------------------------------------------
*** Cisco Prime Network Privilege Escalation Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
---------------------------------------------
*** Cisco Identity Services Engine Guest Portal Cross-Site Scripting Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
---------------------------------------------
*** Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
---------------------------------------------
*** Cisco IOS XR Software Multicast Source Discovery Protocol Session Denial of Service Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
---------------------------------------------
*** Cisco IOS XR Software Incorrect Permissions Privilege Escalation Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
---------------------------------------------
*** Cisco Elastic Services Controller Unauthorized Access Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
---------------------------------------------
*** Cisco Elastic Services Controller Arbitrary Command Execution Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
---------------------------------------------
*** Cisco Prime Network Information Disclosure Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
---------------------------------------------
*** Cisco StarOS CLI Command Injection Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 04-07-2017 18:00 − Mittwoch 05-07-2017 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** #NoPetya-Attacke hinterließ Sicherheitslücke ***
---------------------------------------------
Der weltweite Cyberangriff in der vergangenen Woche hat schwerwiegendere Folgen als bislang bekannt.
---------------------------------------------
https://futurezone.at/digital-life/nopetya-attacke-hinterliess-sicherheitsl…
*** Cyber-Attacke NotPetya: Angebliche Angreifer wollen 250.000 Euro für Datenrettung ***
---------------------------------------------
Die mutmaßlichen Entwickler der Schadsoftware NotPetya wollen gegen 100 Bitcoin (fast 250.000 Euro) einen Schlüssel herausgeben, mit dem die Daten zu retten sein sollen. Ob sie Wort halten, ist unklar. Beobachter vermuten andere Motive hinter der Wendung.
---------------------------------------------
https://heise.de/-3764208
*** Ukrainian Police Seize Servers From Where NotPetya Outbreak First Spread ***
---------------------------------------------
Ukrainian Police announced today it seized the servers from where the NotPetya ransomware outbreak first started to spread. [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ukrainian-police-seize-serve…
*** The day a mysterious cyber-attack crippled Ukraine ***
---------------------------------------------
On the morning of Tuesday, 27 June, Oleh Derevianko, the head of Kiev-based cybersecurity firm Information Security Systems Partners (ISSP), was at Bessarabska market, a popular food market in the heart of downtown. Derevianko was picking up a few things before heading out for the 300km drive to his parents' village. Wednesday was constitution day in Ukraine, a national holiday, and he'd be using the mid-week break to spend a couple days with his kids.
---------------------------------------------
http://www.bbc.com/future/story/20170704-the-day-a-mysterious-cyber-attack-…
*** NotPetya Group Moves All Their Bitcoin, Posts Proposition on the Dark Web ***
---------------------------------------------
The person or group behind the NotPetya ransomware has made its first move since the outbreak that took place eight days ago. [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/security/notpetya-group-moves-all-the…
*** Doctor Web: M.E.Doc backdoor lets cybercriminals access computers ***
---------------------------------------------
July 4, 2017 Doctor Web security researchers examined the update module M.E.Doc and discovered that it is involved in the distribution of at least one other malicious program. You may recall that independent researchers named specifically this M.E.Doc update module as the source of the recent outbreak of the encryption worm Trojan.Encoder.12544, also known as NePetya, Petya.A, ExPetya and WannaCry-2. M.E.Doc is tax accounting software that is popular in Ukraine.
---------------------------------------------
http://news.drweb.com/show/?i=11363&lng=en&c=9
*** Qubes OS im Test: Linux sicher und nutzerfreundlich? ***
---------------------------------------------
Anwendungen und Einsatzbereiche voneinander per Virtualisierung trennen, gleichzeitig eine für den regulären Nutzer einfach zu bedienende Desktop-Oberfläche bieten: Das Qubes-OS-Projekt hat sich einiges vorgenommen.
---------------------------------------------
https://heise.de/-3764500
*** Österreich im Bereich Cybersicherheit auf Platz 30 ***
---------------------------------------------
Große Industriestaaten schneiden bei der Cybersicherheit einer UN-Studie zufolge teils schlechter ab als einige deutlich ärmere Staaten.
---------------------------------------------
https://futurezone.at/digital-life/oesterreich-im-bereich-cybersicherheit-a…
*** Introducing Linux Support for FakeNet-NG: FLARE's Next GenerationDynamic Network Analysis Tool ***
---------------------------------------------
Introduction In 2016, FLARE introduced FakeNet-NG, an open-source network analysis tool written in Python. FakeNet-NG allows security analysts to observe and interact with network applications using standard or custom protocols on a single Windows host, which is especially useful for malware analysis and reverse engineering. Since FakeNet-NG's release, FLARE has added support for additional protocols. FakeNet-NG now has out-of-the-box support for DNS, HTTP (including BITS), FTP, TFTP, [...]
---------------------------------------------
http://www.fireeye.com/blog/threat-research/2017/07/linux-support-for-faken…
*** The Hardware Forensic Database ***
---------------------------------------------
The Hardware Forensic Database (or HFDB) is a project of CERT-UBIK aiming at providing a collaborative knowledge base related to IoT Forensic methodologies and tools.
---------------------------------------------
http://hfdb.io/
*** Kundendaten: Datenleck bei der Deutschen Post ***
---------------------------------------------
Eine Datenbank mit 200.000 Umzugsmitteilungen der Post lag ungeschützt im Netz. Tausende andere Firmen aus aller Welt haben exakt den gleichen Fehler gemacht.
---------------------------------------------
https://www.golem.de/news/kundendaten-datenleck-bei-der-deutschen-post-1707…
*** Vulnerability Spotlight: Dell Precision Optimizer and Invincea Vulnerabilities ***
---------------------------------------------
Talos are releasing advisories for vulnerabilities in the Dell Precision Optimizer application service software, Invincea-X and Invincea Dell Protected Workspace. These packages are pre-installed on certain Dell systems. Vulnerabilities present in these applications could allow attackers to disable security mechanisms, escalate privileges and execute arbitrary code within the context of the application user.
---------------------------------------------
http://blog.talosintelligence.com/2017/06/vulnerability-spotlight-dell-prec…
*** Security Advisory - DoS Vulnerability in TLS of Some Huawei Products ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170705-…
*** rt-sa-2017-011 ***
---------------------------------------------
Remote Command Execution in PDNS Manager
---------------------------------------------
https://www.redteam-pentesting.de/advisories/rt-sa-2017-011.txt
*** DFN-CERT-2017-1159: Foxit Reader, Foxit PhantomPDF: Mehrere Schwachstellen ermöglichen u.a. die Ausführung beliebigen Programmcodes ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1159/
*** IBM Security Bulletin: Incorrect saved channel status enquiry could cause denial of service for IBM MQ (CVE-2017-1236) ***
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22003510
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect Tivoli Provisioning Manager for OS Deployment and Tivoli Provisioning Manager for Images ***
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22005108
*** IBM Security Bulletin: RabbitMQ vulnerability affect IBM Cloud Manager with OpenStack (CVE-2015-8786) ***
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=isg3T1025403
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 03-07-2017 18:00 − Dienstag 04-07-2017 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Yet more reasons to disagree with experts on nPetya ***
---------------------------------------------
In WW II, they looked at planes returning from bombing missions that were shot full of holes. Their natural conclusion was to add more armor to the sections that were damaged, to protect them in the future. But wait, said the statisticians. The original damage is likely spread evenly across the plane. Damage on returning planes indicates where they could damage and still return. The undamaged areas are where they were hit and couldnt return. Thus, its the undamaged areas you need to [...]
---------------------------------------------
http://blog.erratasec.com/2017/07/yet-more-reasons-to-disagree-with.html
*** Analysis of TeleBots cunning backdoor ***
---------------------------------------------
On the 27th of June 2017, a new cyberattack hit many computer systems in Ukraine, as well as in other countries. That attack was spearheaded by the malware ESET products detect as Diskcoder.C (aka ExPetr, PetrWrap, Petya, or NotPetya). This malware masquerades as typical ransomware: it encrypts the data on the computer and demands $300 bitcoins for recovery. In fact, the malware authors' intention was to cause damage, so they did all that they could to make data decryption very unlikely.
---------------------------------------------
https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-back…
*** GnuPG crypto library cracked, look for patches ***
---------------------------------------------
Boffins bust libgcrypt via side-channel Linux users need to check out their distributions to see if a nasty bug in libgcrypt20 has been patched.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2017/07/04/gnupg_crypt…
*** Cryptology ePrint Archive: Report 2017/627 ***
---------------------------------------------
Sliding right into disaster: Left-to-right sliding windows leak
Abstract: It is well known that constant-time implementations of modular exponentiation cannot use sliding windows. However, software libraries such as Libgcrypt, used by GnuPG, continue to use sliding windows. It is widely believed that, even if the complete pattern of squarings and multiplications is observed through a side-channel attack, the number of exponent bits leaked is not sufficient to carry out a full key-recovery [...]
---------------------------------------------
https://eprint.iacr.org/2017/627
*** ERCIM News 110 published - Special theme "Blockchain Engineering" ***
---------------------------------------------
The ERCIM News No. 110 has just been published at with a special theme on "Blockchain Engineering". SBA Research contributes two articles in this issue. The first article is by Aljosha Judmayer, Alexei Zamyatin, Nicholas Stifter and Edgar Weippl on [...]
---------------------------------------------
https://www.sba-research.org/2017/07/03/ercim-news-110-published-special-th…
*** Joomla! 3.7.3 Release ***
---------------------------------------------
Security Issues Fixed
Core - Information Disclosure (affecting Joomla 1.7.3-3.7.2)
Core - XSS Vulnerability (affecting Joomla 1.7.3-3.7.2)
Core - XSS Vulnerability (affecting Joomla 1.5.0-3.6.5)
---------------------------------------------
https://www.joomla.org/announcements/release-news/5709-joomla-3-7-3-release…
*** Petya Malware Variant (Update A) ***
---------------------------------------------
This updated alert is a follow-up to the original alert titled ICS-ALERT-17-181-01 Petya Ransomware Variant that was published June 30, 2017, on the NCCIC/ICS-CERT web site. ICS-CERT is aware of reports of a variant of the Petya malware that is affecting several countries. ICS-CERT is releasing this alert to enhance the awareness of critical infrastructure asset owners/operators about the Petya variant and to identify product vendors that have issued recommendations to mitigate the risk
---------------------------------------------
https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-181-01A
*** RSA Archer eGRC Multiple Flaws Let Remote Users Conduct Cross-Site Scripting, Cross-Site Request Forgery, and Open Redirect Attacks and Let Remote Authenticated Users Obtain Potentially Sensitive Information ***
---------------------------------------------
http://www.securitytracker.com/id/1038815
*** DFN-CERT-2017-1145: Apache Subversion: Eine Schwachstelle ermöglicht die Manipulation von Daten ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1145/
*** SSA-563539 (Last Update: 2017-07-04): Vulnerabilities in OZW672 and OZW772 ***
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-563539…
*** SSA-323211 (Last Update: 2017-07-04): Vulnerabilities in SIPROTEC 4 and SIPROTEC Compact Devices ***
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-323211…
*** SSA-452237 (Last Update: 2017-07-04): Vulnerabilities in Reyrolle ***
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-452237…
*** IBM Security Bulletin: Weak Cipher available in IBM API Connect (CVE-2015-2808) ***
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22003868
*** IBM Security Bulletin: Multiple vulnerabilities in Open Source zlib affects IBM Netezza Platform Software clients (CVE-2016-9840, CVE-2016-9841 and CVE-2016-9843). ***
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22001026
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 30-06-2017 18:00 − Montag 03-07-2017 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** From Pass-the-Hash to Pass-the-Ticket with No Pain ***
---------------------------------------------
We are all grateful to the Microsoft which gave us the possibility to use the "Pass the Hash" technique! In short: if we have the NTLM hashes of the user password, we can authenticate against the remote system without knowing the real password, just using the hashes. Things were (finally) changing, starting from Windows 7, [...]
---------------------------------------------
http://resources.infosecinstitute.com/pass-hash-pass-ticket-no-pain/
*** SQL Injection Vulnerability in WP Statistics ***
---------------------------------------------
As part of a vulnerability research project for our Sucuri Firewall, we have been auditing popular open source projects looking for security issues. While working on the WordPress plugin WP Statistics, we discovered a SQL Injection vulnerability. This plugin is currently installed on 300,000+ websites. Are You at Risk? This vulnerability is caused by the lack of sanitization in user provided data. An attacker with at least a subscriber account could leak sensitive data and under the right [...]
---------------------------------------------
https://blog.sucuri.net/2017/06/sql-injection-vulnerability-wp-statistics.h…
*** OutlawCountry Is CIAs Malware for Hacking Linux Systems ***
---------------------------------------------
WikiLeaks dumped today a manual describing a new CIA malware strain. Called OutlawCountry, this is malware designed for Linux operating systems. [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/security/outlawcountry-is-cias-malwar…
*** So You Think You Can Spot a Skimmer? ***
---------------------------------------------
This week marks the 50th anniversary of the automated teller machine -- better known to most people as the ATM or cash machine. Thanks to the myriad methods thieves have devised to fleece unsuspecting cash machine users over the years, there are now more ways than ever to get ripped off at the ATM. Think youre good at spotting the various scams? A newly released ATM fraud inspection guide may help you test your knowledge.
---------------------------------------------
https://krebsonsecurity.com/2017/06/so-you-think-you-can-spot-a-skimmer/
*** PE Section Name Descriptions, (Sun, Jul 2nd) ***
---------------------------------------------
PE files (.exe, .dll, ...) have sections: a section with code, one with data, ... Each section has a name, and different compilers use different section names. Section names can help us identify the compiler and the type of PE file we are analyzing.
---------------------------------------------
https://isc.sans.edu/diary/rss/22576
*** TLS security: Past, present and future ***
---------------------------------------------
The Transport Layer Security (TLS) protocol as it stands today has evolved from the Secure Sockets Layer (SSL) protocol from Netscape Communications and the Private Communication Technology (PCT) protocol from Microsoft that were developed in the 1990s, mainly to secure credit card transactions over the Internet. It soon became clear that a unified standard was required, and an IETF TLS WG was tasked. As a result, TLS 1.0 was specified in 1999, TLS 1.1 in [...]
---------------------------------------------
https://www.helpnetsecurity.com/2017/07/03/tls-security/
*** Achtung, Fake: Nein, Billa verlost keinen 250-Euro-Gutschein auf Whatsapp ***
---------------------------------------------
Der Kettenbrief verbreitet sich momentan rasant - Verlinkung auf mysteriöse Seite
---------------------------------------------
http://derstandard.at/2000060650645
*** WSUSpendu? What for? ***
---------------------------------------------
At BlackHat USA 2015, the WSUSpect attack scenario has been released. Approximately at the same time, some french engineers have been wondering if it would be possible to use a compromised WSUS server to extend the compromise to its clients, similarly to this WSUSpect attack. After letting this topic rest for almost two years, weve been able, at Alsid and ANSSI, to demonstrate this attack.
---------------------------------------------
https://github.com/AlsidOfficial/WSUSpendu
*** SB17-184: Vulnerability Summary for the Week of June 26, 2017 ***
---------------------------------------------
Original release date: July 03, 2017 The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit [...]
---------------------------------------------
https://www.us-cert.gov/ncas/bulletins/SB17-184
*** DSA-3901 libgcrypt20 - security update ***
---------------------------------------------
Daniel J. Bernstein, Joachim Breitner, Daniel Genkin, Leon GrootBruinderink, Nadia Heninger, Tanja Lange, Christine van Vredendaal andYuval Yarom discovered that Libgcrypt is prone to a local side-channelattack allowing full key recovery for RSA-1024.
---------------------------------------------
https://www.debian.org/security/2017/dsa-3901
*** Bugtraq: [CVE-2017-9313] Webmin 1.840 Multiple XSS Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/540794
*** Microsoft Dynamics CRM Input Validation Flaw in SyncFilterPage.aspx Lets Remote Users Conduct Cross-Site Scripting Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1038813
*** FortiWLM upgrade user account hard-coded credentials ***
---------------------------------------------
FortiWLM has a hard-coded password for its "upgrade" user account, which it uses to transfer files to and from the FortiWLC controller. Having the upgrade account credentials would allow an attacker to transfer files to any attached or previously attached controllers as an admin user, thus raising potential further security issues.
---------------------------------------------
http://fortiguard.com/psirt/FG-IR-17-115
*** F5 Security Advisories ***
---------------------------------------------
*** BIND vulnerability CVE-2017-3142 ***
https://support.f5.com/csp/article/K59448931
---------------------------------------------
*** BIND vulnerability CVE-2017-3143 ***
https://support.f5.com/csp/article/K02230327
---------------------------------------------
*** GnuTLS vulnerability CVE-2017-7507 ***
https://support.f5.com/csp/article/K37830055
---------------------------------------------
*** Novell Patches ***
---------------------------------------------
*** Sentinel 8.1 (Sentinel 8.1.0.0) Build 3732 ***
https://download.novell.com/Download?buildid=SISjocZzgJM~
---------------------------------------------
*** eDirectory 9.0.3 Patch 1 (9.0.3.1) ***
https://download.novell.com/Download?buildid=_f8Eq87R-gs~
---------------------------------------------
*** eDirectory 8.8 SP8 Patch 10 HotFix 1 ***
https://download.novell.com/Download?buildid=z1R5CZBTHBM~
---------------------------------------------
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Improper Authentication vulnerability affects IBM Security Guardium (CVE-2017-1264) ***
http://www-01.ibm.com/support/docview.wss?uid=swg22004425
---------------------------------------------
*** IBM Security Bulletin: IBM Security Guardium is affected by XML External Entity vulnerability (CVE-2017-1254) ***
http://www-01.ibm.com/support/docview.wss?uid=swg22004463
---------------------------------------------
*** IBM Security Bulletin: OS Command Injection vulnerability affects IBM Security Guardium (CVE-2017-1253 ) ***
http://www-01.ibm.com/support/docview.wss?uid=swg22004426
---------------------------------------------
*** IBM Security Bulletin: IBM Maximo Asset Management could allow a local user to obtain sensitive information due to inappropriate data retention of attachments(CVE-2017-1176) ***
http://www-01.ibm.com/support/docview.wss?uid=swg22005210
---------------------------------------------
*** IBM Security Bulletin: IBM Maximo Asset Management is vulnerable to SQL injection(CVE-2017-1175) ***
http://www-01.ibm.com/support/docview.wss?uid=swg22005212
---------------------------------------------
*** IBM Security Bulletin: IBM Maximo Asset Management is vulnerable to cross-site scripting(CVE-2017-1208) ***
http://www-01.ibm.com/support/docview.wss?uid=swg22005243
---------------------------------------------
*** IBM Security Bulletin: Multiple security vulnerabilities affect the Report Builder that is shipped with Jazz Reporting Service ***
http://www-01.ibm.com/support/docview.wss?uid=swg22001007
---------------------------------------------
*** IBM Security Bulletin: Security vulnerabilities in Apache Tomcat affect multiple IBM Rational products based on IBM's Jazz technology ***
http://www.ibm.com/support/docview.wss?uid=swg21999760
---------------------------------------------
*** IBM Security Bulletin: Cross-site scripting vulnerabilities affect IBM Rational Team Concert ***
http://www.ibm.com/support/docview.wss?uid=swg22004611
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in NTP and OpenSSL affect IBM Netezza Firmware Diagnostics ***
http://www-01.ibm.com/support/docview.wss?uid=swg21997020
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect SmartCloud Entry ***
http://www-01.ibm.com/support/docview.wss?uid=isg3T1025357
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect WebSphere Message Broker and IBM Integration Bus ***
http://www.ibm.com/support/docview.wss?uid=swg22005345
---------------------------------------------
*** IBM Security Bulletin: WebSphere Message Broker and IBM Integration Bus are affected by Information Disclosure vulnerability ***
http://www.ibm.com/support/docview.wss?uid=swg22005382
---------------------------------------------
*** IBM Security Bulletin: IBM Integration Bus and WebSphere Message Broker are affected by Unquoted Search Path or Element (CWE-428) Vulnerability on Windows ***
http://www.ibm.com/support/docview.wss?uid=swg22005383
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect WebSphere Message Broker and IBM Integration Bus ***
http://www.ibm.com/support/docview.wss?uid=swg22005335
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in Open Source Botan affects IBM Netezza Platform Software clients (CVE-2016-2849). ***
http://www-01.ibm.com/support/docview.wss?uid=swg22001108
---------------------------------------------
*** IBM Security Bulletin: WebSphere Message Broker and IBM Integration Bus are affected by Open Source Tomcat vulnerability ***
http://www.ibm.com/support/docview.wss?uid=swg22005331
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 29-06-2017 18:00 − Freitag 30-06-2017 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Eternal Champion Exploit Analysis ***
---------------------------------------------
Recently, a group named the ShadowBrokers published several remote server exploits targeting various protocols on older versions of Windows. In this post we are going to look at the EternalChampion exploit in detail to see what vulnerabilities it exploited, how it exploited them, and how the latest mitigations in Windows 10 break the exploit as-written....
---------------------------------------------
https://blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit…
*** Ransomware Attacks Continue in Ukraine with Mysterious WannaCry Clone ***
---------------------------------------------
A fourth ransomware campaign focused on Ukraine has surfaced today, following some of the patterns seen in past ransomware campaigns that have been aimed at the country, such as XData, PScrypt, and the infamous NotPetya. [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ransomware-attacks-continue-…
*** Sicherheitsupdates angekündigt: Ciscos IOS-System ist für Schadcode anfällig ***
---------------------------------------------
Bisher können Betroffene die Bedrohung durch neu entdeckte Schwachstellen in Ciscos IOS und IOS EX nur über Workarounds eindämmen. Sicherheitspatches sollen folgen.
---------------------------------------------
https://heise.de/-3759927
*** e-Government in Deutschland: Kritische Schwachstellen in zentraler Transportkomponente ***
---------------------------------------------
You can find the English version of this post here containing further technical details.Die "OSCI-Transport" Java-Bibliothek ist eine Kernkomponente im deutschen e-Government. Schwachstellen in dieser Komponente erlauben es einem Angreifer, bestimmte zwischen Behörden ausgetauschte Informationen zu entschlüsseln oder zu manipulieren bzw. sogar Daten von Behördenrechnern auszulesen.OSCI-Transport ist ein Protokoll, das dazu dient Daten zwischen Behörden sicher [...]
---------------------------------------------
http://blog.sec-consult.com/2017/06/e-government-in-deutschland-schwachstel…
*** Exploring the crypt: Analysis of the WannaCrypt ransomware SMB exploit propagation ***
---------------------------------------------
On May 12, there was a major outbreak of WannaCrypt ransomware. WannaCrypt directly borrowed exploit code from the ETERNALBLUE exploit and the DoublePulsar backdoor module leaked in April by a group calling itself Shadow Brokers. Using ETERNALBLUE, WannaCrypt propagated as a worm on older platforms, particularly Windows 7 and Windows Server 2008 systems that haven't...
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2017/06/30/exploring-the-crypt-ana…
*** Eternal Blues: A free EternalBlue vulnerability scanner ***
---------------------------------------------
It is to be hoped that after the WannaCry and NotPetya outbreaks, companies will finally make sure to install - on all their systems - the Windows update that patches SMB vulnerabilities leveraged by the EternalBlue and EternalRomance exploits. These exploits are currently available to practically any hacker who might want to use them, and protecting systems against them should be a must for every organization. But while bigger ones might have an IT department [...]
---------------------------------------------
https://www.helpnetsecurity.com/2017/06/30/eternal-blues-eternalblue-vulner…
*** Cyber Europe 2016: Key lessons from a simulated cyber crisis ***
---------------------------------------------
Today marks the end of the latest cyber crisis exercise organised by ENISA, with the release of the after action report and closure video of Cyber Europe 2016.
---------------------------------------------
https://www.enisa.europa.eu/news/enisa-news/cyber-europe-2016-key-lessons-f…
*** TeleBots are back: supply-chain attacks against Ukraine ***
---------------------------------------------
The latest Petya-like outbreak has gathered a lot of attention from the media. However, it should be noted that this was not an isolated incident: this is the latest in a series of similar attacks in Ukraine. This blogpost reveals many details about the Diskcoder.C (aka ExPetr, PetrWrap, Petya, or NotPetya) outbreak and related information about previously unpublished attacks.
---------------------------------------------
https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attack…
*** How Malicious Websites Infect You in Unexpected Ways ***
---------------------------------------------
You probably spend most of your time on a PC browsing, whether that is Facebook, news or just blogs or pages that appeal to your particular interest. If a malicious hacker wants to break into your computer and scramble the kilobytes that make up your digital life, his starting point will be to create a [...]
---------------------------------------------
https://heimdalsecurity.com/blog/malicious-websites/
*** SNMP Remote Code Execution Vulnerabilities in Cisco IOS and IOS XE Software ***
---------------------------------------------
The Simple Network Management Protocol(SNMP) subsystem of Cisco IOS and IOS XE Software contains multiple vulnerabilities that could allow an authenticated, remote attacker to remotely execute code on an affected system or cause an affected system to reload. An attacker could exploit these vulnerabilities by sending a crafted SNMP packet to an affected system via IPv4 or IPv6. Only traffic directed to an affected system can be used to exploit these vulnerabilities.
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
*** Schneider Electric U.motion Builder ***
---------------------------------------------
This advisory contains mitigation details for SQL injection, path traversal, improper authentication, use of hard-coded password, improper access control, denial of service, and information disclosure vulnerabilities in Schneider Electric's U.motion Builder.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-17-180-02
*** BIND TSIG Authentication Bugs Let Remote Users Bypass Authentication to Transfer or Modify Zone Conetnt ***
---------------------------------------------
http://www.securitytracker.com/id/1038809
*** SSA-545214 (Last Update 2017-06-29): Vulnerability in ViewPort for Web Office Portal ***
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-545214…
*** SSA-874235 (Last Update 2017-06-29): Intel Vulnerability in Siemens Industrial Products ***
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-874235…
*** 2017-06-16 (updated 2017-06-30): Cyber Security Notification - CrashOverride/Industroyer Malware ***
---------------------------------------------
http://search.abb.com/library/Download.aspx?DocumentID=9AKK107045A1003&Lang…
*** [2017-06-30] Multiple critical vulnerabilities in OSCI-Transport library 1.2 for German e-Government ***
---------------------------------------------
The OSCI-transport library 1.2, a core component of Germanys e-government infrastructure, is affected by XXE, padding oracle and signature wrapping. These vulnerabilities could be used to read local files from OSCI-systems, decrypt certain parts of a message or, under specific circumstances, even to forge messages.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2017…
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin:OpenSource ICU4C Vulnernabilties in IBM eDiscovery Analyzer ***
https://www-01.ibm.com/support/docview.wss?uid=swg21996949
---------------------------------------------
*** IBM Security Bulletin:Cross-site scripting vulnerability in WebSphere Application Server admin console in IBM Content Collector for Email ***
https://www-01.ibm.com/support/docview.wss?uid=swg21998348
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM eDiscovery Analyzer ***
https://www-01.ibm.com/support/docview.wss?uid=swg21996957
---------------------------------------------
*** IBM Security Bulletin: WebSphere Application Server vulnerability with malformed SOAP requests in IBM Content Collector for Email ***
https://www-01.ibm.com/support/docview.wss?uid=swg21998347
---------------------------------------------
*** IBM Security Bulletin: OpenSource Apache Struts vulnerability in Content Collector for IBM Connections ***
https://www-01.ibm.com/support/docview.wss?uid=swg21999097
---------------------------------------------
*** IBM Security Bulletin: OpenSource Apache Struts vulnerability in IBM Content Collector for Microsoft SharePoint ***
https://www-01.ibm.com/support/docview.wss?uid=swg21999099
---------------------------------------------
*** IBM Security Bulletin: OpenSource Apache Struts vulnerability in IBM Content Collector for File Systems ***
https://www-01.ibm.com/support/docview.wss?uid=swg21999105
---------------------------------------------
*** IBM Security Bulletin: OpenSource Apache Struts vulnerability in IBM Content Collector for Email ***
https://www-01.ibm.com/support/docview.wss?uid=swg21999106
---------------------------------------------
*** IBM Security Bulletin: Open Source Apache PDFBox Vulnerability in IBM eDiscovery Analyzer ***
https://www-01.ibm.com/support/docview.wss?uid=swg21991027
---------------------------------------------
*** IBM Security Bulletin: OpenSource Apache Struts vulnerability in Content Collector for IBM Connections ***
https://www-01.ibm.com/support/docview.wss?uid=swg21999098
---------------------------------------------
*** IBM Security Bulletin: zlib vulnerability may affect IBM SDK, Java Technology Edition ***
http://www-01.ibm.com/support/docview.wss?uid=swg22004465
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Intel Ethernet Controller XL710 affects IBM MQ Appliance ***
http://www-01.ibm.com/support/docview.wss?uid=swg22002763
---------------------------------------------
*** IBM Security Bulletin: Cross-Site Scripting vulnerability affects IBM Security Guardium (CVE-2017-1256) ***
http://www-01.ibm.com/support/docview.wss?uid=swg22004461
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in openssl, gnutl, mysql, kernel, glibc, ntp shipped with SmartCloud Entry Appliance ***
http://www.ibm.com/support/docview.wss?uid=isg3T1025342
---------------------------------------------
*** IBM Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - Jan 2017 - Includes Oracle Jan 2017 CPU affect Content Collector for IBM Connections ***
https://www-01.ibm.com/support/docview.wss?uid=swg22001465
---------------------------------------------
*** IBM Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - Jan 2017 - Includes Oracle Jan 2017 CPU affect IBM eDiscovery Analyzer ***
https://www-01.ibm.com/support/docview.wss?uid=swg22001458
---------------------------------------------
*** IBM Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - Jan 2017 - Includes Oracle Jan 2017 CPU affect IBM Content Collector for Microsoft SharePoint ***
https://www-01.ibm.com/support/docview.wss?uid=swg22001455
---------------------------------------------
*** IBM Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - Jan 2017 - Includes Oracle Jan 2017 CPU affect IBM Content Collector for File Systems ***
https://www-01.ibm.com/support/docview.wss?uid=swg22001463
---------------------------------------------
*** IBM Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - Jan 2017 - Includes Oracle Jan 2017 CPU affect IBM Content Collector for Email ***
https://www-01.ibm.com/support/docview.wss?uid=swg22001460
---------------------------------------------
*** IBM Security Bulletin: WebSphere Application Server vulnerability in IBM Content Collector for Email ***
https://www-01.ibm.com/support/docview.wss?uid=swg21998346
---------------------------------------------
*** IBM Security Bulletin: SQL Injection vulnerability affects IBM Security Guardium (CVE-2017-1269) ***
http://www-01.ibm.com/support/docview.wss?uid=swg22004462
---------------------------------------------
*** IBM Security Bulletin: Missing Authentication for Critical Function affects IBM Security Guardium (CVE-2017-1258) ***
http://www-01.ibm.com/support/docview.wss?uid=swg22004309
---------------------------------------------
*** IBM Security Bulletin: IBM InfoSphere Guardium is affected by Cleartext Transmission of Sensitive Information vulnerability (CVE-2016-0238 ) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21989124
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in IBM HTTP Server affects Netezza Performance Portal (CVE-2015-8743) ***
http://www-01.ibm.com/support/docview.wss?uid=swg22003173
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 28-06-2017 18:00 − Donnerstag 29-06-2017 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Petya/NotPetya: Kein Erpressungstrojaner sondern ein "Wiper" ***
---------------------------------------------
Nach eingehenden Analysen des Schädlings NotPetya sind sich die meisten Experten einig: Der Schädling hatte es nicht auf Geld abgesehen sondern auf Randale, sprich: auf möglichst großen Datenverlust bei den Opfern.
---------------------------------------------
https://heise.de/-3759293
*** Update on Petya malware attacks ***
---------------------------------------------
As happened recently with WannaCrypt, we again face a malicious attack in the form of ransomware, Petya. In early reports, there was a lot of conflicting information reported on the attacks, including conflation of unrelated and misleading pieces of data, so Microsoft teams mobilized to investigate and analyze, enabling our Malware Protection team to release...
---------------------------------------------
https://blogs.technet.microsoft.com/msrc/2017/06/28/update-on-petya-malware…
*** Websites Grabbing User-Form Data Before Its Submitted ***
---------------------------------------------
Websites are sending information prematurely:...we discovered NaviStones code on sites run by Acurian, Quicken Loans, a continuing education center, a clothing store for plus-sized women, and a host of other retailers. Using Javascript, those sites were transmitting information from people as soon as they typed or auto-filled it into an online form. That way, the company would have it even if those people immediately changed their minds and closed the page.This is important because it goes [...]
---------------------------------------------
https://www.schneier.com/blog/archives/2017/06/websites_grabbi.html
*** Microsoft Announces "Controlled Folder Access" to Fend Off Crypto-Ransomware ***
---------------------------------------------
This fall, Microsoft plans to release a new Windows Defender feature called Controlled Folder Access, which blocks and blacklists unauthorized apps from making changes to files located inside specially-designated folders. [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-announces-control…
*** DFN-CERT-2017-1124: Red Hat JBoss Enterprise Application Platform: Mehrere Schwachstellen ermöglichen u.a. verschiedene Denial-of-Service-Angriffe ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1124/
*** Symantec Management Console XSS/XXE Issues ***
---------------------------------------------
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se…
*** Kaspersky Anti-Virus for Linux File Server Multiple Flaws Let Remote Users Conduct Cross-Site Scripting and Cross-Site Request Forgery Attacks, Remote Authenticated Users View Files on the Target System, and Local Users Gain Elevated Privileges ***
---------------------------------------------
http://www.securitytracker.com/id/1038798
*** Bugtraq: ESA-2017-062: VASA Provider Virtual Appliance Remote Code Execution Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/540783
*** 2017-06-16 (updated 2017-06-27): Cyber Security Notification - CrashOverride/Industroyer Malware ***
---------------------------------------------
http://search.abb.com/library/Download.aspx?DocumentID=9AKK107045A1003&Lang…
*** SMTP - Moderatley Critical - Information Disclosure - SA-CONTRIB-2017-055 ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2017-055Project: SMTP Authentication Support (third-party module)Version: 7.x, 8.xDate: 2017-June-28Security risk: 10/25 ( Moderately Critical) AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:UncommonVulnerability: Information DisclosureDescriptionThis SMTP module enables you to send mail using a third party (non-system) mail service instead of the local system mailer included with Drupal. When this module is in debugging mode, it will log privileged [...]
---------------------------------------------
https://www.drupal.org/node/2890357
*** Services - Critical - SQL Injection - SA-CONTRIB-2017-054 ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2017-054Project: Services (third-party module)Version: 7.xDate: 2017-June-28Security risk: 19/25 ( Critical) AC:None/A:User/CI:All/II:All/E:Theoretical/TD:DefaultVulnerability: SQL InjectionDescriptionThis module provides a standardized solution for building APIs so that external clients can communicate with Drupal.The module doesnt sufficiently sanitize column names provided by the client when they are querying for data and trying to sort it.This vulnerability is [...]
---------------------------------------------
https://www.drupal.org/node/2890353
*** IBM Security Bulletin: Vulnerabilities in IBM Java SDK affecting IBM Application Delivery Intelligence v1.0.1, v1.0.1.1, v1.0.2 and v5.0.2. (CVE-2017-3539, CVE-2016-9840, CVE-2016-9841,CVE-2016-9842, CVE-2016-9843) ***
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22005365
*** IBM Security Bulletin: Cross-Site Scripting Vulnerability in IBM WebSphere Portal (CVE-2017-1217) ***
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22004348
*** IBM Security Bulletin: Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect AIX (CVE-2017-3514, CVE-2017-3512, CVE-2017-3511, CVE-2017-3509, CVE-2017-3544, CVE-2017-3533, CVE-2017-3539, CVE-2017-1289, CVE-2016-9840, CVE-2016-9841, ***
---------------------------------------------
http://aix.software.ibm.com/aix/efixes/security/java_apr2017_advisory.asc