=====================
= End-of-Day report =
=====================
Timeframe: Freitag 04-08-2017 18:00 − Montag 07-08-2017 18:00
Handler: Alexander Riepl
Co-Handler:
=====================
= News =
=====================
∗∗∗ You Can Trick Self-Driving Cars by Defacing Street Signs ∗∗∗
---------------------------------------------
A team of eight researchers has discovered that by altering street signs, an adversary could confuse self-driving cars and cause their machine-learning systems to misclassify signs and take ..
---------------------------------------------
https://www.bleepingcomputer.com/news/security/you-can-trick-self-driving-c…
∗∗∗ Passwortmanager: Lastpass ab sofort doppelt so teuer ∗∗∗
---------------------------------------------
Wer den Passwortmanager Lastpass nutzt, muss künftig mehr bezahlen. Nutzern der kostenfreien Version werden einige Funktionen gestrichten. Außerdem kündigt ..
---------------------------------------------
https://www.golem.de/news/passwortmanager-lastpass-ab-sofort-doppelt-so-teu…
∗∗∗ Links in phishing-like emails lead to tech support scam ∗∗∗
---------------------------------------------
Tech support scams continue to evolve, with scammers exploring more ways to reach potential victims. Recently, we have observed spam campaigns distributing links that lead to tech support scam websites. Anti-spam filters in Microsoft Exchange ..
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2017/08/07/links-in-phishing-like-…
∗∗∗ Increase of phpMyAdmin scans ∗∗∗
---------------------------------------------
PMA (or phpMyAdmin) is a well-known MySQL front-end written in PHP that brings MySQL to the web as stated on the web site[1]. The tool is very popularamongst web developers because it helps to maintain databases just by using a web browser. This also means that the front-end might be publicly exposed! It is a common findingin many penetration tests to find an old PMA interface left byan admin.
---------------------------------------------
https://isc.sans.edu/diary/rss/22688
∗∗∗ ESET Spreading FUD About Torrent Files, Clients ∗∗∗
---------------------------------------------
An anonymous reader writes: ESET has taken fear mongering, something that some security firms continue to do, to a new level by issuing a blanket warning to users to view torrent files and clients as a threat. The warning came from the companys so-called security evangelist Ondrej Kubovic, (who used extremely patchy data to try and ..
---------------------------------------------
https://it.slashdot.org/story/17/08/04/1938242/eset-spreading-fud-about-tor…
∗∗∗ Tale of the Two Payloads – TrickBot and Nitol ∗∗∗
---------------------------------------------
A couple of weeks ago, we observed the Necurs botnet distributing a new malware spam campaign with a payload combo that includes Trickbot and Nitol. Trickbot is a banking trojan ..
---------------------------------------------
http://trustwave.com/Resources/SpiderLabs-Blog/Tale-of-the-Two-Payloads-%e2…
∗∗∗ Erpressungstrojaner Cerber soll Bitcoins klauen ∗∗∗
---------------------------------------------
Offenbar ist den Malware-Entwicklern von Cerber das Lösegeld nicht genug: Der Verschlüsselungstrojaner soll sich nun auch Bitcoin-Wallets und Passwörter unter den Nagel reißen.
---------------------------------------------
https://heise.de/-3793763
∗∗∗ FireEye dementiert Hacker-Angriff auf US-Sicherheitsfirma Mandiant ∗∗∗
---------------------------------------------
Ein unbekannter Hacker brüstete sich damit, dass er das Netzwerk von Mandiant und Computer von Mitarbeitern kompromittiert hat. FireEye erklärt nun, dass das nicht stimmt.
---------------------------------------------
https://heise.de/-3794454
∗∗∗ Hackercamp SHA2017: All Computers are broken ∗∗∗
---------------------------------------------
ACAB mag in anderen Kreisen etwas anderes bedeuten, doch für Hacker ist die Sache klar: All Computers are broken. Das wurde auf dem niederländischen Hackercamp SHA2017 deutlich.
---------------------------------------------
https://heise.de/-3794575
∗∗∗ Hintergrund: Die Geschichte von Junipers enteigneter Hintertür ∗∗∗
---------------------------------------------
In einem mehrfach ausgezeichneten Paper liefern Forscher eine Art Krypto-Krimi. Sie dokumentieren minutiös, wie der Netzwerkausrüster Juniper eine versteckte Hintertür in seine Produkte einbaute – und wie ein externer Angreifer sie später umfunktionierte.
---------------------------------------------
https://heise.de/-3794610
∗∗∗ Gefälschte GMX-Nachricht: Konto gesperrt ∗∗∗
---------------------------------------------
Kriminelle versenden eine gefälschte GMX-Nachricht mit dem Betreff „GMX Konto Gesperrt“. Darin behaupten sie, dass das E-Mailkonto der Empfänger/innen gelöscht werde. Kund/innen, die das verhindern wollen, sollen ihre Zugangsdaten auf einer gefälschten GMX-Website ..
---------------------------------------------
https://www.watchlist-internet.at/phishing/gefaelschte-gmx-nachricht-konto-…
=====================
= Advisories =
=====================
∗∗∗ DSA-3926 chromium-browser - security update ∗∗∗
---------------------------------------------
https://www.debian.org/security/2017/dsa-3926
∗∗∗ DSA-3925 qemu - security update ∗∗∗
---------------------------------------------
https://www.debian.org/security/2017/dsa-3925
∗∗∗ Eaton ELCSoft Vulnerabilities ∗∗∗
---------------------------------------------
https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-216-01-0
∗∗∗ WP Live Chat Support <= 7.1.04 - Cross-Site Scripting (XSS) ∗∗∗
---------------------------------------------
https://wpvulndb.com/vulnerabilities/8880
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 03-08-2017 18:00 − Freitag 04-08-2017 18:00
Handler: Petr Sikuta
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Week In Review – 4th August 2017 ∗∗∗
---------------------------------------------
Creating Fake Identities Everything today seems to be linked to your identity; or perhaps more specifically, to your digital identity. While safeguarding ones identity is important, it is also equally important to find ways to stop people from creating fake identities. Kevin Mitnick belonged to an earlier generation that many of this generations up and comers may not have heard of. While today he is a respectable information security professional, he wasn’t always quite a white hat, and [...]
---------------------------------------------
https://www.alienvault.com/blogs/security-essentials/week-in-review-4th-aug…
∗∗∗ JavaScript Packages Caught Stealing Environment Variables ∗∗∗
---------------------------------------------
On August 1, npm Inc. — the company that runs the biggest JavaScript package repository — removed 38 JavaScript npm packages that were caught stealing environment variables from infected projects. [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/security/javascript-packages-caught-s…
∗∗∗ Verseuchte Chrome-Erweiterung infiziert eine Million User ∗∗∗
---------------------------------------------
Die Erweiterung Web Developer wurde gekapert und durch eine Version mit Schadsoftware ausgetauscht und an User verteilt.
---------------------------------------------
https://futurezone.at/digital-life/verseuchte-chrome-erweiterung-infiziert-…
∗∗∗ Verhaftung nach Black Hat: Wanna-Cry-Hacker soll Bankingtrojaner entwickelt haben ∗∗∗
---------------------------------------------
Ein britischer Sicherheitsforscher und Hacker ist in den USA verhaftet worden. Der 23-Jährige hatte unabsichtlich dazu beigetragen, die Ausbreitung von Wanna Cry zu verlangsamen. Er soll an der Entwicklung des Kronos-Bankentrojaners beteiligt gewesen sein.
---------------------------------------------
https://www.golem.de/news/wanna-cry-sicherheitsforscher-malwaretech-in-den-…
∗∗∗ Weekly Security Roundup ∗∗∗
---------------------------------------------
This week, we’ve published an article about session hijacking, a dangerous hacking method that takes control of a user’s account as they are live and using it. Security articles of the week (July 31st – August 4th, 2017) The biggest story from the beginning of this week was the HBO hack that ended up with leaked [...]
---------------------------------------------
https://heimdalsecurity.com/blog/weekly-security-roundup/
∗∗∗ Cisco schließt Super-Admin-Lücke ∗∗∗
---------------------------------------------
Der Netzwerkausrüster stellt elf Sicherheitsupdates für diverse Produkte bereit. Von den Lücken soll ein mittleres bis hohes Risiko ausgehen.
---------------------------------------------
https://heise.de/-3793025
=====================
= Advisories =
=====================
∗∗∗ Upcoming Security Updates for Adobe Reader and Acrobat (APSB17-24) ∗∗∗
---------------------------------------------
A prenotification Security Advisory has been posted regarding upcoming Adobe Reader and Acrobat updates scheduled for Tuesday, August 8, 2017.
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1478
∗∗∗ Schneider Electric Pro-face GP-Pro EX ∗∗∗
---------------------------------------------
This advisory contains mitigation details for an uncontrolled search path element vulnerability in Schneider Electric’s Pro-face GP-Pro EX.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-17-215-01
∗∗∗ IBM Security Bulletin: A vulnerability in libtirpc affects PowerKVM ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=isg3T1025258
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Security SiteProtector System ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22004331
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect WebSphere Extreme Scale ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22005297
∗∗∗ IBM Security Bulletin: Multiple Security Vulnerabilities exist in IBM Cognos TM1 ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22006551
∗∗∗ IBM Security Bulletin: Multiple Security Vulnerabilities exist in IBM Cognos Insight ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22006550
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 02-08-2017 18:00 − Donnerstag 03-08-2017 18:00
Handler: Petr Sikuta
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Windows Defender ATP machine learning: Detecting new and unusual breach activity ∗∗∗
---------------------------------------------
Microsoft has been investing heavily in next-generation security technologies. These technologies use our ability to consolidate large sets of data and build intelligent systems that learn from that data. These machine learning (ML) systems flag and surface threats that would otherwise remain unnoticed amidst the continuous hum of billions of normal events and the inability...
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2017/08/03/windows-defender-atp-ma…
∗∗∗ Enemy at the gates: Reviewing the Magnitude exploit kit redirection chain ∗∗∗
---------------------------------------------
Over the last few months, we have been keeping an eye on the Magnitude exploit kit which is mainly used to deliver the Cerber ransomware to specific countries in Asia. Our telemetry shows that South Korea is most impacted via ongoing malvertising campaigns. When a visitor goes to a website that monetizes its traffic via adverts he may be exposed to malicious advertising. Tailored ads shown in the browser are initiated on-the-fly via a process known as Real-time Bidding (RTB).
---------------------------------------------
https://blog.malwarebytes.com/cybercrime/2017/08/enemy-at-the-gates-reviewi…
∗∗∗ The Retefe Saga ∗∗∗
---------------------------------------------
Surprisingly, there is a lot of media attention going on at the moment on a macOS malware called OSX/Dok. In the recent weeks, various anti-virus vendors and security researchers published blog posts on this threat, presenting their analysis and findings. While some findings where very interesting, others were misleading or simply wrong.
---------------------------------------------
https://www.govcert.admin.ch/blog/33/the-retefe-saga
∗∗∗ Warnung vor Fake-Mail "Ihr Konto wurde limitiert" ∗∗∗
---------------------------------------------
[...] Diese E-Mail gibt sich als PayPal (service@ ppal.com) aus, PayPal hat mit der Betrugsmasche jedoch nichts zu tun. PayPal selbst wurde hier Opfer, indem sein Name missbräuchlich verwendet wird, um Nutzer in die Falle zu locken!
---------------------------------------------
http://www.mimikama.at/allgemein/ihr-konto/
∗∗∗ Sicherheitspatches: Varnish anfällig für DoS-Attacke ∗∗∗
---------------------------------------------
In verschiedenen Versionen von Varnish klafft eine Schwachstelle, über die Angreifer Server attackieren könnten.
---------------------------------------------
https://heise.de/-3791311
∗∗∗ Pwned Passwords: Neuer Dienst macht geknackte Passwörter auffindbar ∗∗∗
---------------------------------------------
Wurde mein Lieblings-Passwort schon einmal in einem Datenleck veröffentlicht und kann deswegen einfach für Bruteforce-Angriffe verwendet werden? Diese Frage beantwortet ein neuer Webdienst des Sicherheitsforschers Troy Hunt.
---------------------------------------------
https://heise.de/-3792707
∗∗∗ Malicious content delivered over SSL/TLS has more than doubled in six months ∗∗∗
---------------------------------------------
Threats using SSL encryption are on the rise. An average of 60 percent of the transactions in the Zscaler cloud have been delivered over SSL/TLS. Researchers also found that the Zscaler cloud saw an average of 8.4 million SSL/TLS-based security blocks per day this year. “Hackers are increasingly using SSL to conceal device infections, shroud data exfiltration and hide botnet command and control communications.
---------------------------------------------
https://www.helpnetsecurity.com/2017/08/03/malicious-content-ssl-tls/
∗∗∗ Gefälschte Bank Austria-Nachricht: Änderungen im OnlineBanking ∗∗∗
---------------------------------------------
In einer gefälschten Bank Austria-Nachricht schreiben Kriminelle, dass es zu einer Änderung im OnlineBanking-System gekommen sei. Das führt zu Fehlern, weshalb Kund/innen ihre Zugangsdaten auf einer Website nennen sollen. Empfänger/innen der Nachricht, die dem nachkommen, übermitteln ihre Passwörter an Verbrecher/innen.
---------------------------------------------
https://www.watchlist-internet.at/phishing/gefaelschte-bank-austria-nachric…
=====================
= Advisories =
=====================
∗∗∗ Cisco Videoscape Distribution Suite Cache Server Denial of Service Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the cache server within Cisco Videoscape Distribution Suite (VDS) for Television could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on a targeted appliance.The vulnerability is due to excessive mapped connections exhausting the allotted resources within the system. An attacker could exploit this vulnerability by sending large amounts of inbound traffic to a device with the intention of overloading certain resources.
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Identity Services Engine Authentication Bypass Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the authentication module of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to bypass local authentication.The vulnerability is due to improper handling of authentication requests and policy assignment for externally authenticated users. An attacker could exploit this vulnerability by authenticating with a valid external user account that matches an internal username and incorrectly receiving the authorization policy ...
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ IBM Security Bulletin: IBM Content Navigator Cross Site Scripting Vulnerability ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22003928
∗∗∗ IBM Security Bulletin: Apache Commons Collection Java Deserialization Vulnerability in Multiple N series Products ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009711
∗∗∗ IBM Security Bulletin: CVE-2015-4000 Diffie-Hellman Export Cipher Suite Vulnerabilities in Multiple N series Products ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009681
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 01-08-2017 18:00 − Mittwoch 02-08-2017 18:00
Handler: Petr Sikuta
Co-Handler: Alexander Riepl
=====================
= News =
=====================
∗∗∗ Ein paar Thesen zu aktuellen Gesetzesentwürfen ∗∗∗
---------------------------------------------
Ein paar Thesen zu aktuellen Gesetzesentwürfen31. Juli 2017Das Thema "LE going dark in the age of encrytion" kocht mal wieder hoch, und noch schnell vor den Neuwahlen wurden entsprechende Gesetzesentwürfe eingebracht. Ich will hier aus technischer Sicht ein paar Argumente in die Diskussion einwerfen, ..
---------------------------------------------
http://www.cert.at/services/blog/20170731130131-2076.html
∗∗∗ Auch bei Amazon: Android-Smartphones mit vorinstallierter Malware im Umlauf ∗∗∗
---------------------------------------------
Vorinstallierte Malware auf dem Smartphone dürfte für viele Nutzer ein Albtraum sein. In einem aktuellen Fall sollen günstige Smartphones des Herstellers Nomu betroffen sein. Diese sind auch in Deutschland bestellbar.
---------------------------------------------
https://www.golem.de/news/auch-bei-amazon-android-smartphones-mit-vorinstal…
∗∗∗ WannaCry Inspires Banking Trojan to Add Self-Spreading Ability ∗∗∗
---------------------------------------------
Although the wave of WannaCry and Petya ransomware has now been slowed down, money-motivated hackers and cyber criminals have taken lessons from the global outbreaks to make their malware more powerful. Security researchers have now discovered at least one group of cyber criminals that are attempting to ..
---------------------------------------------
https://thehackernews.com/2017/08/trickbot-banking-trojan.html
∗∗∗ Invisible Man malware runs keylogger on your Android banking apps ∗∗∗
---------------------------------------------
Top tip: Dont fetch and install dodgy Flash updates from random websites A new breed of Android malware is picking off mobile banking customers, particularly those in the UK and Germany, were told.
---------------------------------------------
http://www.theregister.co.uk/2017/08/02/banking_android_malware_in_uk/
∗∗∗ Sorry, psycho bosses, its not OK to keylog your employees ∗∗∗
---------------------------------------------
In Germany, at least, youre gonna have to get your jollies some other way Installing keylogging software on your employees computers and using what you find to fire them is not OK, a German court has decided.
---------------------------------------------
http://www.theregister.co.uk/2017/08/02/keylogging_software_for_employees/
∗∗∗ Exposed IoT servers let hackers unlock prison cells, modify pacemakers ∗∗∗
---------------------------------------------
A researcher has found an often misconfigured protocol (MQTT) puts heart monitors, oil pipelines or particle accelerators at risk of attack.
---------------------------------------------
http://www.zdnet.com/article/exposed-servers-hack-prison-cells-alter-pacema…
∗∗∗ Sicherheitsupdates: VMware vCenter Server und Tools angreifbar ∗∗∗
---------------------------------------------
Die Entwickler schließen mehrere Schwachstellen in ihrer Software. Keine Lücke gilt als kritisch.
---------------------------------------------
https://heise.de/-3790197
∗∗∗ Most damaging threat vector for companies? Malicious insiders ∗∗∗
---------------------------------------------
According to a new SANS survey, 40 percent of respondents rated malicious insiders (insiders who intentionally do harm) as the most damaging threat vector their companies faced. Furthermore, nearly half (49 percent) said they were in the process of developing a formal incident response plan with provisions ..
---------------------------------------------
https://www.helpnetsecurity.com/2017/08/02/malicious-insiders-threat-vector/
=====================
= Advisories =
=====================
∗∗∗ Mitsubishi Electric Europe B.V. E-Designer ∗∗∗
---------------------------------------------
This advisory contains mitigation details for heap-based buffer overflow, stack-based buffer overflow, and out-of-bounds write vulnerabilities in the Mitsubishi Electric Europe B.V. E-Designer.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-17-213-01
∗∗∗ Schneider Electric Trio TView ∗∗∗
---------------------------------------------
This advisory contains mitigation details for multiple vulnerabilities for Java Runtime Environment in Schneider Electric’s Trio TView software.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-17-213-02
∗∗∗ Security Advisory - Multiple Buffer Overflow Vulnerabilities in Driver of Huawei Smart Phone ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170801-…
∗∗∗ Security Advisory - DoS Vulnerability of Audio Driver in Some Huawei Smartphones ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170802-…
∗∗∗ Security Advisory - Insufficient Input Validation Vulnerability in Bastet of Huawei Smart Phone ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170802-…
∗∗∗ IBM Security Bulletin: Weaker than expected security in WebSphere Application Server (CVE-2017-1504) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22006803
∗∗∗ IBM Security Bulletin: Fix Available for IBM iNotes Cross-Site Scripting Vulnerability (CVE-2017-1327) ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22003664
∗∗∗ IBM Security Bulletin: IBM InfoSphere Master Data Management Server is vulnerable to cross-site scripting (XSS) Attack (CVE-2017-1199) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22006618
∗∗∗ IBM Security Bulletin: IBM InfoSphere Master Data Management is vulnerable to multiple OpenSSL vulnerabilities (CVE-2016-7055, CVE-2017-3730, CVE-2017-3731, CVE-2017-3732) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22006602
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 31-07-2017 18:00 − Dienstag 01-08-2017 18:00
Handler: Petr Sikuta
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Hacker bremsen Tesla Model X aus der Ferne ∗∗∗
---------------------------------------------
Chinesische Sicherheitsforscher konnten die Firmware manipulieren und zahlreiche Funktionen des Fahrzeugs kontrollieren.
---------------------------------------------
https://futurezone.at/produkte/hacker-bremsen-tesla-model-x-aus-der-ferne/2…
∗∗∗ Rooting Out Hosts that Support Older Samba Versions, (Tue, Aug 1st) ∗∗∗
---------------------------------------------
Ive had a number of people ask how they can find services on their network that still support SMBv1. In an AD Domain you can generally have good control of patching and the required registry keys to disable SMBv1. However, for non-domain members thats tougher.
---------------------------------------------
https://isc.sans.edu/diary/rss/22672
∗∗∗ Windows Hacking Kurs – Durchführungsgarantie ∗∗∗
---------------------------------------------
November 30, 2017 - December 01, 2017 - All Day SBA Research Favoritenstraße 16 Vienna
---------------------------------------------
https://www.sba-research.org/events/windows-hacking-kurs-durchfuhrungsgaran…
∗∗∗ CISSP Training – Durchführungsgarantie ∗∗∗
---------------------------------------------
September 11, 2017 - September 15, 2017 - All Day SBA Research Favoritenstraße 16 Vienna
---------------------------------------------
https://www.sba-research.org/events/cissp-training-durchfuhrungsgarantie-6/
∗∗∗ Incident Response Kurs – Durchführungsgarantie ∗∗∗
---------------------------------------------
September 27, 2017 - September 29, 2017 - All Day SBA Research Favoritenstraße 16 1040 Wien
---------------------------------------------
https://www.sba-research.org/events/incident-response-kurs-durchfuhrungsgar…
∗∗∗ Cobalt strikes back: an evolving multinational threat to finance ∗∗∗
---------------------------------------------
Cobalt has attacked banks, financial exchanges, insurance companies, investment funds, and other financial organizations. The group is not afraid to use the names of regulatory authorities or security topics to trick recipients into opening phishing messages from illegitimate domains. Now they actively use Supply Chain Attacks to leverage the infrastructure and accounts of actual employees at one company, in order to forge convincing emails targeting a different partner organization
---------------------------------------------
http://blog.ptsecurity.com/2017/08/cobalt-group-2017-cobalt-strikes-back.ht…
∗∗∗ Reddoxx: Angreifer können TÜV-geprüfte Mail-Archivierungssoftware kapern ∗∗∗
---------------------------------------------
Ein einfacher Ping-Befehl, der über ein Admin-Interface ausgelöst wird lässt sich von jedermann aus der Ferne missbrauchen, um beliebigen Code auszuführen. So können Angreifer die E-Mail-Software für rechtssichere Archivierung übernehmen.
---------------------------------------------
https://heise.de/-3785041
∗∗∗ Phisher bringen Chrome-Erweiterung Copyfish unter ihre Kontrolle ∗∗∗
---------------------------------------------
Wer die aktuelle Version von Copyfish installiert hat, wird von Werbeeinblendungen genervt. Nun hat Google die von Betrügern manipulierte Chrome-Erweiterung offline genommen.
---------------------------------------------
https://heise.de/-3787978
∗∗∗ NeoCoolCam: Chinesische IP-Kameras mit massiven Sicherheitslücken ∗∗∗
---------------------------------------------
Sicherheitsforscher haben wieder einmal gravierende Sicherheitslücken in IP-Kameras aufgedeckt. Mindestens 175.000 Geräte des Herstellers Shenzhen Neo Electronics lassen sich mit einfachen Mitteln aus dem Netz kapern.
---------------------------------------------
https://heise.de/-3788061
∗∗∗ Hackers can turn Amazon Echo into a covert listening device ∗∗∗
---------------------------------------------
New research released by MWR InfoSecurity reveals how attackers can compromise the Amazon Echo and turn it into a covert listening device, without affecting its overall functionality. Found to be susceptible to a physical attack, which allows an attacker to gain a root shell on the Linux Operating Systems and install malware, the Amazon Echo would enable hackers to covertly monitor and listen in on users and steal private data without their permission or knowledge.
---------------------------------------------
https://www.helpnetsecurity.com/2017/08/01/amazon-echo-covert-listening/
∗∗∗ Hinweis auf betrügerische Bestellung verbreitet Schadsoftware ∗∗∗
---------------------------------------------
Kriminelle versenden eine E-Mail, in der sie von einer Online-Bestellung sprechen. Sie sei von „Schwindlern begangen" worden. Empfänger/innen können Angaben zu der betrügerischen Bestellung auf einer Website herunterladen. Wenn sie das tun, installieren Nutzer/innen Schadsoftware auf ihrem Computer.
---------------------------------------------
https://www.watchlist-internet.at/gefaelschte-rechnungen/hinweis-auf-betrue…
∗∗∗ KRITIS: Erster branchenspezifischer Sicherheitsstandard anerkannt ∗∗∗
---------------------------------------------
https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2017/Erster_bran…
=====================
= Advisories =
=====================
∗∗∗ DFN-CERT-2017-1328: Red Hat JBoss Enterprise Application Platform: Zwei Schwachstellen ermöglichen die Ausführung beliebigen Programmcodes ∗∗∗
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1328/
∗∗∗ DFN-CERT-2017-1330: McAfee Security Scan Plus: Eine Schwachstelle ermöglicht die Ausführung beliebiger Programme mit Benutzerrechten ∗∗∗
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1330/
∗∗∗ IBM Security Bulletin: IBM InfoSphere Information Server is vulnerable to retrieval of access credentials by highly privileged users ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22006068
∗∗∗ IBM Security Bulletin: IBM InfoSphere Information Server is vulnerable to a privilege escalation ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22006067
∗∗∗ IBM Security Bulletin: IBM InfoSphere Information Server is potentially vulnerable to XML External Entity Injection (XXE) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22005803
∗∗∗ IBM Security Bulletin: IBM InfoSphere Information Server has a network layer security vulnerability ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22006063
∗∗∗ IBM Security Bulletin: Session fixation defect in IBM Security AppScan Enterprise (CVE-2016-9981) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22006430
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 28-07-2017 18:00 − Montag 31-07-2017 18:00
Handler: Robert Waldner
Co-Handler:
=====================
= News =
=====================
∗∗∗ Ein paar Thesen zu aktuellen Gesetzentwürfen ∗∗∗
---------------------------------------------
Ein paar Thesen zu aktuellen Gesetzentwürfen31. Juli 2017Das Thema "LE going dark in the age of encrytion" kocht mal wieder hoch, und noch schnell vor den Neuwahlen wurden entsprechende Gesetzesentwürfe eingebracht. Ich will hier aus technischer Sicht ein paar Argumente in die Diskussion einwerfen, beschränke mich hier aber rein auf den Aspekt Überwachung trotz Verschlüsselung.
---------------------------------------------
http://www.cert.at/services/blog/20170731130131-2076.html
∗∗∗ Reverse Engineering a JavaScript Obfuscated Dropper ∗∗∗
---------------------------------------------
1. Introduction Nowadays one of the techniques most used to spread malware on windows systems is using a JavaScript (js) dropper. A js dropper represents, in most attack scenarios, the first stage of a malware infection. It happens because Windows systems allow the execution of various scripting language using the Windows Script Host (WScript). This […]The post Reverse Engineering a JavaScript Obfuscated Dropper appeared first on InfoSec Resources.
---------------------------------------------
http://resources.infosecinstitute.com/reverse-engineering-javascript-obfusc…
∗∗∗ A new era in mobile banking Trojans ∗∗∗
---------------------------------------------
In mid-July 2017, we found a new modification of the well-known mobile banking malware family Svpeng – Trojan-Banker.AndroidOS.Svpeng.ae. In this modification, the cybercriminals have added new functionality: it now also works as a keylogger, stealing entered text through the use of accessibility services.
---------------------------------------------
http://securelist.com/a-new-era-in-mobile-banking-trojans/79198/
∗∗∗ LeakerLocker Mobile Ransomware Threatens to Expose User Information ∗∗∗
---------------------------------------------
While mobile ransomware such as the recent SLocker focuses on encrypting files on the victim’s devices, a new mobile ransomware named LeakerLocker taps into its victims worst fears by allegedly threatening to send personal data on a remote server and expose its contents to everyone on their contact lists.
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/tDsXJe6LJ0g/
∗∗∗ Das Millionengeschäft mit Softwarefehlern ∗∗∗
---------------------------------------------
Softwarefehler können enormen Schaden anrichten, wie zuletzt die großangelegte Cyberattacke mit der Schadsoftware „NotPetya“ gezeigt hat. Das Aufspüren solcher Schwachstellen ist die Aufgabe von Bug-Kopfgeldjägern, die damit oft gut verdienen. Interesse an den Diensten der Hacker gibt es dabei nicht nur vonseiten der Hersteller.
---------------------------------------------
http://orf.at/stories/2397792/2397793/
∗∗∗ Container security: The seven biggest mistakes companies are making ∗∗∗
---------------------------------------------
As enterprises increase adoption of containers, they also risk increasing the number of mistakes they make with the technology. Given that many companies are still wrapping their heads around the potential of container technology and how to best leverage it, that stands to reason. With that said, however, companies must ensure that they are establishing a solid foundation for security as they continue to identify strategies and workloads that make sense on a container platform. … More
---------------------------------------------
https://www.helpnetsecurity.com/2017/07/31/container-security-seven-biggest…
=====================
= Advisories =
=====================
∗∗∗ CAN Bus Standard Vulnerability ∗∗∗
---------------------------------------------
NCCIC/ICS-CERT is aware of a public report of a vulnerability in the Controller Area Network (CAN) Bus standard with proof-of-concept (PoC) exploit code affecting CAN Bus, a broadcast based network standard.
---------------------------------------------
https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-209-01
∗∗∗ Security flaw shows 3G, 4G LTE networks are just as prone to stingray phone tracking ∗∗∗
---------------------------------------------
Security researchers have revealed a recently discovered vulnerability in modern, high-speed cell networks, which they say can allow low-cost phone surveillance and location tracking.
---------------------------------------------
http://www.zdnet.com/article/stingray-security-flaw-cell-networks-phone-tra…
∗∗∗ Cloud-Antivirensoftware hilft beim Datenklau aus luftdichten Netzwerken ∗∗∗
---------------------------------------------
Mindestens vier Virenscanner, die verdächtige Daten zur Analyse in die Cloud hochladen, helfen beim Datenklau von ansonsten in ihrer Kommunikationsfähigkeit beschränkten PCs. Auch Virustotal ist betroffen.
---------------------------------------------
https://heise.de/-3786507
∗∗∗ Attacking industrial pumps by adjusting valves to create bubbles in the pipes. ∗∗∗
---------------------------------------------
https://twitter.com/KraftCERT/status/891929915200856064
∗∗∗ DFN-CERT-2017-1309/">FreeRDP: Mehrere Schwachstellen ermöglichen u.a. das Ausführen beliebigen Programmcodes ∗∗∗
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1309/
∗∗∗ [webapps] GitHub Enterprise < 2.8.7 - Remote Code Execution ∗∗∗
---------------------------------------------
https://www.exploit-db.com/exploits/42392/?rss
∗∗∗ IBM Security Bulletin: CVE-2017-3167, CVE-2017-3169, CVE-2017-7659, CVE-2017-7668 and CVE-2017-7679 in IBM i HTTP Server ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=nas8N1022204
∗∗∗ IBM Security Bulletin: 10x vulnerability in IBM Control Center could allow an outside user to obtain the ID (CVE-2017-1152) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22006361
∗∗∗ IBM Security Bulletin: Non-configured connections could cause denial of service in IBM WebSphere MQ Internet Pass-Thru (CVE-2017-1118 ) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22006580
∗∗∗ IBM Security Bulletin: A vulnerability in Java runtime from IBM affects IBM WebSphere MQ ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22005123
∗∗∗ Fortinet FortiOS Input Validation Flaws Lets Remote Users Conduct Cross-Site Scripting Attacks ∗∗∗
---------------------------------------------
http://www.securitytracker.com/id/1039020
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 27-07-2017 18:00 − Freitag 28-07-2017 18:00
Handler: Stephan Richter
Co-Handler:
=====================
= News =
=====================
∗∗∗ Google Study Quantifies Ransomware Profits ∗∗∗
---------------------------------------------
A ransomware study released Google revealed the malware earned criminals $25 million over the past two years.
---------------------------------------------
http://threatpost.com/google-study-quantifies-ransomware-revenue/127057/
∗∗∗ Attack Uses Docker Containers To Hide, Persist, Plant Malware ∗∗∗
---------------------------------------------
Abuse of the Docker API allows remote code execution on targeted system, which enables hackers to escalate and persists thanks to novel attacks called Host Rebinding Attack and Shadow Containers.
---------------------------------------------
http://threatpost.com/attack-uses-docker-containers-to-hide-persist-plant-m…
∗∗∗ The Cloak & Dagger Attack That Bedeviled Android For Months ∗∗∗
---------------------------------------------
Not all Android attacks come from firmware mistakes.
---------------------------------------------
https://www.wired.com/story/cloak-and-dagger-android-malware
∗∗∗ Hacker Says He Broke Through Samsungs Secure Smartphone Platform ∗∗∗
---------------------------------------------
When his rooting exploit worked on plenty of Android devices but failed on the Samsung Galaxy S7 Edge, researcher Di Shen decided to dig into KNOX.
---------------------------------------------
https://motherboard.vice.com/en_us/article/pad5jn/hacker-says-he-broke-thro…
∗∗∗ OPC Data Access IDAPython script ∗∗∗
---------------------------------------------
An IDAPython script for IDA Pro that helps reverse engineer binaries that are using the OPC Data Access protocol.
---------------------------------------------
https://github.com/eset/malware-research/blob/master/industroyer/README.adoc
∗∗∗ Internet der Dinge: Wenn die Waschstraße angreift ∗∗∗
---------------------------------------------
Sicherheitsforscher haben diverse Schwachstellen in automatisierten Autowaschstraßen gefunden, die sich sogar übers Internet missbrauchen lassen. Durch ferngesteuerte Tore, Roboterarme und Hochdruck-Wasserstrahle könnte es sogar zu Personenschäden kommen.
---------------------------------------------
https://heise.de/-3785654
∗∗∗ Microsoft opens fuzz testing service to the wider public ∗∗∗
---------------------------------------------
Microsoft Security Risk Detection, a cloud-based fuzz testing service previously known under the name Project Springfield, is now open to all and sundry.
---------------------------------------------
https://www.helpnetsecurity.com/2017/07/28/microsoft-fuzz-testing-service/
=====================
= Advisories =
=====================
∗∗∗ Continental AG Infineon S-Gold 2 (PMB 8876) ∗∗∗
---------------------------------------------
This advisory contains mitigation details for a stack-based buffer overflow and an improper restriction of operations within the bounds of a memory buffer vulnerability in Continental AGs Infineon S-Gold 2 (PMB 8876).
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-17-208-01
∗∗∗ Mirion Technologies Telemetry Enabled Devices ∗∗∗
---------------------------------------------
This advisory contains mitigation details for use of hard-coded cryptographic key and inadequate encryption strength vulnerabilities in Mirion Technologies Telemetry Enabled Devices.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-17-208-02
∗∗∗ PDQ Manufacturing, Inc. LaserWash, Laser Jet and ProTouch ∗∗∗
---------------------------------------------
This advisory contains mitigation details for improper authentication and missing encryption of sensitive data affecting PDQ Manufacturing, Inc.s LaserWash, LaserJet, and ProTouch car washes.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-17-208-03
∗∗∗ Multiple Cisco Products OSPF LSA Manipulation Vulnerability ∗∗∗
---------------------------------------------
Multiple Cisco products are affected by a vulnerability involving the Open Shortest Path First (OSPF) Routing Protocol Link State Advertisement (LSA) database. This vulnerability could allow an unauthenticated, remote attacker to take full control of the OSPF Autonomous System (AS) domain routing table, allowing the attacker to intercept or black-hole traffic.The attacker could exploit this vulnerability by injecting crafted OSPF packets. Successful exploitation could cause the targeted router [...]
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ VMSA-2017-0012 ∗∗∗
---------------------------------------------
VMware VIX API VM Direct Access Function security issue
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2017-0012.html
∗∗∗ VMSA-2017-0013 ∗∗∗
---------------------------------------------
VMware vCenter Server and Tools updates resolve multiple security vulnerabilities
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2017-0013.html
∗∗∗ Vuln: Cloud Foundry Cloud Controller API CVE-2017-8036 Incomplete Fix Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.securityfocus.com/bid/100002
∗∗∗ DFN-CERT-2017-1305: PHPMailer: Zwei Schwachstellen ermöglichen Cross-Site-Scripting-Angriffe ∗∗∗
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1305/
∗∗∗ DFN-CERT-2017-1310: Microsoft Outlook: Mehrere Schwachstellen ermöglichen u.a. die komplette Systemübernahme ∗∗∗
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1310/
∗∗∗ FortiOS XSS vulnerabilities via FortiView Application filter, FortiToken activation & SSL VPN Replacement Messages ∗∗∗
---------------------------------------------
http://fortiguard.com/psirt/FG-IR-17-104
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in OpenSource ISC Bind affects IBM Netezza Host Management ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22005830
∗∗∗ IBM Security Bulletin: Fix Available for IBM iNotes Cross-site Scripting Vulnerability (CVE-2017-1332) ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22005233
∗∗∗ IBM Security Bulletin: Multiple security vunerabilities in Oracle Java SE and Java SE Embedded affects IBM InfoSphere Master Data Management ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22006603
∗∗∗ IBM Security Bulletin: IBM System Networking Switch Center is affected by a Jsch vulnerability (CVE-2016-5725) ∗∗∗
---------------------------------------------
http://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=migr-50…
∗∗∗ IBM Security Bulletin: IBM InfoSphere Master Data Management is vulnerable to a Insecure JSF ViewState found in MDM User Interface (CVE-2016-9714) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22006608
∗∗∗ IBM Security Bulletin: IBM InfoSphere Master Data Management Server is vulnerable to Insecure HTTP Method – TRACE discovered in MDM User Interface (CVE-2016-9718) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22006606
∗∗∗ IBM Security Bulletin: IBM InfoSphere Master Data Management Server is vulnerable to a Cross Site Request Forgery discovered in MDM User Interface (CVE-2016-9716) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22006610
∗∗∗ IBM Security Bulletin: IBM InfoSphere Master Data Management Server is vulnerable to cross-site scripting Attack (CVE-2016-9715) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22006611
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities might affect IBM® SDK for Node.js™ ∗∗∗
---------------------------------------------
https://www-01.ibm.com/support/docview.wss?uid=swg22006298
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in coreutils, sudo, jasper, bind, bash, libtirpc, nss and nss-util affect IBM SmartCloud Entry ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=isg3T1025538
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in qemu-kvm and libguestfs affect SmartCloud Entry (CVE-2016-9603 CVE-2017-2633 CVE-2017-7718 CVE-2017-7980 CVE-2015-8869) ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=isg3T1025529
∗∗∗ IBM Security Bulletin: IBM i is affected by an OSPF vulnerability (CVE-2017-1460) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=nas8N1022191
∗∗∗ IBM Security Bulletin: The BigFix Platform has a vulnerability that can cause denial of service ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22003222
∗∗∗ IBM Security Bulletin: IBM InfoSphere Master Data Management is vulnerable to a X-Frame-Options Header ClickJacking attack (CVE-2016-9719 ) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22006607
∗∗∗ IBM Security Bulletin: IBM InfoSphere Master Data Management Server is vulnerable to HTTP Parameter Override discovered in MDM User Interface (CVE-2016-9717) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22006605
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Cloud Manager ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=isg3T1025397
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 26-07-2017 18:00 − Donnerstag 27-07-2017 18:00
Handler: Stephan Richter
Co-Handler:
=====================
= News =
=====================
∗∗∗ IoT-Geräte in Österreich: 31.000 von 280.000 unsicher ∗∗∗
---------------------------------------------
In Österreich gibt es eine beträchtlich hohe Zahl ungeschützter Router und Webcams im Internet, so eine neue Studie von Avast. Warum das ein Problem ist und was man tun kann.
---------------------------------------------
https://futurezone.at/produkte/iot-geraete-in-oesterreich-31-000-von-280-00…
∗∗∗ Lipizzan: Google findet neue Staatstrojaner-Familie für Android ∗∗∗
---------------------------------------------
Erneut hat Google eine Android-Spyware einer isrealischen Firma gefunden. Die Software tarnte sich als harmlose App im Playstore, die Rooting-Funktion wird dann nachgeladen.
---------------------------------------------
https://www.golem.de/news/lipizzan-google-findet-neue-staatstrojaner-famili…
∗∗∗ Announcing the Windows Bounty Program ∗∗∗
---------------------------------------------
https://blogs.technet.microsoft.com/msrc/2017/07/26/announcing-the-windows-…
∗∗∗ Extending Microsoft Edge Bounty Program ∗∗∗
---------------------------------------------
https://blogs.technet.microsoft.com/msrc/2017/05/16/extending-microsoft-edg…
∗∗∗ Broadpwn: Remotely Compromising Android and iOS via a Bug in Broadcom’s Wi-Fi Chipsets ∗∗∗
---------------------------------------------
Fully remote exploits that allow for compromise of a target without any user interaction have become something of a myth in recent years. While some are occasionally still found against insecure and unpatched targets such as routers, various IoT devices or old versions of Windows, practically no remotely exploitable bugs that reliably bypass DEP and ASLR have been found on Android and iOS. In order to compromise these devices, attackers [...]
---------------------------------------------
https://blog.exodusintel.com/2017/07/26/broadpwn/
∗∗∗ DeepINTEL Schedule updated – Psychology and Power Grids ∗∗∗
---------------------------------------------
We have updated the schedule for DeepINTEL 2017. The human mind and power grids are both critical infrastructure. Both can be manipulated and switched off, arguably. And most of us use both every day. So this is why we added two more presentations to the schedule.
---------------------------------------------
http://blog.deepsec.net/deepintel-schedule-updated-psychology-power-grids/
∗∗∗ Black Hat: Strahlungsmessgeräte per Funk manipulierbar ∗∗∗
---------------------------------------------
Ein Hacker hat Sicherheitslücken in stationären und mobilen Messgeräten für radioaktive Strahlung gefunden. Kriminelle könnten so radioaktives Material durch Kontrollen schleusen oder Fehlalarme in Kernreaktoren auslösen. Updates wird es nicht geben.
---------------------------------------------
https://heise.de/-3784966
∗∗∗ Slowloris all the things ∗∗∗
---------------------------------------------
At DEFCON, some researchers are going to announce a Slowloris-type exploit for SMB -- SMBloris. I thought Id write up some comments.The original Slowloris from several years creates a ton of connections to a web server, but only sends partial headers. The server allocates a large amount of memory to handle the requests, expecting to free that memory soon when the requests are completed. But the requests are never completed, so the memory remains tied up indefinitely.
---------------------------------------------
http://blog.erratasec.com/2017/07/slowloris-all-things.html
=====================
= Advisories =
=====================
∗∗∗ McAfee Releases Security Bulletin for Web Gateway ∗∗∗
---------------------------------------------
Original release date: July 27, 2017 McAfee has released a security bulletin to address multiple vulnerabilities in Web Gateway. Some of these vulnerabilities could allow a remote attacker to take control of an affected system.
---------------------------------------------
https://www.us-cert.gov/ncas/current-activity/2017/07/27/McAfee-Releases-Se…
∗∗∗ VU#547255: Dahua IP cameras Sonia web interface is vulnerable to stack buffer overflow ∗∗∗
---------------------------------------------
http://www.kb.cert.org/vuls/id/547255
∗∗∗ Cisco Access Control System Stored Cross-Site Scripting Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco IOS and IOS XE Software Autonomic Networking Infrastructure Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco IOS XE Software Autonomic Networking Infrastructure Certificate Revocation Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco IOS and IOS XE Software Autonomic Control Plane Channel Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ DFN-CERT-2017-1295: FortiNet FortiOS, FortiAnalyzer: Mehrere Schwachstellen ermöglichen u.a die Ausführung beliebigen Programmcodes ∗∗∗
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1295/
∗∗∗ DFN-CERT-2017-1303: Foxit PDF Compressor: Eine Schwachstelle ermöglicht das Ausführen beliebigen Programmcodes ∗∗∗
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1303/
∗∗∗ HPESBHF03765 rev.1 - HPE ConvergedSystem 700 Solution with Comware v7 Switches using OpenSSL, Remote Denial of Service (DoS) and Disclosure of Sensitive Information ∗∗∗
---------------------------------------------
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf037…
∗∗∗ Security Advisory - MaxAge LSA Vulnerability in OSPF Protocal of Some Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170720-…
∗∗∗ Security Advisory - BroadPwn Remote Code Execute Vulnerability ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170727-…
∗∗∗ IBM Security Bulletin: Weaker than expected security in IBM API Connect Developer Portal (CVE-2017-6922) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22005722
∗∗∗ IBM Security Bulletin: Weaker than expected security in IBM API Connect (CVE-2017-1386) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22004981
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Application Dependency Discovery Manager (TADDM) – IBM Java SDK updates April 2017 ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22005840
∗∗∗ IBM Security Bulletin: Cross-Site Scripting Vulnerability in IBM WebSphere Portal (CVE-2017-1303) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22004979
∗∗∗ [2017-07-27] Kathrein UFSconnect 916 multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2017…
∗∗∗ [2017-07-27] Ubiquiti Networks UniFi Cloud Key multiple critical vulnerabilities ∗∗∗
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2017…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 25-07-2017 18:00 − Mittwoch 26-07-2017 18:00
Handler: Stephan Richter
Co-Handler:
=====================
= News =
=====================
∗∗∗ Smart Drawing Pads Used for DDoS Attacks, IoT Fish Tank Used in Casino Hack ∗∗∗
---------------------------------------------
Some clever hackers found new ways to use the smart devices surrounding us, according to a report published last week by UK-based cyber-defense company Darktrace. [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/security/smart-drawing-pads-used-for-…
∗∗∗ IOS Forensics ∗∗∗
---------------------------------------------
1. INTRODUCTION Day by day, Smart phones and tablets are becoming popular, and hence technology used in development to add new features or improve the security of such devices is advancing too fast. iPhone and iPod are the game changer products launched by Apple. Apple operating system (IOS) devices started growing popular in the mobile [...]
---------------------------------------------
http://resources.infosecinstitute.com/ios-forensics/
∗∗∗ Windows SMB Zero Day to Be Disclosed During DEF CON ∗∗∗
---------------------------------------------
Microsoft has said it will not patch a two-decade-old Windows SMB vulnerability, called SMBloris because it behaves comparably to the Slowloris attacks. The flaw will be disclosed and demonstrated during DEF CON.
---------------------------------------------
http://threatpost.com/windows-smb-zero-day-to-be-disclosed-during-def-con/1…
∗∗∗ WikiLeaks drops another cache of ‘Vault7’ stolen tools ∗∗∗
---------------------------------------------
Latest dump is a trove of malware from Raytheon used for surveillance and data collection
---------------------------------------------
https://nakedsecurity.sophos.com/2017/07/26/wikileaks-drops-another-cache-o…
∗∗∗ Where are the holes in machine learning – and can we fix them? ∗∗∗
---------------------------------------------
Machine learning algorithms are increasingly a target for the bad guys - but the industry is working to stop them, explains Sophos chief data scientist Joshua Saxe
---------------------------------------------
https://nakedsecurity.sophos.com/2017/07/26/where-are-the-holes-in-machine-…
∗∗∗ How a Citadel Trojan Developer Got Busted ∗∗∗
---------------------------------------------
A U.S. District Court judge in Atlanta last week handed a five year prison sentence to Mark Vartanyan, a Russian hacker who helped develop and sell the once infamous and widespread Citadel banking trojan. This fact has been reported by countless media outlets, but far less well known is the fascinating backstory about how Vartanyan got caught.
---------------------------------------------
https://krebsonsecurity.com/2017/07/how-a-citadel-trojan-developer-got-bust…
=====================
= Advisories =
=====================
∗∗∗ CRASHOVERRIDE Malware ∗∗∗
---------------------------------------------
CRASHOVERRIDE, aka, Industroyer, is the fourth family of malware publically identified as targeting industrial control systems (ICS). It uses a modular design, with payloads that target several industrial communication protocols and are capable of directly controlling switches and circuit breakers. Additional modules include a data-wiping component and a module capable of causing a denial of service (DoS) to Siemens SIPROTEC devices.
---------------------------------------------
https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-206-01
∗∗∗ NXP i.MX Product Family ∗∗∗
---------------------------------------------
This advisory was originally posted to the NCCIC Portal on June 1, 2017, and is being released to the NCCIC/ICS-CERT web site. This advisory contains mitigation details for stack-based buffer overflow and improper certificate validation vulnerabilities in the NXP i.MX Product Family.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-17-152-02
∗∗∗ Bugtraq: [SECURITY] [DSA 3919-1] openjdk-8 security update ∗∗∗
---------------------------------------------
http://www.securityfocus.com/archive/1/540926
∗∗∗ DFN-CERT-2017-1288: Red Hat JBoss Enterprise Web Server: Mehrere Schwachstellen ermöglichen u.a. die Ausführung beliebigen Programmcodes ∗∗∗
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1288/
∗∗∗ Security Advisory - Two DoS Vulnerabilities in Call Module of Some Huawei Smart Phones ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170725-…
∗∗∗ Security Advisory - Resource Exhaustion Vulnerability in Some Huawei Smartphones ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170725-…
∗∗∗ IBM Security Bulletin: Multiple Security Vulnerabilities fixed in Java shipped as a component of IBM Security Privileged Identity Manager ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22006547
∗∗∗ SSA-323211 (Last Update 2017-07-25): Vulnerabilities in SIPROTEC 4 and SIPROTEC Compact Devices ∗∗∗
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-323211…
∗∗∗ SSA-822184 (Last Update 2017-07-26): Microsoft Web Server and HP Client Automation Vulnerabilities in Molecular Imaging Products from Siemens Healthineers ∗∗∗
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-822184…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 24-07-2017 18:00 − Dienstag 25-07-2017 18:00
Handler: Stephan Richter
Co-Handler:
=====================
= News =
=====================
∗∗∗ Fruit Fly 2: Mysteriöse Mac-Malware seit Jahren aktiv ∗∗∗
---------------------------------------------
Auch Mac-Nutzer sind nicht vor Schadsoftware sicher: Eine Malware soll seit mehr als fünf Jahren aktiv sein, aber nur einige hundert Nutzer befallen haben. Die Software ermöglicht einen weitgehenden Zugriff auf den Rechner und private Informationen. (Malware, Virus)
---------------------------------------------
https://www.golem.de/news/fruit-fly-2-mysterioese-mac-malware-seit-jahren-a…
∗∗∗ CowerSnail, from the creators of SambaCry ∗∗∗
---------------------------------------------
We recently reported about SambaCry, a new family of Linux Trojans exploiting a vulnerability in the Samba protocol. A week later, Kaspersky Lab analysts managed to detect a malicious program for Windows that was apparently created by the same group responsible for SambaCry.
---------------------------------------------
http://securelist.com/cowersnail-from-the-creators-of-sambacry/79087/
∗∗∗ Novel Attack Tricks Servers to Cache, Expose Personal Data ∗∗∗
---------------------------------------------
Researchers have a devised a way to trick a web server into caching pages and exposing personal data to attackers.
---------------------------------------------
http://threatpost.com/novel-attack-tricks-servers-to-cache-expose-personal-…
∗∗∗ SBA Research co-organizes ROOTS 2017 ∗∗∗
---------------------------------------------
November 16, 2017 - November 17, 2017 - All Day The Imperial Riding School Vienna Ungargasse 60 Vienna
---------------------------------------------
https://www.sba-research.org/events/sba-research-co-organizes-roots-2017/
∗∗∗ Alternatives to Government-Mandated Encryption Backdoors ∗∗∗
---------------------------------------------
Policy essay: "Encryption Substitutes," by Andrew Keane Woods
---------------------------------------------
https://www.schneier.com/blog/archives/2017/07/alternatives_to_1.html
∗∗∗ ShieldFS Is a Clever New Tool That Shuts Down Ransomware Before Its Too Late ∗∗∗
---------------------------------------------
By sniffing out ransomware in real-time, ShieldFS might be the cure to the internets latest security scourge.
---------------------------------------------
https://www.wired.com/story/shieldfs-ransomware-protection-tool
∗∗∗ ENISA invites European utilities to join EE-ISAC Expert meeting in September ∗∗∗
---------------------------------------------
Together with the DG Energy of the European Commission, ENISA is organising a full-day expert seminar, which will be held on 7th September, 2017 in Athens. Registration is now open.
---------------------------------------------
https://www.enisa.europa.eu/news/enisa-news/enisa-invites-european-utilitie…
=====================
= Advisories =
=====================
∗∗∗ VU#350135: Various WiMAX routers contain a authentication bypass vulnerability in custom libmtk httpd plugin ∗∗∗
---------------------------------------------
Vulnerability Note VU#350135 Various WiMAX routers contain a authentication bypass vulnerability in custom libmtk httpd plugin Original Release date: 07 Jun 2017 | Last revised: 24 Jul 2017 Overview WiMAX routers from several vendors making use of a custom httpd plugin for libmtk are vulnerable to an authentication bypass allowing a remote, unauthenticated attacker to change the administrator password on the device.
---------------------------------------------
http://www.kb.cert.org/vuls/id/350135
∗∗∗ VU#838200: Telerik Web UI contains cryptographic weakness ∗∗∗
---------------------------------------------
Vulnerability Note VU#838200 Telerik Web UI contains cryptographic weakness Original Release date: 25 Jul 2017 | Last revised: 25 Jul 2017 Overview The Telerik Web UI, versions R2 2017 (2017.2.503) and prior, is vulnerable to a cryptographic weakness which an attacker can exploit to extract encryption keys.
---------------------------------------------
http://www.kb.cert.org/vuls/id/838200
∗∗∗ [20170704] - Core - Installer: Lack of Ownership Verification ∗∗∗
---------------------------------------------
Project: Joomla! SubProject: CMS Installer Severity: High Versions: 1.0.0 through 3.7.3 Exploit type: Lack of Ownership Verification Reported Date: 2017-Apr-06 Fixed Date: 2017-July-25 CVE Number: CVE-2017-11364 Description The CMS installer application lacked a process to verify the users ownership of a webspace, potentially allowing users to gain control. Please note: Already installed sites are not affected, as this issue is limited to the installer application!
---------------------------------------------
http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/dsijOki-S50/700-20170704-c…
∗∗∗ [20170705] - Core - XSS Vulnerability ∗∗∗
---------------------------------------------
Project: Joomla! SubProject: CMS Severity: Low Versions: 1.5.0 through 3.7.3 Exploit type: XSS Reported Date: 2017-April-26 Fixed Date: 2017-July-25 CVE Number: CVE-2017-11612 Description Inadequate filtering of potentially malicious HTML tags leads to XSS vulnerabilities in various components.
---------------------------------------------
http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/uutSEqYQKbU/701-20170605-c…
∗∗∗ DFN-CERT-2017-1285: Cacti: Eine Schwachstelle ermöglicht einen Cross-Site-Scripting-Angriff ∗∗∗
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1285/
∗∗∗ Vulnerability in Citrix NetScaler SD-WAN Enterprise & Standard Edition and Citrix CloudBridge Virtual WAN Edition Could Result in Unauthenticated Remote Code Execution ∗∗∗
---------------------------------------------
https://support.citrix.com/article/CTX225990
∗∗∗ IBM Security Bulletin: IBM Sterling B2B Integrator has Cross Site Scripting vulnerabilities in Queue Watcher (CVE-2017-1496) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22006175
∗∗∗ IBM Security Bulletin: A vulnerability in OpenSource GNU Glibc affect IBM Netezza Host Management ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22005677
∗∗∗ IBM Security Bulletin: Security vulnerability affects the Report Builder that is shipped with Jazz Reporting Service (CVE-2017-1370) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22005868
∗∗∗ IBM Security Bulletin: Vulnerabilities in open source zlib library affect IBM Data Server Driver Package and IBM Data Server Driver for ODBC and CLI ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22002754
∗∗∗ IBM Security Bulletin: Open Source OpenSSL Vulnerabilities affect IBM Network Advisor ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010466
∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities affect IBM WebSphere Portal Rich Media Edition ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22005279
∗∗∗ [2017-07-24] Cross-Site Scripting (XSS) issue in multiple Ubiquiti Networks products ∗∗∗
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2017…
∗∗∗ [2017-07-24] Open Redirect issue in multiple Ubiquiti Networks products ∗∗∗
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2017…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily