Daily

daily@lists.cert.at

1 participants
3189 discussions

Tageszusammenfassung - 21.09.2017
by Daily end-of-shift report 21 Sep '17

21 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 20-09-2017 18:00 − Donnerstag 21-09-2017 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Transportverschlüsselung zwischen Mailservern ∗∗∗ --------------------------------------------- Empfehlungen zur Konfiguration mit Beispielen für Postfix und exim --------------------------------------------- https://www.dfn-cert.de/aktuell/smtp-transportverschluesselung.html ∗∗∗ Optimierungsprogramm: Ccleaner-Malware sollte wohl Techkonzerne ausspionieren ∗∗∗ --------------------------------------------- Cisco widerspricht Avast: Die zweite Stufe der mit Ccleaner verteilten Malware sei sehr wohl aktiviert worden. Angeblich sollen die Macher der Kampagne es auf Betriebsgeheimnisse großer Techfirmen abgesehen haben. --------------------------------------------- https://www.golem.de/news/optimierungsprogramm-ccleaner-malware-sollte-wohl… ∗∗∗ FedEX: TNT verliert durch NotPetya 300 Millionen US-Dollar ∗∗∗ --------------------------------------------- Angriffe auf die IT-Infrastruktur sind teuer: Nach Maersk hat auch das Logistikunternehmen TNT einen erheblichen Verlust durch NotPetya bekannt gegeben. Die Reparatur aller Systeme soll bis Ende September abgeschlossen werden. --------------------------------------------- https://www.golem.de/news/fedex-tnt-verliert-durch-notpetya-300-millionen-u… ∗∗∗ Deep-Learning PassGAN Tool Improve Password Guessing ∗∗∗ --------------------------------------------- A deep-learning network known as a GAN has been applied to passwords, and a tool called PassGAN significantly improves the ability to guess user passwords over tools such as Hashcat or John the Ripper. --------------------------------------------- http://threatpost.com/deep-learning-passgan-tool-improve-password-guessing/… ∗∗∗ Introducing Burplay, A Burp Extension for Detecting Privilege Escalations ∗∗∗ --------------------------------------------- The seventh entry on the most recent OWASP Top 10 release (from 2013, due to the 2017 release candidate being rejected!) is "Missing Function Level Access Control", which is essentially what leads to Privilege Escalation issues. This common vulnerability related... --------------------------------------------- https://www.trustwave.com/Resources/SpiderLabs-Blog/Introducing-Burplay,-A-… ∗∗∗ New FinFisher surveillance campaigns: Are internet providers involved? ∗∗∗ --------------------------------------------- New surveillance campaigns utilizing FinFisher, infamous spyware known also as FinSpy and sold to governments and their agencies worldwide, are in the wild. Besides featuring technical improvements, some of these variants have been using a cunning, previously-unseen infection vector with strong indicators of major internet service provider (ISP) involvement. --------------------------------------------- https://www.welivesecurity.com/2017/09/21/new-finfisher-surveillance-campai… ∗∗∗ Intel Management Engine gehackt ∗∗∗ --------------------------------------------- Sicherheitsexperten zeigten, wie sie eine Sicherheitslücke in Intels ME-Firmware nutzen, um unsignierten Code auszuführen. Die ME hat im Prinzip unbeschränkten Zugriff auf die Hardware des Systems, kann aber von Virenscannern nicht überwacht werden. --------------------------------------------- https://heise.de/-3837239 ∗∗∗ Verschlüsselung: Gpg4win 3.0 hält sich dezent im Hintergrund ∗∗∗ --------------------------------------------- Die Windows-Softwaresammlung Gpg4win verwendet Version 2.2 der freien Krypto-Engine GnuPG und sorgt dafür, dass Outlook mit dem OpenPGP/MIME-Standard umgehen kann. --------------------------------------------- https://heise.de/-3837176 ===================== = Advisories = ===================== ∗∗∗ Samba Releases Security Updates ∗∗∗ --------------------------------------------- Original release date: September 20, 2017 The Samba Team has released security updates to address several vulnerabilities in Samba. An attacker could exploit any of these vulnerabilities to obtain access to potentially sensitive information.US-CERT encourages users and administrators to review the Samba Security Announcements for CVE-2017-12150, CVE-2017-12151, and CVE-2017-12163 and apply the necessary updates, or refer to their Linux or Unix-based OS vendors for appropriate patches. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2017/09/20/Samba-Releases-Sec… ∗∗∗ Page Access - Unsupported - SA-CONTRIB-2017-75 ∗∗∗ --------------------------------------------- https://www.drupal.org/node/2910306 ∗∗∗ Skype Status - Moderately Critical - Cross Site Scripting - DRUPAL-SA-CONTRIB-2017-076 ∗∗∗ --------------------------------------------- https://www.drupal.org/node/2910308 ∗∗∗ Clientside Validation - Critical - Arbitary PHP Execution - DRUPAL-SA-CONTRIB-2017-072 ∗∗∗ --------------------------------------------- https://www.drupal.org/node/2907118 ∗∗∗ Security Update for tvOS 11 ∗∗∗ --------------------------------------------- https://support.apple.com/kb/HT208113 ∗∗∗ Security Update for watchOS 4 ∗∗∗ --------------------------------------------- https://support.apple.com/kb/HT208115 ∗∗∗ Cisco Unified Intelligence Center Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Wide Area Application Services HTTP Application Optimization Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco UCS Central Software Command Line Interface Restricted Shell Break Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Small Business SPA300, SPA500, and SPA51x Series IP Phones Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Small Business Managed Switches Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco FindIT DLL Preloading Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Email Security Appliance Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Unified Customer Voice Portal Operations Console Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Unified Intelligence Center Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Unified Intelligence Center User Interface Cross-Site Request Forgery Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ IBM Security Bulletin: Vulnerability in the Linux Kernel affects IBM Integrated Management Module II (IMM2) for System x, Flex and BladeCenter Systems (CVE-2017-6214) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/home/docdisplay?lndocid=migr-5099637 ∗∗∗ IBM Security Bulletin: IBM MQ termination of a client application causes denial of service (CVE-2017-1235) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22005415 ∗∗∗ IBM Security Bulletin: Open Source OpenSSL, GNUTls, RHEL CVE-2016-8610 'SSL-Death-Alert' affects IBM Cisco switches and directors. ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ssg1S1010572 ∗∗∗ IBM Security Bulletin: Multiple Java Vulnerabilities affect DB2 Text Search Stand Alone Accessories Suite ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22007190 ∗∗∗ OpenJDK vulnerabilities CVE-2015-2601, CVE-2015-2621, CVE-2015-2632, CVE-2015-4748, and CVE-2015-4749 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K84947349 ∗∗∗ HPESBHF03705 rev.2 - HPE Integrated Lights-Out 4 and Moonshot Remote Console Administrator (iLO 4 and MRCA) Remote Disclosure of Information ∗∗∗ --------------------------------------------- https://h20565.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=e… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.09.2017
by Daily end-of-shift report 20 Sep '17

20 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Dienstag 19-09-2017 18:00 − Mittwoch 20-09-2017 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ iTerm2 Leaks Everything You Hover in Your Terminal via DNS Requests ∗∗∗ --------------------------------------------- iTerm2, a popular Mac application that comes as a replacement for Apples official Terminal app, just received a security fix minutes ago for a severe security issue that leaked terminal content via DNS requests. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/iterm2-leaks-everything-you-… ∗∗∗ New tool: mac-robber.py, (Tue, Sep 19th) ∗∗∗ --------------------------------------------- On a recent forensic investigation where we couldn't take the Linux system down to image the disks, I was forced to do live response. Fortunately, I was able to get a memory image, but I also wanted a filesystem timeline. I first went to my old friend fls from The SleuthKit (TSK), but for some reason, it failed. So, I tried mac-robber (also from TSK) and it, too, failed. Not one to give up easily, I decided to write my own version of mac-robber in Python. Like the TSK mac-robber, [...] --------------------------------------------- https://isc.sans.edu/diary/rss/22844 ===================== = Advisories = ===================== ∗∗∗ PHOENIX CONTACT mGuard Device Manager ∗∗∗ --------------------------------------------- This advisory contains mitigation details for improper access control vulnerabilities within PHOENIX CONTACTs mGuard Device Manager associated with Oracle Java SE. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-262-01 ∗∗∗ WordPress 4.8.2 Security and Maintenance Release ∗∗∗ --------------------------------------------- WordPress 4.8.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. --------------------------------------------- https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance… ∗∗∗ Apple Security Updates ∗∗∗ --------------------------------------------- iOS 11: https://support.apple.com/en-us/HT208112 Safari 11: https://support.apple.com/en-us/HT208116 Xcode 9: https://support.apple.com/en-us/HT208103 --------------------------------------------- ∗∗∗ DFN-CERT-2017-1665: Apache Foundation Tomcat: Zwei Schwachstellen ermöglichen u.a. das Ausführen beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1665/ ∗∗∗ Security Advisory - Two Vulnerabilities in Some Huawei CPE Devices ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170920-… ∗∗∗ Security Advisory - Information Exposure Vulnerability in Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170920-… ∗∗∗ Security Advisory - FRP Bypass Vulnerability in Huawei Smart Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170920-… ∗∗∗ Security Advisory - Information Exposure Vulnerability on FusionSphere OpenStack ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170920-… ∗∗∗ F5 TMM vulnerability CVE-2017-6147 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K43945001 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.09.2017
by Daily end-of-shift report 19 Sep '17

19 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Montag 18-09-2017 18:00 − Dienstag 19-09-2017 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Avast Clarifies Details Surrounding CCleaner Malware Incident ∗∗∗ --------------------------------------------- Avast published earlier today a post-mortem of the CCleaner malware incident, in the hopes to clarify some of the details surrounding the event that many of its users found troubling. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/avast-clarifies-details-surr… ∗∗∗ Apples FaceID ∗∗∗ --------------------------------------------- This is a good interview with Apples SVP of Software Engineering about FaceID. Honestly, I dont know what to think. I am confident that Apple is not collecting a photo database, but not optimistic that it cant be hacked with fake faces. I dislike the fact that the police can point the phone at someone and have it automatically unlock. So this is important: I also quizzed Federighi about the exact way you "quick disabled" Face ID in tricky scenarios -- like being stopped by police, or [...] --------------------------------------------- https://www.schneier.com/blog/archives/2017/09/apples_faceid.html ∗∗∗ Old Themes, Abandoned Scripts and Pitfalls of Cleaning Serialized Data ∗∗∗ --------------------------------------------- Over the summer we’ve seen waves of WordPress database infections that use vulnerabilities in tagDiv’s Newspaper/Newsmag themes or InterconnectIT Search and Replace scripts (searchreplacedb2.php). The injections range from ad scripts coming from established ad networks like shorte.st to new domains created specifically for those attacks. Typical injected scripts look like this: [...] --------------------------------------------- https://blog.sucuri.net/2017/09/old-themes-abandoned-scripts-pitfalls-clean… ∗∗∗ Someone checked and, yup, you can still hijack Gmail, Bitcoin wallets etc via dirty SS7 tricks ∗∗∗ --------------------------------------------- Two-factor authentication by SMS? More like SOS Once again, its been demonstrated that vulnerabilities in cellphone networks can be exploited to intercept one-time two-factor authentication tokens in text messages. --------------------------------------------- https://www.theregister.co.uk/2017/09/18/ss7_vuln_bitcoin_wallet_hack_risk/ ∗∗∗ Open Hadoop Service Scanning Project ∗∗∗ --------------------------------------------- If you are looking at this page, then more than likely, you noticed a scan coming from this server across your network and/or poking at the Hadoop Namenode or Datanode web service. The Shadowserver Foundation is currently undertaking a project to search for publicly accessible devices that have one or both of these hadoop services service running. The goal of this project is to identify openly accessible systems that have these services running and report them back to the network owners for [...] --------------------------------------------- https://hadoopscan.shadowserver.org/ ∗∗∗ Call for Papers IT-SECX 2017 - "Future incident response" ∗∗∗ --------------------------------------------- Die IT-SECX ist eine Security-Konferenz mit Vorträgen und Workshops. [...] Das Motto der heurigen IT-SECX ist "Future incident response" mit dem Ziel aktuelle gezielte Angriffe, Malwarekampagnen und Gegenmaßnahmen zu diskutieren. Mit diesem Fokus sind Einreichungen für Vorträge zu folgenden Themen erwünscht: [...] --------------------------------------------- https://itsecx.fhstp.ac.at/call-for-papers/ ∗∗∗ Gefährdeter Datenschutz: Firefox löscht lokale Datenbanken nicht ∗∗∗ --------------------------------------------- Der Firefox-Browser bringt ein großes Datenschutzproblem mit sich. Nur umständlich lässt sich die Firefox-Chronik von Nutzern löschen. Webseiten können mühelos auf zuvor im Browser gespeicherte Daten zugreifen. --------------------------------------------- https://heise.de/-3835084 ∗∗∗ PC-Wahl: CCC demonstriert erneut einen Angriff und bietet Open-Source-Hilfe ∗∗∗ --------------------------------------------- Mit einem demonstrativen Hack macht der CCC auf ein erneutes Sicherheitsproblem der bereits mehrfach nachgebesserten Wahl-Software aufmerksam. Eine Open-Source-Spende soll PC-Wahl jetzt zu einer sicheren Update-Funktion verhelfen. --------------------------------------------- https://heise.de/-3835282 ∗∗∗ Unternehmen im Visier von Cyber-Kriminellen ∗∗∗ --------------------------------------------- Mit gefälschten Zahlungsanweisungen versuchen Kriminelle, von Unternehmen hohe Geldsummen zu stehlen. Ihre Nachrichten richten sich direkt an die Buchhaltung und geben vor, dass sie von der Geschäftsführung stammen. Mitarbeiter/innen, die auf den sogenannten CEO-Betrug hereinfallen, verursachen hohe Verluste. Wir zeigen Ihnen, wie Sie Ihr Unternehmen vor diesem Betrug schützen. --------------------------------------------- https://www.watchlist-internet.at/sonstiges/unternehmen-im-visier-von-cyber… ===================== = Advisories = ===================== ∗∗∗ [20170901] - Core - Information Disclosure ∗∗∗ --------------------------------------------- Project: Joomla! SubProject: CMS Severity: Low Versions: 3.7.0 through 3.7.5 Exploit type: Information Disclosure Reported Date: 2017-August-4 Fixed Date: 2017-September-19 CVE Number: CVE-2017-14595 Description A logic bug in a SQL query could lead to the disclosure of article intro texts when these articles are in the archived state. Affected Installs Joomla! CMS versions 3.7.0 through 3.7.5 Solution Upgrade to version 3.8.0 --------------------------------------------- https://developer.joomla.org/security-centre/710-20170901-core-information-… ∗∗∗ [20170902] - Core - LDAP Information Disclosure ∗∗∗ --------------------------------------------- Project: Joomla! SubProject: CMS Severity: Medium Versions: 1.5.0 through 3.7.5 Exploit type: Information Disclosure Reported Date: 2017-July-27 Fixed Date: 2017-September-19 CVE Number: CVE-2017-14596 Description Inadequate escaping in the LDAP authentication plugin can result into a disclosure of username and password. Affected Installs Joomla! CMS versions 1.5.0 through 3.7.5 Solution Upgrade to version 3.8.0 --------------------------------------------- https://developer.joomla.org/security-centre/711-20170902-core-ldap-informa… ∗∗∗ Security Advisory 2017-04: Security Update for all OTRS Versions ∗∗∗ --------------------------------------------- September 18, 2017 — Please read carefully and check if the version of your OTRS system is affected by this vulnerability. Please send information regarding vulnerabilities in OTRS to: security(a)otrs.org --------------------------------------------- https://www.otrs.com/security-advisory-2017-04-security-update-otrs-version… ∗∗∗ DSA-3978 gdk-pixbuf - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2017/dsa-3978 ∗∗∗ DSA-3977 newsbeuter - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2017/dsa-3977 ∗∗∗ DFN-CERT-2017-1643: Moodle: Mehrere Schwachstellen ermöglichen u.a. das Ausführen beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1643/ ∗∗∗ Security Advisory - Multiple Vulnerabilities in MTK Platform ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170919-… ∗∗∗ IBM Security Bulletin: API Connect Portal is affected by multiple Drupal vulnerabilities ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22008323 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect API Connect ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22008382 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Rational Synergy ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22008122 ∗∗∗ IBM Security Bulletin: Vulnerability in IBM WebSphere Application Server affects Tivoli Storage Productivity Center (CVE-2017-1382) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22007663 ∗∗∗ IBM Security Bulletin: Vulnerability in IBM WebSphere Application Server affects Tivoli Storage Productivity Center (CVE-2017-1380) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22007665 ∗∗∗ Expat vulnerability CVE-2016-0718 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K52320548 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.09.2017
by Daily end-of-shift report 18 Sep '17

18 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Freitag 15-09-2017 18:00 − Montag 18-09-2017 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Machine Learning Myths ∗∗∗ --------------------------------------------- “Machine learning” is the new “it” buzzword in security. As a result, it’s being thrown around fairly loosely on vendor websites and in marketing materials. Not only is that unfortunate for anyone looking to get a straight answer on how machine learning can help their company stay more secure, it is also fostering a general sense of confusion around what the term actually means. To help clear things up, let’s take a closer look at six of the most common [...] --------------------------------------------- https://feeds.feedblitz.com/~/459728214/0/alienvault-blogs~Machine-Learning… ∗∗∗ Optionsbleed: Apache-Webserver blutet ∗∗∗ --------------------------------------------- Beim Apache-Webserver lassen sich in bestimmten Konfigurationen Speicherfragmente durch einen Angreifer auslesen. Besonders kritisch ist diese Lücke in Shared-Hosting-Umgebungen. --------------------------------------------- https://www.golem.de/news/optionsbleed-apache-webserver-blutet-1709-130105-… ∗∗∗ CCleaner: Avast verteilt Malware mit Optimierungsprogramm ∗∗∗ --------------------------------------------- So hatten sich Nutzer die Optimierung des PCs sicher nicht vorgestellt: Eine Version von CCleaner wurde für rund einen Monat mit Malware ausgeliefert. --------------------------------------------- https://www.golem.de/news/ccleaner-avast-verteilt-malware-mit-optimierungsp… ∗∗∗ An (un)documented Word feature abused by attackers ∗∗∗ --------------------------------------------- A little while back we were investigating the malicious activities of the Freakyshelly targeted attack and came across spear phishing emails that had some interesting documents attached to them. They were in OLE2 format and contained no macros, exploits or any other active content. --------------------------------------------- http://securelist.com/an-undocumented-word-feature-abused-by-attackers/8189… ∗∗∗ Malicious Backdoors: Fake Images and Strrev Functions ∗∗∗ --------------------------------------------- When a website is compromised, attackers frequently leave behind a backdoor – according to our research around 70% of all website hacks include a backdoor. These backdoors are not designed to attack a website or destroy data, instead they allow an attacker to re-enter a targeted website with little to no authentication, providing them with unauthorized access to the system. Backdoors can be planted anywhere within a site, file system, or database. --------------------------------------------- https://blog.sucuri.net/2017/09/malicious-backdoors-fake-images-strrev-func… ∗∗∗ Achtung: Aktuelle Spam-Mails fälschen Absender von Mitarbeitern ∗∗∗ --------------------------------------------- Akute Gefahr geht von einer Schädlingswelle aus, die per E-Mail anrollt. Durch eine clevere Wahl der Absender könnten auch versierte Anwender verleitet werden, dem darin enthaltenen Link zu folgen. Er führt zu bislang weitgehend unerkannter Malware. --------------------------------------------- https://heise.de/-3834782 ∗∗∗ Keine Sicherheits-App der Erste Bank installieren ∗∗∗ --------------------------------------------- In einer gefälschten Erste Bank-Nachricht fordern Kriminelle Kund/innen dazu auf, dass sie eine Sicherheits-App für ihr mobiles Endgerät installieren. Das sei angeblich notwendig, damit diese weiterhin ihren OnlineBanking-Zugang nützen können. In Wahrheit ist die Sicherheits-App Schadsoftware. Sie ermöglicht es Unbekannten, auf die Konten ihrer Opfer zuzugreifen. --------------------------------------------- https://www.watchlist-internet.at/schadsoftware/keine-sicherheits-app-der-e… ∗∗∗ People cant read (Equifax edition) ∗∗∗ --------------------------------------------- One of these days Im going to write a guide for journalists reporting on the cyber. One of the items Id stress is that they often fail to read the text of what is being said, but instead read some sort of subtext that wasnt explicitly said. This is valid sometimes -- as the subtext is what the writer intended all along, even if they didnt explicitly write it. Other times, though the imagined subtext is not what the writer intended at all. A good example is the recent Equifax breach. --------------------------------------------- http://blog.erratasec.com/2017/09/people-cant-read-equifax-edition.html ===================== = Advisories = ===================== ∗∗∗ DSA-3974 tomcat8 - security update ∗∗∗ --------------------------------------------- Two issues were discovered in the Tomcat servlet and JSP engine. --------------------------------------------- https://www.debian.org/security/2017/dsa-3974 ∗∗∗ DSA-3975 emacs25 - security update ∗∗∗ --------------------------------------------- Charles A. Roelli discovered that Emacs is vulnerable to arbitrary codeexecution when rendering text/enriched MIME data (e.g. when usingEmacs-based mail clients). --------------------------------------------- https://www.debian.org/security/2017/dsa-3975 ∗∗∗ DSA-3976 freexl - security update ∗∗∗ --------------------------------------------- Marcin Icewall Noga of Cisco Talos discovered two vulnerabilities infreexl, a library to read Microsoft Excel spreadsheets, which mightresult in denial of service or the execution of arbitrary code if amalformed Excel file is opened. --------------------------------------------- https://www.debian.org/security/2017/dsa-3976 ∗∗∗ ZDI-17-811: EMC Data Protection Advisor Application Service Static Credentials Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to escalate privileges on vulnerable installations of EMC Data Protection Advisor. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-17-811/ ∗∗∗ Magento 2.0.16 and 2.1.9 Security Update ∗∗∗ --------------------------------------------- Magento Commerce and Open Source 2.1.9 and 2.0.16 contain multiple security enhancements that help close cross-site request forgery (CSRF), unauthorized data leak, and authenticated Admin user remote code execution vulnerabilities. --------------------------------------------- https://magento.com/security/patches/magento-2016-and-219-security-update ∗∗∗ SUPEE-10266 ∗∗∗ --------------------------------------------- SUPEE-10266, Magento Commerce 1.14.3.6 and Open Source 1.9.3.6 contain multiple security enhancements that help close cross-site request forgery (CSRF), unauthorized data leak, and authenticated Admin user remote code execution vulnerabilities. --------------------------------------------- https://magento.com/security/patches/supee-10266 ∗∗∗ BlackBerry response to impact of the vulnerabilities known as BlueBorne on BlackBerry products ∗∗∗ --------------------------------------------- http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber… ∗∗∗ Vuln: Moodle CVE-2017-12157 Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.securityfocus.com/bid/100848 ∗∗∗ Apache Struts 2 Remote Code Execution Vulnerability Affecting Multiple Cisco Products: September 2017 ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Multiple Vulnerabilities in Apache Struts 2 Affecting Cisco Products: September 2017 ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Meeting Server TURN Server Unauthorized Access and Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ DFN-CERT-2017-1634: ChakraCore: Mehrere Schwachstellen ermöglichen das Ausführen beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1634/ ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement products. ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22008401 ∗∗∗ IBM Security Bulletin: A vulnerability in XStream affects IBM InfoSphere Information Governance components ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22004784 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Spectrum Control and Tivoli Storage Productivity Center (CVE-2017-3511, CVE-2017-10115, CVE-2017-10116) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22006034 ∗∗∗ IBM Security Bulletin: Vulnerability in IBM WebSphere Application Server affects IBM Spectrum Control and Tivoli Storage Productivity Center (CVE-2017-1194) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22006028 ∗∗∗ IBM Security Bulletin: Sweet32 vulnerability affects IBM Spectrum Control and Tivoli Storage Productivity Center (CVE-2016-2183) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22006040 ∗∗∗ IBM Security Bulletin: Vulnerability in IBM WebSphere Application Server affects Tivoli Storage Productivity Center (CVE-2017-1137) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22006029 ∗∗∗ IBM Security Bulletin: Vulnerability in IBM WebSphere Application Server affects IBM Spectrum Control and Tivoli Storage Productivity Center (CVE-2017-1121) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22006027 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect ITCAM for SOA ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22008182 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities may affect IBM® WebSphere Real Time ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22006696 ∗∗∗ IBM Security Bulletin: Potential security vulnerability in selected fixpacks of WebSphere Application Server affects IBM Emptoris Strategic Supply Management suite of products and IBM Emptoris Services Procurement (CVE-2017-1501) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22008410 ∗∗∗ OpenJDK vulnerabilities CVE-2015-2621, CVE-2015-2632, CVE-2015-4748, and CVE-2015-4749 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K84947349 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.09.2017
by Daily end-of-shift report 15 Sep '17

15 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 14-09-2017 18:00 − Freitag 15-09-2017 18:00 Handler: Olaf Schwarz Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Ten Malicious Libraries Found on PyPI - Python Package Index ∗∗∗ --------------------------------------------- The Slovak National Security Office (NBU) has identified ten malicious Python libraries uploaded on PyPI — Python Package Index — the official third-party software repository for the Python programming language. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/ten-malicious-libraries-foun… ∗∗∗ Equifax Confirms March Struts Vulnerability Behind Breach ∗∗∗ --------------------------------------------- Equifax divulged on Wednesday that the culprit behind this summers breach of 143 million Americans was an Apache Struts vulnerability, CVE-2017-5638, patched back in March. --------------------------------------------- http://threatpost.com/equifax-confirms-march-struts-vulnerability-behind-br… ∗∗∗ VMware Patches Bug That Allows Guest to Execute Code on Host ∗∗∗ --------------------------------------------- Users who run four different types of VMware products, ESXi, vCenter Server, Fusion and Workstation, are being encouraged to update to address a series of vulnerabilities, one critical. --------------------------------------------- http://threatpost.com/vmware-patches-bug-that-allows-guest-to-execute-code-… ∗∗∗ Yet Another Android Malware Infects Over 4.2 Million Google Play Store Users ∗∗∗ --------------------------------------------- Even after so many efforts by Google, malicious apps somehow managed to fool its Play Stores anti-malware protections and infect people with malicious software. The same happened once again when at least 50 apps managed to make its way onto Google Play Store and were successfully downloaded as many as 4.2 million times—one of the biggest malware outbreaks. Security firm Check Point on --------------------------------------------- https://thehackernews.com/2017/09/play-store-malware.html ∗∗∗ Google veröffentlicht API zum Malware-Schutz für Android ∗∗∗ --------------------------------------------- Mit der SafetyNet Verify Apps API können Apps überprüfen, ob Android-Endgeräte Google Play Protect verwenden. Auch der Zugriff auf die Scan-Funktion ist über die Schnittstelle möglich. --------------------------------------------- https://heise.de/-3832697 ∗∗∗ Bashware: Windows 10 über Linux-Komponente angreifbar ∗∗∗ --------------------------------------------- Die Sicherheitsfirma Checkpoint hat eine Möglichkeit gefunden, wie man Windows-10-Rechner über die optionalen Linux-Komponenten des Betriebssystems angreifen kann. Allerdings übertreiben die Forscher den Ernst der Lage gehörig. --------------------------------------------- https://heise.de/-3833695 ∗∗∗ Malvertising-Kampagne setzt auf Krypto-Mining in fremden Browsern ∗∗∗ --------------------------------------------- Fremde CPU-Leistung mittels Malware zum Mining von Bitcoins und Co. zu missbrauchen, ist eine altbewährte Strategie. Eine aktuelle Malvertising-Kampagne im osteuropäischen Raum verlegt das Mining per JavaScript direkt in den Webbrowser. --------------------------------------------- https://heise.de/-3833536 ===================== = Advisories = ===================== ∗∗∗ LOYTEC LVIS-3ME ∗∗∗ --------------------------------------------- This advisory contains mitigation details for relative path traversal, insufficient entropy, cross-site scripting and insufficiently protected credentials vulnerabilities within LOYTECs LVIS-3ME HMI touch panel. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-257-01 ∗∗∗ VMSA-2017-0015 ∗∗∗ --------------------------------------------- VMware ESXi, vCenter Server, Fusion and Workstation updates resolve multiple security vulnerabilities --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2017-0015.html ∗∗∗ USN-3417-1: Libgcrypt vulnerability ∗∗∗ --------------------------------------------- Ubuntu Security Notice USN-3417-1 14th September, 2017 libgcrypt20 vulnerability A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 17.04 Summary Libgcrypt could be made to expose sensitive information. Software description libgcrypt20 - LGPL Crypto library Details Daniel Genkin, Luke Valenta, and Yuval Yarom discovered that Libgcrypt was susceptible to an attack via side channels. A local attacker could use this attack to recover Curve25519 private keys. --------------------------------------------- http://www.ubuntu.com/usn/usn-3417-1/ ∗∗∗ IBM Security Bulletin: IBM Spectrum Scale Object Protocols functionality is affected by a security vulnerability in Python (CVE-2017-2592) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010471 ∗∗∗ IBM Security Bulletin: Open Source Apache PDFBox Vulnerabilities in IBM Content Classification ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=swg21991021 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.09.2017
by Daily end-of-shift report 14 Sep '17

14 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 13-09-2017 18:00 − Donnerstag 14-09-2017 18:00 Handler: Alexander Riepl Co-Handler: Olaf Schwarz ===================== = News = ===================== ∗∗∗ Zerodium Offering $1M for Tor Browser Zero Days ∗∗∗ --------------------------------------------- Exploit acquisition vendor Zerodium said Wednesday it will pay up to $1M for an unknown Tor Browser zero day. --------------------------------------------- http://threatpost.com/zerodium-offering-1m-for-tor-browser-zero-days/127959/ ∗∗∗ Another webshell, another backdoor! ∗∗∗ --------------------------------------------- Im still busy to follow how webshells are evolving... I recently found another backdoor in another webshell called "cor0.id". The best place to find webshells remind pastebin.com. When Im testing a webshell, I copy it in a VM located on a "wild Internet" VLAN in my home lab with, amongst other controls, full packet capture enabled. --------------------------------------------- https://isc.sans.edu/diary/rss/22826 ∗∗∗ Old Themes, Abandoned Scripts and Pitfalls of Cleaning Serialized Data ∗∗∗ --------------------------------------------- Over the summer we’ve seen waves of WordPress database infections that use vulnerabilities in tagDiv’s Newspaper/Newsmag themes or InterconnectIT Search and Replace scripts (searchreplacedb2.php). The injections range from ad scripts coming from established ad networks like shorte.st to new domains created specifically for those attacks. Typical injected scripts look like this ... --------------------------------------------- https://blog.sucuri.net/2017/09/old-themes-abandoned-scripts-pitfalls-clean… ∗∗∗ Samsung’s launches bug bounty program and will reward up to $200,000 to anyone who discovers vulnerabilities in its mobile devices and associated software ∗∗∗ --------------------------------------------- Samsung says,”We take security and privacy issues very seriously; and as an appreciation for helping Samsung Mobile improve the security of our products and minimizing risk to our end-consumers, we are offering a rewards program for eligible security vulnerability reports,”. --------------------------------------------- https://www.techposts.net/samsung-launches-bug-bounty-program-offering-boun… ∗∗∗ Enlarge your botnet with: top D-Link routers (DIR8xx D-Link routers cruisin for a bruisin) ∗∗∗ --------------------------------------------- In this article, we are going to discuss vulnerabilities detected in the top D-Link routers. The devices use the same code, thus giving a magnificent and quite tempting opportunity to attackers to add them to a botnet. Moreover, we have managed to make Mirai for the devices by modifying its compilation script a bit. --------------------------------------------- https://embedi.com/blog/enlarge-your-botnet-top-d-link-routers-dir8xx-d-lin… ∗∗∗ "Display Widgets": WordPress-Plugin mit Backdoor aus Repository entfernt ∗∗∗ --------------------------------------------- Ein Plugin zur Verwaltung von WordPress-Widgets enthielt eine Backdoor, die dessen Herausgeber über Monate hinweg den Fernzugriff ermöglichte. Nun wurde es endgültig aus dem WordPress-Repository entfernt. Ein Update säubert bestehende Installationen. --------------------------------------------- https://heise.de/-3831761 ∗∗∗ Schwere Lücke im Router D-Link DIR-850L: Patches kommen am 19. September ∗∗∗ --------------------------------------------- Die Heimrouter können von Angreifern aus der Ferne übernommen werden. Bisher gibt es kein Update, da der Entdecker der Lücken D-Link vor der Veröffentlichung nicht informiert hat. Nun hat die Firma das Datum mitgeteilt, ab dem es Patches geben soll. --------------------------------------------- https://heise.de/-3832456 ∗∗∗ End of extended support for Office 2007 ∗∗∗ --------------------------------------------- The end of extended support for the Office 2007 family of desktop and server products is coming up next month. See Office 2007 approaching end of extended support for more details and the list of affected products. --------------------------------------------- https://blogs.technet.microsoft.com/office_sustained_engineering/2017/09/13… ===================== = Advisories = ===================== ∗∗∗ DSA-3972 bluez - security update ∗∗∗ --------------------------------------------- An information disclosure vulnerability was discovered in the ServiceDiscovery Protocol (SDP) in bluetoothd, allowing a proximate attacker toobtain sensitive information from bluetoothd process memory, includingBluetooth encryption keys. --------------------------------------------- https://www.debian.org/security/2017/dsa-3972 ∗∗∗ Flag clear - Moderately Critical - CSRF - DRUPAL-SA-CONTRIB-2017-074 ∗∗∗ --------------------------------------------- Advisory ID: DRUPAL-SA-CONTRIB-2017-074 Vulnerability: Cross Site Request Forgery Description: The Flag clear module allows administrators to remove user flags for content. This functionality is often useful in user-submission use-cases, where users do not necessarily need to unflag things on their own. --------------------------------------------- https://www.drupal.org/node/2908592 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Rational ClearQuest (CVE-2017-1289) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22007617 ∗∗∗ IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Rational ClearQuest (CVE-2016-7055, CVE-2017-3731) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22002883 ∗∗∗ IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Rational ClearCase (CVE-2016-7055, CVE-2017-3731) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22002863 ∗∗∗ Persistent Cross-Site Scripting in SilverStripe CMS ∗∗∗ --------------------------------------------- https://www.sec-consult.com/en/blog/advisories/persistent-cross-site-script… ∗∗∗ Authenticated Command Injection in Ubiquiti Networks UniFi Cloud Key ∗∗∗ --------------------------------------------- https://www.sec-consult.com/en/blog/advisories/authenticated-command-inject… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.09.2017
by Daily end-of-shift report 13 Sep '17

13 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Dienstag 12-09-2017 18:00 − Mittwoch 13-09-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Over 4,000 ElasticSearch Servers Found Hosting PoS Malware Files ∗∗∗ --------------------------------------------- The Kromtech Security Center has identified over 4,000 instances of ElasticSearch servers that are hosting files specific to two strains of POS (Point of Sale) malware — AlinaPOS and JackPOS. --------------------------------------------- https://www.bleepingcomputer.com/news/security/over-4-000-elasticsearch-ser… ∗∗∗ Blueborne: Sicherheitslücken gefährden fünf Milliarden Bluetooth-Geräte ∗∗∗ --------------------------------------------- Etwa fünf Milliarden Geräte weltweit sollen von kritischen Bluetooth-Sicherheitslücken betroffen sein. Die Fehler liegen jedoch nicht im Protokoll, sondern in den entsprechenden Stacks von Windows, Linux und Android. Bei Apple sind nur ältere Geräte von Blueborne betroffen. --------------------------------------------- https://www.golem.de/news/bluetooth-kritische-sicherheitsluecken-ermoeglich… ∗∗∗ Exploit for CVE-2017-8759 detected and neutralized ∗∗∗ --------------------------------------------- The September 12, 2017 security updates from Microsoft include the patch for a previously unknown vulnerability exploited through Microsoft Word as an entry vector. Customers using Microsoft advanced threat solutions were already protected against this threat. The .. --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2017/09/12/exploit-for-cve-2017-87… ∗∗∗ Hackers Got Into America’s Power Grid. But Don’t Freak Out. ∗∗∗ --------------------------------------------- Last week cybersecurity firm Symantec released a report on what it calls Dragonfly 2.0—a collection of intrusions into industrial and energy-related organizations worldwide. For the last six years, the Dragonfly intrusions and others have regularly gone deeper into the operational networks that control elements of America’s power grid. --------------------------------------------- http://fortune.com/2017/09/11/dragonfly-2-0-symantec-hackers-power-grid/ ∗∗∗ WordPress’ Poor Handling of Plugin Security Exacerbates Malicious Takeover of Display Widgets ∗∗∗ --------------------------------------------- Recently there has been a fair amount of coverage of popular Chrome extensions being modified to include malicious code after the login credentials used to control them in the Chrome Web Store had been compromised .. --------------------------------------------- https://www.pluginvulnerabilities.com/2017/09/11/wordpress-poor-handling-of… ∗∗∗ Adobe stopft Sicherheitslücken in Flash, ColdFusion und RoboHelp ∗∗∗ --------------------------------------------- Auch bei Adobe ist wieder Patchday und der Tradition entsprechend patcht die Firma zu dieser Gelegenheit wieder einmal kritische Lücken im Flash Player. Auch ColdFusion und RoboHelp erhalten Updates. --------------------------------------------- https://heise.de/-3830067 ∗∗∗ Compromised LinkedIn accounts used to send phishing links via private message and InMail ∗∗∗ --------------------------------------------- A recent attack uses existing LinkedIn user accounts to send phishing links to their contacts via private message .. --------------------------------------------- https://blog.malwarebytes.com/threat-analysis/2017/09/compromised-linkedin-… ∗∗∗ Patchday: Microsoft stopft Staatstrojaner-Schlupfloch ∗∗∗ --------------------------------------------- Lücke in Word und .NET-Framework wurde von FinFisher-Malware ausgenutzt --------------------------------------------- http://derstandard.at/2000064009454 ===================== = Advisories = ===================== ∗∗∗ DSA-3971 tcpdump - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2017/dsa-3971 ∗∗∗ DSA-3970 emacs24 - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2017/dsa-3970 ∗∗∗ DSA-3969 xen - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2017/dsa-3969 ∗∗∗ Local File Disclosure in VLC media player iOS app ∗∗∗ --------------------------------------------- https://www.sec-consult.com/en/blog/advisories/local-file-disclosure-in-vlc… ∗∗∗ Multiple Vulnerabilities in IBM Infosphere Information Server / Datastage ∗∗∗ --------------------------------------------- https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.09.2017
by Daily end-of-shift report 12 Sep '17

12 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Montag 11-09-2017 18:00 − Dienstag 12-09-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Miners on the Rise ∗∗∗ --------------------------------------------- Over the last month alone, we have detected several large botnets designed to profit from concealed crypto mining. We have also observed growing numbers of attempts to install miners on servers owned by organizations. When these attempts are successful, the companies’ business processes suffer because data processing speeds fall substantially. --------------------------------------------- http://securelist.com/miners-on-the-rise/81706/ ∗∗∗ Google to kill Symantec certs in Chrome 66, due in early 2018 ∗∗∗ --------------------------------------------- This is how trust ends, not with a bang but with a whimper Google has detailed its plan to deprecate Symantec-issued certificates in Chrome.… --------------------------------------------- www.theregister.co.uk/2017/09/12/chrome_66_to_reject_symantec_certs/ ∗∗∗ D-Link DIR-850L: Router können gekapert werden, Patches nicht verfügbar ∗∗∗ --------------------------------------------- In D-Links Heimrouter 850L klaffen schwerwiegende Sicherheitslücken, über die Angreifer die Geräte in ihre Kontrolle bringen können. Updates, welche die Lücken schließen, sind vorerst nicht zu erwarten. --------------------------------------------- https://heise.de/-3828382 ∗∗∗ SAP Security Patch Day – September 2017 ∗∗∗ --------------------------------------------- This post by SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly .. --------------------------------------------- https://blogs.sap.com/2017/09/12/sap-security-patch-day-september-2017/ ===================== = Advisories = ===================== ∗∗∗ Security Bulletins Posted ∗∗∗ --------------------------------------------- Adobe has published security bulletins for Adobe RoboHelp (APSB17-25), Adobe Flash Player (APSB17-28) and ColdFusion (APSB17-30). Adobe recommends users update their product .. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1491 ∗∗∗ DSA-3968 icedove - security update ∗∗∗ --------------------------------------------- Multiple security issues have been found in Thunderbird, which may lead to the execution of arbitrary code or denial of service. --------------------------------------------- https://www.debian.org/security/2017/dsa-3968 ∗∗∗ Email verification bypass in SAP E-Recruiting ∗∗∗ --------------------------------------------- https://www.sec-consult.com/en/blog/advisories/email-verification-bypass-in… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.09.2017
by Daily end-of-shift report 11 Sep '17

11 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Freitag 08-09-2017 18:00 − Montag 11-09-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Energieversorgung: E-Mail-Konten sind besser gesichert als Windparks ∗∗∗ --------------------------------------------- Windparks machen einen professionellen Eindruck, doch bei der IT-Sicherheit hapert es leider. Recherchen von Internetwache.org und Golem.de zeigen eine Menge Schwachstellen und ein Chaos bei der Zuständigkeit. --------------------------------------------- https://www.golem.de/news/energieversorgung-e-mail-konten-sind-besser-gesic… ∗∗∗ Secure microkernel in a KVM switch offers spy-grade app virtualization ∗∗∗ --------------------------------------------- Need a few air-gapped apps on one screen? Australian researchers show how Researchers at Australian think tank Data61 and the nations Defence Science and Technology Group have cooked up application publishing for the paranoid, by baking an ARM CPU and secure microkernel into a KVM switch.… --------------------------------------------- www.theregister.co.uk/2017/09/07/cross_domain_desktop_compositor_vdi_for_th… ∗∗∗ Apache Foundation rebuffs allegation it allowed Equifax attack ∗∗∗ --------------------------------------------- Timeline explains that either Equifax didnt patch old bugs, or was zero-dayed The Apache Software Foundation has defended its development practices in the face of a report alleging its code was responsible for the Equifax data leak.… --------------------------------------------- www.theregister.co.uk/2017/09/11/apache_rebuts_equifax_allegation/ ∗∗∗ Bug im Windows-Kernel könnte durch Schadcode missbraucht werden ∗∗∗ --------------------------------------------- Im Windows-Kernel schlummert seit Jahren eine Lücke, die in einigen Fällen dafür sorgen könnte, dass Malware vom Radar von Sicherheitssoftware verschwindet. Laut ihrem Entdecker zeigt sich Microsoft bislang aber eher desinteressiert. --------------------------------------------- https://heise.de/-3825130 ∗∗∗ Equifax Breach Response Turns Dumpster Fire ∗∗∗ --------------------------------------------- I cannot recall a previous data breach in which the breached company’s public outreach and response has been so haphazard and ill-conceived as the one coming right now from big-three credit bureau Equifax, which rather clumsily announced Thursday that an intrusion jeopardized Social security numbers and other information on 143 million Americans. --------------------------------------------- https://krebsonsecurity.com/2017/09/equifax-breach-response-turns-dumpster-… ∗∗∗ Hack: 143 Millionen US-Amerikanern droht Identitätsdiebstahl ∗∗∗ --------------------------------------------- Datendiebstahl bei US-Finanzinstitut Equifax gilt als einer der schlimmsten Einbrüche in der IT-Geschichte --------------------------------------------- http://derstandard.at/2000063850369 ∗∗∗ Another Apache Struts Vulnerability Under Active Exploitation ∗∗∗ --------------------------------------------- This post authored by Nick Biasini with contributions from Alex Chiu.Earlier this week, a critical vulnerability in Apache Struts was publicly disclosed in a security advisory. This new vulnerability, identified as CVE-2017-9805, manifests due to the way the REST plugin uses XStreamHandler with an instance of XStream for deserialization without any type filtering. As a result, a remote, unauthenticated attacker could achieve remote code execution on a host running a vulnerable version of Apache --------------------------------------------- http://blog.talosintelligence.com/2017/09/apache-struts-being-exploited.html ===================== = Advisories = ===================== ∗∗∗ Multiple Vulnerabilities in Apache Struts 2 Affecting Cisco Products: September 2017 ∗∗∗ --------------------------------------------- On September 5, 2017, the Apache Software Foundation released security bulletins that disclosed three vulnerabilities in the Apache Struts 2 package. Of these vulnerabilities, the Apache Software Foundation classifies one as Critical Severity, one as Medium Severity, and one as Low Severity. For more information about the vulnerabilities, refer to the Details section .. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ HPESBNS03755 rev.2 - HPE NonStop Server using Samba, Multiple Remote Vulnerabilities ∗∗∗ --------------------------------------------- https://h20566.www2.hpe.com/portal/site/hpsc/template.PAGE/action.process/p… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.09.2017
by Daily end-of-shift report 08 Sep '17

08 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 07-09-2017 18:00 − Freitag 08-09-2017 18:00 Handler: Olaf Schwarz Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Daten von 143 Millionen US-Amerikanern entwendet ∗∗∗ --------------------------------------------- Bei einem Cyberangriff auf den US-Finanzdienstleister Equifax wurden äußerst sensible Daten von Millionen Amerikanern erbeutet, die nun Betrug im großen Stil ermöglichen. --------------------------------------------- https://futurezone.at/digital-life/daten-von-143-millionen-us-amerikanern-e… ∗∗∗ Android Toast Overlay Attack: “Cloak and Dagger” with No Permissions ∗∗∗ --------------------------------------------- Palo Alto Networks Unit 42 researchers have uncovered a high severity vulnerability in the Android overlay system, which allows a new Android overlay attack by using the “Toast type” overlay.The post Android Toast Overlay Attack: “Cloak and Dagger” with No Permissions appeared first on Palo Alto Networks Blog. --------------------------------------------- https://researchcenter.paloaltonetworks.com/2017/09/unit42-android-toast-ov… ∗∗∗ YASRV (Yet Another Struts RCE Vulnerability) yes a different one from yesterday ∗∗∗ --------------------------------------------- Yesterday saw CVE-2017-9805, today we have a new remote code execution vulnerability in Apache Struts 2 which is CVE-2017-12611. Yesterdays was in the REST API and related to Java XML unsafe deserializarion. Todays relates to using Freemarker in your application. Both should encourage you to patch. --------------------------------------------- https://isc.sans.edu/diary/rss/22796 ∗∗∗ Secure microkernel in a KVM switch offers spy-grade app virtualization ∗∗∗ --------------------------------------------- Need a few air-gapped apps on one screen? Heres how Researchers at Australian think tank Data61 and the nations Defence Science and Technology Group have cooked up application publishing for the paranoid, by baking an ARM CPU and secure microkernel into a KVM switch. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2017/09/07/cross_domai… ∗∗∗ TLS-Zertifikate: CAAs sollen Zertifizierungsstellen an die Leine legen ∗∗∗ --------------------------------------------- Admins können mit einer Certification Authority Authorization im DNS festlegen, wer Zertifikate für ihre Domain unterschreiben darf. Ab dem 8. September sind diese Vorgaben für Zertifizierungsstellen verbindlich. --------------------------------------------- https://heise.de/-3822010 ∗∗∗ Sechs Lücken in Android-Bootloadern bekannter Hersteller entdeckt ∗∗∗ --------------------------------------------- Die automatisierte Analyse des Codes zweier Android-Bootloader förderte insgesamt sechs Schwachstellen zutage. Denial-of-Service und Zugriff auf sensible Daten sind mögliche Folgen – allerdings nur dann, wenn der Angreifer bereits Root-Rechte hat. --------------------------------------------- https://heise.de/-3824289 ∗∗∗ Schwachstelle in Typo3-Repository als mögliches Schlupfloch für trojanisierte Erweiterungen ∗∗∗ --------------------------------------------- Aufgrund eines Fehlers hätten Dritte unter Umständen mit beliebigem Passwort auf das Typo3 Extension Repository zugreifen können. Nun warnen die Entwickler vor möglichen Erweiterungen mit Schadcode. --------------------------------------------- https://heise.de/-3825378 ∗∗∗ Keine Kartenaktivierung bei card complete erforderlich ∗∗∗ --------------------------------------------- Kriminelle versenden eine gefälschte card complete-Nachricht. Darin heißt es, dass die Kreditkarte von Kund/innen gesperrt worden sei. Für eine Reaktivierung sollen diese persönliche Daten bekannt geben. Wer der Aufforderung nachkommt, sendet Betrüger/innen seine Kreditkarteninformationen. --------------------------------------------- https://www.watchlist-internet.at/phishing/keine-kartenaktivierung-bei-card… ===================== = Advisories = ===================== ∗∗∗ Multiple Vulnerabilities in Apache Struts 2 Affecting Cisco Products: September 2017 ∗∗∗ --------------------------------------------- On September 5, 2017, the Apache Software Foundation released security bulletins that disclose three vulnerabilities in the Apache Struts 2 package. Of these vulnerabilities, the Apache Software Foundation classifies one as Critical Severity, one as Medium Severity, and one as Low Severity. For more information about the vulnerabilities, refer to the Details section of this advisory.Multiple Cisco products incorporate a version of the Apache Struts 2 package that is affected ... --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Smiths Medical Medfusion 4000 Wireless Syringe Infusion Pump Vulnerabilities ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSMA-17-250-02 ∗∗∗ SpiderControl SCADA Web Server ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-250-01 ∗∗∗ PHOENIX CONTACT, Innominate Security Technologies mGuard Firmware ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-250-02 ∗∗∗ i-SENS Inc. SmartLog Diabetes Management Software ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSMA-17-250-01 ∗∗∗ DFN-CERT-2017-1587/">GDK-PixBuf: Mehrere Schwachstellen ermöglichen u.a. das Ausführen beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1587/ ∗∗∗ Security Advisory - MITM Vulnerability in Huawei Themes App in Some Mobile Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170908-… ∗∗∗ IBM Security Bulletin: Vulnerability in IBM® Java SDK affects multiple IBM Rational products based on IBM Jazz technology ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22007909 ∗∗∗ IBM Security Bulletin: Open Source XStream as used in IBM QRadar SIEM is vulnerable to Denial of Service. (CVE-2017-7957) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22008217 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Content Classification ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=swg22005380 ∗∗∗ IBM Security Bulletin: IBM Java SDK as used in IBM QRadar SIEM is vulnerable to multiple CVE’s. ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22008210 ∗∗∗ IBM Security Bulletin: IBM QRadar SIEM is vulnerable to information exposure. (CVE-2017-1162) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22008194 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily