=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 04-07-2017 18:00 − Wednesday 05-07-2017 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** #NoPetya attack left a security hole behind ***
---------------------------------------------
Last week's worldwide cyber attack has more serious consequences than previously known.
---------------------------------------------
https://futurezone.at/digital-life/nopetya-attacke-hinterliess-sicherheitsl…
*** NotPetya cyber attack: Alleged attackers want 250,000 euros for data recovery ***
---------------------------------------------
The suspected developers of the NotPetya malware are offering to hand over, in exchange for 100 bitcoin (almost 250,000 euros), a key that is supposed to allow the data to be recovered. Whether they will keep their word is unclear. Observers suspect other motives behind this turn of events.
---------------------------------------------
https://heise.de/-3764208
*** Ukrainian Police Seize Servers From Where NotPetya Outbreak First Spread ***
---------------------------------------------
Ukrainian Police announced today it seized the servers from where the NotPetya ransomware outbreak first started to spread. [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ukrainian-police-seize-serve…
*** The day a mysterious cyber-attack crippled Ukraine ***
---------------------------------------------
On the morning of Tuesday, 27 June, Oleh Derevianko, the head of Kiev-based cybersecurity firm Information Security Systems Partners (ISSP), was at Bessarabska market, a popular food market in the heart of downtown. Derevianko was picking up a few things before heading out for the 300km drive to his parents' village. Wednesday was constitution day in Ukraine, a national holiday, and he'd be using the mid-week break to spend a couple days with his kids.
---------------------------------------------
http://www.bbc.com/future/story/20170704-the-day-a-mysterious-cyber-attack-…
*** NotPetya Group Moves All Their Bitcoin, Posts Proposition on the Dark Web ***
---------------------------------------------
The person or group behind the NotPetya ransomware has made its first move since the outbreak that took place eight days ago. [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/security/notpetya-group-moves-all-the…
*** Doctor Web: M.E.Doc backdoor lets cybercriminals access computers ***
---------------------------------------------
July 4, 2017 Doctor Web security researchers examined the update module M.E.Doc and discovered that it is involved in the distribution of at least one other malicious program. You may recall that independent researchers named specifically this M.E.Doc update module as the source of the recent outbreak of the encryption worm Trojan.Encoder.12544, also known as NePetya, Petya.A, ExPetya and WannaCry-2. M.E.Doc is tax accounting software that is popular in Ukraine.
---------------------------------------------
http://news.drweb.com/show/?i=11363&lng=en&c=9
*** Qubes OS tested: Linux secure and user-friendly? ***
---------------------------------------------
Separating applications and areas of use from one another through virtualization while offering a desktop interface that is easy for regular users to operate: the Qubes OS project has set itself an ambitious goal.
---------------------------------------------
https://heise.de/-3764500
*** Austria ranks 30th in cybersecurity ***
---------------------------------------------
According to a UN study, some large industrialized countries perform worse in cybersecurity than some considerably poorer countries.
---------------------------------------------
https://futurezone.at/digital-life/oesterreich-im-bereich-cybersicherheit-a…
*** Introducing Linux Support for FakeNet-NG: FLARE's Next Generation Dynamic Network Analysis Tool ***
---------------------------------------------
Introduction In 2016, FLARE introduced FakeNet-NG, an open-source network analysis tool written in Python. FakeNet-NG allows security analysts to observe and interact with network applications using standard or custom protocols on a single Windows host, which is especially useful for malware analysis and reverse engineering. Since FakeNet-NG's release, FLARE has added support for additional protocols. FakeNet-NG now has out-of-the-box support for DNS, HTTP (including BITS), FTP, TFTP, [...]
---------------------------------------------
http://www.fireeye.com/blog/threat-research/2017/07/linux-support-for-faken…
*** The Hardware Forensic Database ***
---------------------------------------------
The Hardware Forensic Database (or HFDB) is a project of CERT-UBIK aiming at providing a collaborative knowledge base related to IoT Forensic methodologies and tools.
---------------------------------------------
http://hfdb.io/
*** Customer data: Data leak at Deutsche Post ***
---------------------------------------------
A database containing 200,000 change-of-address notifications from Deutsche Post was exposed unprotected on the internet. Thousands of other companies around the world have made exactly the same mistake.
---------------------------------------------
https://www.golem.de/news/kundendaten-datenleck-bei-der-deutschen-post-1707…
*** Vulnerability Spotlight: Dell Precision Optimizer and Invincea Vulnerabilities ***
---------------------------------------------
Talos are releasing advisories for vulnerabilities in the Dell Precision Optimizer application service software, Invincea-X and Invincea Dell Protected Workspace. These packages are pre-installed on certain Dell systems. Vulnerabilities present in these applications could allow attackers to disable security mechanisms, escalate privileges and execute arbitrary code within the context of the application user.
---------------------------------------------
http://blog.talosintelligence.com/2017/06/vulnerability-spotlight-dell-prec…
*** Security Advisory - DoS Vulnerability in TLS of Some Huawei Products ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170705-…
*** rt-sa-2017-011 ***
---------------------------------------------
Remote Command Execution in PDNS Manager
---------------------------------------------
https://www.redteam-pentesting.de/advisories/rt-sa-2017-011.txt
*** DFN-CERT-2017-1159: Foxit Reader, Foxit PhantomPDF: Multiple vulnerabilities allow, among other things, the execution of arbitrary code ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1159/
*** IBM Security Bulletin: Incorrect saved channel status enquiry could cause denial of service for IBM MQ (CVE-2017-1236) ***
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22003510
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect Tivoli Provisioning Manager for OS Deployment and Tivoli Provisioning Manager for Images ***
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22005108
*** IBM Security Bulletin: RabbitMQ vulnerability affect IBM Cloud Manager with OpenStack (CVE-2015-8786) ***
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=isg3T1025403
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 03-07-2017 18:00 − Tuesday 04-07-2017 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Yet more reasons to disagree with experts on nPetya ***
---------------------------------------------
In WW II, they looked at planes returning from bombing missions that were shot full of holes. Their natural conclusion was to add more armor to the sections that were damaged, to protect them in the future. But wait, said the statisticians. The original damage is likely spread evenly across the plane. Damage on returning planes indicates where they could damage and still return. The undamaged areas are where they were hit and couldn't return. Thus, it's the undamaged areas you need to [...]
---------------------------------------------
http://blog.erratasec.com/2017/07/yet-more-reasons-to-disagree-with.html
*** Analysis of TeleBots' cunning backdoor ***
---------------------------------------------
On the 27th of June 2017, a new cyberattack hit many computer systems in Ukraine, as well as in other countries. That attack was spearheaded by the malware ESET products detect as Diskcoder.C (aka ExPetr, PetrWrap, Petya, or NotPetya). This malware masquerades as typical ransomware: it encrypts the data on the computer and demands $300 bitcoins for recovery. In fact, the malware authors' intention was to cause damage, so they did all that they could to make data decryption very unlikely.
---------------------------------------------
https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-back…
*** GnuPG crypto library cracked, look for patches ***
---------------------------------------------
Boffins bust libgcrypt via side-channel. Linux users need to check out their distributions to see if a nasty bug in libgcrypt20 has been patched.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2017/07/04/gnupg_crypt…
*** Cryptology ePrint Archive: Report 2017/627 ***
---------------------------------------------
Sliding right into disaster: Left-to-right sliding windows leak
Abstract: It is well known that constant-time implementations of modular exponentiation cannot use sliding windows. However, software libraries such as Libgcrypt, used by GnuPG, continue to use sliding windows. It is widely believed that, even if the complete pattern of squarings and multiplications is observed through a side-channel attack, the number of exponent bits leaked is not sufficient to carry out a full key-recovery [...]
---------------------------------------------
https://eprint.iacr.org/2017/627
*** ERCIM News 110 published - Special theme "Blockchain Engineering" ***
---------------------------------------------
The ERCIM News No. 110 has just been published at with a special theme on "Blockchain Engineering". SBA Research contributes two articles in this issue. The first article is by Aljosha Judmayer, Alexei Zamyatin, Nicholas Stifter and Edgar Weippl on [...]
---------------------------------------------
https://www.sba-research.org/2017/07/03/ercim-news-110-published-special-th…
*** Joomla! 3.7.3 Release ***
---------------------------------------------
Security Issues Fixed
Core - Information Disclosure (affecting Joomla 1.7.3-3.7.2)
Core - XSS Vulnerability (affecting Joomla 1.7.3-3.7.2)
Core - XSS Vulnerability (affecting Joomla 1.5.0-3.6.5)
---------------------------------------------
https://www.joomla.org/announcements/release-news/5709-joomla-3-7-3-release…
*** Petya Malware Variant (Update A) ***
---------------------------------------------
This updated alert is a follow-up to the original alert titled ICS-ALERT-17-181-01 Petya Ransomware Variant that was published June 30, 2017, on the NCCIC/ICS-CERT web site. ICS-CERT is aware of reports of a variant of the Petya malware that is affecting several countries. ICS-CERT is releasing this alert to enhance the awareness of critical infrastructure asset owners/operators about the Petya variant and to identify product vendors that have issued recommendations to mitigate the risk
---------------------------------------------
https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-181-01A
*** RSA Archer eGRC Multiple Flaws Let Remote Users Conduct Cross-Site Scripting, Cross-Site Request Forgery, and Open Redirect Attacks and Let Remote Authenticated Users Obtain Potentially Sensitive Information ***
---------------------------------------------
http://www.securitytracker.com/id/1038815
*** DFN-CERT-2017-1145: Apache Subversion: A vulnerability allows the manipulation of data ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1145/
*** SSA-563539 (Last Update: 2017-07-04): Vulnerabilities in OZW672 and OZW772 ***
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-563539…
*** SSA-323211 (Last Update: 2017-07-04): Vulnerabilities in SIPROTEC 4 and SIPROTEC Compact Devices ***
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-323211…
*** SSA-452237 (Last Update: 2017-07-04): Vulnerabilities in Reyrolle ***
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-452237…
*** IBM Security Bulletin: Weak Cipher available in IBM API Connect (CVE-2015-2808) ***
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22003868
*** IBM Security Bulletin: Multiple vulnerabilities in Open Source zlib affects IBM Netezza Platform Software clients (CVE-2016-9840, CVE-2016-9841 and CVE-2016-9843). ***
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22001026
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 30-06-2017 18:00 − Monday 03-07-2017 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** From Pass-the-Hash to Pass-the-Ticket with No Pain ***
---------------------------------------------
We are all grateful to Microsoft, which gave us the possibility to use the "Pass the Hash" technique! In short: if we have the NTLM hashes of the user password, we can authenticate against the remote system without knowing the real password, just using the hashes. Things were (finally) changing, starting from Windows 7, [...]
---------------------------------------------
http://resources.infosecinstitute.com/pass-hash-pass-ticket-no-pain/
*** SQL Injection Vulnerability in WP Statistics ***
---------------------------------------------
As part of a vulnerability research project for our Sucuri Firewall, we have been auditing popular open source projects looking for security issues. While working on the WordPress plugin WP Statistics, we discovered a SQL Injection vulnerability. This plugin is currently installed on 300,000+ websites. Are You at Risk? This vulnerability is caused by the lack of sanitization in user provided data. An attacker with at least a subscriber account could leak sensitive data and under the right [...]
---------------------------------------------
https://blog.sucuri.net/2017/06/sql-injection-vulnerability-wp-statistics.h…
*** OutlawCountry Is CIA's Malware for Hacking Linux Systems ***
---------------------------------------------
WikiLeaks dumped today a manual describing a new CIA malware strain. Called OutlawCountry, this is malware designed for Linux operating systems. [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/security/outlawcountry-is-cias-malwar…
*** So You Think You Can Spot a Skimmer? ***
---------------------------------------------
This week marks the 50th anniversary of the automated teller machine -- better known to most people as the ATM or cash machine. Thanks to the myriad methods thieves have devised to fleece unsuspecting cash machine users over the years, there are now more ways than ever to get ripped off at the ATM. Think you're good at spotting the various scams? A newly released ATM fraud inspection guide may help you test your knowledge.
---------------------------------------------
https://krebsonsecurity.com/2017/06/so-you-think-you-can-spot-a-skimmer/
*** PE Section Name Descriptions, (Sun, Jul 2nd) ***
---------------------------------------------
PE files (.exe, .dll, ...) have sections: a section with code, one with data, ... Each section has a name, and different compilers use different section names. Section names can help us identify the compiler and the type of PE file we are analyzing.
---------------------------------------------
https://isc.sans.edu/diary/rss/22576
*** TLS security: Past, present and future ***
---------------------------------------------
The Transport Layer Security (TLS) protocol as it stands today has evolved from the Secure Sockets Layer (SSL) protocol from Netscape Communications and the Private Communication Technology (PCT) protocol from Microsoft that were developed in the 1990s, mainly to secure credit card transactions over the Internet. It soon became clear that a unified standard was required, and an IETF TLS WG was tasked. As a result, TLS 1.0 was specified in 1999, TLS 1.1 in [...]
---------------------------------------------
https://www.helpnetsecurity.com/2017/07/03/tls-security/
*** Warning, fake: No, Billa is not giving away a 250-euro voucher on WhatsApp ***
---------------------------------------------
The chain letter is currently spreading rapidly - links to a mysterious site
---------------------------------------------
http://derstandard.at/2000060650645
*** WSUSpendu? What for? ***
---------------------------------------------
At BlackHat USA 2015, the WSUSpect attack scenario has been released. Approximately at the same time, some French engineers have been wondering if it would be possible to use a compromised WSUS server to extend the compromise to its clients, similarly to this WSUSpect attack. After letting this topic rest for almost two years, we've been able, at Alsid and ANSSI, to demonstrate this attack.
---------------------------------------------
https://github.com/AlsidOfficial/WSUSpendu
*** SB17-184: Vulnerability Summary for the Week of June 26, 2017 ***
---------------------------------------------
Original release date: July 03, 2017 The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit [...]
---------------------------------------------
https://www.us-cert.gov/ncas/bulletins/SB17-184
*** DSA-3901 libgcrypt20 - security update ***
---------------------------------------------
Daniel J. Bernstein, Joachim Breitner, Daniel Genkin, Leon Groot Bruinderink, Nadia Heninger, Tanja Lange, Christine van Vredendaal and Yuval Yarom discovered that Libgcrypt is prone to a local side-channel attack allowing full key recovery for RSA-1024.
---------------------------------------------
https://www.debian.org/security/2017/dsa-3901
*** Bugtraq: [CVE-2017-9313] Webmin 1.840 Multiple XSS Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/540794
*** Microsoft Dynamics CRM Input Validation Flaw in SyncFilterPage.aspx Lets Remote Users Conduct Cross-Site Scripting Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1038813
*** FortiWLM upgrade user account hard-coded credentials ***
---------------------------------------------
FortiWLM has a hard-coded password for its "upgrade" user account, which it uses to transfer files to and from the FortiWLC controller. Having the upgrade account credentials would allow an attacker to transfer files to any attached or previously attached controllers as an admin user, thus raising potential further security issues.
---------------------------------------------
http://fortiguard.com/psirt/FG-IR-17-115
*** F5 Security Advisories ***
---------------------------------------------
*** BIND vulnerability CVE-2017-3142 ***
https://support.f5.com/csp/article/K59448931
---------------------------------------------
*** BIND vulnerability CVE-2017-3143 ***
https://support.f5.com/csp/article/K02230327
---------------------------------------------
*** GnuTLS vulnerability CVE-2017-7507 ***
https://support.f5.com/csp/article/K37830055
---------------------------------------------
*** Novell Patches ***
---------------------------------------------
*** Sentinel 8.1 (Sentinel 8.1.0.0) Build 3732 ***
https://download.novell.com/Download?buildid=SISjocZzgJM~
---------------------------------------------
*** eDirectory 9.0.3 Patch 1 (9.0.3.1) ***
https://download.novell.com/Download?buildid=_f8Eq87R-gs~
---------------------------------------------
*** eDirectory 8.8 SP8 Patch 10 HotFix 1 ***
https://download.novell.com/Download?buildid=z1R5CZBTHBM~
---------------------------------------------
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Improper Authentication vulnerability affects IBM Security Guardium (CVE-2017-1264) ***
http://www-01.ibm.com/support/docview.wss?uid=swg22004425
---------------------------------------------
*** IBM Security Bulletin: IBM Security Guardium is affected by XML External Entity vulnerability (CVE-2017-1254) ***
http://www-01.ibm.com/support/docview.wss?uid=swg22004463
---------------------------------------------
*** IBM Security Bulletin: OS Command Injection vulnerability affects IBM Security Guardium (CVE-2017-1253) ***
http://www-01.ibm.com/support/docview.wss?uid=swg22004426
---------------------------------------------
*** IBM Security Bulletin: IBM Maximo Asset Management could allow a local user to obtain sensitive information due to inappropriate data retention of attachments (CVE-2017-1176) ***
http://www-01.ibm.com/support/docview.wss?uid=swg22005210
---------------------------------------------
*** IBM Security Bulletin: IBM Maximo Asset Management is vulnerable to SQL injection (CVE-2017-1175) ***
http://www-01.ibm.com/support/docview.wss?uid=swg22005212
---------------------------------------------
*** IBM Security Bulletin: IBM Maximo Asset Management is vulnerable to cross-site scripting (CVE-2017-1208) ***
http://www-01.ibm.com/support/docview.wss?uid=swg22005243
---------------------------------------------
*** IBM Security Bulletin: Multiple security vulnerabilities affect the Report Builder that is shipped with Jazz Reporting Service ***
http://www-01.ibm.com/support/docview.wss?uid=swg22001007
---------------------------------------------
*** IBM Security Bulletin: Security vulnerabilities in Apache Tomcat affect multiple IBM Rational products based on IBM's Jazz technology ***
http://www.ibm.com/support/docview.wss?uid=swg21999760
---------------------------------------------
*** IBM Security Bulletin: Cross-site scripting vulnerabilities affect IBM Rational Team Concert ***
http://www.ibm.com/support/docview.wss?uid=swg22004611
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in NTP and OpenSSL affect IBM Netezza Firmware Diagnostics ***
http://www-01.ibm.com/support/docview.wss?uid=swg21997020
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect SmartCloud Entry ***
http://www-01.ibm.com/support/docview.wss?uid=isg3T1025357
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect WebSphere Message Broker and IBM Integration Bus ***
http://www.ibm.com/support/docview.wss?uid=swg22005345
---------------------------------------------
*** IBM Security Bulletin: WebSphere Message Broker and IBM Integration Bus are affected by Information Disclosure vulnerability ***
http://www.ibm.com/support/docview.wss?uid=swg22005382
---------------------------------------------
*** IBM Security Bulletin: IBM Integration Bus and WebSphere Message Broker are affected by Unquoted Search Path or Element (CWE-428) Vulnerability on Windows ***
http://www.ibm.com/support/docview.wss?uid=swg22005383
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect WebSphere Message Broker and IBM Integration Bus ***
http://www.ibm.com/support/docview.wss?uid=swg22005335
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in Open Source Botan affects IBM Netezza Platform Software clients (CVE-2016-2849). ***
http://www-01.ibm.com/support/docview.wss?uid=swg22001108
---------------------------------------------
*** IBM Security Bulletin: WebSphere Message Broker and IBM Integration Bus are affected by Open Source Tomcat vulnerability ***
http://www.ibm.com/support/docview.wss?uid=swg22005331
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 29-06-2017 18:00 − Friday 30-06-2017 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Eternal Champion Exploit Analysis ***
---------------------------------------------
Recently, a group named the ShadowBrokers published several remote server exploits targeting various protocols on older versions of Windows. In this post we are going to look at the EternalChampion exploit in detail to see what vulnerabilities it exploited, how it exploited them, and how the latest mitigations in Windows 10 break the exploit as-written....
---------------------------------------------
https://blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit…
*** Ransomware Attacks Continue in Ukraine with Mysterious WannaCry Clone ***
---------------------------------------------
A fourth ransomware campaign focused on Ukraine has surfaced today, following some of the patterns seen in past ransomware campaigns that have been aimed at the country, such as XData, PScrypt, and the infamous NotPetya. [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ransomware-attacks-continue-…
*** Security updates announced: Cisco's IOS system is vulnerable to malicious code ***
---------------------------------------------
So far, those affected can only contain the threat posed by newly discovered vulnerabilities in Cisco's IOS and IOS XE through workarounds. Security patches are to follow.
---------------------------------------------
https://heise.de/-3759927
*** e-Government in Germany: Critical vulnerabilities in central transport component ***
---------------------------------------------
You can find the English version of this post here containing further technical details. The "OSCI-Transport" Java library is a core component of German e-government. Vulnerabilities in this component allow an attacker to decrypt or manipulate certain information exchanged between public authorities, or even to read data from the authorities' computers. OSCI-Transport is a protocol whose purpose is for data between public authorities to be securely [...]
---------------------------------------------
http://blog.sec-consult.com/2017/06/e-government-in-deutschland-schwachstel…
*** Exploring the crypt: Analysis of the WannaCrypt ransomware SMB exploit propagation ***
---------------------------------------------
On May 12, there was a major outbreak of WannaCrypt ransomware. WannaCrypt directly borrowed exploit code from the ETERNALBLUE exploit and the DoublePulsar backdoor module leaked in April by a group calling itself Shadow Brokers. Using ETERNALBLUE, WannaCrypt propagated as a worm on older platforms, particularly Windows 7 and Windows Server 2008 systems that haven't...
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2017/06/30/exploring-the-crypt-ana…
*** Eternal Blues: A free EternalBlue vulnerability scanner ***
---------------------------------------------
It is to be hoped that after the WannaCry and NotPetya outbreaks, companies will finally make sure to install - on all their systems - the Windows update that patches SMB vulnerabilities leveraged by the EternalBlue and EternalRomance exploits. These exploits are currently available to practically any hacker who might want to use them, and protecting systems against them should be a must for every organization. But while bigger ones might have an IT department [...]
---------------------------------------------
https://www.helpnetsecurity.com/2017/06/30/eternal-blues-eternalblue-vulner…
*** Cyber Europe 2016: Key lessons from a simulated cyber crisis ***
---------------------------------------------
Today marks the end of the latest cyber crisis exercise organised by ENISA, with the release of the after action report and closure video of Cyber Europe 2016.
---------------------------------------------
https://www.enisa.europa.eu/news/enisa-news/cyber-europe-2016-key-lessons-f…
*** TeleBots are back: supply-chain attacks against Ukraine ***
---------------------------------------------
The latest Petya-like outbreak has gathered a lot of attention from the media. However, it should be noted that this was not an isolated incident: this is the latest in a series of similar attacks in Ukraine. This blogpost reveals many details about the Diskcoder.C (aka ExPetr, PetrWrap, Petya, or NotPetya) outbreak and related information about previously unpublished attacks.
---------------------------------------------
https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attack…
*** How Malicious Websites Infect You in Unexpected Ways ***
---------------------------------------------
You probably spend most of your time on a PC browsing, whether that is Facebook, news or just blogs or pages that appeal to your particular interest. If a malicious hacker wants to break into your computer and scramble the kilobytes that make up your digital life, his starting point will be to create a [...]
---------------------------------------------
https://heimdalsecurity.com/blog/malicious-websites/
*** SNMP Remote Code Execution Vulnerabilities in Cisco IOS and IOS XE Software ***
---------------------------------------------
The Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and IOS XE Software contains multiple vulnerabilities that could allow an authenticated, remote attacker to remotely execute code on an affected system or cause an affected system to reload. An attacker could exploit these vulnerabilities by sending a crafted SNMP packet to an affected system via IPv4 or IPv6. Only traffic directed to an affected system can be used to exploit these vulnerabilities.
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
*** Schneider Electric U.motion Builder ***
---------------------------------------------
This advisory contains mitigation details for SQL injection, path traversal, improper authentication, use of hard-coded password, improper access control, denial of service, and information disclosure vulnerabilities in Schneider Electric's U.motion Builder.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-17-180-02
*** BIND TSIG Authentication Bugs Let Remote Users Bypass Authentication to Transfer or Modify Zone Content ***
---------------------------------------------
http://www.securitytracker.com/id/1038809
*** SSA-545214 (Last Update 2017-06-29): Vulnerability in ViewPort for Web Office Portal ***
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-545214…
*** SSA-874235 (Last Update 2017-06-29): Intel Vulnerability in Siemens Industrial Products ***
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-874235…
*** 2017-06-16 (updated 2017-06-30): Cyber Security Notification - CrashOverride/Industroyer Malware ***
---------------------------------------------
http://search.abb.com/library/Download.aspx?DocumentID=9AKK107045A1003&Lang…
*** [2017-06-30] Multiple critical vulnerabilities in OSCI-Transport library 1.2 for German e-Government ***
---------------------------------------------
The OSCI-transport library 1.2, a core component of Germany's e-government infrastructure, is affected by XXE, padding oracle and signature wrapping. These vulnerabilities could be used to read local files from OSCI-systems, decrypt certain parts of a message or, under specific circumstances, even to forge messages.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2017…
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: OpenSource ICU4C Vulnerabilities in IBM eDiscovery Analyzer ***
https://www-01.ibm.com/support/docview.wss?uid=swg21996949
---------------------------------------------
*** IBM Security Bulletin: Cross-site scripting vulnerability in WebSphere Application Server admin console in IBM Content Collector for Email ***
https://www-01.ibm.com/support/docview.wss?uid=swg21998348
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM eDiscovery Analyzer ***
https://www-01.ibm.com/support/docview.wss?uid=swg21996957
---------------------------------------------
*** IBM Security Bulletin: WebSphere Application Server vulnerability with malformed SOAP requests in IBM Content Collector for Email ***
https://www-01.ibm.com/support/docview.wss?uid=swg21998347
---------------------------------------------
*** IBM Security Bulletin: OpenSource Apache Struts vulnerability in Content Collector for IBM Connections ***
https://www-01.ibm.com/support/docview.wss?uid=swg21999097
---------------------------------------------
*** IBM Security Bulletin: OpenSource Apache Struts vulnerability in IBM Content Collector for Microsoft SharePoint ***
https://www-01.ibm.com/support/docview.wss?uid=swg21999099
---------------------------------------------
*** IBM Security Bulletin: OpenSource Apache Struts vulnerability in IBM Content Collector for File Systems ***
https://www-01.ibm.com/support/docview.wss?uid=swg21999105
---------------------------------------------
*** IBM Security Bulletin: OpenSource Apache Struts vulnerability in IBM Content Collector for Email ***
https://www-01.ibm.com/support/docview.wss?uid=swg21999106
---------------------------------------------
*** IBM Security Bulletin: Open Source Apache PDFBox Vulnerability in IBM eDiscovery Analyzer ***
https://www-01.ibm.com/support/docview.wss?uid=swg21991027
---------------------------------------------
*** IBM Security Bulletin: OpenSource Apache Struts vulnerability in Content Collector for IBM Connections ***
https://www-01.ibm.com/support/docview.wss?uid=swg21999098
---------------------------------------------
*** IBM Security Bulletin: zlib vulnerability may affect IBM SDK, Java Technology Edition ***
http://www-01.ibm.com/support/docview.wss?uid=swg22004465
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Intel Ethernet Controller XL710 affects IBM MQ Appliance ***
http://www-01.ibm.com/support/docview.wss?uid=swg22002763
---------------------------------------------
*** IBM Security Bulletin: Cross-Site Scripting vulnerability affects IBM Security Guardium (CVE-2017-1256) ***
http://www-01.ibm.com/support/docview.wss?uid=swg22004461
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in openssl, gnutl, mysql, kernel, glibc, ntp shipped with SmartCloud Entry Appliance ***
http://www.ibm.com/support/docview.wss?uid=isg3T1025342
---------------------------------------------
*** IBM Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - Jan 2017 - Includes Oracle Jan 2017 CPU affect Content Collector for IBM Connections ***
https://www-01.ibm.com/support/docview.wss?uid=swg22001465
---------------------------------------------
*** IBM Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - Jan 2017 - Includes Oracle Jan 2017 CPU affect IBM eDiscovery Analyzer ***
https://www-01.ibm.com/support/docview.wss?uid=swg22001458
---------------------------------------------
*** IBM Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - Jan 2017 - Includes Oracle Jan 2017 CPU affect IBM Content Collector for Microsoft SharePoint ***
https://www-01.ibm.com/support/docview.wss?uid=swg22001455
---------------------------------------------
*** IBM Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - Jan 2017 - Includes Oracle Jan 2017 CPU affect IBM Content Collector for File Systems ***
https://www-01.ibm.com/support/docview.wss?uid=swg22001463
---------------------------------------------
*** IBM Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - Jan 2017 - Includes Oracle Jan 2017 CPU affect IBM Content Collector for Email ***
https://www-01.ibm.com/support/docview.wss?uid=swg22001460
---------------------------------------------
*** IBM Security Bulletin: WebSphere Application Server vulnerability in IBM Content Collector for Email ***
https://www-01.ibm.com/support/docview.wss?uid=swg21998346
---------------------------------------------
*** IBM Security Bulletin: SQL Injection vulnerability affects IBM Security Guardium (CVE-2017-1269) ***
http://www-01.ibm.com/support/docview.wss?uid=swg22004462
---------------------------------------------
*** IBM Security Bulletin: Missing Authentication for Critical Function affects IBM Security Guardium (CVE-2017-1258) ***
http://www-01.ibm.com/support/docview.wss?uid=swg22004309
---------------------------------------------
*** IBM Security Bulletin: IBM InfoSphere Guardium is affected by Cleartext Transmission of Sensitive Information vulnerability (CVE-2016-0238) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21989124
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in IBM HTTP Server affects Netezza Performance Portal (CVE-2015-8743) ***
http://www-01.ibm.com/support/docview.wss?uid=swg22003173
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 28-06-2017 18:00 − Thursday 29-06-2017 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Petya/NotPetya: Not an extortion trojan but a "wiper" ***
---------------------------------------------
After in-depth analysis of the NotPetya malware, most experts agree: the malware was not after money but after mayhem, that is, the greatest possible data loss for its victims.
---------------------------------------------
https://heise.de/-3759293
*** Update on Petya malware attacks ***
---------------------------------------------
As happened recently with WannaCrypt, we again face a malicious attack in the form of ransomware, Petya. In early reports, there was a lot of conflicting information reported on the attacks, including conflation of unrelated and misleading pieces of data, so Microsoft teams mobilized to investigate and analyze, enabling our Malware Protection team to release...
---------------------------------------------
https://blogs.technet.microsoft.com/msrc/2017/06/28/update-on-petya-malware…
*** Websites Grabbing User-Form Data Before It's Submitted ***
---------------------------------------------
Websites are sending information prematurely: ...we discovered NaviStone's code on sites run by Acurian, Quicken Loans, a continuing education center, a clothing store for plus-sized women, and a host of other retailers. Using Javascript, those sites were transmitting information from people as soon as they typed or auto-filled it into an online form. That way, the company would have it even if those people immediately changed their minds and closed the page. This is important because it goes [...]
---------------------------------------------
https://www.schneier.com/blog/archives/2017/06/websites_grabbi.html
*** Microsoft Announces "Controlled Folder Access" to Fend Off Crypto-Ransomware ***
---------------------------------------------
This fall, Microsoft plans to release a new Windows Defender feature called Controlled Folder Access, which blocks and blacklists unauthorized apps from making changes to files located inside specially-designated folders. [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-announces-control…
*** DFN-CERT-2017-1124: Red Hat JBoss Enterprise Application Platform: Multiple vulnerabilities allow, among other things, various denial-of-service attacks ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1124/
*** Symantec Management Console XSS/XXE Issues ***
---------------------------------------------
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se…
*** Kaspersky Anti-Virus for Linux File Server Multiple Flaws Let Remote Users Conduct Cross-Site Scripting and Cross-Site Request Forgery Attacks, Remote Authenticated Users View Files on the Target System, and Local Users Gain Elevated Privileges ***
---------------------------------------------
http://www.securitytracker.com/id/1038798
*** Bugtraq: ESA-2017-062: VASA Provider Virtual Appliance Remote Code Execution Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/540783
*** 2017-06-16 (updated 2017-06-27): Cyber Security Notification - CrashOverride/Industroyer Malware ***
---------------------------------------------
http://search.abb.com/library/Download.aspx?DocumentID=9AKK107045A1003&Lang…
*** SMTP - Moderately Critical - Information Disclosure - SA-CONTRIB-2017-055 ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2017-055
Project: SMTP Authentication Support (third-party module)
Version: 7.x, 8.x
Date: 2017-June-28
Security risk: 10/25 (Moderately Critical) AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon
Vulnerability: Information Disclosure
Description: This SMTP module enables you to send mail using a third party (non-system) mail service instead of the local system mailer included with Drupal. When this module is in debugging mode, it will log privileged [...]
---------------------------------------------
https://www.drupal.org/node/2890357
*** Services - Critical - SQL Injection - SA-CONTRIB-2017-054 ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2017-054
Project: Services (third-party module)
Version: 7.x
Date: 2017-June-28
Security risk: 19/25 (Critical) AC:None/A:User/CI:All/II:All/E:Theoretical/TD:Default
Vulnerability: SQL Injection
Description: This module provides a standardized solution for building APIs so that external clients can communicate with Drupal. The module doesn't sufficiently sanitize column names provided by the client when they are querying for data and trying to sort it. This vulnerability is [...]
---------------------------------------------
https://www.drupal.org/node/2890353
*** IBM Security Bulletin: Vulnerabilities in IBM Java SDK affecting IBM Application Delivery Intelligence v1.0.1, v1.0.1.1, v1.0.2 and v5.0.2. (CVE-2017-3539, CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843) ***
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22005365
*** IBM Security Bulletin: Cross-Site Scripting Vulnerability in IBM WebSphere Portal (CVE-2017-1217) ***
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22004348
*** IBM Security Bulletin: Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect AIX (CVE-2017-3514, CVE-2017-3512, CVE-2017-3511, CVE-2017-3509, CVE-2017-3544, CVE-2017-3533, CVE-2017-3539, CVE-2017-1289, CVE-2016-9840, CVE-2016-9841, ***
---------------------------------------------
http://aix.software.ibm.com/aix/efixes/security/java_apr2017_advisory.asc
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 27-06-2017 18:00 − Wednesday 28-06-2017 18:00
Handler: Stephan Richter
Co-Handler: Alexander Riepl
*** Newport XPS-Cx, XPS-Qx ***
---------------------------------------------
This advisory contains mitigation details for an improper authentication vulnerability in the Newport XPS-Cx and XPS-Qx controllers.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-17-178-01
*** Schroedinger’s Pet(ya) ***
---------------------------------------------
Earlier today (June 27th), we received reports about a new wave of ransomware attacks spreading around the world, primarily targeting businesses in Ukraine, Russia and Western Europe. Our investigation is ongoing and our findings are far from final at this time. Despite rampant public speculation, the following is what we can confirm from our independent analysis.
---------------------------------------------
http://securelist.com/schroedingers-petya/78870/
*** Microsoft bringing EMET back as a built-in part of Windows 10 ***
---------------------------------------------
The built-in exploit mitigations are getting stronger and easier to configure.
---------------------------------------------
https://arstechnica.com/?p=1124813
*** Citrix XenServer Multiple Security Updates ***
---------------------------------------------
A number of security issues have been identified within Citrix XenServer. These issues could, if exploited, allow a malicious administrator of a guest VM to compromise the host. The issues ..
---------------------------------------------
https://support.citrix.com/article/CTX224740
*** New ransomware, old techniques: Petya adds worm capabilities ***
---------------------------------------------
On June 27, 2017 reports of a ransomware infection began spreading across Europe. We saw the first infections in Ukraine, where more than 12,500 machines encountered the ..
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-tech…
*** DFN-CERT-2017-1114: systemd: A vulnerability allows a denial-of-service attack and the execution of arbitrary program code ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1114/
*** DFN-CERT-2017-1112: Microsoft Azure Active Directory (AD) Connect: A vulnerability allows privilege escalation ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1112/
*** DSA-3900 openvpn - security update ***
---------------------------------------------
Several issues were discovered in openvpn, a virtual private network application.
---------------------------------------------
https://www.debian.org/security/2017/dsa-3900
*** Security Advisory - DoS Vulnerability of isub Service in Some Huawei Smartphones ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170628-…
*** HPESBGN03763 rev.1 - HPE SiteScope, Disclosure of Sensitive Information, Bypass Security Restriction, Remote Arbitrary Code Execution ***
---------------------------------------------
Potential security vulnerabilities have been identified in HPE SiteScope. The vulnerabilities could be exploited to allow disclosure of sensitive information, bypass security restriction, and remote arbitrary code execution.
---------------------------------------------
http://h20566.www2.hpe.com/hpsc/doc/public/display?docId=hpesbgn03763en_us
*** Linux kernel security: Torvalds calls Grsecurity "garbage" ***
---------------------------------------------
With his usual lack of diplomatic tact, chief kernel hacker Linus Torvalds made clear on the kernel mailing list what he thinks of the security-focused ..
---------------------------------------------
https://www.golem.de/news/linux-kernel-security-torvalds-bezeichnet-grsecur…
*** Stupidly Simple DDoS Protocol (SSDP) generates 100 Gbps DDoS ***
---------------------------------------------
Last month we shared statistics on some popular reflection attacks. Back then the average SSDP attack size was ~12 Gbps and largest SSDP reflection we recorded was: 30 Mpps (millions of packets per second) 80 ..
---------------------------------------------
https://blog.cloudflare.com/ssdp-100gbps/
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 26-06-2017 18:00 − Tuesday 27-06-2017 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Petya Ransomware Outbreak ***
---------------------------------------------
Today several companies in Europe suffered IT outages caused by ransomware. The ransomware also appears to perform "lateral movement" within an organization, thereby achieving widespread infection and thus encryption. The facts on the exact vectors, both for the initial infection and for further spread within the local network, are still very thin and [...]
---------------------------------------------
http://www.cert.at/services/blog/20170627170903-2046.html
*** Second Global Ransomware Outbreak Under Way ***
---------------------------------------------
A massive ransomware outbreak is spreading globally and being compared to WannaCry.
---------------------------------------------
http://threatpost.com/second-global-ransomware-outbreak-under-way/126549/
*** E-mails about alleged traffic fines ***
---------------------------------------------
E-mails about alleged traffic fines – WARNING: malware is hidden behind them
---------------------------------------------
http://www.bmi.gv.at/cms/BK/betrug/files/2762017_E_Mails_ber_angebliche_Ver…
*** How Spora ransomware tries to fool antivirus ***
---------------------------------------------
Spora ransomware is back and it's trying to confuse antivirus products and email filters.
---------------------------------------------
http://feedproxy.google.com/~r/nakedsecurity/~3/fpIDs0aHpNY/
*** $1 Million Ransomware Payment Has Spurred New DDoS-for-Bitcoin Attacks ***
---------------------------------------------
The $1 million ransom payment paid last week by South Korean web hosting company Nayana has sparked new extortion attempts on South Korean companies. [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/security/-1-million-ransomware-paymen…
*** How Not to Encrypt a File - Courtesy of Microsoft ***
---------------------------------------------
A client recently sent me a crypto spec which involved some, how do I say, suboptimal use of crypto primitives. They're .Net users so I decided to search for a nice msdn crypto reference to set them straight. Instead I found the likely culprit behind their confusion.
---------------------------------------------
https://medium.com/@bob_parks1/how-not-to-encrypt-a-file-courtesy-of-micros…
*** New Shifr RaaS Lets Any Dummy Enter the Ransomware Business ***
---------------------------------------------
Several security researchers have spotted a new Ransomware-as-a-Service (RaaS) portal over the weekend that lets anyone generate their own ransomware executable just by filling in three form fields and pressing a button. [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-shifr-raas-lets-any-dumm…
*** What's new in Windows Defender ATP Fall Creators Update ***
---------------------------------------------
When we introduced Windows Defender Advanced Threat Protection (Windows Defender ATP), our initial focus was to reduce the time it takes companies to detect, investigate, and respond to advanced attacks. The Windows Fall Creators Update represents a new chapter in our product evolution as we offer a set of new prevention capabilities designed to stop...
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2017/06/27/whats-new-in-windows-de…
*** Micro Focus GroupWise Mobility Service 2014 R2 Support Pack 2 Hot Patch 2 ***
---------------------------------------------
Abstract: Micro Focus GroupWise Mobility Service 2014 R2 Support Pack 2 HP2 has been released. Please see the details section below for installation instructions and the change log section for bug fixes since the last release. NOTE: Please do not continue using older versions of GMS SSLCheck. It has been superseded by GroupWise Mobility Service SSLCheck 1.1 found here: http://download.novell.com/Download?buildid=9naDJkniVtg~
Document ID: 5311890
Security Alert: Yes
Distribution Type: [...]
---------------------------------------------
https://download.novell.com/Download?buildid=SIbPzOKmofQ~
*** SSA-874235 (Last Update 2017-06-26): Intel Vulnerability in Siemens Industrial Products ***
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-874235…
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM PureApplication System ***
http://www-01.ibm.com/support/docview.wss?uid=swg22005209
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities may affect IBM SDK Java Technology Edition Version 6, 7, 8 and IBM Runtime Environment Java Version 6, 7, 8 in IBM FileNet Content Manager, and IBM Content Foundation ***
http://www.ibm.com/support/docview.wss?uid=swg22003154
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in OpenSSL affects IBM PureApplication System (CVE-2017-3731) ***
http://www.ibm.com/support/docview.wss?uid=swg22005135
---------------------------------------------
*** IBM Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime Affect Optim Data Growth, Test Data Management and Application Retirement ***
http://www-01.ibm.com/support/docview.wss?uid=swg22003285
---------------------------------------------
*** IBM Security Bulletin: Security vulnerability in SWF files shipped with IBM Cúram Social Program Management (CVE-2017-1106) ***
http://www-01.ibm.com/support/docview.wss?uid=swg22004580
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 23-06-2017 18:00 − Monday 26-06-2017 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Critical flaw in Windows Defender & Co. once again ***
---------------------------------------------
All AV products from Microsoft contained a critical bug that allowed Windows systems to be hijacked. It was sufficient for the AV software to scan, for example, a file in an e-mail or on the hard disk for malicious code.
---------------------------------------------
https://heise.de/-3756013
*** Brutal Kangaroo: CIA tool infects computers via USB stick ***
---------------------------------------------
WikiLeaks has published secret CIA documents describing a tool suite that can be used to siphon information via USB stick from computers that are not connected to the Internet.
---------------------------------------------
https://heise.de/-3754923
*** Current Intel processors plagued by "nightmare" bug ***
---------------------------------------------
Debian project tracks down a bug that can lead to data loss under all operating systems
---------------------------------------------
http://derstandard.at/2000059819966
*** Cyber attacks on private e-mail mailboxes of office holders ***
---------------------------------------------
The Federal Office for Information Security (BSI) is currently observing professional cyber attacks on private e-mail mailboxes of office holders in business and public administration. In this attack campaign, deceptively genuine-looking spear-phishing e-mails are sent to selected senior personnel. The attackers pretend, for example, that irregularities in the use of the mailbox [...]
---------------------------------------------
https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2017/Spearphishi…
*** Traveling with a Laptop / Surviving a Laptop Ban: How to Let Go of "Precious", (Mon, May 29th) ***
---------------------------------------------
For a few months now, passengers on flights from certain countries are no longer allowed to carry laptops and other larger electronic devices into the cabin. Many news media reported over the last weeks that this policy may be expanded to flight from Europe, or to all flights entering the US. But even if you get to keep your laptop with you during your flight, it is difficult to keep it at your site when you travel. So regardless if this ban materializes or not (right now it looks like it will [...]
---------------------------------------------
https://isc.sans.edu/diary/rss/22462
*** Malware: The incomplete ransomware protection of Windows 10 S ***
---------------------------------------------
Windows 10 S is supposed to protect against ransomware - says Microsoft. A security researcher nevertheless managed to gain access to system processes within a few hours.
---------------------------------------------
https://www.golem.de/news/malware-der-unvollstaendige-ransomware-schutz-von…
*** Look, But Don't Touch: One Key to Better ICS Security ***
---------------------------------------------
Better visibility is essential to improving the cybersecurity of industrial control systems and critical infrastructure, but the OT-IT cultural divide must be united.
---------------------------------------------
https://www.darkreading.com/vulnerabilities---threats/look-but-dont-touch-o…
*** Blocks and Chains now available ***
---------------------------------------------
Our book has just been published: Blocks and Chains: Introduction to Bitcoin, Cryptocurrencies, and Their Consensus Mechanisms. Aljosha Judmayer, Nicholas Stifter, Katharina Krombholz, and Edgar Weippl
---------------------------------------------
https://www.sba-research.org/2017/06/24/blocks-and-chains-now-available/
*** DFN-CERT-2017-1100: Microsoft Malware Protection Engine: A vulnerability allows complete system takeover ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1100/
*** Security Advisories Relating to Symantec Products - Symantec Messaging Gateway Multiple Vulnerabilities ***
---------------------------------------------
Symantec has released an update to address three issues that were discovered in the Symantec Messaging Gateway (SMG).
---------------------------------------------
https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=s…
*** Vuln: Multiple Pivotal Products CVE-2017-4974 SQL Injection Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/99254
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: API security restrictions can be bypassed in IBM API Connect (CVE-2017-1328) ***
http://www-01.ibm.com/support/docview.wss?uid=swg22003867
---------------------------------------------
*** IBM Security Bulletin: IBM QRadar SIEM is vulnerable to Cross Site Scripting. (CVE-2017-1234) ***
http://www.ibm.com/support/docview.wss?uid=swg22004948
---------------------------------------------
*** IBM Security Bulletin: Docker and Python as used in IBM QRadar SIEM is vulnerable to various CVEs. ***
http://www.ibm.com/support/docview.wss?uid=swg22004947
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in Global Mailbox in IBM Sterling B2B Integrator (CVE-2015-5262, CVE-2014-3577) ***
http://www-01.ibm.com/support/docview.wss?uid=swg22005149
---------------------------------------------
*** IBM Security Bulletin: IBM QRadar SIEM has weak password requirements. (CVE-2016-9738) ***
http://www.ibm.com/support/docview.wss?uid=swg22004926
---------------------------------------------
*** IBM Security Bulletin: IBM QRadar SIEM is missing HSTS header. (CVE-2016-9972) ***
http://www.ibm.com/support/docview.wss?uid=swg22004925
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Composite Application Manager for Transactions (Multiple CVEs) ***
http://www-01.ibm.com/support/docview.wss?uid=swg22003998
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational Directory Server (Tivoli) & Rational Directory Administrator ***
http://www.ibm.com/support/docview.wss?uid=swg22004713
---------------------------------------------
*** IBM Security Bulletin: Vulnerability affects WebSphere Application Server shipped with IBM Cloud Orchestrator and Cloud Orchestrator Enterprise (CVE-2016-3092) ***
http://www-01.ibm.com/support/docview.wss?uid=swg2C1000300
---------------------------------------------
*** IBM Security Bulletin: October 2015 Java Platform Standard Edition Vulnerabilities in Multiple N Series Products ***
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009992
---------------------------------------------
*** IBM Security Bulletin: July 2014 Java Runtime Environment (JRE) Vulnerabilities in Multiple N series Products ***
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009972
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 22-06-2017 18:00 − Friday 23-06-2017 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Getting ready for the European Cyber Security Month 2017 ***
---------------------------------------------
100 days left for the launch of the European Cyber Security Month, the EU annual advocacy campaign which takes place in October supported by ENISA and EC DG CONNECT with the participation of many partners from all over Europe.
---------------------------------------------
https://www.enisa.europa.eu/news/enisa-news/getting-ready-for-the-european-…
*** Microsoft Says Fireball Threat ‘Overblown’ ***
---------------------------------------------
Check Point has toned down its initial estimates on the number of Fireball malware infections from 250 million machines and 20 percent of corporate networks to 40 million computers.
---------------------------------------------
http://threatpost.com/microsoft-says-fireball-threat-overblown/126472/
*** DSA-3894 graphite2 - security update ***
---------------------------------------------
Multiple vulnerabilities have been found in the Graphite font rendering engine which might result in denial of service or the execution of arbitrary code if a malformed font file is processed.
---------------------------------------------
https://www.debian.org/security/2017/dsa-3894
*** ZDI-17-441: Apple Safari Node Use-After-Free Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple Safari. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-17-441/
*** DSA-3896 apache2 - security update ***
---------------------------------------------
Several vulnerabilities have been found in the Apache HTTPD server.
---------------------------------------------
https://www.debian.org/security/2017/dsa-3896
*** Smart burglars will ride the surf of inter-connected hackability ***
---------------------------------------------
Let’s invent a dustbin that throws itself away Something for the Weekend, Sir? What the world needs now is an intelligent dustbin. It would be the pinnacle of achievement for the Internet of Things sector.
---------------------------------------------
www.theregister.co.uk/2017/06/23/smart_burglars_will_ride_the_surf_of_inter…
*** Suspected Russian hackers stole data of British politicians ***
---------------------------------------------
http://derstandard.at/2000059699661
*** German security agency warns of cyber attacks on public administration ***
---------------------------------------------
Similar to those on US Democrats and the French party of President Macron
---------------------------------------------
http://derstandard.at/2000059699049
*** Node.js: Half of NPM packages vulnerable due to weak passwords ***
---------------------------------------------
Two weeks ago, the NPM service revoked developers' passwords. Now it is clear why: a hacker was able to collect weak passwords and with them could probably have [...] half of the ..
---------------------------------------------
https://www.golem.de/news/node-js-haelfte-der-npm-pakete-durch-schwache-pas…
*** Microsoft rejects accusations from antivirus vendor ***
---------------------------------------------
In a blog post, Microsoft emphasizes the importance of cooperation with antivirus vendors within the Microsoft Virus Initiative. The publication can be read as a direct response to Kaspersky's complaint to antitrust regulators.
---------------------------------------------
https://heise.de/-3754148
*** Video: How hackers hijacked a power plant ***
---------------------------------------------
In 2015, hackers cut the power for more than 200,000 people in Ukraine. A video shows how they took over the control PCs.
---------------------------------------------
https://futurezone.at/digital-life/video-so-kaperten-hacker-ein-stromkraftw…
*** FBI: Extortion, CEO Fraud Among Top Online Fraud Complaints in 2016 ***
---------------------------------------------
Online extortion, tech support scams and phishing attacks that spoof the boss were among the most costly cyber scams reported by consumers and businesses last year, according to new figures from the FBI's Internet Crime Complaint Center (IC3). The IC3 report released ..
---------------------------------------------
https://krebsonsecurity.com/2017/06/fbi-extortion-ceo-fraud-among-top-onlin…
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 21-06-2017 18:00 − Thursday 22-06-2017 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** Cisco WebEx Network Recording Player Multiple Buffer Overflow Vulnerabilities ***
---------------------------------------------
Multiple buffer overflow vulnerabilities exist in the Cisco WebEx Network Recording Player for Advanced Recording Format (ARF) files. An attacker could exploit these vulnerabilities by providing a user with a malicious ARF file via email or URL and convincing the user to launch the file. Exploitation of these vulnerabilities could cause an ..
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
*** Multiple vulnerabilities in Cisco Prime Infrastructure ***
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
*** Multiple vulnerabilities in Cisco Identity Services ***
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
*** Multiple vulnerabilities in Cisco IOS XR ***
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
*** Cisco Firepower Management Center Cross-Site Scripting Vulnerability ***
---------------------------------------------
A vulnerability in the web framework of Cisco Firepower Management Center could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack ..
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
*** Critical bug in RAR compression library endangers AV software ***
---------------------------------------------
Bugs in unpacking archives are critical because they are particularly easy to exploit, for instance when antivirus software scans for malicious code. It is all the more bitter when they can still be exploited five years after their discovery.
---------------------------------------------
https://heise.de/-3751528
*** Drupal Core - Multiple Vulnerabilities - SA-CORE-2017-003 ***
---------------------------------------------
https://www.drupal.org/SA-CORE-2017-003
*** TeslaWare Plays Russian Roulette with your Files ***
---------------------------------------------
I was told about a new ransomware called TeslaWare that is being promoted on a black hat criminal site. After a quick search, I was able to find a sample that was compiled yesterday ..
---------------------------------------------
https://www.bleepingcomputer.com/news/security/teslaware-plays-russian-roul…
*** Locky Ransomware Returns, but Targets Only Windows XP & Vista ***
---------------------------------------------
The Locky ransomware is back, spreading via a massive wave of spam emails distributed by the Necurs botnet, but the campaign appears to be a half-baked effort because the ransomware is not able to encrypt files on modern Windows OS versions, locking ..
---------------------------------------------
https://www.bleepingcomputer.com/news/security/locky-ransomware-returns-but…
*** NSA-Backed OpenC2.org Aims to Defend Systems at Machine Speed ***
---------------------------------------------
Security experts, vendors, business and the NSA are developing a standardized language that rather than autonomously understands threats, acts on them.
---------------------------------------------
http://threatpost.com/nsa-backed-openc2-org-aims-to-defend-systems-at-machi…
*** Web Application Pentest Guide Part-I ***
---------------------------------------------
In this article, we are going to pentest a web application which was developed by HP for scanner evaluation purpose. We will be demonstrating the complete process ..
---------------------------------------------
http://resources.infosecinstitute.com/web-application-pentest-guide-part/
*** Windows trojan uses NSA backdoor to covertly mine cryptocurrencies ***
---------------------------------------------
The NSA's DOUBLEPULSAR backdoor is currently being abused to infect unprotected Windows machines with a trojan that secretly mines the cryptocurrency Monero (XMR).
---------------------------------------------
https://heise.de/-3751247
*** [2017-06-22] Multiple vulnerabilities in Cisco Prime Infrastructure ***
---------------------------------------------
Multiple security vulnerabilities in Cisco Prime Infrastructure < 3.1.6 could allow a local low-privileged user to read arbitrary files such as wireless access point configurations, read the hashed passwords of all the users including the administrator from the database and infect other users with a JavaScript trojan.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2017…
*** Understanding the true size of “Fireball” ***
---------------------------------------------
... when recent reports of the “Fireball” cybersecurity threat operation were presented as a new discovery, our teams knew ..
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2017/06/22/understanding-the-true-…
*** IBM Security Bulletin: Multiple vulnerabilities in EBICS client in IBM Sterling B2B Integrator (CVE-2017-1132, CVE-2017-1347, CVE-2017-1348) ***
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22004199
*** IBM Security Bulletin: HTTP verb tampering vulnerability affects IBM Sterling B2B Integrator (CVE-2017-1131) ***
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22004270
*** Why So Many Top Hackers Hail from Russia ***
---------------------------------------------
Conventional wisdom says one reason so many hackers seem to hail from Russia and parts of the former Soviet Union is that these countries have traditionally placed a much greater emphasis than educational institutions in the West on teaching information ..
---------------------------------------------
https://krebsonsecurity.com/2017/06/why-so-many-top-hackers-hail-from-russi…
*** DSA-3892 tomcat7 - security update ***
---------------------------------------------
Aniket Nandkishor Kulkarni discovered that in tomcat7, a servlet and JSP engine, static error pages used the original request's HTTP method to serve content, instead of systematically using ..
---------------------------------------------
https://www.debian.org/security/2017/dsa-3892
*** DSA-3891 tomcat8 - security update ***
---------------------------------------------
Aniket Nandkishor Kulkarni discovered that in tomcat8, a servlet and JSP engine, static error pages used the original request's HTTP method to serve content, instead of systematically ..
---------------------------------------------
https://www.debian.org/security/2017/dsa-3891