=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 25-04-2017 18:00 − Wednesday 26-04-2017 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** FortiOS XSS via srcintf during Firewall Policy Creation ***
---------------------------------------------
An XSS vulnerability caused by the srcintf parameter input during Firewall Policy Creation can be exploited to load and run remote (malicious) JavaScript in a logged-in browser.
---------------------------------------------
http://fortiguard.com/psirt/FG-IR-17-017
*** Analyzing Cyber Insurance Policies ***
---------------------------------------------
There's a really interesting new paper analyzing over 100 different cyber insurance policies. From the abstract: In this research paper, we seek to answer ..
---------------------------------------------
https://www.schneier.com/blog/archives/2017/04/analyzing_cyber.html
*** Critical flaws: VMware hardens applications against malicious code ***
---------------------------------------------
Security updates close several vulnerabilities in various VMware applications for managing virtual machines and for remote access. All operating systems are affected.
---------------------------------------------
https://heise.de/-3696740
*** BrickerBot vs Mirai: malware contest over internet cameras and the like ***
---------------------------------------------
New generations of BrickerBot try to damage poorly protected devices, thereby depriving Mirai of its base.
---------------------------------------------
http://derstandard.at/2000056608656
*** Terror EK going ‘pro’? Not quite yet ***
---------------------------------------------
https://blog.malwarebytes.com/cybercrime/2017/04/terror-ek-going-pro-not-qu…
*** AIT at the Citizen Science Award 2017 ***
---------------------------------------------
[...] As part of the Citizen Science Award 2017, lower and upper secondary school classes as well as individuals are invited to take an active part in developing possible strategies against cyberattacks and to jointly develop the digital mini-game "Phishing Wars" further. The game trains what matters when recognising phishing mails so as not to fall victim to cyberattacks.
---------------------------------------------
http://science.apa.at/site/kultur_und_gesellschaft/detail.html?key=SCI_2017…
*** If there are some unexploited MSSQL Servers With Weak Passwords Left: They got you now (again), (Wed, Apr 26th) ***
---------------------------------------------
Setting up a Microsoft SQL server with a stupid simple password like sa for the sa user is hard. First of all, Microsoft implemented a default password policy ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=22346
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 24-04-2017 18:00 − Tuesday 25-04-2017 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** French election: Russian hackers said to be targeting Macron ***
---------------------------------------------
Experts link the group to Russian military intelligence
---------------------------------------------
http://derstandard.at/2000056465269
*** The Backstory Behind Carder Kingpin Roman Seleznev’s Record 27 Year Prison Sentence ***
---------------------------------------------
Roman Seleznev, a 32-year-old Russian cybercriminal and prolific credit card thief, was sentenced Friday to 27 years in federal prison. That is a record ..
---------------------------------------------
https://krebsonsecurity.com/2017/04/the-backstory-behind-carder-kingpin-rom…
*** Analysis of the Shadow Z118 PayPal phishing site, (Mon, Apr 24th) ***
---------------------------------------------
[Guest post by Remco Verhoef] Today I got lucky walking around within a phishing site and found some left-over ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=22338
*** Alert: If you're running SquirrelMail, Sendmail... why? And oh yeah, remote code vuln found ***
---------------------------------------------
This is nuts. Security researchers have uncovered a critical security hole in SquirrelMail, the open-source webmail project.
---------------------------------------------
www.theregister.co.uk/2017/04/24/squirrelmail_vuln/
*** AV provider Webroot melts down as update nukes hundreds of legit files ***
---------------------------------------------
https://arstechnica.com/security/2017/04/av-provider-webroot-melts-down-as-…
*** BrickerBot, the permanent denial-of-service botnet, is back with a vengeance ***
---------------------------------------------
https://arstechnica.com/security/2017/04/brickerbot-the-permanent-denial-of…
*** Western Digital My Cloud 2.21.126 Authentication Bypass ***
---------------------------------------------
https://cxsecurity.com/issue/WLB-2017040164
*** Up to 100,000 computers infected with leaked NSA malware ***
---------------------------------------------
Security researchers find "Doublepulsar" on tens of thousands of machines, including computers in Austria
---------------------------------------------
http://derstandard.at/2000056481284
*** Attackers could spy on Drupal websites ***
---------------------------------------------
A vulnerability rated critical exists in the 8.x branch. Patched versions close the flaw.
---------------------------------------------
https://heise.de/-3693082
*** Doskozil: Austrian Armed Forces should also attack opponents in cyberwar ***
---------------------------------------------
Minister: attacks should not only be repelled; five to six serious attacks per week
---------------------------------------------
http://derstandard.at/2000056452452
*** Security patches in sight: ten flaws endanger Linksys routers ***
---------------------------------------------
According to security researchers, various models of the Linksys Smart Wi-Fi series are vulnerable. Under certain conditions attackers are said to be able to execute commands on the routers.
---------------------------------------------
https://heise.de/-3693136
*** New IoT Botnet Rises Feeding on Vulnerable Security Cameras ***
---------------------------------------------
A new botnet is slowly building critical mass on the back of unsecured webcams and IP cameras, ..
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-iot-botnet-rises-feeding…
*** Hard Target: Fileless Malware ***
---------------------------------------------
Researchers say fileless in-memory malware attacks have become a major nuisance to businesses and have become even harder to detect and defend.
---------------------------------------------
http://threatpost.com/hard-target-fileless-malware/125054/
*** DSA-3833 libav - security update ***
---------------------------------------------
Several security issues have been corrected in multiple demuxers and decoders of the libav multimedia library. A full list of the changes is available ..
---------------------------------------------
https://www.debian.org/security/2017/dsa-3833
*** Ashley Madison users blackmailed again ***
---------------------------------------------
Criminals are still trying to shake down users of the Ashley Madison dating/cheating online service. As you might remember, the service was hacked in 2015, and the attackers ..
---------------------------------------------
https://www.helpnetsecurity.com/2017/04/25/ashley-madison-blackmail/
*** SAP NetWeaver endangered by vulnerabilities ***
---------------------------------------------
Vulnerabilities exist in various components of the NetWeaver platform. According to security researchers, attackers could, among other things, obtain login data through these holes.
---------------------------------------------
https://heise.de/-3693658
*** Security Bulletin Posted for ColdFusion (APSB17-14) ***
---------------------------------------------
Adobe has published a Security Bulletin (APSB17-14) announcing the availability of hotfixes for ColdFusion versions 2016, 11 and 10. These hotfixes resolve an input validation ..
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1460
*** Hackers uncork experimental Linux-targeting malware ***
---------------------------------------------
SSH... it's Shishiga. Hackers have unleashed a new malware strain that targets Linux-based systems.
---------------------------------------------
www.theregister.co.uk/2017/04/25/linux_malware/
*** [2017-04-25] Portrait Display SDK Service privilege escalation ***
---------------------------------------------
The Portrait Display SDK Service (PdiService.exe) configuration was found to be writable for every authenticated user in a default installation.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2017…
*** [20170402] - Core - XSS Vulnerability ***
---------------------------------------------
https://developer.joomla.org/security-centre/684-20170402-core-xss-vulnerab…
*** [20170403] - Core - XSS Vulnerability ***
---------------------------------------------
https://developer.joomla.org/security-centre/685-20170403-core-xss-vulnerab…
*** [20170404] - Core - XSS Vulnerability ***
---------------------------------------------
https://developer.joomla.org/security-centre/686-20170404-core-xss-vulnerab…
*** [20170405] - Core - XSS Vulnerability ***
---------------------------------------------
https://developer.joomla.org/security-centre/687-20170405-core-xss-vulnerab…
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 21-04-2017 18:00 − Monday 24-04-2017 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Built-in Node.js server: Nvidia driver lets malware be smuggled in ***
---------------------------------------------
Nvidia drivers contain a Node.js server, which is not a good idea: it can be used to bypass protection mechanisms such as application whitelisting.
---------------------------------------------
https://heise.de/-3691119
*** OWASP Top 10: the ten most important security risks get an update ***
---------------------------------------------
Risks from injections, errors in session management and XSS remain high. Besides known vulnerabilities, the current draft includes ..
---------------------------------------------
https://www.golem.de/news/owasp-top-10-die-zehn-wichtigsten-sicherheitsrisi…
*** SquirrelMail < 1.4.22 - Remote Code Execution ***
---------------------------------------------
https://cxsecurity.com/issue/WLB-2017040157
*** Shellcode Analysis- Basics ***
---------------------------------------------
In this article, we will look at what shellcode is, what its purpose is, and various shellcode patterns, etc. Please note that this article will not cover how a shellcode is ..
---------------------------------------------
http://resources.infosecinstitute.com/shellcode-analysis-basics/
*** FIN7 Evolution and the Phishing LNK ***
---------------------------------------------
FIN7 is a financially-motivated threat group that has been associated with malicious operations dating back to late 2015. FIN7 is referred to by many vendors as “Carbanak Group”, ..
---------------------------------------------
http://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html
*** Amazon: phishing campaign baits with the General Data Protection Regulation ***
---------------------------------------------
Emails purportedly sent by Amazon are currently common in inboxes. After fake VAT invoices there is now a phishing campaign that ..
---------------------------------------------
https://www.golem.de/news/amazon-phishing-kampagne-koedert-mit-datenschutzg…
*** Security update: attackers could view the contents of Confluence wikis ***
---------------------------------------------
Anyone running Confluence should install one of the patched versions available now.
---------------------------------------------
https://heise.de/-3692816
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 20-04-2017 18:00 − Friday 21-04-2017 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** 20 Linksys Router Models Vulnerable To Attack ***
---------------------------------------------
Researchers say more than 100,000 Linksys routers in use today could be vulnerable to 10 flaws found in 20 separate router models made by the company.
---------------------------------------------
http://threatpost.com/20-linksys-router-models-vulnerable-to-attack/125085/
*** The History of Fileless Malware - Looking Beyond the Buzzword ***
---------------------------------------------
What's the deal with "fileless malware"? Though many security professionals cringe when they hear this term, lots of articles and product brochures mention fileless malware in the context of threats that are difficult to resist and investigate. Below is my attempt to look beyond the buzzword, tracing the origins of this term and outlining the malware samples that influenced how we use...
---------------------------------------------
https://zeltser.com/fileless-malware-beyond-buzzword/
*** Archive.org Abused to Deliver Phishing Pages ***
---------------------------------------------
The Internet Archive is a well-known website and more precisely for its "WaybackMachine" service. It allows you to search for and display old versions of websites. The current Alexa ranking is 262 which makes it a "popular and trusted" website. Indeed, like I explained in a recent SANS ISC diary, whitelists [...]
---------------------------------------------
https://blog.rootshell.be/2017/04/20/archive-org-abused-deliver-phishing-pa…
*** Analysis of a Maldoc with Multiple Layers of Obfuscation, (Fri, Apr 21st) ***
---------------------------------------------
Thanks to our readers, we often get interesting samples to analyze. This time, Frederick sent us a malicious Microsoft Word document called Invoice_6083.doc (which was delivered in a zip archive). I had a quick look [...]
---------------------------------------------
https://isc.sans.edu/diary/Analysis+of+a+Maldoc+with+Multiple+Layers+of+Obf…
*** TLS interception: Sophos firewall caught out by Chrome change ***
---------------------------------------------
Users who run the Chrome browser behind a Sophos firewall currently see only certificate warnings. The new Chrome version ignores the so-called CommonName, which has been considered deprecated for 17 years.
---------------------------------------------
https://www.golem.de/news/tls-interception-sophos-firewall-wurd-von-chrome-…
*** Domain Fronting ***
---------------------------------------------
In this article, we are going to learn about a very interesting and powerful technique known as Domain Fronting, which is a circumvention technique based on HTTPS that hides the true destination from the censor. What is Domain Fronting? Domain fronting is a technique to circumvent the censorship employed for certain domains (censorship may be for [...]
---------------------------------------------
http://resources.infosecinstitute.com/domain-fronting/
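The mechanism described above, as an added example that is not part of the InfoSec Institute article: the TLS ClientHello names the fronting domain in its SNI (that is all a censor on the path sees), while the encrypted HTTP request inside names the real target in its Host header, which only the CDN edge reads. The second half shows the detection side, which only works where a TLS-terminating proxy records both SNI and Host. All hostnames and the JSON proxy records are constructed placeholders.

```python
"""Domain fronting: SNI names the front, the Host header names the real target.

Added example; the hostnames and proxy records below are constructed.
"""
import json


def build_fronted_request(front_host, target_host, path="/"):
    """Return (sni, raw_http_request) for a fronted HTTPS request.

    `sni` is what goes into the TLS ClientHello and is visible on the wire;
    `raw_http_request` travels inside the TLS session and carries the real
    destination in its Host header.
    """
    request = (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {target_host}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")
    return front_host, request


def parse_host_header(raw_request):
    """Extract the Host header value (without port) from a raw HTTP/1.1 request."""
    head = raw_request.decode("ascii").split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip().split(":")[0]
    return None


# Constructed records as a TLS-intercepting proxy might log them (JSON lines).
SAMPLE_PROXY_LOG = """\
{"src": "10.1.1.10", "sni": "www.example.com", "host": "www.example.com"}
{"src": "10.1.1.11", "sni": "cdn-front.example", "host": "hidden-c2.example"}
{"src": "10.1.1.12", "sni": "static.example.net", "host": "static.example.net:443"}
"""


def find_sni_host_mismatches(log_text):
    """Return proxy records whose HTTP Host differs from the TLS SNI.

    A mismatch is a fronting candidate, not proof: CDN virtual hosting can
    legitimately produce them, so the list needs triage against known CDNs.
    """
    mismatches = []
    for line in log_text.splitlines():
        rec = json.loads(line)
        sni = rec["sni"].lower()
        host = rec["host"].lower().split(":")[0]
        if sni != host:
            mismatches.append(rec)
    return mismatches


if __name__ == "__main__":
    sni, req = build_fronted_request("cdn-front.example", "hidden-c2.example")
    print("SNI on the wire:", sni)
    print("Host inside TLS:", parse_host_header(req))
    for rec in find_sni_host_mismatches(SAMPLE_PROXY_LOG):
        print("fronting candidate:", rec)
```

Without interception the proxy sees only the SNI, so the mismatch check is unavailable; in that case the remaining signals are the CDN edge's own policy (many providers now reject Host/SNI mismatches) and traffic volume to fronting-capable domains.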
*** Top-ranked programming Web tutorials introduce vulnerabilities into software ***
---------------------------------------------
Researchers from several German universities have checked the PHP codebases of over 64,000 projects on GitHub, and found 117 vulnerabilities that they believe have been introduced through the use of code from popular but insufficiently reviewed tutorials. The process The researchers identified popular tutorials by inputting search terms such as "mysql tutorial", [...]
---------------------------------------------
https://www.helpnetsecurity.com/2017/04/21/programming-tutorials-vulnerabil…
*** Security vulnerability in unmaintained Drupal contrib module puts 120000 sites at risk ***
---------------------------------------------
[...] The module is currently used by over 120 000 individual Drupal installations, but is no longer maintained. The last update was done in February 2013. Unfortunately a critical security vulnerability in this references module has been reported by the Drupal core security team as SA-CONTRIB-2017-38: [...]
---------------------------------------------
http://drupal.sh/vulnerable-drupal-contrib-module-puts-120000-sites-at-risk
*** References - Unsupported - SA-CONTRIB-2017-38 ***
---------------------------------------------
[...] Updates: 2017-04-18 -- This issue has been resolved with the release of references 7.x-2.2
---------------------------------------------
https://www.drupal.org/node/2869138
*** cURL/libcurl TLS Session Resumption Client Certificate Bug Lets Remote Users Bypass Security Restrictions on the Target System ***
---------------------------------------------
http://www.securitytracker.com/id/1038341
*** SSHD vulnerability CVE-2017-6128 ***
---------------------------------------------
https://support.f5.com/csp/article/K92140924
*** DFN-CERT-2017-0704: FreeType: a vulnerability allows execution of arbitrary code ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-0704/
*** Security Advisory - Buffer Overflow vulnerability in the GaussDB ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170420-…
*** Security updates available in Foxit Reader 8.3 and Foxit PhantomPDF 8.3 ***
---------------------------------------------
Foxit has released Foxit Reader 8.3 and Foxit PhantomPDF 8.3, which address potential security and stability issues.
---------------------------------------------
https://www.foxitsoftware.com/support/security-bulletins.php
*** Vuln: Linux Kernel CVE-2017-7645 Multiple Denial of Service Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/bid/97950
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: IBM Domino server IMAP EXAMINE command stack buffer overflow (CVE-2017-1274) ***
http://www.ibm.com/support/docview.wss?uid=swg22002280
---------------------------------------------
*** IBM Security Bulletin: Plugin Uploads in IBM UrbanCode Deploy Vulnerable to XML Injection (CVE-2016-9007) ***
http://www-01.ibm.com/support/docview.wss?uid=swg2C1000289
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM BigFix Remote Control. ***
http://www-01.ibm.com/support/docview.wss?uid=swg22000544
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Composite Application Manager for Transactions(CVE-2016-5556, CVE-2016-5597 and CVE-2016-5542) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21996985
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerability in IBM Java Runtime affect IBM Security SiteProtector System (CVE-2016-5597 CVE-2016-5546 CVE-2016-5548 CVE-2016-5549 CVE-2016-5547 CVE-2016-2183) ***
http://www-01.ibm.com/support/docview.wss?uid=swg22000580
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Pivotal Spring Framework affects IBM Marketing Software products suite (CVE-2014-3625) ***
http://www.ibm.com/support/docview.wss?uid=swg22002110
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect InfoSphere Optim Performance Manager (CVE-2016-5546, CVE-2016-5548, CVE-2016-5549, CVE-2016-5547, CVE-2016-2183) ***
http://www-01.ibm.com/support/docview.wss?uid=swg22002204
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 19-04-2017 18:00 − Thursday 20-04-2017 18:00
Handler: Stephan Richter
Co-Handler: Alexander Riepl
*** DFN-CERT-2017-0683: GnuTLS: several vulnerabilities allow, among other things, execution of arbitrary code with the privileges of the service ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-0683/
*** Cisco Security Advisories ***
---------------------------------------------
*** Cisco ASA Software DNS Denial of Service Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
---------------------------------------------
*** Cisco Unified Communications Manager Denial of Service Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
---------------------------------------------
*** Cisco Prime Network Registrar DNS Denial of Service Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
---------------------------------------------
*** Cisco IOS XE Software Simple Network Management Protocol Subsystem Denial of Service Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
---------------------------------------------
*** Cisco Firepower Detection Engine Pragmatic General Multicast Protocol Decoding Denial of Service Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
---------------------------------------------
*** Cisco FindIT Network Probe Information Disclosure Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
---------------------------------------------
*** Cisco IOS and IOS XE Software EnergyWise Denial of Service Vulnerabilities ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
---------------------------------------------
*** Cisco Prime Infrastructure Web Framework Code Cross-Site Scripting Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
---------------------------------------------
*** Cisco Integrated Management Controller Arbitrary Code Execution Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
---------------------------------------------
*** Cisco Integrated Management Controller User Session Hijacking Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
---------------------------------------------
*** Cisco Integrated Management Controller Cross-Site Scripting Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
---------------------------------------------
*** Cisco Integrated Management Controller Command Execution Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
---------------------------------------------
*** Cisco ASA Software Internet Key Exchange Version 1 XAUTH Denial of Service Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
---------------------------------------------
*** Cisco ASA Software SSL/TLS Denial of Service Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
---------------------------------------------
*** Cisco ASA Software and Cisco FTD Software TCP Normalizer Denial of Service Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
---------------------------------------------
*** Cisco ASA Software IPsec Denial of Service Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
---------------------------------------------
*** Prepare for the General Data Protection Regulation already in 2017: important questions ***
---------------------------------------------
The new General Data Protection Regulation will play an important role this year in decisions on security solutions in many industries. The amount of the possible fines ..
---------------------------------------------
https://securingtomorrow.mcafee.com/languages/german/bereiten-sie-sich-scho…
*** Drupal Core - Critical - Access Bypass - SA-CORE-2017-002 ***
---------------------------------------------
https://www.drupal.org/SA-CORE-2017-002
*** Organizations are not effectively dealing with open source security threats ***
---------------------------------------------
Black Duck conducts hundreds of open source code audits annually, primarily related to Merger & Acquisition transactions. Its Center for Open Source Research & Innovation ..
---------------------------------------------
https://www.helpnetsecurity.com/2017/04/20/open-source-security-threats/
*** DNS Query Length... Because Size Does Matter, (Thu, Apr 20th) ***
---------------------------------------------
In many cases, DNS remains a goldmine to detect potentially malicious activity. DNS can be used in multiple ways to bypass security controls. DNS tunnelling is a common way to establish ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=22326
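The detection idea above (tunnelled data has to be encoded into the query name, so tunnelling traffic stands out by name length, label length and character entropy), as an added example that is not from the ISC diary: a small analyser over BIND-style query-log lines. The log lines are constructed, the format only approximates BIND's `query:` log, and the thresholds are assumptions to be tuned against your own baseline.

```python
"""Flag unusually long or high-entropy DNS query names in BIND-style query logs.

Added example; the log lines and thresholds below are constructed assumptions.
"""
import math
import re
from collections import Counter

# Constructed lines approximating BIND's query log format.
SAMPLE_LOG = """\
19-Apr-2017 10:01:02.123 client 10.0.0.5#51234: query: www.example.com IN A + (10.0.0.1)
19-Apr-2017 10:01:03.456 client 10.0.0.5#51235: query: mail.example.com IN MX + (10.0.0.1)
19-Apr-2017 10:01:04.789 client 10.0.0.7#40001: query: 3fa9c2e1b7d04a6f8e2c1d5b9a7f3e60c4b2a1d9e8f7c6b5a4d3e2f1a0b9c8d7.t.evil-tunnel.example IN TXT + (10.0.0.1)
19-Apr-2017 10:01:05.001 client 10.0.0.7#40002: query: aGVsbG8gd29ybGQgdGhpcyBpcyBhIHR1bm5lbA.7c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f.t.evil-tunnel.example IN TXT + (10.0.0.1)
"""

QUERY_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def shannon_entropy(s):
    """Bits per character of the string `s` (0 for empty input)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyse_query(qname):
    """Size and entropy features of one query name."""
    name = qname.rstrip(".")
    labels = name.split(".")
    return {
        "qname": qname,
        "length": len(name),
        "labels": len(labels),
        "longest_label": max(len(l) for l in labels),
        "entropy": round(shannon_entropy(name.replace(".", "")), 2),
    }


def find_suspicious(log_text, max_len=52, max_label=30, min_entropy=3.8):
    """Return query records exceeding any of the (assumed) thresholds.

    RFC 1035 allows 253 characters per name and 63 per label, so legitimate
    names are far below the limits; tunnels push towards them. Adjust the
    thresholds to your own baseline before acting on the output.
    """
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        info = analyse_query(m.group("qname"))
        reasons = []
        if info["length"] > max_len:
            reasons.append("long qname")
        if info["longest_label"] > max_label:
            reasons.append("long label")
        if info["entropy"] > min_entropy:
            reasons.append("high entropy")
        if reasons:
            info.update(client=m.group("client"), qtype=m.group("qtype"), reasons=reasons)
            hits.append(info)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit["client"], hit["qtype"], hit["length"], hit["reasons"], hit["qname"])
```

Counting hits per client and per registered domain over a time window turns the per-query flags into something an analyst can act on; a single long TXT query is noise, hundreds to one domain from one host are a tunnel.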
*** Malware: malicious software at 1,200 Holiday Inn and Crowne Plaza hotels ***
---------------------------------------------
Anyone who was on a business trip or on holiday in the USA last year should check their credit card statements: payment terminals of numerous ..
---------------------------------------------
https://www.golem.de/news/malware-schadsoftware-bei-1-200-holiday-inn-und-c…
*** Spyware Disguised as System Update Survived on Play Store for Almost Three Years ***
---------------------------------------------
An Android app named "System Update" that secretly contained a spyware family named SMSVova, survived on the official ..
---------------------------------------------
https://www.bleepingcomputer.com/news/security/spyware-disguised-as-system-…
*** [R2] Tenable Appliance 4.5.0 Fixes Multiple Vulnerabilities ***
---------------------------------------------
On 2017-04-18, security researcher "agix" published an exploit for the remote command execution flaw (VulnDB 153135). As such, customers are more strongly encouraged to upgrade immediately.
---------------------------------------------
https://www.tenable.com/security/tns-2017-07
*** Trend Micro Threat Discovery Appliance - Session Generation Authentication Bypass (CVE-2016-8584) ***
---------------------------------------------
In the last few months, I have been testing several Trend Micro products with Steven Seeley (@steventseeley). Together, we have found more than 200 RCE (Remote Code Execution) vulnerabilities ..
---------------------------------------------
http://blog.malerisch.net/2017/04/trend-micro-threat-discovery-appliance-se…
*** Stealing sensitive browser data with the W3C Ambient Light Sensor API ***
---------------------------------------------
In this post we describe and demonstrate a neat trick to exfiltrate sensitive information from your ..
---------------------------------------------
https://blog.lukaszolejnik.com/stealing-sensitive-browser-data-with-the-w3c…
*** Combating a spate of Java malware with machine learning in real-time ***
---------------------------------------------
In recent weeks, we have seen a surge in emails carrying fresh malicious Java (.jar) malware that use new techniques to evade antivirus protection. But with our research team’s automated expert ..
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2017/04/20/combating-a-wave-of-jav…
*** Browser updates for Chrome and Firefox plug critical holes ***
---------------------------------------------
Both Google and Mozilla have patched critical security vulnerabilities in their web browsers. Attackers can abuse these for drive-by attacks.
---------------------------------------------
https://heise.de/-3689571
*** Abusing NVIDIAs node.js to bypass application whitelisting ***
---------------------------------------------
Application whitelisting is an important security concept which can be found in many environments during penetration testing. The basic idea is to create a ..
---------------------------------------------
http://blog.sec-consult.com/2017/04/application-whitelisting-application.ht…
*** DNSSEC: ISC initiates key rollover for BIND9 ***
---------------------------------------------
The update is important for all BIND9 operators who use the software to validate signed DNS responses but have not set up automatic key updates.
---------------------------------------------
https://heise.de/-3689170
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 18-04-2017 18:00 − Wednesday 19-04-2017 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Trojan specifically targets Austrian banking apps ***
---------------------------------------------
A malware recently discovered in the Play Store tries to harvest banking data from 400 apps, including those of Bawag, Erste Bank and Volksbank.
---------------------------------------------
https://futurezone.at/digital-life/trojaner-greift-gezielt-oesterreichische…
*** Hajime IoT worm infects devices to head off Mirai ***
---------------------------------------------
Mirai is the name of the worm that has taken control of many IoT devices around the world and used them to mount DDoS attacks, the most high-profile of which was directed against US-based DNS provider Dyn and resulted in many websites and online services being inaccessible for hours on end. Its source code was leaked by the author, which led to the creation of more botnets, and an increased fear that [...]
---------------------------------------------
https://www.helpnetsecurity.com/2017/04/19/hajime-iot-worm/
*** Check the firmware status of AVM routers: critical security hole in Fritzbox firmware plugged ***
---------------------------------------------
Through a critical security vulnerability in FritzOS, attackers could remotely hijack popular Fritzbox models such as the 7490. AVM has already closed the hole in the routers with firmware version 6.83, though without knowing it.
---------------------------------------------
https://heise.de/-3687437
*** Hunting for Malicious Excel Sheets, (Wed, Apr 19th) ***
---------------------------------------------
Recently, I found a malicious Excel sheet which contained a VBA macro. One particularity of this file was that useful information was stored in cells. The VBA macro read and used them to download the malicious PE file. The Excel file looked classic, asking the user to enable macros: But below, around the 1000th row, some cells were hidden: Once expanded, they revealed interesting values: The macro code used the content of those cells: [...]
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=22322&rss
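The hunting pattern the diary describes (payload strings parked in hidden rows far down the sheet, read back by the macro), as an added example that is not the diary's own tooling: a scanner for hidden rows and columns that still carry values in an OOXML worksheet. It assumes an .xlsx/.xlsm container (the diary's sample may well have been a legacy .xls, which needs a different parser); the worksheet XML, the URL and the paths in it are constructed for the demonstration.

```python
"""List values stored in hidden rows/columns of an OOXML (xlsx/xlsm) worksheet.

Added example; the worksheet XML and its strings are constructed.
"""
import xml.etree.ElementTree as ET
import zipfile

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}

# Constructed sheet: a visible row 1, a hidden row 1000 and a hidden column Z.
SAMPLE_SHEET_XML = """<?xml version="1.0" encoding="UTF-8"?>
<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">
  <cols><col min="26" max="26" width="0" hidden="1"/></cols>
  <sheetData>
    <row r="1"><c r="A1" t="inlineStr"><is><t>Invoice 6083</t></is></c></row>
    <row r="1000" hidden="1">
      <c r="A1000" t="inlineStr"><is><t>http://malicious.example/payload.exe</t></is></c>
      <c r="B1000" t="inlineStr"><is><t>C:\\Users\\Public\\update.exe</t></is></c>
    </row>
    <row r="1001"><c r="Z1001" t="inlineStr"><is><t>cmd /c start update.exe</t></is></c></row>
  </sheetData>
</worksheet>
"""


def col_index(ref):
    """Column number of a cell reference: A1 -> 1, Z1001 -> 26, AA7 -> 27."""
    n = 0
    for ch in ref:
        if not ch.isalpha():
            break
        n = n * 26 + (ord(ch.upper()) - ord("A") + 1)
    return n


def cell_text(c):
    """Text of an inline-string or plain-value cell (shared strings not resolved)."""
    t = c.find("m:is/m:t", NS)
    if t is not None:
        return t.text or ""
    v = c.find("m:v", NS)
    return (v.text or "") if v is not None else ""


def hidden_cells(sheet_xml):
    """Return (cell_ref, text) for non-empty cells in hidden rows or hidden columns."""
    root = ET.fromstring(sheet_xml)
    hidden_cols = set()
    for col in root.findall("m:cols/m:col", NS):
        # Excel hides a column either with hidden="1" or by zero width.
        if col.get("hidden") == "1" or col.get("width") == "0":
            hidden_cols.update(range(int(col.get("min")), int(col.get("max")) + 1))
    found = []
    for row in root.findall("m:sheetData/m:row", NS):
        row_hidden = row.get("hidden") == "1"
        for c in row.findall("m:c", NS):
            ref = c.get("r", "")
            if row_hidden or col_index(ref) in hidden_cols:
                text = cell_text(c)
                if text:
                    found.append((ref, text))
    return found


def hidden_cells_in_workbook(path):
    """Scan every worksheet of an xlsx/xlsm file on disk."""
    results = {}
    with zipfile.ZipFile(path) as z:
        for name in z.namelist():
            if name.startswith("xl/worksheets/") and name.endswith(".xml"):
                results[name] = hidden_cells(z.read(name))
    return results


if __name__ == "__main__":
    for ref, text in hidden_cells(SAMPLE_SHEET_XML):
        print(f"{ref}: {text}")
```

Strings in `t="s"` cells live in xl/sharedStrings.xml and are not resolved here; a full scan also has to look at very small fonts, white-on-white text and hidden sheets, since the macro can read all of them equally well.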
*** Owncloud/Nextcloud: passwords in the bug tracker ***
---------------------------------------------
Anyone wanting to file a bug report with Owncloud or Nextcloud is asked for the contents of their configuration file. Many users complied, and in doing so publicly disclosed their passwords.
---------------------------------------------
https://www.golem.de/news/owncloud-nextcloud-passwoerter-im-bugtracker-1704…
*** A Remote Attack on the Bosch Drivelog Connector Dongle ***
---------------------------------------------
In this blog post, I discuss the vulnerabilities of the Bosch Drivelog Connector OBD-II dongle found by the Argus Research Team. The vulnerabilities allowed us to stop the engine of a moving vehicle using the Drivelog platform.
---------------------------------------------
https://argus-sec.com/remote-attack-bosch-drivelog-connector-dongle/
*** Internet routing weakness could cost Bitcoin users ***
---------------------------------------------
A flaw in the underlying design of the Internet could be very expensive for Bitcoin users, researchers find.
---------------------------------------------
https://nakedsecurity.sophos.com/2017/04/18/internet-routing-weakness-could…
*** Meet PINLogger, the drive-by exploit that steals smartphone PINs ***
---------------------------------------------
Sensors in phones running both iOS and Android reveal all kinds of sensitive info.
---------------------------------------------
https://arstechnica.com/security/2017/04/meet-pinlogger-the-drive-by-exploi…
*** BrickerBot Permanent Denial-of-Service Attack (Update A) ***
---------------------------------------------
This updated alert is a follow-up to the original alert titled ICS-ALERT-17-102-01A BrickerBot Permanent Denial-of-Service Attack that was published April 12, 2017, on the NCCIC/ICS-CERT web site. ICS-CERT is aware of open-source reports of "BrickerBot" attacks, which exploit hard-coded passwords in IoT devices in order to cause a permanent denial of service (PDoS). This family of botnets, which consists of BrickerBot.1 and BrickerBot.2, was described in a Radware Attack Report.
---------------------------------------------
https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-102-01A
*** Cryptographic security risks are amplified in DevOps settings ***
---------------------------------------------
Cryptographic security risks are amplified in DevOps settings, where compromises in development or test environments can spread to production systems and applications, according to a study conducted by Dimensional Research. According to the study, many organizations fail to enforce vital cryptographic security measures in their DevOps environments. These problems are especially acute among organizations that are in the midst of adopting DevOps practices, but even organizations that say their [...]
---------------------------------------------
https://www.helpnetsecurity.com/2017/04/19/devops-settings/
*** What is File Integrity Monitoring and Why You Need It ***
---------------------------------------------
The news is rife with stories of successful attacks against servers, point-of-sale (POS) systems, IoT devices and more where an attacker has gained access to an organization's IT assets and changed or inserted new files and data to do something malicious. Just a search on malware highlights a seemingly-endless list of variants including the recent exposure of NSA-backed malware that exploits Windows systems, the re-emergence of Dridex (designed to capture banking credentials), new malware [...]
---------------------------------------------
https://www.alienvault.com/blogs/security-essentials/what-is-file-integrity…
*** HPESBGN03734 rev.1 - HPE Vertica Analytics Platform, Remote Gain Privileged Access ***
---------------------------------------------
A potential security vulnerability has been identified in HPE Vertica Analytics Platform. This vulnerability could be remotely exploited to gain privileged access.
---------------------------------------------
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbgn037…
*** VMSA-2017-0008 ***
---------------------------------------------
VMware Unified Access Gateway, Horizon View and Workstation updates resolve multiple security vulnerabilities
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2017-0008.html
*** Oracle Critical Patch Update - April 2017 ***
---------------------------------------------
http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html
*** Solaris Third Party Bulletin - April 2017 ***
---------------------------------------------
http://www.oracle.com/technetwork/topics/security/bulletinapr2017-3680911.h…
*** Oracle Linux Bulletin - April 2017 ***
---------------------------------------------
http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2017-3664…
*** Oracle VM Server for x86 Bulletin - April 2017 ***
---------------------------------------------
http://www.oracle.com/technetwork/topics/security/ovmbulletinapr2017-366462…
*** Huawei Security Advisories ***
---------------------------------------------
*** Security Advisory - Insufficient Input Validation Vulnerability in Some Huawei Products ***
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170419-…
---------------------------------------------
*** Security Advisory - OpenSSL Montgomery multiplication may produce incorrect results Vulnerability ***
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170419-…
---------------------------------------------
*** Security Advisory - DoS Vulnerability in Some Huawei Products ***
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170419-…
---------------------------------------------
*** Security Advisory - Input Validation Vulnerability in Multiple Huawei Products ***
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170419-…
---------------------------------------------
*** Security Advisory - Plaintext Storage of Users' Safe Passwords in the Files APP in Huawei Mobile Phones ***
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170419-…
---------------------------------------------
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in zlib affect IBM SDK for Node.js (CVE-2016-9840 CVE-2016-9841 CVE-2016-9842 CVE-2016-9843) ***
http://www.ibm.com/support/docview.wss?uid=swg22001567
---------------------------------------------
*** IBM Security Bulletin: Privilege escalation vulnerability affects IBM Security Guardium (CVE-2017-1122) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21997868
---------------------------------------------
*** IBM Security Bulletin: Fix available for Sensitive Data Exposure Vulnerability in IBM Cúram Social Program Management (CVE-2016-9978) ***
http://www-01.ibm.com/support/docview.wss?uid=swg22001782
---------------------------------------------
*** IBM Security Bulletin: Fix available for DOM based Cross Site Scripting (XSS) Vulnerability in IBM Cúram Social Program Management (CVE-2016-9979) ***
http://www-01.ibm.com/support/docview.wss?uid=swg22001780
---------------------------------------------
*** IBM Security Bulletin: Fix available for Reflected Cross Site Scripting (XSS) Vulnerability in IBM Cúram Social Program Management (CVE-2016-9980) ***
http://www-01.ibm.com/support/docview.wss?uid=swg22001779
---------------------------------------------
*** IBM Security Bulletin: Fix available for a Privilege Escalation Vulnerability in IBM Cúram Social Program Management (CVE-2016-8923) ***
http://www-01.ibm.com/support/docview.wss?uid=swg22001774
---------------------------------------------
*** IBM Security Bulletin: Access Manager Client in IBM DataPower Gateways is vulnerable to a denial of service attack. ***
http://www.ibm.com/support/docview.wss?uid=swg22001789
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect the IBM FlashSystem models 840 and 900 ***
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010111
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect the IBM FlashSystem model V840 ***
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010112
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 14-04-2017 18:00 − Dienstag 18-04-2017 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Protecting customers and evaluating risk ***
---------------------------------------------
Today, Microsoft triaged a large release of exploits made publicly available by Shadow Brokers. Understandably, customers have expressed concerns around the risk this disclosure potentially creates. Our engineers have investigated the disclosed exploits, and most of the exploits are already patched. Below is our update on the investigation. When a potential vulnerability is reported to...
---------------------------------------------
https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-an…
*** Effective immediately, no more updates for Windows 7 and 8.1 users with new hardware ***
---------------------------------------------
The only option left to users is thus the upgrade to Windows 10
---------------------------------------------
http://derstandard.at/2000056017223
*** Mysterious Microsoft patch killed 0-days released by NSA-leaking Shadow Brokers ***
---------------------------------------------
Microsoft fixed critical vulnerabilities in uncredited update released in March.
---------------------------------------------
https://arstechnica.com/security/2017/04/purported-shadow-brokers-0days-wer…
*** Warning - fraud attempts ***
---------------------------------------------
We point out that e-mails are circulating which are sent from forged OeNB sender addresses. [...] The e-mails sent contain malware [...]
---------------------------------------------
https://www.oenb.at/Ueber-Uns/Rechtliche-Grundlagen/warnung-betrugsversuche…
*** Email Tracking Pixels Used for Pre-Hack Info Gathering ***
---------------------------------------------
A simple email marketing trick is also abused by cyber-criminals, who are employing a technique known as "pixel tracking" to gather information on possible targets or to improve the efficiency of phishing attacks. [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/security/email-tracking-pixels-used-f…
*** FIRST releases twenty years of conference materials ***
---------------------------------------------
The leading association of incident response and security teams publishes its repository of twenty years of incident response learnings.
---------------------------------------------
https://www.first.org/newsroom/releases/20170418
*** Edge Plagued by Various Security Flaws, Not as Secure as Microsoft Boasts ***
---------------------------------------------
Microsoft never shied away from claiming that Edge is a much more secure browser than Chrome. Even some third-party tests have sustained its claims. Nonetheless, there are currently three different issues affecting Edge, which Microsoft might not like you knowing about. [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/security/edge-plagued-by-various-secu…
*** Maintenance work Thursday, 20 April 2017 ***
---------------------------------------------
On Thursday, 20 April 2017, from about 19:00, we will be carrying out maintenance work on our infrastructure. This will lead to short outages of the externally reachable services (e.g. mail, web server, mailing lists),...
---------------------------------------------
http://www.cert.at/services/blog/20170418151642-1969.html
*** VU#676632: IBM Lotus Domino server IMAP EXAMINE command stack buffer overflow ***
---------------------------------------------
Vulnerability Note VU#676632: IBM Lotus Domino server IMAP EXAMINE command stack buffer overflow. Original Release date: 17 Apr 2017 | Last revised: 17 Apr 2017. Overview: IBM Lotus Domino server, versions [...], IMAP service contains a stack-based buffer overflow vulnerability in the EXAMINE command. This can allow a remote, authenticated attacker to execute arbitrary code with the privileges of the Domino server. Description: IBM Lotus Domino includes an IMAP server. This server contains a stack buffer...
---------------------------------------------
http://www.kb.cert.org/vuls/id/676632
*** NETGEAR ProSAFE Plus Configuration Utility vulnerable to improper access control ***
---------------------------------------------
ProSAFE Plus Configuration Utility is vulnerable to improper access control.
---------------------------------------------
http://jvn.jp/en/jp/JVN08740778/
*** Security Notice - Statement on Command Injection Vulnerability in Huawei HG532n Product ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-notices/2017/huawei-sn-20170418-01-…
*** 2017-04 Security Bulletin: Multiple Vulnerabilities in NorthStar Controller Application before version 2.1.0 Service Pack 1. ***
---------------------------------------------
Multiple vulnerabilities have been resolved in the NorthStar Controller Application starting from version 2.1.0 Service Pack 1 and all subsequent releases.
---------------------------------------------
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10783&cat=SIRT_1…
*** cURL and libcurl vulnerabilities in F5 products ***
---------------------------------------------
https://support.f5.com/csp/article/K84940705
https://support.f5.com/csp/article/K85235351
https://support.f5.com/csp/article/K17742627
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in IBM Java Runtime affects IBM Tealeaf Customer Experience (CVE-2016-5597) ***
http://www-01.ibm.com/support/docview.wss?uid=swg22000439
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect Power Hardware Management Console (CVE-2016-8610 and CVE-2017-3731 ) ***
http://www.ibm.com/support/docview.wss?uid=nas8N1021869
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Systems Director Platform Agent (CVE-2017-3731, CVE-2017-3732) ***
http://www-01.ibm.com/support/docview.wss?uid=isg3T1025103
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect ITCAM for SOA (CVE-2016-5597, CVE-2016-5546, CVE-2016-5548, CVE-2016-5549, CVE-2016-5547, CVE-2016-2183) ***
http://www-01.ibm.com/support/docview.wss?uid=swg22000386
---------------------------------------------
*** IBM Security Bulletin: IBM Connections Docs is Vulnerable to a Denial of Service (CVE-2016-4483) ***
http://www-01.ibm.com/support/docview.wss?uid=swg22001680
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in Apache Struts affects the IBM FlashSystem models 840 and 900 ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1010105
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in Apache Struts affects the IBM FlashSystem model V840 ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1010106
---------------------------------------------
*** IBM Security Bulletin: Multiple security issues in IBM Tealeaf Customer Experience on Cloud Network Capture Add-On ***
http://www-01.ibm.com/support/docview.wss?uid=swg22000445
---------------------------------------------
*** IBM Security Bulletin: Multiple ZLIB vulnerabilities affect IBM Mobile Connect ***
http://www.ibm.com/support/docview.wss?uid=swg22000094
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in the Firefox component of the Synthetic Playback agent affects IBM Performance Management products. ***
http://www-01.ibm.com/support/docview.wss?uid=swg22000816
---------------------------------------------
*** IBM Security Bulletin: IBM Tivoli Monitoring Basic Services component. (CVE-2016-2183) ***
http://www.ibm.com/support/docview.wss?uid=swg22001712
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSH affect the IBM FlashSystem models 840 and 900 ***
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010012
---------------------------------------------
*** IBM Security Bulletin: Multiple Vulnerabilities in OpenSSL affect IBM Campaign, IBM Contact Optimization ***
http://www.ibm.com/support/docview.wss?uid=swg21992598
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 13-04-2017 18:00 − Freitag 14-04-2017 18:02
Handler: Alexander Riepl
Co-Handler: Stephan Richter
*** Zero-day exploit: Magento online shops are at risk again ***
---------------------------------------------
Anyone using a Magento-based online shop solution should urgently check their settings. A security hole allows the installation to be compromised and puts customers at risk. The vendor is apparently working on a patch but is not communicating this properly.
---------------------------------------------
https://www.golem.de/news/zero-day-exploit-magento-onlineshops-sind-wieder-…
*** Exploit Kit Activity Quiets, But Is Far From Silent ***
---------------------------------------------
Here are the exploit kits to watch for over the next three to six months.
---------------------------------------------
http://threatpost.com/exploit-kit-activity-quiets-but-is-far-from-silent/12…
*** Shadow Brokers Release New Batch of Files Containing Windows and SWIFT Exploits ***
---------------------------------------------
On Good Friday and ahead of the Easter holiday, the Shadow Brokers have dumped a new collection of files, containing what appears to be exploits and hacking tools targeting Microsoft's Windows OS and the SWIFT banking system. [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/security/shadow-brokers-release-new-b…
*** BSI defines minimum standard for secure web browsers ***
---------------------------------------------
The German Federal Office for Information Security (BSI) has published minimum requirements for secure web browsers. In a table, the agency compares four current browsers - according to it, one showed a serious limitation.
---------------------------------------------
https://heise.de/-3686044
*** Phishing with Unicode Domains ***
---------------------------------------------
If I told you this could be a phishing site, would you believe me? tl;dr: check out the proof-of-concept
---------------------------------------------
https://www.xudongz.com/blog/2017/idn-phishing/
*** Critical Patch Update - April 2017 - Pre-Release Announcement ***
---------------------------------------------
Critical Patch Update - April 2017 - Pre-Release Announcement
---------------------------------------------
http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html
*** 2017-04 Security Bulletin: EX Series: Crafted IPv6 NDP packet causing a slow memory leak on EX Series Switches (CVE-2017-2315) ***
---------------------------------------------
A vulnerability in IPv6 processing has been discovered that may allow a specially crafted IPv6 Neighbor Discovery (ND) packet destined to an EX Series Ethernet switch to cause a slow memory leak. A malicious network-based packet flood of these crafted IPv6 NDP packets may eventually lead to resource exhaustion and a denial of service.
---------------------------------------------
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10781
*** Heap Overflow Vulnerability in Citrix NetScaler Gateway Could Result in Arbitrary Code Execution ***
---------------------------------------------
A heap overflow vulnerability has been identified in Citrix NetScaler Gateway that could allow a remote, authenticated user to execute arbitrary commands on the NetScaler Gateway appliance as a root user.
---------------------------------------------
https://support.citrix.com/article/CTX222657
*** cURL and libcurl vulnerability CVE-2016-8622 ***
---------------------------------------------
cURL and libcurl vulnerability CVE-2016-8622. Security Advisory Description: ** RESERVED ** This candidate ...
---------------------------------------------
https://support.f5.com/csp/article/K23391972
*** VMSA-2017-0007 ***
---------------------------------------------
VMware vCenter Server updates resolve a remote code execution vulnerability via BlazeDS
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2017-0007.html
*** Wecon Technologies LEVI Studio HMI Editor ***
---------------------------------------------
This advisory contains mitigation details for heap-based buffer overflow and stack-based buffer overflow vulnerabilities in the Wecon Technologies LEVI Studio HMI Editor.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-17-103-01
*** Schneider Electric Modicon M221 PLCs and SoMachine Basic ***
---------------------------------------------
This advisory contains mitigation details for use of hard-coded cryptographic key and protection mechanism failure vulnerabilities in Schneider Electric's Modicon M221 PLCs and SoMachine Basic.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-17-103-02
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Financial Transaction Manager for ACH Services, Check Services and Corporate Payment Services potential Cross Site Scripting vulnerabilities (CVE-2017-1160) ***
http://www.ibm.com/support/docview.wss?uid=swg22001574
---------------------------------------------
*** IBM Security Bulletin: IBM API Connect Developer Portal is vulnerable to unauthenticated remote code execution (CVE-2017-1161) ***
http://www.ibm.com/support/docview.wss?uid=swg22000316
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Financial Transaction Manager for ACH Services, Check Services and Corporate Payment Services ***
http://www.ibm.com/support/docview.wss?uid=swg22001536
---------------------------------------------
*** IBM Security Bulletin: IBM Flex System Manager (FSM) is affected by tar vulnerabilities (CVE-2010-0624 CVE-2016-6321) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1025085
---------------------------------------------
*** IBM Security Bulletin: Rational Test Control Panel in Rational Test Workbench and Rational Test Virtualization Server affected by Apache Tomcat vulnerability (CVE-2016-6816) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21998864
---------------------------------------------
*** IBM Security Bulletin: Multiple Security Vulnerabilities exist in IBM Cognos Insight ***
http://www.ibm.com/support/docview.wss?uid=swg21999652
---------------------------------------------
*** IBM Security Bulletin: Multiple Security Vulnerabilities exist in IBM Cognos TM1 ***
http://www.ibm.com/support/docview.wss?uid=swg21999649
---------------------------------------------
*** IBM Security Bulletin: Unvalidated redirection URL vulnerability in IBM Marketing Platform (CVE-2016-0228) ***
http://www-01.ibm.com/support/docview.wss?uid=swg22001952
---------------------------------------------
Next End-of-Shift report: 2017-04-18
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 12-04-2017 18:00 − Donnerstag 13-04-2017 18:02
Handler: Alexander Riepl
Co-Handler: n/a
*** BrickerBot Permanent Denial-of-Service Attack ***
---------------------------------------------
NCCIC/ICS-CERT is aware of open-source reports of “BrickerBot” attacks, which exploit hard-coded passwords in IoT devices in order to cause a permanent denial of ..
---------------------------------------------
https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-102-01
*** India to world+dog: Go ahead, please hack our elections ... if you can ***
---------------------------------------------
Don't worry. We already did it, comrades. Following demands for an investigation into the security of India's electronic voting machines, the country's ..
---------------------------------------------
www.theregister.co.uk/2017/04/12/india_electronic_election_hacking/
*** Background: forensic tools stumble over new Windows compression ***
---------------------------------------------
With the help of a still largely unknown file compression called 'Compact OS', malware and other evidence could evade a forensic examination of a PC. We tested six standard forensic tools.
---------------------------------------------
https://heise.de/-3676075
*** WordPress plugin "WP Statistics" vulnerable to cross-site scripting ***
---------------------------------------------
http://jvn.jp/en/jp/JVN62392065/
*** SAP closes critical hole in the TREX search engine ***
---------------------------------------------
TREX is built into more than a dozen SAP products and for almost two years allowed code to be injected and executed. The vendor closes this and 14 other holes as part of the April patch day.
---------------------------------------------
https://heise.de/-3685632
*** Akamai reports UDP DDOS Using C-LDAP reaching 24Gbps, (Thu, Apr 13th) ***
---------------------------------------------
Akamai researchers Jose Arteaga and Wilber Mejia have posted details on a new reflected DDOS approach, using the Connectionless LDAP protocol (on udp/389). Reflected UDP attacks aren't new, but using CLDAP seems to be. Which made me wonder who are the folks that decided that their AD (or other LDAP directory) ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=22300
*** Samsung: no security holes in smart TVs ***
---------------------------------------------
The electronics group wants to put the security of its operating system Tizen, which has come under criticism, in the right light and announces that neither smart TVs nor smartwatches ..
---------------------------------------------
https://heise.de/-3685732
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 11-04-2017 18:00 − Mittwoch 12-04-2017 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Fake News at Work in Spam Kingpin’s Arrest? ***
---------------------------------------------
Over the past several days, many Western news media outlets have predictably devoured thinly-sourced reporting from a Russian publication that the arrest last week of a Russian spam kingpin in Spain was related to hacking attacks linked to last year’s U.S. election. While there ..
---------------------------------------------
https://krebsonsecurity.com/2017/04/fake-news-at-work-in-spam-kingpins-arre…
*** Schneider Electric Modicon Modbus Protocol ***
---------------------------------------------
This advisory contains mitigation details for authentication bypass by capture-replay and violation of secure design principles vulnerabilities in Schneider Electric’s Modicon Modbus protocol.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-17-101-01
*** Over The Air: Exploiting Broadcom’s Wi-Fi Stack (Part 2) ***
---------------------------------------------
Posted by Gal Beniamini, Project Zero. In this blog post we'll continue our journey into gaining remote kernel code execution, by means of Wi-Fi communication alone. Having previously developed a remote code execution exploit ..
---------------------------------------------
http://googleprojectzero.blogspot.com/2017/04/over-air-exploiting-broadcoms…
*** CVE-2017-0199: In the Wild Attacks Leveraging HTA Handler ***
---------------------------------------------
FireEye recently detected malicious Microsoft Office RTF documents that leverage CVE-2017-0199, a previously undisclosed vulnerability. This vulnerability ..
---------------------------------------------
http://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handl…
*** Patch day: Adobe plugs critical holes in Acrobat, Reader, Flash and Photoshop ***
---------------------------------------------
Critical holes in Flash as well as in Adobe Acrobat and Reader need immediate attention. On unpatched systems, attackers can execute malicious code remotely. This time Photoshop is also part of the patch day with security holes.
---------------------------------------------
https://heise.de/-3682970
*** Malicious Image Defacement Hidden from Search Engines ***
---------------------------------------------
After carefully designing a theme and images that represent your brand, nothing is worse than seeing a malicious image suddenly associated with your business or website. In a recent blog post, we discussed a case in which a ..
---------------------------------------------
https://blog.sucuri.net/2017/04/malicious-image-defacement-hidden-from-sear…
*** JSA10753 - 2016-07 Security Bulletin: SRX Series: Upgrades using partition option may allow unauthenticated root login (CVE-2016-1278) ***
---------------------------------------------
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10753
*** Sundown EK gone missing, Terror EK flavours seen in active drive-by campaigns ***
---------------------------------------------
With another player out at the moment, we take a look at a rebranded exploit kit in current malware ..
---------------------------------------------
https://blog.malwarebytes.com/threat-analysis/2017/04/sundown-ek-gone-missi…
*** IT security: how I found my password in a stack trace ***
---------------------------------------------
Our author accidentally published the MySQL password of his website. Here he writes how it came about. He reports why mistakes happen even when ..
---------------------------------------------
https://www.golem.de/news/it-sicherheit-wie-ich-mein-passwort-im-stack-trac…
*** Patch day: Microsoft secures Office against active attacks ***
---------------------------------------------
In April, Microsoft distributes twelve security updates and plugs several vulnerabilities rated as critical. Attackers are currently specifically targeting an Office hole.
---------------------------------------------
https://heise.de/-3683358
*** Investigation Finds Inmates Built Computers, Hid Them In Prison Ceiling ***
---------------------------------------------
An anonymous reader quotes a report from WRGB: The discovery of two working computers hidden in a ceiling at the Marion Correctional Institution prompted an investigation by the state into how inmates got access. In late ..
---------------------------------------------
https://hardware.slashdot.org/story/17/04/12/0328239/investigation-finds-in…
*** Kelihos.E ***
---------------------------------------------
Kelihos.E Botnet – Law Enforcement Takedown. On Monday, April 10th 2017, the US Department of Justice (DOJ) announced a successful operation to take down the Kelihos Botnet and arrest the suspected botnet operator. The ..
---------------------------------------------
http://blog.shadowserver.org/2017/04/12/kelihos-e/
*** New NAS Vulnerabilities are as Bad as they Get ***
---------------------------------------------
If you have a QNAP network attached storage (NAS) device, you’d better make sure the firmware is updated. Earlier this year, F-Secure Senior Security ..
---------------------------------------------
https://safeandsavvy.f-secure.com/2017/04/12/new-nas-vulnerabilities-are-pr…