=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 07-06-2016 18:00 − Mittwoch 08-06-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Microsoft Bounty Program expansion - .NET Core and ASP.NET RC2 Beta Bounty ***
---------------------------------------------
Today I have another exciting expansion of the Microsoft Bounty Program. Please visit https://aka.ms/BugBounty to find out more. As we approach release for .NET Core and ASP.NET, we would like to get even more feedback from the security research community. We are offering a bounty on the .NET Core and ASP.NET Core RC2 Beta Build which...
---------------------------------------------
https://blogs.technet.microsoft.com/msrc/2016/06/07/microsoft-bounty-progra…
*** SWIFT May Ban Banks Without Strong Cybersecurity (June 3, 2016) ***
---------------------------------------------
The head of SWIFT says that banks without adequate cybersecurity measures in place could find themselves suspended from using the SWIFT financial transfer communication network...
---------------------------------------------
http://www.sans.org/newsletters/newsbites/r/18/45/202
*** Ransomware Leaves Server Credentials in its Code ***
---------------------------------------------
While SNSLocker isn't a stand-out crypto-ransomware in terms of routine or interface, its coarse and bland facade hid quite a surprise. After looking closer at its code, we discovered that this Ransomware contains the credentials for the access of its own server. We also found out that they used readily-available servers and payment systems. This...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/gADipA92iAA/
*** Phishers Abuse Hosting Temporary URLs ***
---------------------------------------------
Recently we told you how hackers use alternative domain names provided by web hosts to make their URLs look less suspicious. This time we'll show a similar trick used by phishers. Phishing web pages get blacklisted very fast. That's why hackers need to purchase many domains or compromise many websites so that they can point...
---------------------------------------------
https://blog.sucuri.net/2016/06/phishers-abuse-hosting-temporary-urls.html
*** Neutrino EK and CryptXXX, (Wed, Jun 8th) ***
---------------------------------------------
Introduction By Monday 2016-06-06, the pseudo-Darkleech campaign began using Neutrino exploit kit (EK) to send CryptXXX ransomware [1]. Until then, Id only seen Angler EK distribute CryptXXX. However, this is not the first time weve seen campaigns associated with ransomware switch between Angler EK and Neutrino EK [2, 3, 4, 5]. It was documented as early as August 2015 [2]. This can be confusing, especially if youre expecting Angler EK. Campaigns can (and occasionally do) switch EKs. For an...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21141&rss
*** Millions of must be firewalled services are open to the entire internet - research ***
---------------------------------------------
15m telnet nodes, 4.5m printers TCP port 445... Millions of services that ought to be restricted are exposed on the open internet, creating a huge risk of hacker attack against databases and more.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/06/08/services_be…
*** How to Prevent Ransomware in Industrial Control Systems ***
---------------------------------------------
Del Rodillas, our solution lead for SCADA & Industrial Control Systems, recently appeared in Electric Light & Power to discuss ransomware as an emerging threat for Operational Technology environments. With ransomware on everyone's mind these...
---------------------------------------------
http://researchcenter.paloaltonetworks.com/2016/06/how-to-prevent-ransomwar…
*** Linkedln-Nutzer erhalten unechte Geschäftsrechnung ***
---------------------------------------------
Kriminelle versenden gezielt vermeintlich offene Unternehmensrechnungen an Nutzer/innen des Sozialen Netzwerks Linkedln. Darin führen sie die auf der Plattform veröffentlichten und richtigen Informationen, wie den Namen, die Berufsposition und das Unternehmen, an. Empfänger/innen sollen den beigefügten Dateianhang öffnen. Er verbirgt Schadsoftware.
---------------------------------------------
https://www.watchlist-internet.at/gefaelschte-rechnungen/linkedln-nutzer-er…
*** Google To Deprecate SSLv3, RC4 in Gmail IMAP/POP Clients ***
---------------------------------------------
Google will next week begin a gradual deprecation of unsafe crypto protocol SSLv3 and cipher RC4 in Gmail IMAP/POP clients.
---------------------------------------------
http://threatpost.com/google-to-deprecate-sslv3-rc4-in-gmail-imappop-client…
*** ENISA zeigt Möglichkeiten der forensischen Analyse bei Cloud-Vorfällen ***
---------------------------------------------
Als Hilfestellung - nicht nur - für Anbieter von Cloud-Diensten hat die europäische Sicherheitsbehörde ENISA ein Papier zum technischen Stand der Analyse von Sicherheitsvorfällen in der Cloud veröffentlicht.
---------------------------------------------
http://heise.de/-3231521
*** But have I really been pwned? Vetting your data ***
---------------------------------------------
The news has been full of leaked passwords for some popular services recently. But these numbers of hacked accounts can be exaggerated for effect, and sometimes blatantly wrong.Categories: Criminals Threat analysis(Read more...)
---------------------------------------------
https://blog.malwarebytes.org/threat-analysis/2016/06/but-have-i-really-bee…
*** Cisco IOS XR Software LPTS Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** DSA-3597 expat - security update ***
---------------------------------------------
Two related issues have been discovered in Expat, a C library for parsingXML.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3597
*** Symantec Embedded Security: Critical System Protection and Symantec Data Center Security: Server Advanced, Multiple Security Issues ***
---------------------------------------------
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se…
*** DFN-CERT-2016-0918: GnuTLS: Eine Schwachstelle ermöglicht die Manipulation beliebiger Dateien ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0918/
*** Trihedral VTScada Vulnerabilities ***
---------------------------------------------
This advisory contains mitigation details for several vulnerabilities in Trihedral Engineering Ltd.'s Trihedral VTScada.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-159-01
*** KMC Controls Conquest BACnet Router Vulnerabilities ***
---------------------------------------------
This advisory was originally posted to the US-CERT secure Portal library on May 5, 2016, and is being released to the NCCIC/ICS-CERT web site. This advisory contains mitigation details for authentication and cross-site request forgery vulnerabilities in KMC Controls Conquest BACnet routers through its web interface.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-126-01
*** Security Advisory - Several Vulnerabilities in Huawei Honor Routers ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160607-…
*** Security Advisory - Memory Leak Vulnerability in Some Huawei Products ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160608-…
*** Security Advisory: SQLite vulnerabilities CVE-2015-3414 and CVE-2015-3415 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/37/sol37236006.html?…
*** Security Advisory: SQLite vulnerability CVE-2015-3416 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/16000/900/sol16950.htm…
*** Bugtraq: [security bulletin] HPSBGN03623 rev.1 - HPE Universal CMDB, Remote Disclosure of Sensitive Information ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538623
*** Bugtraq: [security bulletin] HPSBGN03622 rev.1 - HPE UCMDB, Universal Discovery, and UCMDB Configuration Manager using Apache Commons Collection, Remote Code Executon ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538622
*** Bugtraq: [security bulletin] HPSBGN03621 rev.1 - HPE Universal CMDB using OpenSSL, Remote Disclosure of Sensitive Information ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538621
*** IBM Security Bulletin: A vulnerability in the instance runAsUser function was found in IBM InfoSphere Streams (CVE-2016-2867) ***
---------------------------------------------
There is a potential vulnerability in IBM InfoSphere Streams when the instance runAsUser property is set. IBM InfoSphere Streams has addressed this vulnerability. CVE(s): CVE-2016-2867 Affected product(s) and affected version(s): IBM InfoSphere Streams Version 4.0.1.1 and earlier IBM Streams Version 4.1.1.0 and earlier Refer to the following reference URLs for remediation and additional vulnerability details:Source
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21983444
*** IBM Security Bulletin:Multiple security vulnerabilities in Open Source Apache Tomcat affect IBM Cognos Business Viewpoint (CVE-2016-0714 , CVE-2015-5174) ***
---------------------------------------------
There are multiple vulnerabilities in Open Source Apace Tomcat that is used by IBM Cognos Business Viewpoint. These were disclosed in the 02/22/2016 X-Force Reports. IBM Cognos Business Viewpoint has addressed the applicable CVEs. CVE(s): CVE-2016-0714, CVE-2015-5174 Affected product(s) and affected version(s): IBM Cognos Business Viewpoint 10.1 FP1 IBM Cognos Business Viewpoint 10.1.1 FP2 Refer...
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21984197
*** IBM Security Bulletin:InstallAnywhere generates installation executables which are vulnerable to an DLL-planting vulnerability (CVE-2016-4560) ***
---------------------------------------------
InstallAnywhere generates installation executables which are vulnerable to an DLL-planting vulnerability affect IBM Security AppScan Source CVE(s): CVE-2016-4560 Affected product(s) and affected version(s): IBM Security AppScan Source 8.7, 8.8, 9.0, 9.0.1, 9.0.2, 9.0.3 Refer to the following reference URLs for remediation and additional vulnerability details:Source Bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21983037X-Force Database:...
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21983037
*** IBM Security Bulletin: Vulnerabilities in IBM Domino Keyview PDF Filters (CVE-2016-0277, CVE-2016-0278, CVE-2016-0279, CVE-2016-0277) ***
---------------------------------------------
IBM Domino has four vulnerabilities in Keyview PDF filters. CVE(s): CVE-2016-0277, CVE-2016-0278, CVE-2016-0279, CVE-2016-0301 Affected product(s) and affected version(s): IBM Domino 9.0.1 FP5 and earlier releases. IBM Domino 9.0 IF4 and earlier releases. IBM Domino 8.5.3 FP6 IF12 and earlier releases. IBM Domino 8.5.2 FP4 IF3 and earlier releases. IBM Domino 8.5.1 FP5 IF3 and...
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21983292
*** IBM Security Bulletin: Vulnerability in libxml2 affects IBM InfoSphere Streams. (CVE-2016-2073) ***
---------------------------------------------
There is a vulnerability in libxml2 that is used by IBM InfoSphere Streams. IBM InfoSphere Streams has addressed this vulnerability. CVE(s): CVE-2016-2073 Affected product(s) and affected version(s): IBM InfoSphere Streams Version 1.2.1.0 IBM InfoSphere Streams Version 2.0.0.4 and earlier IBM InfoSphere Streams Version 3.0.0.5 and earlier IBM InfoSphere Streams Version 3.1.0.7 and earlier IBM InfoSphere...
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21983372
*** IBM Security Bulletin: Vulnerability in libxml2 affects IBM InfoSphere Streams. (CVE-2015-8710) ***
---------------------------------------------
There is a vulnerability in libxml2 that is used by IBM InfoSphere Streams. IBM InfoSphere Streams has addressed this vulnerability. CVE(s): CVE-2015-8710 Affected product(s) and affected version(s): IBM InfoSphere Streams Version 1.2.1.0 IBM InfoSphere Streams Version 2.0.0.4 and earlier IBM InfoSphere Streams Version 3.0.0.5 and earlier IBM InfoSphere Streams Version 3.1.0.7 and earlier IBM InfoSphere...
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21983371
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Sterling Connect:Direct for UNIX (CVE-2016-2108, CVE-2016-2107). ***
---------------------------------------------
OpenSSL vulnerabilities were disclosed on May 3, 2016 by the OpenSSL Project. OpenSSL is used by IBM Sterling Connect:Direct for UNIX. IBM Sterling Connect:Direct for UNIX has addressed the applicable CVEs. CVE(s): CVE-2016-2108, CVE-2016-2107 Affected product(s) and affected version(s): IBM Sterling Connect:Direct for Unix 4.1.0 IBM Sterling Connect:Direct for Unix 4.0.0 Refer to the following...
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21983909
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 06-06-2016 18:00 − Dienstag 07-06-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Gezielte Trojaner-Mails mit persönlichen Daten aus dem LinkedIn-Hack ***
---------------------------------------------
Aktuell kursieren gefälschte Rechnungen mit Trojaner im Gepäck, die sich LinkedIn-Daten zunutze machen und deswegen plausibel wirken.
---------------------------------------------
http://heise.de/-3228473
*** Locky Ransomware Hides Under Multiple Obfuscated Layers of JavaScript ***
---------------------------------------------
This post was prepared with the invaluable assistance of Rahamathulla Hussain and Girish Kulkarni. During the last couple of weeks, McAfee Labs has observed a huge increase in spam related to Locky, a new ransomware threat spread via spam campaigns. The contents of the spam email are carefully crafted to lure victims using social engineering...
---------------------------------------------
https://blogs.mcafee.com/mcafee-labs/locky-ransomware-hides-under-multiple-…
*** Threat Actors Employ COM Technology in Shellcode to Evade Detection ***
---------------------------------------------
COM (Component Object Model) is a technology in Microsoft Windows that enables software components to communicate with each other; it is one of the fundamental architectures in Windows. From the security point of view, several "features" built into COM have lead to many security vulnerabilities. These features include ActiveX (an Internet Explorer plug-in technology), the...
---------------------------------------------
https://blogs.mcafee.com/mcafee-labs/threat-actors-employ-com-technology-sh…
*** FastPOS malware exfiltrates data immediately after harvesting it ***
---------------------------------------------
POS malware might have taken a backseat when ransomware became the go-to malware for many cyber crooks, but stealing payment card information to effect fraudulent transactions is still a lucrative business. Trend Micro researchers have recently analyzed a new POS malware family sporting some interesting functionalities. One of these is what made them dub the threat FastPOS: the malware does not wait to collect a batch of data and then send it periodically to the...
---------------------------------------------
https://www.helpnetsecurity.com/2016/06/07/fastpos-malware/
*** Check your BITS, because deleting malware might not be enough ***
---------------------------------------------
Attackers are abusing the Windows Background Intelligent Transfer Service (BITS) to re-infect computers with malware after theyve been already cleaned by antivirus products.The technique was observed in the wild last month by researchers from SecureWorks while responding to a malware incident for a customer. The antivirus software installed on a compromised computer detected and removed a malware program, but the computer was still showing signs of malicious activity at the network level.
---------------------------------------------
http://www.cio.com/article/3080016/check-your-bits-because-deleting-malware…
*** Android gets patches for serious flaws in hardware drivers and media server ***
---------------------------------------------
The June batch of Android security patches addresses nearly two dozen vulnerabilities in system drivers for various hardware components from several chipset makers.The largest number of critical and high severity flaws were patched in the Qualcomm video driver, sound driver, GPU driver, Wi-Fi driver, and camera driver. Some of these privilege escalation vulnerabilities could allow malicious applications to execute malicious code in the kernel leading to a permanent device compromise. Similar...
---------------------------------------------
http://www.csoonline.com/article/3079726/security/android-gets-patches-for-…
*** Android Security Bulletin - June 2016 ***
---------------------------------------------
[...] The most severe issue is a Critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files.
---------------------------------------------
https://source.android.com/security/bulletin/2016-06-01.html
*** BlackBerry powered by Android Security Bulletin - June 2016 ***
---------------------------------------------
BlackBerry has released a security update to address multiple vulnerabilities in BlackBerry powered by Android smartphones. We recommend users update to the latest available build, as outlined in the Available Updates section.
---------------------------------------------
http://support.blackberry.com/kb/articleDetail?articleNumber=000038209
*** NTP.org ntpd is vulnerable to denial of service and other vulnerabilities ***
---------------------------------------------
NTP.orgs reference implementation of NTP server, ntpd, contains multiple vulnerabilities. A brief overview follows, but details may be found in NTPs security advisory listing and in the individual links below.
---------------------------------------------
https://www.kb.cert.org/vuls/id/321640
*** DFN-CERT-2016-0840: IPv6-Protokoll: Eine Schwachstelle ermöglicht einen Denial-of-Service-Angriff ***
---------------------------------------------
Version 1 (2016-05-26 11:34) Neues Advisory Version 2 (2016-05-27 09:49) Cisco aktualisiert die referenzierte Sicherheitsmeldung [...] Version 3 (2016-06-01 11:36) Cisco aktualisiert die referenzierte Sicherheitsmeldung [...] Version 4 (2016-06-03 14:31) Cisco aktualisiert cisco-sa-20160525-ipv6 und weist darauf hin, dass es sich nicht um einen Cisco spezifischen Fehler handelt, [...] Version 5 (2016-06-06 15:12) Juniper Networks informiert darüber, dass EX4300, EX4600, QFX3500 und QFX5100...
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0840/
*** Bugtraq: [security bulletin] HPSBGN03620 rev.1 - HPE Helion OpenStack using OpenSSL and QEMU, Remote Unauthorized Data Access ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538612
*** Bugtraq: [security bulletin] HPSBGN03619 rev.1 - HPE Discovery and Dependency Mapping Inventory (DDMi) using Java Deserialization, remote Code Execution ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538611
*** Bugtraq: [security bulletin] HPSBGN03442 rev.2 - HP Helion OpenStack using glibc, Remote Denial of Service (DoS), Arbitrary Code Execution ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538610
*** IBM Security Bulletin: Path Traversal affects IBM Security Guardium Database Activity Monitor (CVE-2016-0298) ***
---------------------------------------------
IBM Security Guardium Database Activity Monitor could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request to view arbitrary files on the system. CVE(s): CVE-2016-0298 Affected product(s) and affected version(s): IBM Security Guardium Database Activity Monitor V10 Refer to the following reference URLs for remediation and...
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21981749
*** IBM Security Bulletin: Using Components with Known Vulnerabilities affects IBM Security Guardium (multiple CVEs) ***
---------------------------------------------
IBM Security Guardium is vulnerable to several possible remote attacks CVE(s): CVE-2015-4881, CVE-2015-7181, CVE-2015-7981, CVE-2013-1981, CVE-2015-3416, CVE-2015-2730, CVE-2015-7704, CVE-2015-3238, CVE-2015-5312, CVE-2015-5288 Affected product(s) and affected version(s): IBM Security Guardium V10 Refer to the following reference URLs for remediation and additional vulnerability details:Source Bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21981747X-Force Database:...
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21981747
*** IBM Security Bulletin: Cacheable SSL Page vulenrability affects IBM Security Guardium Database Activity Monitor (CVE-2016-0237) ***
---------------------------------------------
IBM Security Guardium Database Activity Monitor contains locally cached browser data, that could allow a local attacker to obtain sensitive information. CVE(s): CVE-2016-0237 Affected product(s) and affected version(s): IBM Security Guardium Database Activity Monitor V10 Refer to the following reference URLs for remediation and additional vulnerability details:Source Bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21981631X-Force Database:...
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21981631
*** IBM Security Bulletin: Use of Hard-coded Cryptographic Key vulenrability affects IBM Security Guardium Database Activity Monitor (CVE-2016-0235) ***
---------------------------------------------
IBM Security Guardium Database Activity Monitor uses a hard-coded password for the which is available to the administrator or a user with root access. This password could be used across other GRUB systems. CVE(s): CVE-2016-0235 Affected product(s) and affected version(s): IBM Security Guardium Database Activity Monitor V10 Refer to the following reference URLs for remediation...
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21981748
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM InfoSphere Streams (CVE-2016-0466, CVE-2016-0448) ***
---------------------------------------------
There are multiple vulnerabilities in IBM SDK Java Technology Edition, Version 8 Service Refresh 2 Fix Pack 11 and earlier releases, Version 7R1 Service Refresh 3 Fix Pack 31 and earlier releases, and Version 6 Service Refresh 16 Fix Pack 21 and earlier releases. If you run your own Java code using the IBM Java...
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21983436
*** IBM Security Bulletin: Vulnerability in libxml2 affects IBM InfoSphere Streams. (CVE-2015-8317) ***
---------------------------------------------
There is a vulnerability in libxml2 that is used by IBM InfoSphere Streams. IBM InfoSphere Streams has addressed this vulnerability. CVE(s): CVE-2015-8317 Affected product(s) and affected version(s): IBM InfoSphere Streams Version 1.2.1.0 IBM InfoSphere Streams Version 2.0.0.4 and earlier IBM InfoSphere Streams Version 3.0.0.5 and earlier IBM InfoSphere Streams Version 3.1.0.7 and earlier IBM InfoSphere...
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21983370
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM MQ AMS (CVE-2015-3194, CVE-2015-3195, CVE-2015-3196) ***
---------------------------------------------
OpenSSL vulnerabilities were disclosed on December 3, 2015 by the OpenSSL Project. OpenSSL is used by IBM MQ Advanced Message Security (AMS) on IBM i. IBM MQ has addressed the applicable CVEs. CVE(s): CVE-2015-3194, CVE-2015-3195, CVE-2015-3196 Affected product(s) and affected version(s): IBM MQ 8.0 Advanced Message Security (AMS) on IBM i only Fix Pack 8.0.0.4...
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21983823
*** IBM Security Bulletin: A vulnerability in XML processing affects IBM InfoSphere Streams (CVE-2015-1819) ***
---------------------------------------------
IBM InfoSphere Streams may be vulnerable to a denial of service attack due to the use of Libxml2 (CVE-2015-1819) CVE(s): , CVE-2015-1819 Affected product(s) and affected version(s): IBM InfoSphere Streams Version 1.2.1.0 IBM InfoSphere Streams Version 2.0.0.4 and earlier IBM InfoSphere Streams Version 3.0.0.5 and earlier IBM InfoSphere Streams Version 3.1.0.7 and earlier IBM InfoSphere...
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21981066
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM BigFix Remote Control (CVE-2016-2107) ***
---------------------------------------------
OpenSSL vulnerabilities were disclosed on May 3, 2016 by the OpenSSL Project. OpenSSL is used by IBM BigFix Remote Control. IBM BigFix Remote Control has addressed the applicable CVEs. CVE(s): CVE-2016-2107 Affected product(s) and affected version(s): IBM BigFix Remote Control version 9.1.2 Refer to the following reference URLs for remediation and additional vulnerability details:Source Bulletin:...
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21984111
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 03-06-2016 18:00 − Montag 06-06-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Magento Credit Card Stealer for Braintree Extension ***
---------------------------------------------
We regularly find and write about malware that steals credit card details from Magento sites because attackers discover new techniques to obtain sensitive data daily. This time, the malicious code is specifically designed for Magento sites that use the Braintree extension. This extension connects a Magento store with the Braintree payment processing service that is...
---------------------------------------------
https://blog.sucuri.net/2016/06/magento-credit-card-stealer-braintree-exten…
*** WordPress Sites Under Attack From New Zero-Day In WP Mobile Detector Plugin ***
---------------------------------------------
An anonymous reader writes: A large number of websites have been infected with SEO spam thanks to a new zero-day in the WP Mobile Detector plugin that was installed on over 10,000 websites. The zero-day was used in real-world attacks since May 26, but only surfaced to light on May 29 when researchers notified the plugins developer. Seeing that the developer was slow to react, security researchers informed Automattic, who had the plugin delisted from WordPress.orgs Plugin Directory on May 31. In...
---------------------------------------------
https://tech.slashdot.org/story/16/06/03/2243238/wordpress-sites-under-atta…https://blog.sucuri.net/2016/06/wp-mobile-detector-vulnerability-being-expl…
*** Whats Going on With libtiff?, (Sun, Jun 5th) ***
---------------------------------------------
libtiff, as the name implies, is a library used to parse TIFF formatted images. While you dont run into TIFF images on the web every day, the format is quite popular for higher-resolution/high qualityapplications like printing. TIFF allows the user to select between lossless or lossycompression depending on the preferences of the user. While the library is very popular, a reader wrote in last week asking if the library is still maintained. Currently, there are three security issues listed in...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21131&rss
*** Destructive BadBlock ransomware can be foiled ***
---------------------------------------------
If you have been hit with ransomware, you want that malware to be BadBlock - but only if you haven't restarted your computer. This particular malware is a lacklustre attempt to create something on par with more popular ransomware, and that allowed Emsisoft security researcher Fabian Wosar to create a decrypter tool for it. The tool can be downloaded for free, and Bleeping Computer has offered instructions on how to use it. But, aside from...
---------------------------------------------
https://www.helpnetsecurity.com/2016/06/06/destructive-badblock-ransomware-…
*** Researchers hack the Mitsubishi Outlander SUV, shut off alarm remotely ***
---------------------------------------------
Mitsubishi Outlander, a popular hybrid SUV sold around the world, can be easily broken into by attackers exploiting security weaknesses in the setup that allows the car to be remotely controlled via an app. The weaknesses were discovered by Pen Test Partners, and include: The mobile app connects to the car through a Wi-Fi access point on it, instead via a web service and GSM module, making it impossible to use if one is not...
---------------------------------------------
https://www.helpnetsecurity.com/2016/06/06/researchers-hack-mitsubishi-outl…
*** Dangerous self-spreading successor of Zeus and Carberp discovered ***
---------------------------------------------
June 3, 2016 In June, Doctor Web security researchers examined a new dangerous virus targeting Russian bank clients. The virus is designed to steal money from bank accounts and monitor user activity. It has borrowed a lot of features from its predecessors Zeus (Trojan.PWS.Panda) and Carberp. Yet, unlike them, it can be spread without any user intervention infecting executable files. Besides, curing of the infected computer is rather complicated and may take several hours. Due to the ability to...
---------------------------------------------
http://news.drweb.com/show/?i=9999&lng=en&c=9
*** Firmware Analysis for IoT Devices ***
---------------------------------------------
Introduction This is the second post in the IoT Exploitation and Penetration Testing series. In this post, we are going to have a look at a key component in an IoT device architecture - Firmware. Any IoT device you use, you will be interacting with firmware, and this is because firmware can be thought of...
---------------------------------------------
http://resources.infosecinstitute.com/firmware-analysis-for-iot-devices/
*** Widespread exploits evade protections enforced by Microsoft EMET ***
---------------------------------------------
Its bad news for businesses. Hackers have launched large-scale attacks that are capable of bypassing the security protections added by Microsofts Enhanced Mitigation Experience Toolkit (EMET), a tool whose goal is to stop software exploits.Security researchers from FireEye have observed Silverlight and Flash Player exploits designed to evade EMET mitigations such as Data Execution Prevention (DEP), Export Address Table Access Filtering (EAF) and Export Address Table Access Filtering Plus
---------------------------------------------
http://www.cio.com/article/3079747/widespread-exploits-evade-protections-en…
*** Cisco Aironet Access Points Command-Line Interpreter Linux Shell Command Injection Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco IP 8800 Series Phones btcli Utility Command Injection Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** JSA10749 - IPv6 Neighbor Discovery Crafted Packet Denial of Service Vulnerability (CVE-2016-1409) ***
---------------------------------------------
http://kb.juniper.net/index?page=content&id=JSA10749&actp=RSS
*** Security Advisory: NTP vulnerability CVE-2016-1548 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/63/sol63675293.html?…
*** DSA-3595 mariadb-10.0 - security update ***
---------------------------------------------
Several issues have been discovered in the MariaDB database server. Thevulnerabilities are addressed by upgrading MariaDB to the new upstreamversion 10.0.25. Please see the MariaDB 10.0 Release Notes for furtherdetails:
---------------------------------------------
https://www.debian.org/security/2016/dsa-3595
*** Bugtraq: [security bulletin] HPSBUX03616 SSRT110128 rev.2 - HPE HP-UX running CIFS Server (Samba), Remote Denial of Service (DoS), Disclosure of Information, Unauthorized Access ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538597
*** DFN-CERT-2016-0908: VideoLAN VLC Media Player: Eine Schwachstelle ermöglicht u.a. die Ausführung beliebigen Programmcodes mit Benutzerrechten ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0908/
*** Citrix NetScaler Gateway Lets Remote Users Hijack the Target Users Login Form Credentials ***
---------------------------------------------
http://www.securitytracker.com/id/1036020
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 02-06-2016 18:00 − Freitag 03-06-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Trillium Exploit Kit Update Offers 'Security Tips' ***
---------------------------------------------
McAfee Labs has previously blogged about the Trillium Exploit Kit Version 3.0, which is commonly used to create and distribute malware. Last week, Version 4.0 appeared on several underground forums. We have analyzed the new version of the tool ..
---------------------------------------------
https://blogs.mcafee.com/mcafee-labs/trillium-exploit-kit-update-offers-sec…
*** DSA-3593 libxml2 - security update ***
---------------------------------------------
Several vulnerabilities were discovered in libxml2, a library providingsupport to read, modify and write XML and HTML files. A remote attackercould provide a specially crafted XML or HTML file that, when processedby an ..
---------------------------------------------
https://www.debian.org/security/2016/dsa-3593
*** GE MultiLink Series Hard-coded Credential Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a hard-coded credential vulnerability in GE's MultiLink series managed switches.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-154-01
*** WP Mobile Detector <= 3.5 - Arbitrary File Upload ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/8505
*** Understanding Angler Exploit Kit - Part 1: Exploit Kit Fundamentals ***
---------------------------------------------
Generally speaking, criminal groups use two methods for widespread distribution of malware. The most common method is malicious spam (malspam). This is a fairly direct mechanism, usually through an email attachment or ..
---------------------------------------------
http://researchcenter.paloaltonetworks.com/2016/06/unit42-understanding-ang…
*** MySQL is YourSQL ***
---------------------------------------------
Its The End of the World and We Know It If you listen to the press - those purveyors of doom, those nattering nabobs of negativism - you arrive at a single, undeniable conclusion: The worldis going to hell in a hand-basket. They ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21117
*** Nach Kontroversen: Teamviewer führte neue Accountsicherungen ein ***
---------------------------------------------
Wenige Tage nach zahlreichen Nutzerbeschwerden über gehackte Accounts reagiert Teamviewer mit einem vorgezogenen Sicherheitsupdate. Wir haben mit dem Unternehmen darüber gesprochen.
---------------------------------------------
http://www.golem.de/news/nach-kontroversen-teamviewer-fuehrte-neue-accounts…
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 01-06-2016 18:00 − Donnerstag 02-06-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** DSA-3591 imagemagick - security update ***
---------------------------------------------
Bob Friesenhahn from the GraphicsMagick project discovered a commandinjection vulnerability in ImageMagick, a program suite for imagemanipulation. An attacker with control on input image or the inputfilename can execute arbitrary commands with the privileges of the userrunning the application.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3591
*** Lenovo advises users to remove a vulnerable support tool preinstalled on their systems ***
---------------------------------------------
PC maker Lenovo is recommending that users remove an application preloaded on their computers because it contains a high-severity flaw that could allow attackers to take over their systems.The vulnerable tool is called ..
---------------------------------------------
http://www.csoonline.com/article/3077935/security/lenovo-advises-users-to-r…
*** Opening hours - Moderately Critical - XSS - SA-CONTRIB-2016-031 ***
---------------------------------------------
https://www.drupal.org/node/2738707
*** DSA-3592 nginx - security update ***
---------------------------------------------
It was discovered that a NULL pointer dereference in the Nginx coderesponsible for saving client request bodies to a temporary file mightresult in denial of service: Malformed requests could crash workerprocesses.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3592
*** Researchers spot 35-fold increase in newly observed ransomware domains ***
---------------------------------------------
A record 35-fold increase in newly observed ransomware domains compared to the fourth quarter of 2015 have been spotted by Infoblox researchers.
---------------------------------------------
http://www.scmagazine.com/infoblox-researchers-spotted-a-huge-uptick-in-dns…
*** Yahoo Publishes National Security Letters After FBI Drops Gag Orders ***
---------------------------------------------
Yahoo just became the first company to disclose that it has received NSLs without having to go to court to do so.
---------------------------------------------
http://www.wired.com/2016/06/yahoo-publishes-national-security-letters-fbi-…
*** Docker Containers Logging ***
---------------------------------------------
In a previous diary, Jim talked about forensic operations against Docker containers. To be able to perform investigations after an incident, we must have some ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21121
*** Die meisten Android-Virenscanner sind unsicher ***
---------------------------------------------
Eigentlich sollte AV-Software das Smartphone vor Schadcode schützen. Wie Forscher nun festgestellt haben, weisen viele Virenjäger für Android allerdings selbst eklatante Sicherheitsmängel auf.
---------------------------------------------
http://heise.de/-3225169
*** Trend Micro enterprise products multiple vulnerabilities ***
---------------------------------------------
Multiple enterprise products provided by Trend Micro Incorporated contain multiple vulnerabilities.
---------------------------------------------
http://jvn.jp/en/jp/JVN48847535/
*** Trend Micro Internet Security multiple vulnerabilities ***
---------------------------------------------
Trend Micro Internet Security provided by Trend Micro Incorporated contains multiple vulnerabilities.
---------------------------------------------
http://jvn.jp/en/jp/JVN48789425/
*** Mitnick Attack Reappears at GeekPwn Macau Contest ***
---------------------------------------------
Cao Yue, a Ph.D. student from University of California, Riverside, delivered a stunning show at the GeekPwn 2016 Macau Contest on May 12 attended by top-caliber white hat hackers worldwide. Cao succeeded in remotely hijacking TCP connections at his random choice.
---------------------------------------------
http://www.prnewswire.com/news-releases/mitnick-attack-reappears-at-geekpwn…
*** Hacker Lexicon: What Is Fuzzing? ***
---------------------------------------------
Sometimes hacking isnt about taking a program apart: Its about throwing random objects at it to see what breaks.
---------------------------------------------
http://www.wired.com/2016/06/hacker-lexicon-fuzzing/
*** [2016-06-02] Multiple critical vulnerabilities in Ubee EVW3226 Advanced wireless voice gateway ***
---------------------------------------------
The firmware for the cable modem Ubee EVW3226 contains multiple critical vulnerabilities, which can be exploited to gain full system-level access to the device. This allows for inspection, modification and redirection of traffic.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2016…
*** IRONGATE ICS Malware: Nothing to See Here...Masking Malicious Activityon SCADA Systems ***
---------------------------------------------
https://www.fireeye.com/blog/threat-research/2016/06/irongate_ics_malware.h…
*** TeamViewer users claim accounts hacked ***
---------------------------------------------
TeamViewer is a remote desktop connection software that allows users to share screens and allow remote access from anywhere in the world. In the past 24 hours, many customers ..
---------------------------------------------
http://www.inquisitr.com/3156809/teamviewer-accounts-hacked-users-claim/
*** Erpresser-Mails drohen mit Rufschädigung über Social Media ***
---------------------------------------------
Erpresser machen sich die Berichterstattung über aktuelle Hackerangriffe zunutze, um Droh-Mails zu verschicken, in denen sie den Opfern damit drohen, sensible Informationen auf deren Online-Konten zu veröffentlichen.
---------------------------------------------
http://heise.de/-3225619
*** 93% Of Phishing Emails Are Now Ransomware ***
---------------------------------------------
According to the latest data from security firm PhishMe, 93% of all phishing emails as of the end of March contained encryption ransomware. The numbers ..
---------------------------------------------
https://tech.slashdot.org/story/16/06/02/1356241/93-of-phishing-emails-are-…
*** How Russian cybercrime bosses crafted a ransomware empire out of an economic crisis ***
---------------------------------------------
Amid a crashing ruble and shaken markets due to global sanctions over Russian president Vladimir Putins ..
---------------------------------------------
http://www.neowin.net/news/how-russian-cybercrime-bosses-crafted-a-ransomwa…
*** XSA-178 ***
---------------------------------------------
http://xenbits.xen.org/xsa/advisory-178.html
*** XSA-175 ***
---------------------------------------------
http://xenbits.xen.org/xsa/advisory-175.html
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 31-05-2016 18:00 − Mittwoch 01-06-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Tor Browser 6.0: Ditches SHA-1 Support, Uses DuckDuckGo For Default Search Results ***
---------------------------------------------
The version 6.0 of Tor Browser, a free software for enabling anonymous communication, is now available to download. The new version introduces several changes, including disabling SHA-1 support, and removing ..
---------------------------------------------
https://tech.slashdot.org/story/16/05/31/1643234/tor-browser-60-ditches-sha…
*** Drupal SQLi (Drupalgeddon) Attack Trend CVE-2014-3704 / SA-CORE-2014-005 ***
---------------------------------------------
It has been over 19 months since Drupalgeddon, which refers to Drupal's Security Advisory (SA) SA-CORE-2014-005. For those unfamiliar with it, it ..
---------------------------------------------
https://blog.sucuri.net/2016/05/drupal-sqli-drupalgeddon-attack-trend-cve-2…
*** Finding Conditional Drupal Database Spam ***
---------------------------------------------
Nobody likes spam. It's never fun (unless you're watching Monty Python). For us it comes with the territory; removing SEO spam has been at the core of what we deal with since our inception, giving us some pretty good ..
---------------------------------------------
https://blog.sucuri.net/2016/05/finding-conditional-drupal-database-spam.ht…
*** Cluster of 'megabreaches' compromises a whopping 642 million passwords ***
---------------------------------------------
MySpace, Tumblr, and Fling are the latest services to join discredited LinkedIn.
---------------------------------------------
http://arstechnica.com/security/2016/05/cluster-of-megabreaches-compromise-…
*** Moxa UC 7408-LX-Plus Firmware Overwrite Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a firmware overwrite vulnerability in Moxa's UC 7408-LX-Plus device.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-152-01
*** ABB PCM600 Vulnerabilities ***
---------------------------------------------
This advisory contains mitigation details for one use of password hash with insufficient computational effort and three insufficiently protected credentials vulnerabilities in ABB's PCM600.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-152-02
*** Unfalsifiability of security claims ***
---------------------------------------------
There is an inherent asymmetry in computer security: things can be declared insecure by observation, but not the reverse. There is no observation that allows us to declare an arbitrary system or technique secure. We ..
---------------------------------------------
http://research.microsoft.com/pubs/256133/unfalsifiabilityOfSecurityClaims.…
*** Lücke in ImageMagick und GraphicsMagick ermöglicht erneute Angriffe ***
---------------------------------------------
Manipulierte Dateinamen können Schadcode über die popen()-Funktion des Betriebssystems zur Ausführung bringen. Patches stehen bereit.
---------------------------------------------
http://heise.de/-3223811
*** Scrum.org hacked, may have lost crypto keys and some user data ***
---------------------------------------------
Dont go dissing DevOps: a supplier has fessed up to a website vuln Scrum.org, the Scrum certification ..
---------------------------------------------
www.theregister.co.uk/2016/06/01/scrumorg_hacked_may_have_lost_crypto_keys_…
*** Heikle Sicherheitslücken in vorinstallierter Laptop-Software ***
---------------------------------------------
http://derstandard.at/2000038006783
*** Microsoft: Spamfilter für Hotmail und Outlook kaputt ***
---------------------------------------------
Unternehmen arbeitet mit Hochdruck an Lösung, manche Nutzer sollen "extreme Menge" an Spam-Mails erhalten
---------------------------------------------
http://derstandard.at/2000038023486
*** The impossible task of creating a 'Best VPNs' list today ***
---------------------------------------------
Our writer set out to make a list of reliable VPNs; turns out the task is complicated.
---------------------------------------------
http://arstechnica.com/security/2016/06/aiming-for-anonymity-ars-assesses-t…
*** VB2015 paper: Economic Sanctions on Malware ***
---------------------------------------------
Financial pressure can be a proactive and potentially very effective tool in making our computer ecosystems safer. By cleverly employing various trust metrics and technologies such as digital signing, watermarking, and ..
---------------------------------------------
https://www.virusbulletin.com/blog/2016/06/economic-sanctions-malware/
*** DRIDEX Poses as Fake Certificate in Latest Spam Run ***
---------------------------------------------
At a glance, it seems that DRIDEX has dwindled its activities or operation, appearing only for a few days this May. This is quite unusual given that in the past five months or so, this prevalent online banking threat ..
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/dridex-poses-as-…
*** Security: LG muss Android-Firmware reparieren ***
---------------------------------------------
Zwei Sicherheitslücken in LGs-Android Firmware ermöglichen eine Reihe von Angriffen, teilweise auch aus der Ferne. Nutzer sollten schnell reagieren, die Updates stehen bereit.
---------------------------------------------
http://www.golem.de/news/security-lg-muss-android-firmware-reparieren-1606-…
*** Kindernahrung: Mein Baby Club von Hipp wurde gehackt ***
---------------------------------------------
Kopierte Nutzerdaten sind immer ein Ärgernis - besonders, wenn die persönlichen Informationen von Kindern betroffen sind. Der Hersteller Hipp hat seine Kunden jetzt über einen Einbruch in die eigenen Serversysteme des Mein Baby Clubs informiert
---------------------------------------------
http://www.golem.de/news/kindernahrung-mein-baby-club-von-hipp-wurde-gehack…
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 30-05-2016 18:00 − Dienstag 31-05-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Abgeschlossen: Wartungsarbeiten Dienstag, 31. 5. 2016 ***
---------------------------------------------
Abgeschlossen: Wartungsarbeiten Dienstag, 31. 5. 201625. Mai 2016Am Dienstag, 31. Mai 2016, werden wir Wartungsarbeiten an unserer Infrastruktur vornehmen. Dies wird zu Ausfällen der extern erreichbaren Services (zB Mail, Webserver, Mailinglisten) führen, diese können jeweils ..
---------------------------------------------
http://www.cert.at/services/blog/20160525113745-1748.html
*** Österreichische Handy-Signatur anfällig für Phishing ***
---------------------------------------------
Mit einer sogenannten Handy-Signatur können Österreicher auch Dokumente für Kommunikation Behörden rechtsverbindlich unterschreiben. Doch die digitale Unterschrift lässt sich mit einem einfachen Phishing-Angriff fälschen.
---------------------------------------------
http://heise.de/-3222980
*** Vulnerability in Citrix Studio Could Result in Insecure Access Policy Configuration ***
---------------------------------------------
A vulnerability has been identified in Citrix Studio that could allow Access Policy rules to be set insecurely on the Citrix XenDesktop Delivery Controller.
---------------------------------------------
https://support.citrix.com/article/CTX213045
*** Nach Kritik: Pornhub überarbeitet sein Bounty-Programm ***
---------------------------------------------
Mit ihrem Bug-Bounty-Programm hat eine Pornoseite Schlagzeilen gemacht. Doch die Kommunikation mit den Hackern und die gezahlten Bountys sorgten für viel Kritik. Das Unternehmen verspricht jetzt Besserung.
---------------------------------------------
http://www.golem.de/news/nach-kritik-pornhub-ueberarbeitet-sein-bounty-prog…
*** Twitter paid out $322,420 in bug bounties ***
---------------------------------------------
Researchers have proven that bug bounties are a cheaper way for discovering vulnerabilities than hiring full-time bug hunters would be and, in the last few years, many Internet and tech companies have instituted such programs. The security community has praised those who have, and the ..
---------------------------------------------
https://www.helpnetsecurity.com/2016/05/31/twitter-bug-bounty/
*** Neuer Tor Browser setzt bei der Suche auf DuckDuckGo ***
---------------------------------------------
Die bisherige Standardsuche Disconnect habe auf von Google auf Bing umgestellt, mit katastrophalem Ergebnis, begründen die Entwickler ihre Entscheidung. Weitere Änderungen betreffen Mac-Nutzer und die Anzeige von YouTube-Videos.
---------------------------------------------
http://heise.de/-3210346
*** Bloatware Insecurity Continues to Haunt Consumer, Business Laptops ***
---------------------------------------------
High-severity vulnerabilities were found in pre-installed software updaters present in consumer and business laptops from vendors such as Dell, HP, Lenovo, Asus and Acer.
---------------------------------------------
http://threatpost.com/bloatware-insecurity-continues-to-haunt-consumer-busi…
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 27-05-2016 18:00 − Montag 30-05-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Security baseline for Windows Server 2016 Technical Preview 5 (TP5) ***
---------------------------------------------
Microsoft is pleased to announce the draft release of the security configuration baseline settings for Windows Server 2016, corresponding to Technical ..
---------------------------------------------
https://blogs.technet.microsoft.com/secguide/2016/05/27/security-baseline-f…
*** New Locky ransomware campaign sets sights on Amazon customers ***
---------------------------------------------
Amazon customers are the target of a wide-ranging phishing email scam intended to fool recipients into opening up a malicious attachment that results in the downloading of Locky ransomware.
---------------------------------------------
http://www.scmagazine.com/new-locky-ransomware-campaign-sets-sights-on-amaz…
*** How Attackers Use a Flash Exploit to Distribute Crimeware and Other Malware ***
---------------------------------------------
Background Adobe Flash is multimedia software that runs on more than 1 billion systems worldwide. Its long list of security vulnerabilities and huge market presence ..
---------------------------------------------
https://www.alienvault.com/blogs/security-essentials/how-attackers-use-a-fl…
*** VMSA-2016-0005.2 ***
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2016-0005.html
*** Security Advisory: Stored XSS in Jetpack ***
---------------------------------------------
During regular research audits for our Sucuri Firewall (Cloud-based WAF), we discovered a stored XSS vulnerability affecting the WordPress Jetpack plugin, currently installed on more than a million WordPress sites. The ..
---------------------------------------------
https://blog.sucuri.net/2016/05/security-advisory-stored-xss-jetpack-2.html
*** ZDI-16-361: (Pwn2Own) Apple OS X libATSServer Heap-based Buffer Overflow Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows attackers to execute arbitrary code on vulnerable installations of Apple OS X. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-16-361/
*** ZDI-16-360: (Pwn2Own) Apple OS X fontd Sandbox Escape Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple OS X. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-16-360/
*** Microsoft stattet Windows 10 mit doppelten Virenschutz aus ***
---------------------------------------------
http://derstandard.at/2000037805637
*** Nach LinkedIn Datenleck auch bei MySpace ***
---------------------------------------------
Der LinkedIn-Hacker hat laut eigenen Angaben auch 360 Millionen E-Mail-Adressen von MySpace-Nutzern und ..
---------------------------------------------
http://futurezone.at/digital-life/nach-linkedin-datenleck-auch-bei-myspace/…
*** Duqu 2.0 kernel exploitation technique analysis (part 1 of 2) ***
---------------------------------------------
Out of the multiple components used in the sophisticated Duqu 2.0 cyberespionage attack, we had a chance to look into one of the kernel exploits used for its ..
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2016/05/29/%e2%80%8bduqu-2-0-kerne…
*** CVE Request: GraphicsMagick and ImageMagick popen() shell vulnerability via filename ***
---------------------------------------------
All existing releases of GraphicsMagick and ImageMagick support a file open syntax where if the first character of the file specification is a |, then the remainder of the filename is passed to the shell for execution using the ..
---------------------------------------------
http://permalink.gmane.org/gmane.comp.security.oss.general/19669
*** breaking into a wordpress site without knowing wordpress/php or infosec at all ***
---------------------------------------------
This is a post about how I tried and broke into my colleges wordpress installation without having any prior knowledge of wordpress/php and without any experience with hacking web-servers. The attempts were spread out over a month, ..
---------------------------------------------
https://notehub.org/5zo2v
*** Saudi-Arabien soll Cyberangriffe gegen Iran gestartet haben ***
---------------------------------------------
http://derstandard.at/2000037865736
*** Microsoft geht gegen zu einfache Passwörter vor ***
---------------------------------------------
Künftig sollen Nutzer von Azure und anderen Diensten Warnungen erhalten, wenn ihr Kennwort ..
---------------------------------------------
http://derstandard.at/2000037866342
*** Cisco Products IPv6 Neighbor Discovery Crafted Packet Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability in the IP Version 6 (IPv6) packet processing functions of Cisco IOS XR Software, Cisco IOS XE Software, and Cisco NX-OS Software could allow an ..
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
*** Angreifer erbeuten Nutzerdaten von sz-magazin.de ***
---------------------------------------------
Ein Unbefugter habe sich Mitte Mai rechtswidrig Zugriff auf einen Datenbankserver des SZ-Magazins verschafft.
---------------------------------------------
http://heise.de/-3222586
*** Hintergrund: Zertifikate sperren - so gehts ***
---------------------------------------------
Verkehrte Welt -- um ein Zertifikat zu sperren, muss man es erst installieren. Mit der folgenden Anleitung ..
---------------------------------------------
http://heise.de/-3222308
*** Zum Weltnichtrauchertag: BSI warnt vor Malware in E-Zigaretten ***
---------------------------------------------
Wer E-Zigaretten raucht, erspart seiner Lunge Teer, setzt aber die Gesundheit seines Rechners aufs Spiel - zumindest, wenn die E-Zigarette per USB aufgeladen wird.
---------------------------------------------
http://www.golem.de/news/zum-weltnichtrauchertag-bsi-warnt-vor-malware-in-e…
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 26-05-2016 18:00 − Freitag 27-05-2016 18:00
Handler: Stephan Richter
Co-Handler: Alexander Riepl
*** VU#482135: MEDHOST Perioperative Information Management System contains hard-coded database credentials ***
---------------------------------------------
MEDHOST Perioperative Information Management System (PIMS) versions prior to 2015R1 contain hard-coded credentials that are used for customer database access.
---------------------------------------------
http://www.kb.cert.org/vuls/id/482135
*** Environmental Systems Corporation Data Controllers Vulnerabilities ***
---------------------------------------------
This advisory contains mitigation details for data controller vulnerabilities in the Environmental Systems Corporation (ESC) 8832 Data Controller.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-147-01
*** Sixnet BT Series Hard-coded Credentials Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a hard-coded credential vulnerability in Sixnet's BT series routers.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-147-02
*** Black Box AlertWerks ServSensor Credential Management Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a credential management vulnerability in Black Box's AlertWerks ServSensor devices.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-147-03
*** Bugtraq: ESA-2016-061: EMC Isilon OneFS SMB Signing Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538499
*** Up to a dozen banks are reportedly investigating potential SWIFT breaches ***
---------------------------------------------
More banks have reportedly launched investigations into potential security breaches on their networks after hackers stole US$81 million from the Bangladesh ..
---------------------------------------------
http://www.cio.com/article/3075448/up-to-a-dozen-banks-are-reportedly-inves…
*** Cisco WebEx Meeting Center Site Access Control User Account Enumeration Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Security Advisory: NTP vulnerability CVE-2016-2519 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/41/sol41613034.html
*** Security Advisory: NTP vulnerability CVE-2016-2517 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/61/sol61200338.html
*** Multiple Buffalo wireless LAN routers vulnerable to information disclosure ***
---------------------------------------------
http://jvn.jp/en/jp/JVN75813272/
*** Multiple Buffalo wireless LAN routers vulnerable to directory traversal ***
---------------------------------------------
http://jvn.jp/en/jp/JVN81698369/
*** Link (.lnk) to Ransom ***
---------------------------------------------
We are alerting Windows users of a new type of ransomware that exhibits worm-like behavior. This ransom leverages removable and network drives to propagate ..
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2016/05/26/link-lnk-to-ransom/
*** Spoofer ***
---------------------------------------------
Seeking to minimize Internets susceptibility to spoofed DDoS attacks, we are developing and supporting open-source software tools to assess and report on the deployment of source address validation (SAV) best anti-spoofing practices. This ..
---------------------------------------------
http://www.caida.org/projects/spoofer/
*** Security Advisory - Apache Struts2 Remote Code Execution Vulnerability in Huawei Products ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160527-…
*** Path Traversal in extension "Media management" (media) ***
---------------------------------------------
https://typo3.org/news/article/path-traversal-in-extension-media-management…
*** Cross-Site Scripting in extension "Formhandler" (formhandler) ***
---------------------------------------------
https://typo3.org/news/article/cross-site-scripting-in-extension-formhandle…
*** Global companies arent quick to patch 'high' severity flaw in OpenSSL ***
---------------------------------------------
Yet another Padding Oracle flaw (CVE-2016-2107), allowing decrypting TLS traffic in a MITM attack, remains exploitable on the most popular web and email servers.
---------------------------------------------
https://www.htbridge.com/blog/CVE-2016-2107-padding-oracle-exploit.html
*** TLS-Zertifikate: Google zieht Daumenschrauben der CAs weiter an ***
---------------------------------------------
Ab Juni müssen alle Symantec-CAs ihre Aktivitäten via Certificate Transparency registrieren. Sonst werden die Zertifikats-Inhaber abgestraft. Das könnte auch andere CAs treffen.
---------------------------------------------
http://heise.de/-3215053
*** Cisco Firepower Management Center Web Interface Code Injection Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Android Banking Trojan 'SpyLocker' Targets More Banks in Europe ***
---------------------------------------------
Since the discovery of the Android banking Trojan SpyLocker, Intel Security has closely monitored this threat. SpyLocker first appeared disguised as Adobe Flash Player and targeted customers of banks in Australia, New Zealand, and ..
---------------------------------------------
https://blogs.mcafee.com/mcafee-labs/android-banking-trojan-spylocker-targe…
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 24-05-2016 18:00 − Mittwoch 25-05-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** New Botnets Used for Low and Slow Credential Testing (May 23, 2016) ***
---------------------------------------------
Botnets are being used to test account access credentials...
---------------------------------------------
http://www.sans.org/newsletters/newsbites/r/18/41/306
*** Many Ubiquiti Wireless Devices Still Vulnerable (May 20 and 23, 2016) ***
---------------------------------------------
Owners of Ubiquiti wireless devices are being urged to apply a patch that the company released last year; the flaw it fixes is being actively exploited...
---------------------------------------------
http://www.sans.org/newsletters/newsbites/r/18/41/308
*** Nulled WordPress Themes: Malvertising and Black Hat SEO ***
---------------------------------------------
If you have been following our blog for some time, you know that we regularly warn about risks associated with the use of third-party software on your site. A benign plugin may sneakingly inject ads into your site which cause malvertising problems for the site visitors (e.g. SweetCaptcha). Other plugins may be hijacked by hackers or... The post Nulled WordPress Themes: Malvertising and Black Hat SEO appeared first on Sucuri Blog.
---------------------------------------------
https://blog.sucuri.net/2016/05/nulled-wordpress-themes-malvertising-black-…
*** New Wekby Attacks Use DNS Requests As Command and Control Mechanism ***
---------------------------------------------
We have observed an attack led by the APT group Wekby targeting a US-based organization in recent weeks. Wekby is a group that has been active for a number of years, targeting various industries such...
---------------------------------------------
http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks…
*** SWIFT exec unveils info sharing plan, calls Bangladesh a watershed event ***
---------------------------------------------
SWIFT CEO Gottfried Leibbrandt issued details of the messaging service companys information-sharing strategy.
---------------------------------------------
http://www.scmagazine.com/swift-exec-unveils-info-sharing-plan-calls-bangla…
*** Stop Using "internal" Top Level Domain Names, (Wed, May 25th) ***
---------------------------------------------
Cert.org this week warned again that internal top level domain names can be used against you, if one of these domains happens to be registered as a new generic top level domain (gTLD). Currently, there are about 1200 approved gTLDs, and the number will only increase even though the initial gold rush seems to have leveled off somewhat [1] US-Cert just sent out a reminder again regarding the use of internal domain names for automatic proxy configuration via WPAD. If this internal, but not...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21095&rss
*** CVE-2015-2545: overview of current threats ***
---------------------------------------------
Cyberespionage attacks conducted by different groups across the Asia-Pacific (APAC) and Far East regions share one common feature: in order to infect their victims with malware, the attackers use an exploit for the CVE-2015-2545 vulnerability.
---------------------------------------------
http://securelist.com/analysis/publications/74828/cve-2015-2545-overview-of…
*** Who's tracking you online, and how? ***
---------------------------------------------
Armed with a tool that mimics a consumer browser but is actually bent on discovering all the ways websites are tracking visitors, Princeton University researchers have discovered several device fingerprinting techniques never before seen in the wild. The web privacy measurement tool is called OpenWPM, and has been open sourced. Its creators are the very same researchers who performed this latest study. They crawled and analyzed measurements collected from 1 million of the most popular...
---------------------------------------------
https://www.helpnetsecurity.com/2016/05/25/whos-tracking-you-online/
*** The Answer is always the same: Layers of Security ***
---------------------------------------------
There is a common misperception that now that containers support seccomp we no longer need SELinux to help protect our systems. WRONG. The big weakness in containers is the container possesses the ability to interact with the host kernel and the host file systems. Securing the container processes is all about shrinking the attack surface on the host OS and more specifically on the host kernel.seccomp does a great job of shrinking the attack surface on the kernel. The idea is to limit the number...
---------------------------------------------
https://access.redhat.com/blogs/766093/posts/2334141
*** Skimmers Found at Walmart: A Closer Look ***
---------------------------------------------
Recent local news stories about credit card skimmers found in self-checkout lanes at some Walmart locations reminds me of a criminal sales pitch I saw recently for overlay skimmers made specifically for the very same card terminals.
---------------------------------------------
http://krebsonsecurity.com/2016/05/skimmers-found-at-walmart-a-closer-look/
*** VMSA-2016-0006 ***
---------------------------------------------
VMware vCenter Server updates address an important cross-site scripting issue
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2016-0006.html
*** HPE Service Manager Unspecified Flaw Lets Remote Users Obtain Potentially Sensitive Information on the Target System ***
---------------------------------------------
http://www.securitytracker.com/id/1035954
*** Operation Technology ETAP 14.1.0 Multiple Stack Buffer Overrun Vulnerabilities ***
---------------------------------------------
Multiple ETAP binaries are prone to a stack-based buffer overflow vulnerability because the application fails to handle malformed arguments. An attacker can exploit these issues to execute arbitrary code within the context of the application or to trigger a denial-of-service conditions.
---------------------------------------------
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5324.php
*** Operation Technology ETAP 14.1.0 Local Privilege Escalation ***
---------------------------------------------
ETAP suffers from an elevation of privileges vulnerability which can be used by a simple authenticated user that can change the executable file with a binary of choice. The vulnerability exist due to the improper permissions, with the C flag (Change) for Authenticated Users group.
---------------------------------------------
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5323.php
*** ZDI-16-354: (0Day) ActivePDF Toolkit ImageToPDF IAT Overwrite Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of ActivePDF Toolkit. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-16-354/
*** Moxa MiiNePort Vulnerabilities ***
---------------------------------------------
This advisory contains mitigation details for weak credential management, sensitive information not protected, and cross-site request forgery vulnerabilities in Moxa's MiiNePort serial device server module series.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-145-01
*** Security Advisory: Java vulnerabilities CVE-2013-5802 and CVE-2013-5823 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/53/sol53316849.html?…
*** Security Advisory: Multiple Java vulnerabilities ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/95/sol95313044.html?…
*** Wartungsarbeiten Dienstag, 31.5.2016 ***
---------------------------------------------
Wartungsarbeiten Dienstag, 31. 5. 2016 | 25. Mai 2016 | Am Dienstag, 31. Mai 2016, werden wir Wartungsarbeiten an unserer Infrastruktur vornehmen. Dies wird zu Ausfällen der extern erreichbaren Services (zB Mail, Webserver, Mailinglisten) führen, diese können jeweils mehrere Minuten andauern. Es...
---------------------------------------------
http://www.cert.at/services/blog/20160525113745-1748.html
Next End-of-Shift report: 2016-05-27