=======================
= End-of-Shift report =
=======================
Timeframe: Montag 23-05-2016 18:00 − Dienstag 24-05-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** DMA Locker 4.0 - Known Ransomware Preparing For A Massive Distribution ***
---------------------------------------------
We take a look at the step towards maturity of DMA Locker how this will be spreading on a bigger scale.Categories: Malware Threat analysisTags: DMA Lockerransomware(Read more...)
---------------------------------------------
https://blog.malwarebytes.org/threat-analysis/2016/05/dma-locker-4-0-known-…
*** Beware of keystroke loggers disguised as USB phone chargers, FBI warns ***
---------------------------------------------
Private industry notification comes 15 months after debut of KeySweeper.
---------------------------------------------
http://arstechnica.com/security/2016/05/beware-of-keystroke-loggers-disguis…
*** SWIFT to unveil new security plan after hackers heists ***
---------------------------------------------
The SWIFT secure messaging service that underpins international banking said it plans to launch a new security program as it fights to rebuild its reputation in the wake of the Bangladesh Bank heist. [...] Users frequently do not inform SWIFT of breaches of their SWIFT systems and even now, the co-operative has not proposed any sanctions for clients who fail to pass on information, which SWIFT itself says is key to stopping future attacks.
---------------------------------------------
http://www.reuters.com/article/us-cyber-banks-swift-idUSKCN0YE2S6
*** Kommentar: Allo, Google? Gehts noch? ***
---------------------------------------------
Googles WhatsApp-Alternative Allo verschlüsselt nicht konsequent, sondern liest stattdessen aktiv mit. Was soll das?
---------------------------------------------
http://heise.de/-3215729
*** WPAD name collision bug opens door for MitM attackers ***
---------------------------------------------
A vulnerability in Web Proxy Auto-Discovery (WPAD), a protocol used to ensure all systems in an organization utilize the same web proxy configuration, can be exploited to mount MitM attacks from anywhere on the Internet, US-CERT warns. "With the New gTLD program, previously undelegated gTLD strings are now being delegated for public domain name registration. These strings may be used by private or enterprise networks, and in certain circumstances, such as when a work computer...
---------------------------------------------
https://www.helpnetsecurity.com/2016/05/24/wpad-name-collision-bug/
*** Hacker finds flaw in teleconference tool used by US Army, NASA and CERN ***
---------------------------------------------
Like we need another reason to hate videoconferences Sydney security tester Jamieson OReilly has reported a since-patched vulnerability in popular video platform Vidyo - used by the likes of the US Army, NASA and CERN - that could see videos leaked and systems compromised.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/05/19/popular_tel…
*** Pastejacking im Browser: Codeausführung per Copy and Paste ***
---------------------------------------------
Browser können den Inhalt der Zwischenablage selbstständig verändern. In einem Proof-of-Concept wird gezeigt, wie diese Funktion für Angriffe genutzt werden kann - und Nutzer sich recht einfach schützen können.
---------------------------------------------
http://www.golem.de/news/pastejacking-im-browser-codeausfuehrung-per-copy-a…
*** Bösartige Apps stellen heimlich teure Telefonverbindungen her ***
---------------------------------------------
Warnung der Regulierungsbehörde
---------------------------------------------
http://derstandard.at/2000037564561
*** Neben Erpressung nun auch DDoS: Verschlüsselungs-Trojaner Cerber lernt dazu ***
---------------------------------------------
Mit einer neuen Version von Cerber wollen die Drahtzieher hinter der Ransomware noch mehr Profit generieren: Der Schädling nimmt persönliche Daten als Geisel und die Kriminellen können infizierte Computer für DDoS-Attacken missbrauchen.
---------------------------------------------
http://heise.de/-3217254
*** The Anti-Ransomware Protection Plan You Need to Follow Today ***
---------------------------------------------
Technology has made our lives both easier and more complicated - there's no denying that. Fast Internet access opened up a world of wisdom and all the distractions we can image. But the door is also open for cyber criminals with little to no scruples and a big appetite for money. And there's no better...
---------------------------------------------
https://heimdalsecurity.com/blog/anti-ransomware-protection-plan/
*** Xen Security Advisory CVE-2014-3672 / XSA-180 ***
---------------------------------------------
When the libxl toolstack launches qemu for HVM guests, it pipes the output of stderr to a file in /var/log/xen. This output is not rate-limited in any way. The guest can easily cause qemu to print messages to stderr, causing this file to become arbitrarily large.
---------------------------------------------
http://xenbits.xen.org/xsa/advisory-180.html
*** Pulse Connect Secure Bugs Let Remote Users Deny Service, Obtain Potentially Sensitive Information, and Conduct Cross-Site Scripting Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1035932
*** Missing Access Check in TYPO3 CMS ***
---------------------------------------------
It has been discovered, that TYPO3 CMS lacks an access check for Extbase actions.
---------------------------------------------
https://typo3.org/news/article/missing-access-check-in-typo3-cms/
*** Missing Access Check in extension "Frontend User Registration" (sf_register) ***
---------------------------------------------
It has been discovered that the extension "Frontend User Registration" (sf_register) lacks a proper access check.
---------------------------------------------
https://typo3.org/news/article/missing-access-check-in-extension-frontend-u…
*** Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager JSON Privilege Escalation Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco UCS Invicta Software Default GPG Key Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** F5 Security Advisories ***
---------------------------------------------
*** Security Advisory: GNU C Library (glibc) vulnerability CVE-2016-3075 ***
https://support.f5.com:443/kb/en-us/solutions/public/k/15/sol15439022.html?…
---------------------------------------------
*** Security Advisory: OpenSSH vulnerability CVE-2016-1907 ***
https://support.f5.com:443/kb/en-us/solutions/public/k/35/sol35424631.html?…
---------------------------------------------
*** Security Advisory: glibc vulnerability CVE-2016-3075 ***
https://support.f5.com:443/kb/en-us/solutions/public/k/15/sol15439022.html?…
---------------------------------------------
*** Security Advisory: Java vulnerabilities CVE-2013-5782 and CVE-2013-5803 ***
https://support.f5.com:443/kb/en-us/solutions/public/k/14/sol14340611.html?…
---------------------------------------------
*** Security Advisory: PHP Vulnerability CVE-2016-4539 ***
https://support.f5.com:443/kb/en-us/solutions/public/k/35/sol35240323.html?…
---------------------------------------------
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Host On-Demand (CVE-2016-0264 ,CVE-2016-3449) ***
http://www.ibm.com/support/docview.wss?uid=swg21983578
---------------------------------------------
*** IBM Security Bulletin: Multiple Mozilla Firefox vulnerability issues in IBM Storwize V7000 Unified ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005812
---------------------------------------------
*** IBM Security Bulletin: IBM Connections Security Update (CVE-2016-0322) ***
http://www.ibm.com/support/docview.wss?uid=swg21982611
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Apache Tomcat may affect IBM WebSphere Application Server Community Edition (CVE-2015-5174) ***
http://www.ibm.com/support/docview.wss?uid=swg21983128
---------------------------------------------
*** IBM Applicable countries and regions ***
http://www.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5099367
---------------------------------------------
*** IBM Security Bulletin: Security vulnerabilities have been identified in the versions of IBM WebSphere Application Server Community Edition bundled with Web Experience Factory 7.0.x and 8.0.x (CVE-2015-5345) (CVE-2016-0706) (CVE-2016-0714) ***
http://www.ibm.com/support/docview.wss?uid=swg21981775
---------------------------------------------
*** IBM Security Bulletin: HTTP response splitting has been identified in IBM WebSphere Application Server Liberty Profile shipped with SmartCloud Cost Management and Tivoli Usage Accounting Manager (CVE-2015-2017) ***
http://www.ibm.com/support/docview.wss?uid=swg2C1000121
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 20-05-2016 18:00 − Montag 23-05-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Backdoor in Fake Joomla! Core Files ***
---------------------------------------------
We usually write a lot about obfuscation methods on Sucuri Labs and here on the blog. Sometimes we write about free tools to obfuscate your code that aren't that free and we also have an online tool to help decoding the malware you find. But sometimes the malware is not clearly encoded using base64, gzinflate, hex concatenation,... The post Backdoor in Fake Joomla! Core Files appeared first on Sucuri Blog.
---------------------------------------------
https://blog.sucuri.net/2016/05/unexpected-backdoor-fake-core-files.html
*** 60 percent of enterprise Android phones prone to QSEE vulnerability ***
---------------------------------------------
Duo Labs researchers found that 60 percent of enterprise Android phones are affected by a critical QSEE vulnerability.
---------------------------------------------
http://www.scmagazine.com/majority-of-enterprise-android-phones-vulnerable-…
*** The strange case of WinZip MRU Registry key, (Sun, May 22nd) ***
---------------------------------------------
When we want to know if a document (.doc, .pdf, whatever) has been opened by the user, in a Windows environment our information goldmine place is the Registry and particularly its MRUs keys. However, it seems this is not always the case. During the analysis of the Retefe case I wrote about in my previous diary, I came across a Registry behavior I did not expect, or at least I was not aware of, about how to verify if the file contained within the zip archive had been opened or not. Regarding...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21087&rss
*** ENISA- Europol issue joint statement ***
---------------------------------------------
ENISA and Europol issue joint statement on lawful criminal investigation that respects 21st Century data protection.
---------------------------------------------
https://www.enisa.europa.eu/news/enisa-news/enisa-europol-issue-joint-state…
*** Geldautomaten: Kriminelle erbeuten Millionen in zwei Stunden ***
---------------------------------------------
Kriminelle Kartenfälscher agieren global: Mit Hilfe von Kreditkarteninformationen einer südafrikanischen Bank erbeutete eine Bande in Japan in nur 2,5 Stunden Bargeld im Wert von mehr als 12 Millionen Euro.
---------------------------------------------
http://www.golem.de/news/geldautomaten-kriminelle-erbeuten-millionen-in-zwe…
*** National coordinators meet to prepare for ECSM launch ***
---------------------------------------------
National coordinators from across Europe gathered in Brussels earlier this month in preparation for the launch of this year's European Cyber Security Month.
---------------------------------------------
https://www.enisa.europa.eu/news/enisa-news/national-coordinators-meet-to-p…
*** Organizations unprepared for employee-caused security incidents ***
---------------------------------------------
While employee-related security risks are the number-one concern for security professionals, organizations are not taking adequate steps to prevent negligent employee behavior, according to a new Ponemon Institute study. The study, Managing Insider Risk Through Training & Culture, asked more than 600 individuals at companies that currently have a data protection and privacy training program to weigh in on the topic of negligent and malicious employee behaviors, as well as the consequences...
---------------------------------------------
https://www.helpnetsecurity.com/2016/05/23/employee-caused-security-inciden…
*** When Hashing isn't Hashing ***
---------------------------------------------
Anyone working in application security has found themselves saying something like this a thousand times: "always hash passwords with a secure password hashing function." I've said this phrase at nearly all of the developer events I've spoken at, it's become a mantra of sorts for many of us that try to improve the security of applications. We tell developers to hash passwords, then we have to qualify it to explain that it isn't normal hashing.
---------------------------------------------
https://adamcaudill.com/2016/05/23/when-hashing-isnt-hashing/
*** Technical Report about the RUAG espionage case ***
---------------------------------------------
After several months of Incident Response and Analysis in the RUAG cyber espionage case, we got the assignment from the Federal Council to write and publish a report about the findings. The following is a purely technical report, intending to inform the public about Indicators of Compromise (IOCs) and the Modus Operandi of the attacker group behind this case. We strongly believe in...
---------------------------------------------
https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espion…
*** Hack von Rüstungskonzern: Schweizer Cert gibt Security-Tipps für Unternehmen ***
---------------------------------------------
Daran könnten sich andere Sicherheitsfirmen ein Beispiel nehmen: Das Schweizer Cert hat detailliert die Angriffsmethoden einer APT-Gruppe auf den Technikkonzern Ruag analysiert und gibt Unternehmen Tipps zum Schutz.
---------------------------------------------
http://www.golem.de/news/hack-von-ruestungskonzern-schweizer-cert-gibt-secu…
*** After trio of hacks, SWIFT addresses information sharing concerns ***
---------------------------------------------
Following reports of a cyberattack last year in which hackers stole $9 million from an Ecuadorean bank, SWIFT stated it is taking steps to create more information sharing practices.
---------------------------------------------
http://www.scmagazine.com/after-trio-of-hacks-swift-addresses-information-s…
*** Student convicted after finding encryption flaws in government network ***
---------------------------------------------
He found that the encrypted network often wasnt... but he lost patience when it looked as though nothing was being done about it.
---------------------------------------------
https://nakedsecurity.sophos.com/2016/05/23/student-convicted-after-finding…
*** A recently patched Flash Player exploit is being used in widespread attacks ***
---------------------------------------------
It took hackers less than two weeks to integrate a recently patched Flash Player exploit into widely used Web-based attack tools that are being used to infect computers with malware.The vulnerability, known as CVE-2016-4117, was discovered earlier this month by security researchers FireEye. It was exploited in targeted attacks through malicious Flash content embedded in Microsoft Office documents.When the targeted exploit was discovered, the vulnerability was unpatched, which prompted a...
---------------------------------------------
http://www.cio.com/article/3073558/a-recently-patched-flash-player-exploit-…
*** Security Update Available for Adobe Connect (APSB16-17) ***
---------------------------------------------
A Security Bulletin (APSB16-17) has been published regarding a security update for Adobe Connect. Adobe recommends users update their product installations to the latest version using the instructions referenced in the security bulletin.
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1355
*** TA16-144A: WPAD Name Collision Vulnerability ***
---------------------------------------------
Original release date: May 23, 2016 Systems Affected Windows, OS X, Linux systems, and web browsers with WPAD enabled Overview Web Proxy Auto-Discovery (WPAD) Domain Name System (DNS) queries that are intended for resolution on private or enterprise DNS servers have been observed reaching public DNS servers [1]. In combination with the New generic Top Level Domain (gTLD) program's incorporation of previously undelegated gTLDs for public registration, leaked WPAD queries could result in...
---------------------------------------------
https://www.us-cert.gov/ncas/alerts/TA16-144A
*** Bugzilla 4.4.11 and 5.0.2 Security Advisory ***
---------------------------------------------
A specially crafted bug summary could trigger XSS in dependency graphs.
---------------------------------------------
https://www.bugzilla.org/security/4.4.11/
*** DSA-3585 wireshark - security update ***
---------------------------------------------
Multiple vulnerabilities were discovered in the dissectors/parsers forPKTC, IAX2, GSM CBCH and NCP which could result in denial of service.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3585
*** SECURITY BULLETIN: Trend Micro InterScan Web Security Virtual Appliance (IWSVA) Multiple Remote Code Execution Vulnerabilities ***
---------------------------------------------
Trend Micro has released new builds of the Trend Micro InterScan Web Security Virtual Appliance. These updates resolve vulnerabilities in the product that could potentially allow a remote attacker to execute arbitrary code on vulnerable installations.
---------------------------------------------
https://esupport.trendmicro.com/solution/en-US/1114185.aspx
*** SECURITY BULLETIN: Trend Micro OfficeScan Path Traversal Vulnerability ***
---------------------------------------------
Trend Micro has released an update for OfficeScan (OSCE) 11.0 Service Pack (SP) 1 which resolves a vulnerability in the product that when certain conditions are met could be exploited to access files and directories located outside of the core product web root folder.
---------------------------------------------
https://esupport.trendmicro.com/solution/en-US/1114097.aspx
*** ZDI-16-353: BitTorrent API Cross Site Scripting Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of BitTorrent and uTorrent. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-16-353/
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM WebSphere affect IBM Control Center (CVE-2016-0283, CVE-2015-7417). ***
http://www.ibm.com/support/docview.wss?uid=swg21981914
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities affect multiple IBM Rational products based on IBM Jazz technology (CVE-2015-7484, CVE-2015-7474, CVE-2015-7485, CVE-2015-7486, CVE-2016-0219) ***
http://www.ibm.com/support/docview.wss?uid=swg21983720
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in SSL affect IBM DataPower Gateways (CVE-2015-3193, CVE-2015-3195, CVE-2015-1794) ***
http://www.ibm.com/support/docview.wss?uid=swg21982608
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Marketing Platform (CVE-2016-0224, CVE-2016-0229, CVE-2016-0233) ***
http://www.ibm.com/support/docview.wss?uid=swg21980989
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in XML processing affect IBM DataPower Gateways ***
http://www.ibm.com/support/docview.wss?uid=swg21982607
---------------------------------------------
*** IBM Security Bulletin: Vulnerability identified in IBM Domino Java Console (CVE-2016-0304) ***
http://www.ibm.com/support/docview.wss?uid=swg21983328
---------------------------------------------
*** IBM Security Bulletin: OpenSSL vulnerabilities in Node.js found on May 03, 2016 affect Rational Software Architect and Rational Software Architect for WebSphere Software (CVE-2016-2107, CVE-2016-2105) ***
http://www.ibm.com/support/docview.wss?uid=swg21983555
---------------------------------------------
*** IBM Security Bulletin: Multiple OpenSSL vulnerabilities in Node.js included in Rational Application Developer for WebSphere Software ***
http://www.ibm.com/support/docview.wss?uid=swg21982949
---------------------------------------------
*** IBM Security Bulletin: One vulnerability in IBM Java SDK affect Application Delivery Intelligence 1.0.0 (CVE-2016-3427) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023804
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Runtime Environment Java Technology Edition, Version 6, affects: WebSphere Dashboard Framework (CVE-2016-3427, CVE-2016-3426, CVE-2016-0264) ***
http://www.ibm.com/support/docview.wss?uid=swg21982528
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Runtime Environment Java Technology Edition, Version 6, affects: Web Experience Factory (CVE-2016-3427, CVE-2016-3426, CVE-2016-0264) ***
http://www.ibm.com/support/docview.wss?uid=swg21982527
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in IBM Java SDK affects IBM Integration Designer and WebSphere Integration Developer (CVE-2016-3427) ***
http://www.ibm.com/support/docview.wss?uid=swg21983002
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM OS Images for Red Hat Linux Systems, IBM OS Images for AIX, and Windows. (CVE-2016-0363, CVE-2016-0376, CVE-2016-3426, and CVE-2016-0264) ***
http://www.ibm.com/support/docview.wss?uid=swg21983647
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Image Construction and Composition Tool. (CVE-2016-0363, CVE-2016-0376, CVE-2016-3426, and CVE-2016-0264) ***
http://www.ibm.com/support/docview.wss?uid=swg21983644
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in OpenSSL affects Tivoli Provisioning Manager for OS Deployment, Tivoli Provisioning Manager for Images (CVE-2016-2842) ***
http://www.ibm.com/support/docview.wss?uid=swg21982159
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM InfoSphere Information Server ***
http://www.ibm.com/support/docview.wss?uid=swg21981545
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in ApacheTomcat affect IBM Security SiteProtector System (CVE-2015-5174, CVE-2015-5345, CVE-2016-0706 and CVE-2016-0714) ***
http://www.ibm.com/support/docview.wss?uid=swg21983242
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in SSL affect IBM DataPower Gateways (CVE-2015-3197 ) ***
http://www.ibm.com/support/docview.wss?uid=swg21982697
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenStack affect IBM Spectrum Scale V4.2 and V4.1.1 (CVE-2015-8466 and CVE-2016-0738) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005833
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 19-05-2016 18:00 − Freitag 20-05-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** DSA-3584 librsvg - security update ***
---------------------------------------------
Gustavo Grieco discovered several flaws in the way librsvg, a SAX-basedrenderer library for SVG files, parses SVG files with circulardefinitions. A remote attacker can take advantage of these flaws tocause an application using the librsvg library to crash.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3584
*** Petya and Mischa - Ransomware Duet (part 1) ***
---------------------------------------------
After being defeated about a month ago, Petya comes back with new tricks. Now, not as a single ransomware, but in a bundle with another malicious payload - Mischa. Both are named after the satellites from the GoldenEye movie. They deploy attacks on ..
---------------------------------------------
https://blog.malwarebytes.org/threat-analysis/2016/05/petya-and-mischa-rans…
*** EITest campaign still going strong, (Fri, May 20th) ***
---------------------------------------------
Originally reported by Malwarebytes in October 2014 [1], the EITest campaign has been going strong ever since. Earlier this year, I documented how the campaign has evolved over time [2]. During its run, I had only noticed the EITest campaign use Angler EK to distribute a variety of ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21081
*** TLS/GCM: Gefahr durch doppelte Nonces ***
---------------------------------------------
Moderne TLS-Verbindungen nutzen üblicherweise das AES-GCM-Verschlüsselungsverfahren. Das benötigt einen sogenannten Nonce-Wert, der sich nicht wiederholen darf. Ansonsten ist die Sicherheit dahin.
---------------------------------------------
http://www.golem.de/news/tls-gcm-gefahr-durch-doppelte-nonces-1605-121005.h…
*** Important Security-Bulletin Pre-Announcement ***
---------------------------------------------
https://typo3.org/news/article/important-security-bulletin-pre-announcement…
*** Resource Data Management Intuitive 650 TDB Controller Vulnerabilities ***
---------------------------------------------
This advisory contains mitigation details for a privilege escalation vulnerability and a cross-site request forgery vulnerability in Resource Data Management's Intuitive 650 TDB Controller.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-140-01
*** Siemens SIPROTEC Information Disclosure Vulnerabilities ***
---------------------------------------------
This advisory contains mitigation details for information disclosure vulnerabilities in the Siemens SIPROTEC 4 and SIPROTEC Compact.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-140-02
*** Hacked in a public space? Thanks, HTTPS ***
---------------------------------------------
Kali Linux, laptop, coffee - hack on! Have you ever bothered to look at who your browser trusts? The padlock of a HTTPS connection doesnt mean anything if you cant trust the other end of the connection and its upstream signatories. Do you ..
---------------------------------------------
www.theregister.co.uk/2016/05/20/https_wifi_trust_in_a_public_place/
*** Wichtiger Sicherheits-Patch für Typo3 voraus ***
---------------------------------------------
In vielen Typo3-Versionen klafft offensichtlich eine schwerwiegende Sicherheitslücke. Ein Patch soll Anfang nächster Woche erscheinen.
---------------------------------------------
http://heise.de/-3212058
*** l+f: Erpressung für den guten Zweck ***
---------------------------------------------
Ein Verschlüsselungs-Trojaner fordert ein horrende Summe und will damit Gutes tun. Wer's glaubt ...
---------------------------------------------
http://heise.de/-3212111
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 18-05-2016 18:00 − Donnerstag 19-05-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Website Hacked Trend Report - 2016/Q1 ***
---------------------------------------------
Our Remediation group is comprised of two distinct teams, the Incident Response Team (IRT) and Malware Research Team (MRT). These teams work closely with our customers in an effort to identify and remove website infections to include ..
---------------------------------------------
https://blog.sucuri.net/2016/05/sucuri-hacked-report-2016q1.html
*** Registration Codes - Less Critical - Input Validation Vulnerability - SA-CONTRIB-028 ***
---------------------------------------------
https://www.drupal.org/node/2728711
*** Dropbox client - Multiple Vulnerabilities - SA-CONTRIB-2016-027 ***
---------------------------------------------
https://www.drupal.org/node/2728693
*** Web Mailing List vulnerable to cross-site scripting ***
---------------------------------------------
http://jvn.jp/en/jp/JVN43076390/
*** The 5Ws and 1H of Ransomware ***
---------------------------------------------
For the past three months, we have seen ransomware hop its way across globe. Majority of the ransomware incidents are found in the United States, then Italy, and Canada. The prevalence of large-scale ransomware incidents led the United States and Canadian governments to issue a joint statement about ..
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2016/05/18/the-5ws-and-1h-of-ranso…
*** Hackerangriff auf Linkedin: 100 Millionen Nutzer betroffen ***
---------------------------------------------
Attacke fand bereits 2012 statt - Ausmass wurde jedoch erst jetzt in vollem Umfang bekannt
---------------------------------------------
http://derstandard.at/2000037231582
*** Erpressungstrojaner: Teslacrypt-Entwickler geben auf ***
---------------------------------------------
Master-Key veröffentlicht, Entschlüsselungssoftware verfügbar.
---------------------------------------------
http://derstandard.at/2000037236758
*** Ransomware Awareness Tag ***
---------------------------------------------
Unsere Kollegen von der Schweizer Melde- und Analysestelle Informationssicherung MELANI veranstalten heute, am 19. Mai 2016, einen Aktionstag zum Thema Ransomware. Das Ziel ist es, die Informationen zu der Bedrohung ..
---------------------------------------------
http://www.cert.at/services/blog/20160519095712-1737.html
*** Kernel Waiter Exploit from the Hacking Team Leak Still Being Used ***
---------------------------------------------
Although the Hacking Team leak took place several months ago, the impact of this data breach - where exploit codes were made public and spurred a chain of attacks - can still be felt until today. We recently spotted malicious Android apps that appear to use an exploit found in the Hacking Team data ..
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/kernel-waiter-ex…
*** FBI muss Mozilla keine Informationen über Sicherheitslücke übergeben ***
---------------------------------------------
Der Richter in einem Verfahren gegen einen Nutzer einer Kinderpornographie-Plattform hat es abgelehnt, dass Mozilla sich einmischt, um an Informationen über eine Sicherheitslücke im Tor-Browser zu kommen.
---------------------------------------------
http://heise.de/-3211120
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 17-05-2016 18:00 − Mittwoch 18-05-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** That Insane, $81M Bangladesh Bank Heist? Here's What We Know ***
---------------------------------------------
Someone stole $81 million from Bangladesh Bank in a matter of hours, and appears to have targeted other banks that use ..
---------------------------------------------
http://www.wired.com/2016/05/insane-81m-bangladesh-bank-heist-heres-know/
*** Academics Make Theoretical Breakthrough in Random Number Generation ***
---------------------------------------------
Two University of Texas academics have made what some experts believe is a breakthrough in random number generation that could have longstanding implications for cryptography and computer security.
---------------------------------------------
http://threatpost.com/academics-make-theoretical-breakthrough-in-random-num…
*** XSA-176 ***
---------------------------------------------
http://xenbits.xen.org/xsa/advisory-176.html
*** First ATM malware is back and badder than ever ***
---------------------------------------------
Original gangster Skimer goes global Cybercriminals have retrofitted a strain of ATM malware first discovered in 2009 to create an even more potent threat.
---------------------------------------------
www.theregister.co.uk/2016/05/17/skimer_atm_malware/
*** Cisco Adaptive Security Appliance XML Parser Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Adaptive Security Appliance VPN Memory Block Exhaustion Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Unified Computing System Central Cross-Site Scripting Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Identity Services Engine Active Directory Integration Component Remote Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Malicious macro using a sneaky new trick ***
---------------------------------------------
We recently came across a file (ORDER-549-6303896-2172940.docm, SHA1: 952d788f0759835553708dbe323fd08b5a33ec66) containing ..
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2016/05/17/malicious-macro-using-a…
*** Hacker weiden Untergrund-Forum Nulled.IO aus ***
---------------------------------------------
Im Hacker-Forum Nulled.IO treffen sich Gleichgesinnte und handeln etwa mit erbeuteten Nutzer-Konten. Ironischerweise wurde Nulled.IO nun selbst Opfer einer verheerenden Hacker-Attacke.
---------------------------------------------
http://heise.de/-3209682
*** Windows 10 Device Guard and Credential Guard Demystified ***
---------------------------------------------
While helping Windows Enterprise customers deploy and realize the benefits of Windows 10, I've observed there's still a lot of confusion regarding the security features of the operating system. This is a shame since some ..
---------------------------------------------
https://blogs.technet.microsoft.com/ash/2016/03/02/windows-10-device-guard-…
*** Scammers target cybersecurity brands ***
---------------------------------------------
Cybersquatting, typosquatting and phishing now target the largest cybersecurity brands.
---------------------------------------------
https://www.htbridge.com/blog/scammers-target-cybersecurity-companies-brand…
*** Google to shutter SSLv3, RC4 from SMTP servers, Gmail ***
---------------------------------------------
Mark your calendars: Google will disable support for the RC4 stream cipher and the SSLv3 protocol on its SMTP servers and Gmail servers on June 16.After the deadline, Googles SMTP servers will no longer exchange mail with servers ..
---------------------------------------------
http://www.cio.com/article/3071866/security/google-to-shutter-sslv3-rc4-fro…
*** Magento 2.0.6 Security Update ***
---------------------------------------------
Magento Enterprise Edition and Community Edition 2.0.6 contain multiple security and functional enhancements. You can find more details about the vulnerabilities addressed below.
---------------------------------------------
https://magento.com/security/patches/magento-206-security-update
*** Magento - Unauthenticated Remote Code Execution ***
---------------------------------------------
The vulnerability (CVE-2016-4010) allows an attacker to execute PHP code at the vulnerable Magento server unauthenticated. This vulnerability actually consists of many small vulnerabilities, as described further in the blog post.
---------------------------------------------
http://netanelrub.in/2016/05/17/magento-unauthenticated-remote-code-executi…
*** Sicherheitsrichtlinie: EU-Rat billigt Meldepflicht bei Cyberangriffen ***
---------------------------------------------
Die EU-Mitgliedsstaaten haben den Kompromiss zur geplanten Richtlinie über Netz- und Informationssicherheit angenommen, den Verhandlungsführer zuvor mit dem EU-Parlament ausgehandelt hatten. Es geht um Sicherheitsauflagen für Online-Anbieter.
---------------------------------------------
http://heise.de/-3210189
*** Ransomware Activity Spikes in March, Steadily increasing throughout 2016 ***
---------------------------------------------
https://www.fireeye.com/blog/threat-research/2016/05/ransomware_activity.ht…
*** The Ultimate Guide to Angler Exploit Kit for Non-Technical People ***
---------------------------------------------
There's been a lot of talk about the Angler exploit kit lately, but, for most people, the warnings don't strike a chord. And they're definitely not to blame. Not everyone ..
---------------------------------------------
https://heimdalsecurity.com/blog/ultimate-guide-angler-exploit-kit-non-tech…
*** Die Crypto Wars und die Folgen: Wie uns alte Hintertüren weiter verfolgen ***
---------------------------------------------
Erneut fordern Politiker, Geheimdienste und Strafverfolger, Krypto-Software absichtlich zu schwächen. Das war schon einmal vorgeschrieben und die Konsequenzen verfolgen uns noch heute: Verheerende Sicherheitslücken haben genau darin ihren Ursprung.
---------------------------------------------
http://heise.de/-3210209
*** Bitly partners with Let's Encrypt for HTTPS links ***
---------------------------------------------
Bitly processes data associated with more than 12 billion clicks per month, leading to massive troves of intelligence. Now, they're partnering with Let's Encrypt to generate SSL certificates for more than 40,000 Bitly ..
---------------------------------------------
https://www.helpnetsecurity.com/2016/05/18/bitly-https-links/
*** IRZ RUH2 3G Firmware Overwrite Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a firmware overwrite vulnerability in iRZ's RUH2 device.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-138-01
*** Moxa EDR-G903 Secure Router Vulnerabilities ***
---------------------------------------------
This advisory was originally posted to the US-CERT secure Portal library on February 11, 2016, and is being released to the NCCIC/ICS-CERT web site. This advisory contains mitigation details for Moxa's ECR G903 secure routers.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-042-01
*** Fixing `marked` XSS vulnerability ***
---------------------------------------------
A few weeks ago we added to our DB a Cross-Site Scripting (XSS) vulnerability in the popular marked package. This post explains the vulnerability, shows how to exploit it on a sample app, and explains how to fix the issue in your application.
---------------------------------------------
https://snyk.io/blog/marked-xss-vulnerability/
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 13-05-2016 18:00 − Dienstag 17-05-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Panama Papers: the result of neglected IT security ***
---------------------------------------------
The financial, legal and political world have been turned upside down by the Panama Papers. But how on earth was it possible to steal 2.6 terabytes of data from Mossack Fonseca?
---------------------------------------------
https://blog.gdatasoftware.com/2016/05/28239-panama-papers-the-result-of-ne…
*** Yahoo-owned Tumblr announces email credential compromise ***
---------------------------------------------
Tumblr announced Thursday that a third party accessed a set of Tumblr user email addresses with salted and hashed passwords.
---------------------------------------------
http://www.scmagazine.com/tumblr-announces-email-credentials-compromised/ar…
*** CVE-2016-4117: Flash Zero-Day Exploited in the Wild ***
---------------------------------------------
https://www.fireeye.com/blog/threat-research/2016/05/cve-2016-4117-flash-ze…
*** "Bösartiges Design": Wie Webseiten Nutzer reinlegen und betrügen ***
---------------------------------------------
Skrupellose Abzock-Praktiken stehen immer mehr unter Kritik, etwa das automatische Anklicken von Abonnements
---------------------------------------------
http://derstandard.at/2000037009828
*** Unethische Forschung: Wissenschaftler veröffentlichen 70.000 OKCupid-Profile ***
---------------------------------------------
Wissenschaftler aus Dänemark haben Profile von rund 70.000 OKCupid-Nutzern analysiert und veröffentlicht. Den beteiligten Herren ist ein Ethik-Seminar dringend zu empfehlen.
---------------------------------------------
http://www.golem.de/news/unethische-forschung-wissenschaftler-veroeffentlic…
*** Gatecoin: Mehr als zwei Millionen US-Dollar in Kryptowährungen gestohlen ***
---------------------------------------------
Wer seine Bitcoin oder Ether bei dem Anbieter Gatecoin aufbewahrt, sollte seine Accounts checken - rund 15 Prozent der Einlagen wurden gestohlen. Auszahlungen sollen erst ab dem 28. Mai wieder möglich sein, es wird aber an Entschädigungsregeln gearbeitet.
---------------------------------------------
http://www.golem.de/news/gatecoin-ueber-zwei-millionen-us-dollar-in-kryptow…
*** Swift-Attacke abgewehrt: Millionen-Transaktion im Visier von Cyberdieben ***
---------------------------------------------
Ziel der Hacker bei der Tien Phong Bank war eine Transaktion von umgerechnet mehr als einer Million Euro gewesen
---------------------------------------------
http://derstandard.at/2000037024022-1231152558333
*** Carding Sites Turn to the 'Dark Cloud' ***
---------------------------------------------
Crooks who peddle stolen credit cards on the Internet face a constant challenge: Keeping their shops online and reachable in the face of meddling from law enforcement officials, security firms, researchers and vigilantes. In this ..
---------------------------------------------
http://krebsonsecurity.com/2016/05/carding-sites-turn-to-the-dark-cloud/
*** Chrome könnte Flash noch dieses Jahr standardmässig blockieren ***
---------------------------------------------
Google plant anscheinend, HTML5 noch stringenter als Standard in seinem Webbrowser Chrome einzusetzen. Flash-Inhalte sollen im Zuge dessen entweder gar nicht mehr oder nur in Ausnahmefällen wiedergegeben werden.
---------------------------------------------
http://heise.de/-3208837
*** Android Hacking: Dumping and Analyzing Application's Memory ***
---------------------------------------------
In this article, we will discuss how to dump the memory of a specific application using Android Studio's heap dump feature. We will also explore EclipseMemoryAnalyzer(MAT) to analyze the heap dump we acquire. It is possible to create heap dumps of an application�s heap in Android. We can dump ..
---------------------------------------------
http://resources.infosecinstitute.com/android-hacking-dumping-and-analyzing…
*** Cisco Video Communication Server Session Initiation Protocol Packet Processing Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** OS X El Capitan v10.11.5 and Security Update 2016-003 ***
---------------------------------------------
https://support.apple.com/kb/HT206567
*** DSA-3580 imagemagick - security update ***
---------------------------------------------
Nikolay Ermishkin from the Mail.Ru Security Team and Stewie discoveredseveral vulnerabilities in ImageMagick, a program suite for imagemanipulation. These vulnerabilities, collectively known as ImageTragick,are the consequence of lack of sanitization of untrusted input. Anattacker with control ..
---------------------------------------------
https://www.debian.org/security/2016/dsa-3580
*** Secure Coding: How to Account for Input Sanitization ***
---------------------------------------------
On average, a website leverages around 18-20 different plugins in its structure. These plugins enhance the website's functionality and in some instances extend the applications core capabilities. It's great for website owners because they can pick and ..
---------------------------------------------
https://blog.sucuri.net/2016/05/secure-coding-account-input-sanitization.ht…
*** Symantec Antivirus Engine Malformed PE Header Parser Memory Access Violation ***
---------------------------------------------
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se…
*** Zombie crypto still rules smart grids: OSGP vendors need to kill RC4 ***
---------------------------------------------
Deprecated almost everywhere, researchers crack open smart grid ancient crypto suite AGAIN The Open Smart Grid Protocols custom RC4 encryption has been cracked - again.
---------------------------------------------
www.theregister.co.uk/2016/05/17/zombie_crypto_still_rules_smart_grids/
*** Malicious Android apps slip into Google Play, top third party charts ***
---------------------------------------------
Enlist phones in ad fraud, premium SMS, loser DDoS Malicious Android applications have bypassed Googles Play store security checks to enslave infected devices into distributed denial of service attack, advertising fraud, and spam botnets.
---------------------------------------------
www.theregister.co.uk/2016/05/17/viking_horde_android_app_malware/
*** VMSA-2016-0005 ***
---------------------------------------------
VMware product updates address critical and important security issues
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2016-0005.html
*** Kritische Lücke gefährdet Antiviren-Produkte von Symantec und Norton ***
---------------------------------------------
Ein gefährlicher Bug in der Scan Engine von Symantect zieht weite Kreise und bedroht alle Symantec- und Norton-Produkte auf allen Plattformen, warnt ein Sicherheitsforscher.
---------------------------------------------
http://heise.de/-3208967
*** Security Principles in iOS Architecture ***
---------------------------------------------
I strongly suggest readers checkout my two prior blogs on Cryptography, Principle of Least Privilege, and Biometrics. All of these will be explored in depth throughout this blog.
---------------------------------------------
https://woumn.wordpress.com/2016/05/02/security-principles-in-ios-architect…
*** Killing XSS and CSRF on web server layer ***
---------------------------------------------
Existing and new web security technologies based on actively developed RFCs propose new approaches to common web vulnerabilities remediation.
---------------------------------------------
https://www.htbridge.com/blog/killing-xss-and-csrf-on-web-server-layer.html
*** "Cryptohitman": Erpressungstrojaner ersetzt Sperrbildschirm mit Pornos ***
---------------------------------------------
Verschlüsselt Dateien mit Endung ".porno" - kostenloses Tool rettet Userdaten
---------------------------------------------
http://derstandard.at/2000037097552
*** Finanzministerium warnt vor falschen BMF-Mails ***
---------------------------------------------
Phishing-Attacke - Löschen, löschen, löschen!
---------------------------------------------
http://derstandard.at/2000037101098
*** The Sleepy User Agent ***
---------------------------------------------
>From time to time a customer writes in and asks about certain requests that have been blocked by the CloudFlare WAF. Recently, a customer couldn't understand why it appeared that some simple GET requests for their homepage were ..
---------------------------------------------
https://blog.cloudflare.com/the-sleepy-user-agent/
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 12-05-2016 18:00 − Freitag 13-05-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Cyber Heist Attribution ***
---------------------------------------------
Written by Sergei Shevchenko and Adrian Nish | BACKGROUND | Attributing a single cyber-attack is a hard task and often impossible. However, when multiple attacks are conducted over long periods of time, they leave a trail of digital evidence. Piecing this together into a campaign can help investigators to see the bigger picture, and even hint at who may be behind the attacks. Our research into malware used on SWIFT based systems running in banks has turned up multiple bespoke tools used by a set of...
---------------------------------------------
http://baesystemsai.blogspot.com/2016/05/cyber-heist-attribution.html
*** Neuer Angriff auf Swift-Netzwerk: Angreifer nutzen manipulierten PDF-Reader ***
---------------------------------------------
Eine Bank setzte zur Überprüfung von Transaktionen offenbar keine Hashwerte der einzelnen Vorgänge ein - sondern nimmt eine Sichtprüfung von PDFs vor. Aus diesem Grund konnten Angreifer erneut illegale Transaktionen im Swift-Netzwerk vornehmen.
---------------------------------------------
http://www.golem.de/news/neuer-angriff-auf-swift-netzwerk-angreifer-nutzen-…
*** EZB plant Meldestelle für Cyber-Angriffe auf Banken ***
---------------------------------------------
Auch die Bankenaufseher der Europäischen Zentralbank reagieren auf die wachsende Zahl von Angriffen mit einer Meldepflicht bei schwerwiegenden Bedrohungen.
---------------------------------------------
http://heise.de/-3207934
*** MISP - Malware Information Sharing Platform, (Fri, May 13th) ***
---------------------------------------------
In a previous diary (Unity Makes Strength), I briefly mentioned MISP(which means Malware Information Sharing Platform). Since this tool is becomingmore and more popular, Id like to give more details about it.Sharing is key could be the slogan of MISP. The ideais to allow different organizations to share IOCs (Indicators of Compromize) like IP addresses, domains, hashes, URLs, filenames, ... Thegoal is to increase their ability to protect themselves against malicious activities. With millions of...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21053&rss
*** Open sourcing our NGINX HTTP/2 + SPDY code ***
---------------------------------------------
In December, we released HTTP/2 support for all customers and last week we released HTTP/2 Server Push support as well. The release of HTTP/2 by CloudFlare had a huge impact on the number of sites supporting and using the protocol. Today, 50% of sites that use HTTP/...
---------------------------------------------
https://blog.cloudflare.com/open-sourcing-our-nginx-http-2-spdy-code/
*** Meteocontrol WEBlog Vulnerabilities ***
---------------------------------------------
This advisory contains mitigation details for one authentication and two information exposure vulnerabilities in Meteocontrol's WEB'log application.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-133-01
*** TrendMicro - Multiple HTTP Problems with CoreServiceShell.exe ***
---------------------------------------------
Topic: TrendMicro - Multiple HTTP Problems with CoreServiceShell.exe Risk: Medium Text:Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=775 The main component of Trend Micro Antivirus is CoreSe...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016050051
*** Symantec Messaging Gateway 10.6.x ACE Library Static Link to Vulnerable SSL Version ***
---------------------------------------------
Revisions None Severity Severity (CVSS version 2 and CVSS Version 3) CVSS2 ...
---------------------------------------------
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se…
*** Bugtraq: May 2016 - HipChat Server - Critical Security Advisory ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538378
*** Bugtraq: [security bulletin] HPSBGN03597 rev.1 - HPE Cloud Optimizer (Virtualization Performance Viewer) using glibc Remote Denial of Service (DoS) ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538371
*** Bugtraq: [security bulletin] HPSBMU03589 rev.1 - HPE Version Control Repository Manager (VCRM), Remote Denial of Service (DoS) ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538377
*** Bugtraq: [security bulletin] HPSBMU03591 rev.1 - HPE Server Migration Pack, Remote Denial of Service (DoS) ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538376
*** Bugtraq: [security bulletin] HPSBMU03590 rev.1 - HPE Systems Insight Manager (SIM) on Windows and Linux, Multiple Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538379
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM WebSphere Application Server for Bluemix April 2016 CPU (CVE-2016-3426, CVE-2016-3427) ***
http://www.ibm.com/support/docview.wss?uid=swg21983039
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Content Manager Enterprise Edition 8.5.0 (CVE-2016-3449, CVE-2016-0264) ***
http://www.ibm.com/support/docview.wss?uid=swg21982262
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in OpenSSL affects IBM Sterling Connect:Express for Unix (CVE-2016-2842). ***
http://www.ibm.com/support/docview.wss?uid=swg21982374
---------------------------------------------
*** IBM Security Bulletin: A Security Vulnerability exist in IBM Cognos TM1 ***
http://www.ibm.com/support/docview.wss?uid=swg21981936
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Tivoli Netcool Configuration Manager (ITNCM) (Multiple CVEs) ***
http://www.ibm.com/support/docview.wss?uid=swg21973066
---------------------------------------------
Next End-of-Shift Report: 2016-05-17
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 11-05-2016 18:00 − Donnerstag 12-05-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Security Updates Available for Adobe Flash Player (APSB16-15) ***
---------------------------------------------
A Security Bulletin (APSB16-15) has been published regarding security updates for Adobe Flash Player. These updates address critical vulnerabilities, and Adobe recommends users update their product installations to the latest versions using the instructions referenced in the security bulletin. Adobe...
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1352
*** Tips to Prevent Ransomware in Healthcare Environments ***
---------------------------------------------
If 2015 was the year of the healthcare breach, 2016 is shaping up to be the year of ransomware. By this time last year, 105 healthcare breaches had been reported to the U.S. Department of...
---------------------------------------------
http://researchcenter.paloaltonetworks.com/2016/05/tips-to-prevent-ransomwa…
*** Entpacker 7-Zip kann zum Ausführen von Schadcode missbraucht werden ***
---------------------------------------------
Über eine Lücke im Kompressions-Tool 7-Zip können Angreifer Schadcode ausführen und eventuell auch den Rechner des Opfers kapern. Besonders brisant: Der Open-Source-Code des Tools steckt auch in Sicherheitssoftware.
---------------------------------------------
http://heise.de/-3206787
*** US-CERT warnt Betreiber von SAP-Systemen ***
---------------------------------------------
Anlass der Sicherheitswarnung des Computer-Notfall-Teams der USA ist ein Bericht, demzufolge mindestens 36 Organisationen in der ganzen Welt über eine SAP-Lücke angegriffen und kompromittiert wurden.
---------------------------------------------
http://heise.de/-3207245
*** New Wave of the Test0.com/Test5.xyz Redirect Hack ***
---------------------------------------------
Last week we described the hack that randomly redirected site visitors either to a parked test0 .com domain or to malicious sites via the default7 .com domain. This week the default7 .com domain went down but the attackers returned with a new wave of site infections and the new redirecting domain - test5 .xyz (registered just a few...
---------------------------------------------
https://blog.sucuri.net/2016/05/test0test5-com-redirect-hack-new-wave.html
*** Popular cache Squid skids as hacker pops lid ***
---------------------------------------------
Yet another mess we can blame on the combination of Flash and advertising Tsinghua University postgraduate student Jianjun Chen has reported a critical cache poisoning vulnerability in the Squid proxy server, a transparent cache widely deployed by internet service providers.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/05/12/telco_fave_…
*** Giving up Your Roots: A Root Remedy Checklist ***
---------------------------------------------
As an IT organization, should you be concerned that your sysAdmins login as root, su to root, or sudo su to root?The post Giving up Your Roots: A Root Remedy Checklist appeared first on BeyondTrust.
---------------------------------------------
https://www.beyondtrust.com/blog/root-remedy-checklist/
*** Facebook CTF platform is now open source ***
---------------------------------------------
Capture the Flag competitions are a good - not to mention legal - way for hackers to build and hone their skills. But, quality CTF environments are difficult and expensive to build and run. This is a burden that Facebook aims to lighten by open sourcing the Facebook CTF platform, devised for the training of their own employees and used around the world by various organizations looking to interest kids in computer security. The now-free...
---------------------------------------------
https://www.helpnetsecurity.com/2016/05/12/facebook-ctf-platform-open-sourc…
*** From the Netherlands Presidency of the EU Council: Coordinated vulnerability disclosure Manifesto signed ***
---------------------------------------------
Approximately 30 organisations have signed the Coordinated Vulnerability Disclosure Manifesto today, in which they declare to support the principle of having a point of contact to report IT vulnerabilities to and already have this set up in their own organisations, or they plan to do so soon. By signing the manifesto, the participating...
---------------------------------------------
https://www.enisa.europa.eu/news/member-states/from-the-netherlands-preside…
*** DFN-CERT-2016-0770: Jenkins: Mehrere Schwachstellen ermöglichen u.a. das Ausspähen von Informationen ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0770/
*** DFN-CERT-2016-0739: OpenVPN: Zwei Schwachstellen ermöglichen Denial-of-Service-Angriffe ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0739/
*** Security Notice - Statement on Bogner Florian Revealing Privilege Escalation Vulnerability in Huawei E5373 LTE Mobile Wi-Fi Products ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-notices/2016/huawei-sn-20160512-01-…
*** F5 Security Advisory: Nginx vulnerabilities CVE-2016-0742, CVE-2016-0746, and CVE-2016-0747 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/23/sol23073482.html?…
*** BulletProof Security <= .53.3 - Multiple XSS Vulnerabilities ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/8492
*** Bugtraq: [security bulletin] HPSBHF03592 rev.1 - HPE VAN SDN Controller OVA using OpenSSL, Multiple Remote Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538359
*** Bugtraq: [security bulletin] HPSBNS03581 rev.2 - HPE NonStop Servers running Samba (NS-Samba), Multiple Remote Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538360
*** Bugtraq: [security bulletin] HPSBST03598 rev.1 - HPE 3PAR OS using glibc, Remote Denial of Service (DoS), Arbitrary Code Execution ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538365
*** Bugtraq: [security bulletin] HPSBST03586 rev.1 - HPE 3PAR OS, Remote Unauthorized Modification ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538364
*** Bugtraq: [security bulletin] HPSBST03599 rev.1 - HPE 3PAR OS running OpenSSH, Remote Denial of Service (DoS), Access Restriction Bypass ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538366
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin:Vulnerability in IBM Java Runtime affect IBM Host On-Demand (CVE-2016-0363) ***
http://www.ibm.com/support/docview.wss?uid=swg21982489
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Web Browser XSS Protection affects IBM Algorithmics Algo Risk Application - CVE-2016-0390 ***
http://www.ibm.com/support/docview.wss?uid=swg21981321
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM SDK Java Technology Edition affect WebSphere Application Server shipped with SmartCloud Provisioning ***
http://www.ibm.com/support/docview.wss?uid=swg2C1000105
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Image Construction and Composition Tool. (CVE-2015-3193, CVE-2015-3194, CVE-2015-3195, CVE-2015-3196, CVE-2015-1794) ***
http://www.ibm.com/support/docview.wss?uid=swg21982883
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Workload Deployer. (CVE-2015-3193, CVE-2015-3194, CVE-2015-3195, CVE-2015-3196, CVE-2015-1794) ***
http://www.ibm.com/support/docview.wss?uid=swg21982877
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect WebSphere Message Broker and IBM Integration Bus ***
http://www.ibm.com/support/docview.wss?uid=swg21982172
---------------------------------------------
*** IBM Security Bulletin: The GPFS pattern provided with IBM PureApplication System is affected by a security vulnerability. (CVE-2015-7488) ***
http://www.ibm.com/support/docview.wss?uid=swg21982874
---------------------------------------------
*** IBM Security Bulletin: The GPFS pattern provided with IBM PureApplication System is affected by a security vulnerability. (CVE-2015-7456) ***
http://www.ibm.com/support/docview.wss?uid=swg21982873
---------------------------------------------
*** IBM Security Bulletin: A potential vulnerability in IBM Java SDK affect InfoSphere Streams (CVE-2015-4872) ***
http://www.ibm.com/support/docview.wss?uid=swg21973403
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 10-05-2016 18:00 − Mittwoch 11-05-2016 18:00
Handler: Stephan Richter
Co-Handler: Alexander Riepl
*** Security Advisory posted for Adobe Flash Player (APSA16-02) ***
---------------------------------------------
A Security Advisory (APSA16-02) has been published regarding a critical vulnerability (CVE-2016-4117) in Adobe Flash Player. Adobe is aware of a report that an exploit ..
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1346
*** Security Updates for Adobe Acrobat and Reader and Hotfixes for ColdFusion Available ***
---------------------------------------------
Security Bulletins for Adobe Acrobat and Reader (APSB16-14) as well as ColdFusion (APSB16-16) have been published. Adobe recommends users update their product installations to the latest versions using the instructions in the relevant security ..
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1350
*** IBM Security Bulletin: The Elastic Storage Server and the GPFS Storage Server are affected by vulnerabilities in IBM Spectrum Scale (CVE-2016-0263, CVE2016-0361) ***
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=isg3T1023767
*** MS16-MAY - Microsoft Security Bulletin Summary for May 2016 - Version: 1.0 ***
---------------------------------------------
https://technet.microsoft.com/en-us/library/security/MS16-MAY
*** May 2016 security update release ***
---------------------------------------------
Today we released security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to apply security updates as soon as they are released. More information about this month's security ..
---------------------------------------------
https://blogs.technet.microsoft.com/msrc/2016/05/10/may-2016-security-updat…
*** 5 security experts share their best tips for 'fringe' devices ***
---------------------------------------------
What is a 'fringe' device in IT?For some, it's a gadget everyone has forgotten about - a printer in a corner office, an Android tablet in a public area used to schedule conference rooms. A fringe device can also be one that's common enough to be used ..
---------------------------------------------
http://www.cio.com/article/3068406/security/5-security-experts-share-their-…
*** Panasonic FPWIN Pro Vulnerabilities ***
---------------------------------------------
This advisory contains mitigation details concerning buffer overflow vulnerabilities in Panasonic FPWIN Pro software.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-131-01
*** DSA-3574 libarchive - security update ***
---------------------------------------------
Rock Stevens, Andrew Ruef and Marcin Icewall Noga discovered aheap-based buffer overflow vulnerability in the zip_read_mac_metadatafunction in libarchive, a multi-format archive and compression library,which may ..
---------------------------------------------
https://www.debian.org/security/2016/dsa-3574
*** It's time to get serious about ICS cybersecurity ***
---------------------------------------------
As recently reported by The Register, a proof-of-concept PLC worm could spell disaster for the critical infrastructure by making attacks exponentially more difficult to detect and stop. Unfortunately, the proof of concept of a PLC worm is a viable scenario which could cause immeasurable ..
---------------------------------------------
https://www.helpnetsecurity.com/2016/05/11/time-get-serious-ics-cybersecuri…
*** Patchday: Microsoft schliesst Zero-Day-Lücke im Internet Explorer ***
---------------------------------------------
Wie jeden Monat heißt es auch im Mai für Windows-Nutzer wieder einmal: Jetzt schnell Patches einspielen! Diesmal ist es besonders dringend, denn eine im Patchday geschlossene Lücke wurde bereits vor ihrer Veröffentlichung aktiv für Angriffe missbraucht.
---------------------------------------------
http://heise.de/-3202816
*** Multiple JVC HDRs and Net Cameras - Multiple Vulnerabilities ***
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016050040
*** The Art of Searching for Open Source Intelligence ***
---------------------------------------------
The Internet is a big ocean, and it carries loads of information you might be interested in or looking for, but where and how to find that information? Thanks to search engines like Google that make the searches using a query possible, ..
---------------------------------------------
http://resources.infosecinstitute.com/the-art-of-searching-for-open-source-…
*** CryptXXX 2.0 foils decryption tool, locks PCs ***
---------------------------------------------
CryptXXX ransomware, first spotted in mid-April, has reached version 2.0, and a new level of nastiness. It's also on its way to become one of the top ransomware families in the wild. The malware's first version would encrypt files but leave ..
---------------------------------------------
https://www.helpnetsecurity.com/2016/05/11/cryptxxx-2-0-foils-decryption/
*** Adobe lässt sich Zeit mit Patch für ausgenutzte Lücke ***
---------------------------------------------
Mit dem Sicherheitsupdate für den Flash-Player lässt Adobe sich mehr Zeit, als Nutzer zum Deinstallieren der Software benötigen.
---------------------------------------------
http://www.golem.de/news/kritische-flash-luecke-adobe-laesst-sich-zeit-mit-…
*** Hintergrund: Dridex analysiert ***
---------------------------------------------
Eine kleine Artikelreihe zeigt, wie man einen Bot-Netz-Client mit dem Debugger auseinander nimmt.
---------------------------------------------
http://heise.de/-3204362
*** TA16-132A: Exploitation of SAP Business Applications ***
---------------------------------------------
Original release date: May 11, 2016 Systems Affected Outdated or misconfigured SAP systems Overview At least 36 organizations worldwide are affected by an SAP vulnerability [1]. Security researchers from Onapsis discovered ..
---------------------------------------------
https://www.us-cert.gov/ncas/alerts/TA16-132A
*** Updated factsheets security of ICS/SCADA systems ***
---------------------------------------------
Malicious persons and security researchers show interest in the (lack of) security of industrial control systems. This relates not only to 'traditional' ICS/SCADA systems, but also to building management systems (incl. HVAC and CCTV).
---------------------------------------------
https://www.ncsc.nl/english/current-topics/news/updated-factsheets-security…
*** IBM Security Bulletin: Multiple vulnerabilities in Samba affect IBM SmartCloud Provisioning for IBM Software Virtual Appliance ***
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg2C1000130
*** IBM Security Bulletin: IBM Emptoris Sourcing is affected by open redirect vulnerability (CVE-2016-0329). ***
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21982629
*** IBM Security Bulletin: Multiple vulnerabilities in Libxml2 affect IBM SmartCloud Provisioning for IBM Software Virtual Appliance ***
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg2C1000110
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 09-05-2016 18:00 − Dienstag 10-05-2016 18:00
Handler: Stephan Richter
Co-Handler: Alexander Riepl
*** [Xen-announce] Xen Security Advisory 179 (CVE-2016-3710, CVE-2016-3712) - QEMU: Banked access to VGA memory (VBE) uses inconsistent bounds checks ***
---------------------------------------------
Qemu VGA module allows banked access to video memory using the window at 0xa00000 and it supports different access modes with different address calculations. But an attacker can easily change access modes after setting the bank ..
---------------------------------------------
http://lists.xen.org/archives/html/xen-announce/2016-05/msg00001.html
*** Finding Conditional SEO Spam in Drupal ***
---------------------------------------------
Nobody likes spam. It's never fun (unless you're watching Monty Python). For us it comes with the territory; removing SEO spam has been at the core of ..
---------------------------------------------
https://blog.sucuri.net/2016/05/seo-spam-in-drupal-database.html
*** DSA-3572 websvn - security update ***
---------------------------------------------
Nitin Venkatesh discovered that websvn, a web viewer for Subversion repositories, is susceptible to cross-site scripting attacks viaspecially crafted file and directory names in repositories.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3572
*** Gamarue, Nemucod, and JavaScript ***
---------------------------------------------
JavaScript is now being used largely to download malware because it's easy to obfuscate the code and it has a small size. Most recently, one of the most predominant JavaScript malware that has been spreading other malware is Nemucod. This ..
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2016/05/09/gamarue-nemucod-and-jav…
*** Don�t Put Off Till Tomorrow What You Should Start Today (Part 1) ***
---------------------------------------------
For some, the upcoming EU legislative changes (the General Data Protection Regulation, referred to as GDPR, and the Network and Information Security Directive, referred to as the NIS Directive) may have seemed like they ..
---------------------------------------------
http://researchcenter.paloaltonetworks.com/2016/05/cso-dont-put-off-till-to…
*** Performing network forensics with Dshell. Part 1: Basic usage, (Mon, May 9th) ***
---------------------------------------------
I found out recently there is a very interesting tool that enables some interesting capabilities to perform network forensics from a PCAP capture file. It"> in the command prompt. There is a major keyword that launches ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21035
*** This is what a root debug backdoor in the Linux kernel looks like ***
---------------------------------------------
Allwinners all-loser code makes it into shipped firmware A root backdoor for debugging Android gadgets managed to end up in shipped firmware - and were surprised this sort of colossal blunder doesnt happen more often.
---------------------------------------------
www.theregister.co.uk/2016/05/09/allwinners_allloser_custom_kernel_has_a_na…
*** DSA-3573 qemu - security update ***
---------------------------------------------
https://www.debian.org/security/2016/dsa-3573
*** SS7 spookery on the cheap allows hackers to impersonate mobile chat subscribers ***
---------------------------------------------
Flaws in the mobile signalling protocols can be abused to read messaging apps such as WhatsApp and Telegram.
---------------------------------------------
www.theregister.co.uk/2016/05/10/ss7_mobile_chat_hack/
*** Security Advisory: ImageMagick vulnerability CVE-2016-3714 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/03/sol03151140.html
*** Let's stop talking password flaws and instead discuss access management ***
---------------------------------------------
A good bit of attention has been given to a new report that suggests that there are organizations that don't change their administrative passwords at all, ever. While it may be a bit eye opening that many IT professionals said they did not ..
---------------------------------------------
https://www.helpnetsecurity.com/2016/05/10/password-flaws-access-management/
*** xt:Commerce: Dringende Patches ohne Details ***
---------------------------------------------
Der Anbieter des Online-Shop-Systems xt:Commerce verteilt aktuell einen Sicherheitspatch. Betroffene Admins sollten die abgesicherten Versionen mit "sehr hoher ..
---------------------------------------------
http://heise.de/-3200152
*** Hacker Challenges ***
---------------------------------------------
Want to get started hacking things but don't want to do anything illegal? Here are some challenges others have made to help you practice some hacking skills. By participating in the challenges you could learn the following ..
---------------------------------------------
https://www.tunnelsup.com/hacker-challenges/
*** Ransomware Is Not a 'Malware Problem' - It's a Criminal Business Model ***
---------------------------------------------
Today Unit 42 published our latest paper on ransomware, which has quickly become one of the greatest cyberthreats facing organizations around the world. As a business model, ransomware has proven to be highly effective ..
---------------------------------------------
http://researchcenter.paloaltonetworks.com/2016/05/unit-42-ransomware-trend…
*** Lateral Movement: Do You Have Enough Eyes? ***
---------------------------------------------
Sophisticated attackers can find their way into a corporate network in many ways. An attack could come from an external source, through the exploitation of a service, or by being brought in by a user whose laptop has been infected while ..
---------------------------------------------
http://resources.infosecinstitute.com/lateral-movement-do-you-have-enough-e…
*** Böse Bilder: Akute Angriffe auf Webseiten über ImageMagick ***
---------------------------------------------
Die Gnadenfrist ist abgelaufen. Wer ein ungepatchtes ImageMagick auf seinem Server einsetzt, sollte schnellstens handeln, denn nun sind Exploits im Umlauf.
---------------------------------------------
http://heise.de/-3200773
*** Xen Security Advisory CVE-2016-3710,CVE-2016-3712 / XSA-179 ***
---------------------------------------------
http://xenbits.xen.org/xsa/advisory-179.txt
*** IBM Security Bulletin: Vulnerabilities in OpenSource PHP Affect IBM Lotus Protector For Mail Security (CVE-2016-3142 ) ***
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21981983
*** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM SmartCloud Provisioning for IBM Software Virtual Appliance ***
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg2C1000128
*** Hackers paradise: Outdated Internet Explorer, Flash installs in enterprises ***
---------------------------------------------
Two in five Flash users DO update. Surprised? A quarter of all Windows devices are running outdated and unsupported versions of Internet Explorer, exposing users to more ..
---------------------------------------------
www.theregister.co.uk/2016/05/10/ie_flash_vulns_rife/