=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 20-01-2017 18:00 − Montag 23-01-2017 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** PowerShell 5.1 for Windows 7 and later , (Fri, Jan 20th) ***
---------------------------------------------
Microsoft has released Windows Management Framework 5.1 for windows 7 and later. WMF 5.1 upgrades Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 to the PowerShell, WMI, WinRM and SIL components that were released with Windows Server 2016 and Windows 10 Anniversary Edition.">">"> (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21957&rss
*** Hotel zum vierten Mal von Hackern lahmgelegt ***
---------------------------------------------
Das Seehotel Jägerwirt auf der Turracher Höhe ist bereits zum vierten Mal von Hackern heimgesucht und erpresst worden. Die elektronischen Zimmerschlüssel wurden lahmgelegt. Daher will man jetzt zu normalen Schlüsseln zurückkehren.
---------------------------------------------
http://kaernten.orf.at/news/stories/2821290/
*** Stopping Malware With a Fake Virtual Machine ***
---------------------------------------------
As we explained in a previous post, some advanced malware can detect a virtual environment such as a sandbox to avoid detection and analysis. Some threats can also detect monitoring tools used for malware analysis. Often such malware will not execute or change their behavior to appear harmless. Because some malware uses these tactics, planting fake virtual machine artefacts or fake analysis tools on a system...
---------------------------------------------
https://securingtomorrow.mcafee.com/mcafee-labs/stopping-malware-fake-virtu…
*** Wartungsarbeiten Dienstag, 24. 1. 2017 ***
---------------------------------------------
Am Dienstag, 24. Jänner 2017, werden wir Wartungsarbeiten an unserer Infrastruktur vornehmen. Dies wird zu Ausfällen der extern erreichbaren Services (zB Mail, Webserver, Mailinglisten) führen. Es gehen dabei keine Daten (zb Emails) verloren, die Bearbeitung kann sich allerdings verzögern.
---------------------------------------------
http://www.cert.at/services/blog/20170120104523-1882.html
*** The Week in Ransomware - January 20th 2017 - Satan RaaS, Spora, Locky, and More ***
---------------------------------------------
This week we continue to see more ransomware being released as well as changes in the distribution of the larger ransomware infections. For example, Locky has had a very low distribution lately since the holidays, but according to the Cisco Talos Group, it is starting to pick up again. [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-janua…
*** Sage 2.0 Ransomware, (Sat, Jan 21st) ***
---------------------------------------------
Introduction On Friday 2017-01-20, I checked on a malicious spam (malspam) campaign that normally distributes Cerber ransomware. That Friday it delivered ransomware Id never seen before called Sage. More specifically, it was Sage 2.0." /> Shown above: Its always fun to find ransomawre thats not Cerber or Locky. Sage is yet another family of ransomware in an already crowded field. It was noted on BleepingComputer forums back in December 2016 [1, 2], and Sage is apparently a variant of...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21959&rss
*** Symantec schlampt erneut mit TLS-Zertifikaten ***
---------------------------------------------
Offenbar haben mehrere von Symantec betriebene Certificate Authorities (CAs) unberechtigterweise über 100 TLS-Zertifikate ausgestellt. Das kann ein Auslesen des Datenverkehrs von HTTPS-geschützten Websites durch Dritte ermöglichen.
---------------------------------------------
https://heise.de/-3604190
*** Android permissions and hypocrisy ***
---------------------------------------------
I wrote a piece a few days ago about how the Meitu app asked for a bunch of permissions in ways that might concern people, but which were not actually any worse than many other apps. The fact that Android makes it so easy for apps to obtain data thats personally identifiable is of concern, but in the absence of another stable device identifier this is the sort of thing that capitalism is inherently going to end up making use of. Fundamentally, this is Googles problem to fix.
---------------------------------------------
http://mjg59.dreamwidth.org/46403.html
*** Researchers predict upsurge of Android banking malware ***
---------------------------------------------
Android users, beware: source code and instructions for creating a potent Android banking Trojan have been leaked on a hacker forum, and researchers are expecting an onslaught of malware based on it. In fact, one has already been spotted. Masquerading as a variety of benign apps (e.g. Google Play) on third-party Android app markets, the Trojan - dubbed Android.BankBot.149.origin by Dr. Web researchers - is eminently capable. It can: Send and intercept text messages (including...
---------------------------------------------
https://www.helpnetsecurity.com/2017/01/23/upsurge-android-banking-malware/
*** Massive Twitter Botnet Dormant Since 2013 ***
---------------------------------------------
Researchers from the University College London have found a Twitter botnet of 350,000 bots that has been dormant since shortly after the accounts were registered.
---------------------------------------------
http://threatpost.com/massive-twitter-botnet-dormant-since-2013/123246/
*** Heartbleed: OpenSSL hört nicht auf zu bluten ***
---------------------------------------------
Eine Analyse der öffentlich im Internet erreichbaren Systeme zeigt, dass immer noch Hunderttausende für die OpenSSL-Lücke Heartbleed anfällig sind. Die bald drei Jahre alte Lücke findet sich demnach hauptsächlich in Mietservern der Cloud.
---------------------------------------------
https://heise.de/-3605222
*** QNAP Storage Devices Firmware Update Flaw Lets Remote Users Access the Target System ***
---------------------------------------------
http://www.securitytracker.com/id/1037663
*** DSA-3769 libphp-swiftmailer - security update ***
---------------------------------------------
Dawid Golunski from LegalHackers discovered that PHP Swift Mailer, amailing solution for PHP, did not correctly validate user input. Thisallowed a remote attacker to execute arbitrary code by passingspecially formatted email addresses in specific email headers.
---------------------------------------------
https://www.debian.org/security/2017/dsa-3769
*** DSA-3770 mariadb-10.0 - security update ***
---------------------------------------------
Several issues have been discovered in the MariaDB database server. Thevulnerabilities are addressed by upgrading MariaDB to the new upstreamversion 10.0.29. Please see the MariaDB 10.0 Release Notes for furtherdetails:...
---------------------------------------------
https://www.debian.org/security/2017/dsa-3770
*** DFN-CERT-2017-0123: OpenJPEG: Mehrere Schwachstellen ermöglichen u.a. die Ausführung beliebigen Programmcodes ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-0123/
*** Security Notice - Statement on Flanker Revealing Privilege Elevation Vulnerability in Huawei EMUI Keyguard Application ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-notices/2017/huawei-sn-20170123-01-…
*** Vuln: Red Hat JBoss Enterprise Application Platform CVE-2016-8627 Remote Denial of Service Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/95698
*** Security Advisories Relating to Symantec Products - Norton Download Manager DLL Loading ***
---------------------------------------------
Symantec has released an update to address a DLL loading vulnerability detected in the Norton Download Manager for affected products
---------------------------------------------
https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=s…
*** Vuln: Brocade Network Advisor CVE-2016-8204 Directory Traversal Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/95695
*** Vuln: Brocade Network Advisor CVE-2016-8205 Directory Traversal Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/95694
*** Vuln: Brocade Network Advisor CVE-2016-8206 Directory Traversal Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/95692
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium Data Redaction (CVE-2016-5597, CVE-2016-5542) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21997219
---------------------------------------------
*** IBM Security Bulletin: IBM Forms Experience Builder could be susceptible to a server-side request forgery (CVE-2016-6001) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21991280
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in OpenSSH affects IBM Flex System FC3171 8Gb SAN Switch and SAN Pass-thru, QLogic 8Gb Intelligent Pass-thru Module & SAN Switch Module for BladeCenter and QLogic Virtual Fabric Extension Module for IBM ***
https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5099501
---------------------------------------------
*** IBM Security Bulletin: HTTP Response Splitting in WebSphere Application Server affects IBM Virtualization Engine TS7700 (CVE-2016-0359) ***
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009661
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 19-01-2017 18:00 − Freitag 20-01-2017 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Satan: A new ransomware-as-a-service ***
---------------------------------------------
Ransomware as a Service (RaaS) has been growing steadily since it made its debut in 2015 with Tox. With the new Satan ..
---------------------------------------------
https://www.webroot.com/blog/2017/01/19/satan-new-ransomware-service
*** DSA-3767 mysql-5.5 - security update ***
---------------------------------------------
Several issues have been discovered in the MySQL database server. Thevulnerabilities are addressed by ..
---------------------------------------------
https://www.debian.org/security/2017/dsa-3767
*** Unbreakable Locky ransomware is on the march again ***
---------------------------------------------
Necrus botnet wakes up and starts fresh malware-cano Cisco is warning of possible return of a massive ransomware spam ..
---------------------------------------------
www.theregister.co.uk/2017/01/20/locky_ransomware_horrorshow_returns/
*** Internetsicherheit 2016: Erpressungstrojaner boomen in Österreich ***
---------------------------------------------
Unternehmen verstärkt im Visier von DDOS-Erpressern – Geheimdienste verstärkt tätig
---------------------------------------------
http://derstandard.at/2000051229037
*** Angebliche Backdoor: Kryptographen kritisieren Whatsapp-Bericht des Guardian ***
---------------------------------------------
Die Diskussion um die angebliche Backdoor in Whatsapp reißt nicht ab. Bekannte Sicherheitsforscher wie ..
---------------------------------------------
http://www.golem.de/news/angebliche-backdoor-kryptographen-kritisieren-what…
*** Social Engineering: Neue Angriffsmethode richtet sich gegen Firmen ***
---------------------------------------------
In den letzten Tagen wurden der Melde- und Analysestelle Informationssicherung MELANI mehrere Fälle gemeldet, bei denen Betrüger Firmen anrufen, sich als ..
---------------------------------------------
https://www.melani.admin.ch/melani/de/home/dokumentation/newsletter/social-…
*** Achtung: Große Anzahl von Netgear-Routern lässt sich über Admin-Interface kapern ***
---------------------------------------------
Gleich 30 Router-Modelle von Netgear enthalten eine Schwachstelle, die es Angreifern ermöglicht, die Admin-Passwörter der Geräte auszulesen und diese komplett zu übernehmen. Die Updates des Herstellers sollten umgehend eingespielt werden.
---------------------------------------------
https://heise.de/-3603918
*** Wieder Ermittlungen gegen Skidata im Betriebsspionage-Verfahren ***
---------------------------------------------
http://derstandard.at/2000051248975
*** ZDI-17-044: Apache Groovy MethodClosure Deserialization of Untrusted Data Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations ..
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-17-044/
*** ZDI-17-045: Adobe Reader DC XSLT apply-templates Heap-based Buffer Overflow Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Acrobat Reader DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-17-045/
*** ZDI-17-053: Samba NDR Parsing ndr_pull_dnsp_name Heap-based Buffer Overflow Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Samba. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-17-053/
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 18-01-2017 18:00 − Donnerstag 19-01-2017 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Who is Anna-Senpai, the Mirai Worm Author? ***
---------------------------------------------
On September 22, 2016, this site was forced offline for nearly four days after it was hit with “Mirai,” a malware strain that enslaves poorly secured Internet of Things (IoT) devices like wireless routers and security cameras into a botnet for use in large cyberattacks. Roughly a week after that ..
---------------------------------------------
https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-autho…
*** Docker Patches Container Escape Vulnerability ***
---------------------------------------------
Docker has patched a privilege escalation vulnerability that could lead to container escapes, allowing a hacker to affect operations of a host from inside a container.
---------------------------------------------
http://threatpost.com/docker-patches-container-escape-vulnerability/123161/
*** Database Ransom Attacks Hit CouchDB and Hadoop Servers ***
---------------------------------------------
For the past week, unknown groups of cyber-criminals have taken control of and wiped data from CouchDB and Hadoop databases, in some cases asking for a ransom fee to return the ..
---------------------------------------------
https://www.bleepingcomputer.com/news/security/database-ransom-attacks-hit-…
*** Adobes naughty Chrome telemetry code had XSS problem ***
---------------------------------------------
Since patched, but a bad look for Adobe when it cant even get snoopware right Adobes pushed out a fix for its already-controversial Chrome telemetry extension after Project Zeros Tavis Ormandy found an ..
---------------------------------------------
www.theregister.co.uk/2017/01/19/adobe_telemetry_patch_patched_against_xss/
*** Insecure Hadoop installs next in net scum crosshairs ***
---------------------------------------------
Because MongoDB, Elasticsearch ransomware attacks are sooo last week Rinse-and-repeat ransomware attacks on data services left unsecured by dozy sysadmins are now hitting Hadoop instances.
---------------------------------------------
www.theregister.co.uk/2017/01/19/insecure_hadoop_installs_under_attack/
*** Ex-Sysadmin fordert 200.000 Dollar für Nennung von Passwort ***
---------------------------------------------
US-amerikanisches College wirft ehemaligem Mitarbeiter Erpressung vor
---------------------------------------------
http://derstandard.at/2000050946919
*** Apple’s malware problem is accelerating ***
---------------------------------------------
For a long time, one of the most common reasons for buying an Apple computer over a Windows-based one was that the former was less susceptible to viruses and other malware. However, the ..
---------------------------------------------
https://www.helpnetsecurity.com/2017/01/19/apple-malware-problem-accelerati…
*** Viren, Spam und Computerausfälle betreffen IT-Sicherheit bei KMU ***
---------------------------------------------
Fehlendes Wissen und Angst vor Kosten wichtigste Gründe, warum Situation nicht verbessert wird
---------------------------------------------
http://derstandard.at/2000051117771
*** DSA-3766 mapserver - security update ***
---------------------------------------------
It was discovered that mapserver, a CGI-based framework for Internetmap services, was vulnerable to a stack-based overflow. This issueallowed a remote user to crash the service, or potentially execute arbitrary code.
---------------------------------------------
https://www.debian.org/security/2017/dsa-3766
*** Google veröffentlicht Riesen-Patch-Paket für Android ***
---------------------------------------------
94 einzelne Lücken, 10 kritische Sicherheitsprobleme; Googles Android Security Bulletin für den Januar hat es in sich.
---------------------------------------------
https://heise.de/-3603108
*** Forcepoint: Carbanak nutzt Google-Dienste für Malware-Hosting ***
---------------------------------------------
Wer seine Malware auf einem Command-und-Control-Server hostet, läuft Gefahr, von Firewall-Regeln erkannt zu werden. Die Carbanak-Gruppe liefert Kommandos daher über Google-Docs aus.
---------------------------------------------
http://www.golem.de/news/forcepoint-carbanak-nutzt-google-dienste-fuer-malw…
*** Hackingvorwürfe: "Deutschland stellt Russland als Aggressor dar" ***
---------------------------------------------
Russisches Außenamt beschwert sich über deutsche Vorgangsweise: "Keine Beweise vorgelegt"
---------------------------------------------
http://derstandard.at/2000051188487
*** Samsung SmartCam-Kameras sind Freiwild für Botnetz-Betreiber ***
---------------------------------------------
Forscher haben vor Jahren Lücken in der SmartCam SNH-1011 entdeckt, die von Samsung nur unzureichend geflickt wurden. Nun sind die IP-Kameras erneut angreifbar.
---------------------------------------------
https://heise.de/-3603201
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 17-01-2017 18:00 − Mittwoch 18-01-2017 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Critical Patch Update - January 2017 ***
---------------------------------------------
http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html
*** vBulletin Malware – When Hackers Compete for Backdoor Control ***
---------------------------------------------
A common pattern we see in compromised websites is the presence of backdoors and other malicious code. During Q3 of 2016, we found that 72% of all compromises that we encountered had ..
---------------------------------------------
https://blog.sucuri.net/2017/01/vbulletin-malware-hackers-compete-backdoor-…
*** JSA10774 - 2017-01 Security Bulletin: Network and Security Manager (NSM): Multiple OpenSSH and other third party software vulnerabilities affect NSM Appliance OS. ***
---------------------------------------------
http://kb.juniper.net/index?page=content&id=JSA10774&actp=RSS
*** Kill it with fire: US-CERT warns admins to dump Server Message Block ***
---------------------------------------------
Shadow Brokers may have loosed a zero-day, so youre better safe than sorry The US computer emergency readiness team ..
---------------------------------------------
www.theregister.co.uk/2017/01/18/uscert_warns_admins_to_kill_smb_after_shad…
*** Do web injections exist for Android? ***
---------------------------------------------
Man-in-the-Browser (MITB) attacks can be implemented using various means, including malicious DLLs, rogue ..
---------------------------------------------
http://securelist.com/blog/research/77118/do-web-injections-exist-for-andro…
*** In Review: 2016’s Mobile Threat Landscape Brings Diversity, Scale, and Scope ***
---------------------------------------------
65 million: the number of times we’ve blocked mobile threats in 2016. By December 2016, the total number of unique samples of malicious Android apps we’ve collected and ..
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/2016-mobile-thre…
*** Last call to replace SHA-1 certificates ***
---------------------------------------------
http://blog.sec-consult.com/2017/01/last-call-to-replace-sha-1-certificates…
*** The Carbanak gang is with a new modus operandi, Google services as C&C ***
---------------------------------------------
The infamous Carbanak cybercrime gang is back and is leveraging Google services for command-and-control of its malicious codes. The dreaded Carbanak cybercrime gang is back ..
---------------------------------------------
http://securityaffairs.co/wordpress/55427/cyber-crime/carbanak-google-servi…
*** Spora Ransomware Offers Victims Unique Payment Options ***
---------------------------------------------
Researchers are keeping close tabs on a new ransomware strain called Spora that offers victims unique payment options.
---------------------------------------------
http://threatpost.com/spora-ransomware-offers-victims-unique-payment-option…
*** Kritische Lücken in Java & Co: Oracle wirft Riesen-Patchpaket ab ***
---------------------------------------------
Das neueste Critical Patch Update von Oracle enthält unter anderem Sicherheitsupdates für Java, MySQL und VirtualBox. Wie immer gibt es Patches für fast alle Produkte des Herstellers.
---------------------------------------------
https://heise.de/-3601613
*** Ancient Mac backdoor discovered that targets medical research firms ***
---------------------------------------------
More secure than PC? Ha! Security researchers at Malwarebytes have discovered a Mac backdoor using antiquated code that targets biomedical research facilities.…
---------------------------------------------
ww.theregister.co.uk/2017/01/18/mac_malware/
*** Uncovering the Inner Workings of EyePyramid ***
---------------------------------------------
Two Italians referred to as the “Occhionero brothers” have been arrested and accused of using malware and a carefully-prepared spear-phishing scheme to spy on high-profile ..
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/uncovering-inner…
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 16-01-2017 18:00 − Dienstag 17-01-2017 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Who's winning the cyber war? The squirrels, of course ***
---------------------------------------------
CyberSquirrel1 project shows fuzzy-tailed intruders cause more damage than "cyber" can.
---------------------------------------------
http://arstechnica.com/information-technology/2017/01/whos-winning-the-cybe…
*** Dodgy Dutch developer built backdoors into thousands of sites ***
---------------------------------------------
Then hoovered out users personal data, stole identities galore and spent up big Dutch police are this week warning 20,000 users that their email accounts were hacked after ..
---------------------------------------------
www.theregister.co.uk/2017/01/17/police_warn_of_dutch_developer_who_built_b…
*** [2017-01-17] Cross site scripting in TYPO3 CMS extension "Recommend page" ***
---------------------------------------------
The "Recommend page" extension (pb_recommend_page) for the TYPO3 CMS does not sanitize input properly. Hence an attacker can inject malicious HTML/JavaScript content which can cause harm to the users.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2017…
*** Erpressung ist (immer noch) in! ***
---------------------------------------------
Das neue Jahr bringt sicherlich wieder viele technische Neuerungen und (potentiell unsägliche) Trends mit sich. Eines bleibt leider unverändert: Erpressung ist in.Neben DDoS-Drohungen und Ransomware in ..
---------------------------------------------
http://www.cert.at/services/blog/20170117104444-1861.html
*** CryptoSearch: Tool findet und sammelt von Ransomware verschlüsselte Dateien zur Verwahrung ein ***
---------------------------------------------
Wenn ein Erpressungs-Trojaner Daten in seine Gewalt gebracht hat, hoffen Opfer auf ein kostenloses Entschlüsselungstool - wann und ob überhaupt eins kommt, ist aber oft unklar. Ein Windows-Tool sammelt und archiviert bis dahin betroffene Dateien.
---------------------------------------------
https://heise.de/-3597757
*** Citrix XenServer Multiple Security Updates ***
---------------------------------------------
Security vulnerabilities have been identified in Citrix XenServer that may allow malicious code running within a guest VM to read a small part of ...
---------------------------------------------
https://support.citrix.com/article/CTX219378
*** Free-to-Play: Forum von Clash-of-Clans-Betreiber gehackt ***
---------------------------------------------
Erneut ist ein vBulletin-Forum gehackt worden. Betroffen sind vermutlich 1,1 Millionen Nutzer von Supercell-Foren. Der Spielehersteller vertreibt populäre Titel wie Clash of Clans und Clash Royale.
---------------------------------------------
http://www.golem.de/news/free2play-forum-von-clash-of-clans-betreiber-gehac…
*** The Line of Death ***
---------------------------------------------
When building applications that display untrusted content, security designers have a major problems if an attacker has full control of a block of pixels, he can make those pixels look ..
---------------------------------------------
https://textslashplain.com/2017/01/14/the-line-of-death/
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 13-01-2017 18:00 − Montag 16-01-2017 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Hardening Windows 10 with zero-day exploit mitigations ***
---------------------------------------------
Cyber attacks involving zero-day exploits happen from time to time, affecting different platforms and applications. Over the years, Microsoft security teams have been working extremely ..
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2017/01/13/hardening-windows-10-wi…
*** WordPress 4.7.1 released, patches eight vulnerabilities and 62 bugs ***
---------------------------------------------
According to the release notes the latest version of WordPress 4.7.1 addresses eight security vulnerabilities and other 62 bugs. Wednesday the latest version of WordPress 4.7.1 was released by the WordPress Team, it is classified as a security release for ..
---------------------------------------------
http://securityaffairs.co/wordpress/55308/breaking-news/wordpress-4-7-1-rel…
*** DSA-3764 pdns - security update ***
---------------------------------------------
Multiple vulnerabilities have been discovered in pdns, an authoritativeDNS server. The Common Vulnerabilities and Exposures project identifiesthe following ..
---------------------------------------------
https://www.debian.org/security/2017/dsa-3764
*** DSA-3763 pdns-recursor - security update ***
---------------------------------------------
Florian Heinz and Martin Kluge reported that pdns-recursor, a recursiveDNS server, parses all records present in a query regardless of whetherthey are ..
---------------------------------------------
https://www.debian.org/security/2017/dsa-3763
*** Backup Files Are Good but Can Be Evil ***
---------------------------------------------
Since we started to work with computers, we always heard the following advice: Make backups!. Everytime you have to change something in a file or an application, first make a backup of the existing resources (code, configuration files, data). But, ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21935
*** Compliance: Deutsche Bank verbannt Whatsapp und SMS von Diensthandys ***
---------------------------------------------
Mitarbeiter der Deutschen Bank können künftig nicht mehr untereinander per Whatsapp oder SMS kommunizieren. Die Apps sollen von den Geräten der Mitarbeiter entfernt werden - weil es die Behörden so wollen.
---------------------------------------------
http://www.golem.de/news/compliance-deutsche-bank-verbannt-whatsapp-und-sms…
*** DSA-3765 icoutils - security update ***
---------------------------------------------
Several programming errors in the wrestool tool of icoutils, a suiteof tools to create and extract MS Windows icons and ..
---------------------------------------------
https://www.debian.org/security/2017/dsa-3765
*** Rätselraten um NSA-Waffenhändler "Shadow Brokers" ***
---------------------------------------------
Hacker- Gruppe kündigte Rückzug an – lauter werdende Gerüchte um Verbindungen nach Russland
---------------------------------------------
http://derstandard.at/2000050751646
*** Datendiebstahl bei den iPhone-Hackern Cellebrite ***
---------------------------------------------
Die Firma, die die Verschlüsselung des iPhones für das FBI geknackt haben soll, wurde Opfer eines Datendiebstahls. 900 GB an Daten sind gestohlen worden.
---------------------------------------------
https://futurezone.at/digital-life/datendiebstahl-bei-den-iphone-hackern-ce…
*** Cyberangriffe zu deutschem Wahlkampf befürchtet: Abwehrzentrum geplant ***
---------------------------------------------
Bundestagspräsident: "Was technisch möglich ist, findet auch statt"
---------------------------------------------
http://derstandard.at/2000050779644
*** Google reveals its servers all contain custom security silicon ***
---------------------------------------------
Even the servers it colocates (!) says new docu revealing Alphabet subs security secrets Google has published a Infrastructure Security Design Overview that explains how it secures ..
---------------------------------------------
www.theregister.co.uk/2017/01/16/google_reveals_its_servers_all_contain_cus…
*** Blackberry DTEK60 im (Sicherheits-)Test: Sicher, weil isso! ***
---------------------------------------------
Blackberry will die Quadratur des Kreises schaffen: ein sicheres Android-Smartphone. Leider stellt der Hersteller wenig Informationen bereit und verwirrt Nutzer teils unnötig.
---------------------------------------------
http://www.golem.de/news/blackberry-60-im-sicherheits-test-sicher-weil-isso…
*** New Gmail phishing technique fools even tech-savvy users ***
---------------------------------------------
An effective new phishing attack is hitting Gmail users and tricking many into inputing their Gmail credentials into a fake login page. How the attack unfolds The phishers start by compromising a Gmail account, then they rifle through the emails ..
---------------------------------------------
https://www.helpnetsecurity.com/2017/01/16/new-gmail-phishing-attack-fools-…
*** 35 Jahre C64: Die Geburtsstunde der "Cracker" und Kopierer ***
---------------------------------------------
In den 1980er-Jahren war es in Österreich vergleichsweise schwer, überhaupt Software zu kaufen
---------------------------------------------
http://derstandard.at/2000049895466
*** Cartapping: Autos werden seit 15 Jahren digital verwanzt ***
---------------------------------------------
Um den Standort eines Autos zu überwachen, muss längst keine GPS-Wanze mehr angebracht werden. In den USA wird das offenbar schon lange mithilfe der intelligenten Navigations- und Bordsysteme praktiziert.
---------------------------------------------
http://www.golem.de/news/cartapping-autos-werden-seit-15-jahren-digital-ver…
*** We reverse engineered 16k apps, here’s what we found ***
---------------------------------------------
In Nov’16, we created an online tool to reverse engineer any android app to look for secrets. This tool was built because of an internal need — we were constantly required to reverse ..
---------------------------------------------
https://medium.com/@mkagenius/afdccb592b81
*** Mailserver Dovecot: erfolgreiches Sicherheits-Audit ***
---------------------------------------------
Als weitestgehend sicher stuft das Berliner IT-Sicherheitsunternehmen Cure53 den Mailserver Dovecot ein. In Auftrag gegeben hatte diese Untersuchung die Mozilla Foundation.
---------------------------------------------
https://heise.de/-3596977
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 12-01-2017 18:00 − Freitag 13-01-2017 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Critical Patch Update - January 2017 - Pre-Release Announcement ***
---------------------------------------------
http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html
*** EMET 5.52 update is now available ***
---------------------------------------------
EMET 5.52 is the latest version of the Enhanced Mitigation Experience Toolkit (EMET) and is now available for download. EMET 5.52 is a minor update from EMET 5.51 to address the following: An issue with the EAF mitigation that causes some applications to hang on Windows 7 SP1. A fix to the MSI installer to...
---------------------------------------------
https://blogs.technet.microsoft.com/srd/2017/01/12/emet-5-52-update-is-now-…
*** Marlboro Ransomware Defeated in One Day ***
---------------------------------------------
A new ransomware family was snuffed in its crib today after security researchers tracked it down, analyzed its source code for weaknesses, and released a decrypter in less than 24 hours. [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/security/marlboro-ransomware-defeated…
*** Angriffe auf VoIP-Gateways von beroNet, Patch sorgt für Sicherheit ***
---------------------------------------------
Angreifer entdeckten eine Schwachstelle in den VoIP-Gateways des Berliner Herstellers beroNet und nutzen diese seit kurzem aus, um die Rechnungen ihrer Opfer in die Höhe zu treiben. Ein Patch des Herstellers stopft das Sicherheitsloch.
---------------------------------------------
https://heise.de/-3594737
*** November-December 2016 ***
---------------------------------------------
The NCCIC/ICS-CERT Monitor for November/December 2016 is a summary of ICS-CERT activities for the previous two months
---------------------------------------------
https://ics-cert.us-cert.gov/monitors/ICS-MM201612
*** Wie sich Banken vor Cyberangriffen schützen ***
---------------------------------------------
Olaf Schwarz, Information Security Officer bei der Direktbank ING DiBa Austria über Cyberangriffe auf Banken, Ransomware und Sicherheitsschulungen für Mitarbeiter.
---------------------------------------------
https://futurezone.at/digital-life/wie-sich-banken-vor-cyberangriffen-schue…
*** Whos Attacking Me?, (Fri, Jan 13th) ***
---------------------------------------------
I started to play with a nice reconnaissance tool that could be helpful in many cases - offensive as well as defensive. IVRE [1] (DRUNK in French) is a tool developed by the CEA, the Alternative Energies and Atomic Energy Commission in France. Its a network reconnaissance framework that includes: Passive recon features (via flow analysis coming from Bro or Nfdump Fingerprinting analysis Active recon (via Nmapor Zmap) Import tools (from Nmap or Masscan) I deployed this tool and feed it with...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21933&rss
*** MongoDB Hijackers Move on to ElasticSearch Servers ***
---------------------------------------------
After days of wreaking havoc among MongoDB servers, a group of crooks has moved on to hijacking ElasticSearch servers and asking for similar ransoms. [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/security/mongodb-hijackers-move-on-to…
*** Schlüsselaustausch: Aufregung um angebliche Whatsapp-Backdoor ***
---------------------------------------------
Hat Whatsapp eine Backdoor? Das behaupten zumindest ein Sicherheitsforscher und der Guardian. Tatsächlich könnte es auch eine weniger spektakuläre Erklärung geben.
---------------------------------------------
http://www.golem.de/news/schluesselaustausch-aufregung-um-angebliche-whatsa…
*** Ploutus ATM Malware: Press F3 for Money ***
---------------------------------------------
Security researchers from FireEye have identified a new variant of the Ploutus ATM malware, used for the past few years to make ATMs spew out cash on command. [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ploutus-atm-malware-press-f3…
*** Security Alert: RIG EK Exploits Outdated Popular Apps, Spreads Cerber Ransomware ***
---------------------------------------------
Cybersecurity experts obsessively repeat two types of advice: Use stronger passwords. Update your software. Today's security alert is all about the importance of applying software updates as soon as they're released. At the moment, cybercriminals are using a swarm of malicious domains to launch drive-by attacks against unsuspecting users. The campaign works by injecting malicious scripts into insecure...
---------------------------------------------
https://heimdalsecurity.com/blog/rig-exploit-kit-cerber-ransomware-outdated…
*** DSA-3761 rabbitmq-server - security update ***
---------------------------------------------
It was discovered that RabbitMQ, an implementation of the AMQPprotocol, didnt correctly validate MQTT (MQ Telemetry Transport)connection authentication. This allowed anyone to login to an existinguser account without having to provide a password.
---------------------------------------------
https://www.debian.org/security/2017/dsa-3761
*** Vuln: Splunk Enterprise CVE-2016-10126 Information Disclosure Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/95412
*** Vuln: Lenovo XClarity Administrator CVE-2016-8221 Privilege Escalation Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/95417
*** HPSBGN03694 rev.1 - HPE SiteScope, Remote Disclosure of Information ***
---------------------------------------------
A security vulnerability in DES/3DES block ciphers used in the TLS protocol, could potentially impact HPE SiteScope resulting in remote disclosure of information, also known as the SWEET32 attack.
---------------------------------------------
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05369403
*** Vuln: Zabbix CVE-2016-10134 SQL Injection Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/95423
*** Security Advisory: BIND vulnerability CVE-2016-9147 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/02/sol02138183.html?…
*** Security Advisory: BIND vulnerability CVE-2016-9131 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/86/sol86272821.html?…
*** Security Advisory: BIND vulnerability CVE-2016-9444 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/40/sol40181790.html?…
*** PowerDNS Security Fixes ***
---------------------------------------------
PowerDNS Recursor 4.0.4 released
https://mailman.powerdns.com/pipermail/pdns-announce/2017-January/001051.ht…
---------------------------------------------
PowerDNS Recursor 3.7.4 released
https://mailman.powerdns.com/pipermail/pdns-announce/2017-January/001052.ht…
---------------------------------------------
PowerDNS Authoritative Server 4.0.2 released
https://mailman.powerdns.com/pipermail/pdns-announce/2017-January/001053.ht…
---------------------------------------------
PowerDNS Authoritative Server 3.4.11
released https://mailman.powerdns.com/pipermail/pdns-announce/2017-January/001054.ht…
---------------------------------------------
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Security vulnerabilities in Apache Tomcat affects multiple IBM Rational products based on IBM's Jazz technology ***
https://www.ibm.com/support/docview.wss?uid=swg21997084
---------------------------------------------
*** IBM Security Bulletin: Unauthenticated User Could Gain Remote Access to TS3100/TS3200 (CVE-2016-9005) ***
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009656
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM SDK, Java Technology Edition affect IBM Image Construction and Composition Tool. (CVE-2016-5573, CVE-2016-5542, and CVE-2016-5597) ***
http://www.ibm.com/support/docview.wss?uid=swg21997055
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM PureApplication System. ***
http://www.ibm.com/support/docview.wss?uid=swg21994499
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Image Construction and Composition Tool. ***
http://www.ibm.com/support/docview.wss?uid=swg21997063
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in IBM WebSphere Application Server and IBM WebSphere Application Server Liberty affects IBM SPSS Analytic Server (CVE-2016-5986) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21996950
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in OpenSSL affects IBM Advanced Management Module (AMM) for BladeCenter systems ***
https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5099527
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in IBM WebSphere Application Server Liberty affects IBM SPSS Analytic Server (CVE-2016-0378) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21996968
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in the GSKit component of IBM Tivoli Monitoring (CVE-2015-1788) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21997156
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 11-01-2017 18:00 − Donnerstag 12-01-2017 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Personalisierte card complete-Phishingmail ***
---------------------------------------------
Eine personalisierte cardcomplete-Phishingmail, die EmpfÄnger/innen direkt beim Namen benennt, ist im Umlauf. In dieser behaupten Kriminelle, dass es zu verdÄchtigen Transaktionen gekommen sei, weshalb Kund/innen sich auf einer Website legitimieren sollen. Es handelt sich um einen Versuch, mit dem Kriminelle an fremde Kreditkartendaten gelangen wollen.
---------------------------------------------
https://www.watchlist-internet.at/phishing/personalisierte-card-complete-ph…
*** The Most Dangerous User Right You (Probably) Have Never Heard Of ***
---------------------------------------------
One user right I overlooked, until Ben Campbell's post on constrained delegation, was SeEnableDelegationPrivilege. This right governs whether a user account can "Enable computer and user accounts to be trusted for delegation." Part of the reason I overlooked it is stated right in the documentation:...
---------------------------------------------
http://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-y…
*** Sicherheitsloch im Herzschrittmacher ***
---------------------------------------------
Ein Firmware-Update soll Patienten mit Herzschrittmachern oder implantierten Defibrillatoren davor schützen, dass Hacker die Kontrolle über die Geräte übernehmen. Es gibt jedoch Zweifel daran, dass die Geräte nach dem Update sicher sind.
---------------------------------------------
https://heise.de/-3593932
*** Latest Adobe Acrobat Reader Update Silently Installs Chrome Extension ***
---------------------------------------------
An anonymous reader writes: The latest Adobe Acrobat Reader security update (15.023.20053), besides delivering security updates, also secretly installs the Adobe Acrobat extension in the users Chrome browser. There is no mention of this "special package" on Acrobats changelog, and surprise-surprise, the extension comes with anonymous data collection turned on by default. Bleeping Computer reports: "This extension allows users to save any web page theyre on as a PDF file and share...
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/s_zCwl6BNOY/latest-adobe-ac…
*** Some tools updates, (Thu, Jan 12th) ***
---------------------------------------------
A coupleof tools were updated and release today. Network Miner was updated. Version 2.1 is not available for download. Network Miner is packet sniffer/analyzer focused on extracting application layer forensic artifacts. The update adds new protocols and enhances email reassembly options. http://www.netresec.com/?page=Blogmonth=2017-01post=NetworkMiner-2-1-Releas… BlackhillsInformation Security released a Powershellversion of theDNSCAT2client. DNSCAT2 is a popular command and control tool...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21925&rss
*** System Resource Utilization Monitor, (Thu, Jan 12th) ***
---------------------------------------------
The attackers have come and gone and youare left behind to clean up the mess. You arrive on site to figure out how the bad guysgot in, what they took and how badly it will affect the customer. But, the customer doesnt syslog the firewall logs, so youare limited to the three days of logs that are held in thefirewalls memory. The Windows Event logs on most of the systems roll over every 5 minutes, and there is no centralized long term logging. There is no IDS. There is no full packet capture.
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21927&rss
*** Hintergrund: Open Bug Bounty: Sicherheitslücken gegen Prämie ***
---------------------------------------------
heise Security machte nicht ganz freiwillig Bekanntschaft mit einer bisher weitgehend unbekannten Plattform, auf der Hacker und andere Forscher Sicherheitslücken melden können.
---------------------------------------------
https://heise.de/-3593886
*** Ansible: Update soll kritischen Fehler in den 2.x-Versionen beheben ***
---------------------------------------------
Da die Schwachstelle als hohes Risiko eingestuft wird, haben die Macher Release Candidates der Versionen 2.1.4 und 2.2.1 veröffentlicht, die den Fehler beheben.
---------------------------------------------
https://heise.de/-3594254
*** Rent an IP, Own a Domain ***
---------------------------------------------
The other day I was on a mission to locate a contact of mine that lived nearby. I had an address, but no phone, or email address. So I got the GPS out, programmed in the address, and away I went. Arriving at the location, I turned into the driveway, and it was an apartment...
---------------------------------------------
https://blog.domaintools.com/2017/01/rent-an-ip-own-a-domain/
*** WordPress 4.7.1 Security and Maintenance Release ***
---------------------------------------------
This is a security release for all previous versions and we strongly encourage you to update your sites immediately.
---------------------------------------------
https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance…
*** Bugtraq: ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers) ***
---------------------------------------------
http://www.securityfocus.com/archive/1/540011
*** Vuln: libgit2 badssl.c Security Bypass Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/95354
*** Bugtraq: IKEv1 cipher suite configuration mismatch in Siemens SIMATIC CP 343-1 Advanced ***
---------------------------------------------
http://www.securityfocus.com/archive/1/540003
*** Vuln: Zimbra CVE-2016-3403 Multiple Cross Site Request Forgery Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/bid/95383
*** NetIQ Privileged Account Manager 3.0.1 HF3 (3.0.1-3) ***
---------------------------------------------
Abstract: NetIQ Privileged Account Manager 3.0.1 Hot Fix 3 (3.0.1.3). The purpose of the patch is to provide an upgrade of OpenSSL to eliminate potential security vulnerabilities. This release addresses does not contain new features.Document ID: 5267862Security Alert: YesDistribution Type: PublicEntitlement Required: NoFiles:netiq-npam-packages-3.0.1-3.tar.gz (175.63 MB)Products:Privileged Account Manager 3.0.1Superceded Patches:NetIQ Privileged Account Manager 3.0.1 HF 1NetIQ Privileged
---------------------------------------------
https://download.novell.com/Download?buildid=Ciuap7psZuo~
*** DFN-CERT-2017-0054: ISC BIND: Mehrere Schwachstellen ermöglichen verschiedene Denial-of-Service-Angriffe ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-0054/
*** Vuln: SAP NetWeaver XML External Entity Information Disclosure Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/95373
*** Vuln: SAP ERP Defence Forces and Public Security Remote Authorization Bypass Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/95367
*** Juniper Security Advisories ***
---------------------------------------------
*** JSA10772 - 2017-01 Security Bulletin: Junos: RPD crash while processing RIP advertisements (CVE-2017-2303) ***
http://kb.juniper.net/index?page=content&id=JSA10772&actp=RSS
---------------------------------------------
*** JSA10774 - 2017-01 Security Bulletin: Network and Security Manager (NSM): Multiple OpenSSH vulnerabilities affect NSM Appliance OS. ***
http://kb.juniper.net/index?page=content&id=JSA10774&actp=RSS
---------------------------------------------
*** JSA10773 - 2017-01 Security Bulletin: QFX3500, QFX3600, QFX5100, QFX5200, EX4300 and EX4600: Etherleak memory disclosure in Ethernet padding data (CVE-2017-2304) ***
http://kb.juniper.net/index?page=content&id=JSA10773&actp=RSS
---------------------------------------------
*** JSA10771 - 2017-01 Security Bulletin: Junos: Denial of Service vulnerability in RPD (CVE-2017-2302) ***
http://kb.juniper.net/index?page=content&id=JSA10771&actp=RSS
---------------------------------------------
*** JSA10770 - 2017-01 Security Bulletin: Junos Space: Multiple vulnerabilities resolved in 16.1R1 release. ***
http://kb.juniper.net/index?page=content&id=JSA10770&actp=RSS
---------------------------------------------
*** JSA10769 - 2017-01 Security Bulletin: Junos: Denial of service vulnerability in jdhcpd due to crafted DHCPv6 packets (CVE-2017-2301) ***
http://kb.juniper.net/index?page=content&id=JSA10769&actp=RSS
---------------------------------------------
*** JSA10768 - 2017-01 Security Bulletin: Junos: SRX Series denial of service vulnerability in flowd due to crafted multicast packets (CVE-2017-2300) ***
http://kb.juniper.net/index?page=content&id=JSA10768&actp=RSS
---------------------------------------------
*** IBM Security Bulletin ***
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Application Dependency Discovery Manager (TADDM) IBM Java SDK updates October 2016 ***
http://www-01.ibm.com/support/docview.wss?uid=swg21995972
---------------------------------------------
*** IBM Security Bulletin: Multiple Security Vulnerabilities in OpenSSL affect IBM Netezza Analytics ***
http://www-01.ibm.com/support/docview.wss?uid=swg21995049
---------------------------------------------
*** IBM Security Bulletin: IBM Sterling Order Management is affected by a vulnerability (CVE-2016-5953) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21994521
---------------------------------------------
*** IBM Security Bulletin: Multiple Security Vulnerabilities have been addressed in LMS 6.0 on Cloud ***
http://www.ibm.com/support/docview.wss?uid=swg21992072
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 10-01-2017 18:00 − Mittwoch 11-01-2017 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** How to secure MongoDB - because it isnt by default and thousands of DBs are being hacked ***
---------------------------------------------
Stop right now and make sure youve configured it correctly The rise in ransomware attacks on MongoDB installations prompted the database maker last week to issue advice on how to avoid being victimized.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2017/01/11/mongodb_ran…
*** Phishing per Autofill: Chrome, Safari, Opera und Erweiterungen wie LastPass angreifbar ***
---------------------------------------------
Chromium-basierte Browser, Safari und beliebte Erweiterungen wie der Passwortmanager LastPass lassen sich austricksen, um mehr über den Nutzer preiszugeben, als dieser ahnt.
---------------------------------------------
https://heise.de/-3593811
*** Injection of Unwanted Google AdSense Ads ***
---------------------------------------------
During the last couple of years, it has become quite prevalent for hackers to monetize compromised sites by injecting unwanted ads. They can be pop-up ads triggered when a visitor spends a certain amount of time on an infected page, or automatic redirection of mobile traffic to URLs that belong to ad networks. It's not uncommon to see adult ads since networks that work with the porn industry usually allow a higher level of anonymity and have less strict guidelines (if any) on the quality...
---------------------------------------------
https://blog.sucuri.net/2017/01/injection-unwanted-google-adsense-ads.html
*** Spora Ransomware Works Offline, Has the Most Sophisticated Payment Site as of Yet ***
---------------------------------------------
A new ransomware family made its presence felt today, named Spora, the Russian word for "spore." This new ransomwares most notable features are its solid encryption routine, ability to work offline, and a very well put together ransom payment site, the most sophisticated weve seen from ransomware authors as of yet. [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/security/spora-ransomware-works-offli…
*** Juniper warns: Borked upgrade opens root on firewalls ***
---------------------------------------------
Turn it off and turn it back on again. No, really Juniper is warning users of its SRX firewalls that a borked upgrade leaves a root-level account open to the world.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2017/01/11/juniper_war…
*** Hancitor/Pony/Vawtrak malspam, (Wed, Jan 11th) ***
---------------------------------------------
Introduction Until recently, I hadnt personally seen much malicious spam (malspam) using Microsoft office documents with Hancitor-based Visual Basic (VB) macros to send Pony and Vawtrak. It still happens, though. Occasionally, Ill find a report like this one from 2016-12-19, where Hancitor/Pony/Vawtrak malspam was disguised as a LogMeIn account notification, but I rarely come across an example on my own. At least until yesterday. This diary describes a recent wave of Hancitor/Pony/Vawtrak...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21919&rss
*** MS17-JAN - Microsoft Security Bulletin Summary for January 2017 - Version: 1.1 ***
---------------------------------------------
https://technet.microsoft.com/en-us/library/security/MS17-JAN
*** Bugtraq: ESA-2016-096: EMC Celerra, VNX1, VNX2 and VNXe SMB NTLM Authentication Weak Nonce Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539992http://www.securityfocus.com/archive/1/539993http://www.securityfocus.com/archive/1/539995
*** Vuln: Ansible CVE-2016-9587 Arbitrary Command Execution Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/95352
*** VU#767208: ThreatMetrix SDK for iOS fails to validate SSL certificates ***
---------------------------------------------
Vulnerability Note VU#767208 ThreatMetrix SDK for iOS fails to validate SSL certificates Original Release date: 10 Jan 2017 | Last revised: 10 Jan 2017 Overview On the iOS platform, the ThreatMetrix SDK versions prior to 3.2 fail to validate SSL certificates provided by HTTPS connections, which may allow an attacker to perform a man-in-the-middle (MITM) attack. Description ThreatMetrix is a security library for mobile applications, which aims to provide fraud prevention and device identity...
---------------------------------------------
http://www.kb.cert.org/vuls/id/767208
*** DFN-CERT-2017-0041: BlackBerry Enterprise Server: Zwei Schwachstellen ermöglichen u.a. das Erlangen von Benutzerrechten ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-0041/
*** BSRT-2017-003 Vulnerability in WatchDox Server components impacts WatchDox by BlackBerry ***
---------------------------------------------
http://support.blackberry.com/kb/articleDetail?articleNumber=000038915
*** DFN-CERT-2017-0045: WebKitGTK+: Mehrere Schwachstellen ermöglichen u.a. die Ausführung beliebigen Programmcodes ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-0045/
*** GnuTLS Lets Remote Users Execute Arbitrary Code on the Target System ***
---------------------------------------------
http://www.securitytracker.com/id/1037576
*** DFN-CERT-2017-0047: GnuTLS: Mehrere Schwachstellen ermöglichen verschiedene Denial-of-Service-Angriffe ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-0047/
*** Vuln: PHP CVE-2017-5340 Remote Code Execution Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/95371
*** Bugtraq: Bit Defender #39 - Auth Token Bypass Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539999
*** Vuln: Computer Associates Service Desk Manager CVE-2016-10086 Security Bypass Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/95366
*** Security Advisory - DoS Vulnerability in Multiple Huawei Products ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170111-…
*** Security Advisory - Camera DOS Vulnerability in ION Memory Management Module of Huawei Smart Phone ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170111-…
*** Security Notice - Statement on SaifAllah BenMassaoud Revealing CSRF Security Vulnerability in Huawei B660 Routers ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-notices/2017/huawei-sn-20170111-01-…
*** Vuln: SAP Products ***
---------------------------------------------
*** Vuln: SAP Single Sign On Denial of Service Vulnerability ***
http://www.securityfocus.com/bid/95363
---------------------------------------------
*** Vuln: SAP ERP Defence Forces and Public Security Remote Authorization Bypass Vulnerability ***
http://www.securityfocus.com/bid/95362http://www.securityfocus.com/bid/95365
---------------------------------------------
*** Vuln: SAP NetWeaver AS JAVA getUserUddiElements SQL Injection Vulnerability ***
http://www.securityfocus.com/bid/95364
---------------------------------------------
*** Vuln: SAP NetWeaver Application Server Java Portal App Component Cross Site Scripting Vulnerability ***
http://www.securityfocus.com/bid/95368
---------------------------------------------
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Hard-coded credentials used in IBM dashDB Local (CVE-2016-8954) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21994471
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Performance Tester (CVE-2016-5597) ***
http://www.ibm.com/support/docview.wss?uid=swg21995685
---------------------------------------------
*** IBM Security Bulletin: Fix Available for IBM iNotes Cross-site Scripting Vulnerability (CVE-2016-5881) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21995122
---------------------------------------------
*** IBM Security Bulletin: January 2015 OpenSSL security vulnerabilities in Multiple IBM N Series Products ***
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009328
---------------------------------------------
*** IBM Security Bulletin: October 2014 Java Runtime Environment (JRE) Vulnerabilities in Multiple N series Products ***
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009593
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 09-01-2017 18:00 − Dienstag 10-01-2017 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Adobe Security Bulletins posted ***
---------------------------------------------
Adobe has published security bulletins for Adobe Acrobat and Reader (APSB17-01) and Adobe Flash Player (APSB17-02). Adobe recommends users update their product installations to the latest versions using the instructions referenced in the relevant bulletin.
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1438https://helpx.adobe.com/security/products/acrobat/apsb17-01.htmlhttps://helpx.adobe.com/security/products/flash-player/apsb17-02.html
*** Rätselhafte Netzwerk-Aktivitäten mit GRE-Paketen ***
---------------------------------------------
Aufmerksame Admins verzeichnen aktuell auf ihren VPN-Gateways und Firewalls eine Zunahme von scheinbar sinnlosen GRE-Paketen. Die Ursache ist bislang unklar.
---------------------------------------------
https://heise.de/-3592231
*** Krebs's Immutable Truths About Data Breaches ***
---------------------------------------------
Ive had several requests for a fresh blog post to excerpt something that got crammed into the corner of a lengthy story published here Sunday: A list of immutable truths about data breaches, cybersecurity and the consequences of inaction.
---------------------------------------------
https://krebsonsecurity.com/2017/01/krebss-immutable-truths-about-data-brea…
*** Terror Exploit Kit? More like Error Exploit Kit ***
---------------------------------------------
Q: What does it take to create a simple, yet fully functioning exploit kit? A: Just a little bit of determination. A few weeks ago a website popped up on our radar: www[.]***empowernetwork[.]com This web site, like many others in...
---------------------------------------------
http://trustwave.com/Resources/SpiderLabs-Blog/Terror-Exploit-Kit--More-lik…
*** Über 1000 deutsche Online-Shops infiziert und angezapft ***
---------------------------------------------
Bei über tausend deutschen Online-Shops ziehen Kriminelle jetzt gerade Kundendaten und Zahlungsinformationen ab - und das zum Teil schon seit Monaten. Laut BSI ignorieren viele Shop-Betreiber das Problem.
---------------------------------------------
https://heise.de/-3592281
*** Datenklau an Geldautomaten steigt an, Schaden sinkt ***
---------------------------------------------
Datendiebe haben an Geldautomaten in Deutschland wieder häufiger zugeschlagen. Trotz moderner Technik verursacht Skimming nach wie vor Millionenschäden. An anderer Stelle allerdings sind Bankkunden noch mehr gefährdet.
---------------------------------------------
https://heise.de/-3592571
*** A Review of Cryptography - Part 1 ***
---------------------------------------------
Overview of Last Articles Our last few articles have dealt with the science and technology of Biometrics. To review, it is merely the Verification and/or Identification of an individual based on their unique physiological traits or even behavioral mannerisms. This is probably one of the best forms of Security technology to use because it is...
---------------------------------------------
http://resources.infosecinstitute.com/a-review-of-cryptography-part-1/
*** Two New Edge Exploits Integrated into Sundown Exploit Kit ***
---------------------------------------------
Two recently published proof-of-concept exploits targeted Microsoft Edge were recently integrated into the Sundown Exploit Kit.
---------------------------------------------
http://threatpost.com/two-new-edge-exploits-integrated-into-sundown-exploit…
*** Port 37777 "MapTable" Requests, (Tue, Jan 10th) ***
---------------------------------------------
Thanks to Born for noticing an increase in %%port:37777%% TCP traffic. He wrote a blog with some of the payloads he found, and after he notified us, I was able to confirm his observations in our honeypot [1]. First 32 bytes of the payload: c1 00 00 00 00 14 00 00 63 6f 6e 66 69 67 00 00 c. o. n. f. i. g 31 00 00 00 00 00 00 00 ">{ Enable : 1, MapTable : [ { Enable : 1, InnerPort : 85, OuterPort : 85, Protocol : TCP, ServiceName : HTTP }, { Enable : 1, InnerPort : 37777, OuterPort :...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21913&rss
*** Vuln: DLink DGS-1100 Switch CVE-2016-10125 Local Hardcoded SSL Certificate Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/95329
*** St. Jude Merlin@home Transmitter Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a channel accessible by non-endpoint vulnerability in St. Jude Medical's Merlin@home transmitter.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSMA-17-009-01
*** Intel Ethernet Controller X710/XL710 NVM Security Vulnerability ***
---------------------------------------------
A security vulnerability in the Intel Ethernet Controller X710 and Intel Ethernet Controller XL710 family of products (Fortville) has been found in the Non-Volatile Flash Memory (NVM) image. Under certain use conditions the Ethernet controller will stop sending and receiving data until the controller is reset. All NVM versions 5.04 and earlier contain this vulnerability which is fully mitigated in NVM version 5.05.
---------------------------------------------
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00063&lang…
*** DFN-CERT-2017-0034: Foxit Reader, Foxit PhantomPDF, Foxit PDF Toolkit: Mehrere Schwachstellen ermöglichen u.a. das Ausführen beliebigen Programmcodes ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-0034/
*** Moodle 3.2.1 release notes ***
---------------------------------------------
A number of security related issues were resolved. Details of these issues will be released after a period of approximately one week to allow system administrators to safely update to the latest version.
---------------------------------------------
https://docs.moodle.org/dev/Moodle_3.2.1_release_notes
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Cognos Metrics Manager (CVE-2016-6302 CVE-2016-6304 CVE-2016-6303 CVE-2016-2177 CVE-2016-2178 CVE-2016-2179 CVE-2016-6306 CVE-2016-2181 CVE-2016-2183) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21993856
---------------------------------------------
*** IBM Security Bulletin: IBM Tivoli Netcool Impact affected by Potential Information Disclosure vulnerability in WebSphere Application Server (CVE-2016-5986) ***
http://www.ibm.com/support/docview.wss?uid=swg21996503
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in IBM Java Runtime affects IBM Cognos Metrics Manager (CVE-2016-3485) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21995206
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in libxml2 affect IBM Cognos Metrics Manager (CVE-2016-3705, CVE-2016-4447, CVE-2016-4448) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21995198
---------------------------------------------
*** IBM Security Bulletin: IBM Tivoli Netcool Impact affected by Information Disclosure in IBM WebSphere Application Server Liberty (CVE-2016-0378) ***
http://www.ibm.com/support/docview.wss?uid=swg21996502
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in SnapDrive for Windows may Result in Disclosure of Sensitive Information (CVE-2015-8544) ***
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009256
---------------------------------------------