=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 21-09-2016 18:00 − Donnerstag 22-09-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Fake-Abmahnung von RA Jörg Schmidt im Umlauf ***
---------------------------------------------
Haushalte erhalten eine Abmahnung der Rechtsanwaltskanzlei Jörg Schmidt. Darin heißt es, dass es zu einer Verletzung von Urheberrechten der abbywinters.com BV gekommen sei, weil Empfänger/innen den Erotikfilm "Girl & Girl Pee Marigold & Christiana" verwertet haben. Aus diesem Grund sollen sie 950.00 Euro zahlen. Es handelt sich um einen Betrugsversuch.
---------------------------------------------
https://www.watchlist-internet.at/sonstiges/fake-abmahnung-von-ra-joerg-sch…
*** More than 840,000 Cisco devices are vulnerable to NSA-related exploit ***
---------------------------------------------
More than 840,000 Cisco networking devices from around the world are exposed to a vulnerability thats similar to one exploited by a hacking group believed to be linked to the U.S. National Security Agency.The vulnerability was announced by Cisco last week and it affects the IOS, IOS XE, and IOS XR software that powers many of its networking devices. The flaw allows hackers to remotely extract the contents of a devices memory, which can lead to the exposure of sensitive information.
---------------------------------------------
http://www.cio.com/article/3122868/more-than-840000-cisco-devices-are-vulne…
*** Bug that hit Firefox and Tor browsers was hard to spot - now we know why ***
---------------------------------------------
The curious case of Firefoxs (now fixed) certificate pinning failure.
---------------------------------------------
http://arstechnica.com/security/2016/09/bug-that-hit-firefox-and-tor-browse…
*** Hacked Website Report - 2016/Q2 ***
---------------------------------------------
Today we're releasing our quarterly Hacked Website Report for 2016/Q2. The data in this report is based on compromised websites we worked on, with insights and analysis performed by our Incident Response Team (IRT) and Malware Research Team (MRT). CMS Analysis Our analysis consisted of over 9,000 infected websites. The graphs below show a side-by-side...
---------------------------------------------
https://blog.sucuri.net/2016/09/hacked-website-report-2016q2.html
*** KrebsOnSecurity Hit With Record DDoS ***
---------------------------------------------
On Tuesday evening, KrebsOnSecurity.com was the target of an extremely large and unusual distributed denial-of-service (DDoS) attack designed to knock the site offline. The attack did not succeed thanks to the hard work of the engineers at Akamai, the company that protects my site from such digital sieges. But according to Akamai, it was nearly double the size of the largest attack theyve seen previously, and was among the biggest assaults the Internet has ever witnessed.
---------------------------------------------
http://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/
*** Controlling Kerio Control - When your firewall turns against you. ***
---------------------------------------------
IntroductionThis blog post describes two different attacks which can be used to compromise companies which use Kerio Control in their network. Kerio Control is a hardware appliance which can be used as network firewall, router and VPN gateway. Both attacks spawn a reverse shell on Kerio Control. Since both attack payloads are delivered via CSRF (cross site request forgery) or XSS (cross site scripting) no ports must be open from the Internet.
---------------------------------------------
http://blog.sec-consult.com/2016/09/controlling-kerio-control-when-your.html
*** Future attack scenarios against ATM authentication systems ***
---------------------------------------------
The report comprises two papers in which we analyze all existing methods of authentication used in ATMs and those expected to be used in the near future, including: contactless authentication through NFC, one-time password authentication and biometric authentication systems, as well as potential vectors of attacks using malware, through to network attacks and attacks on hardware components.
---------------------------------------------
http://securelist.com/analysis/publications/76099/future-attack-scenarios-a…
*** Cisco plugs two Cloud Services Platform system compromise flaws ***
---------------------------------------------
Cisco has patched two serious vulnerabilities in Cisco Cloud Services Platform 2100, both of which could allow a remote attacker to execute arbitrary code on a targeted system. Both vulnerabilities affect version 2.0 of the platform and there are no workarounds to address them, so administrators are advised to update to release 2.1.0 and later to plug the holes. What's the problem? Cisco Cloud Services Platform 2100 is a popular Linux Kernel-based Virtual Machine software...
---------------------------------------------
https://www.helpnetsecurity.com/2016/09/22/cisco-plugs-cloud-services-platf…
*** Fixing the mixed content problem with Automatic HTTPS Rewrites ***
---------------------------------------------
CloudFlare aims to put an end to the unencrypted Internet. But the web has a chicken and egg problem moving to HTTPS. Long ago it was difficult, expensive, and slow to set up an HTTPS capable web site. Then along came services like CloudFlare's Universal SSL that made switching...
---------------------------------------------
https://blog.cloudflare.com/fixing-the-mixed-content-problem-with-automatic…
*** OpenSSL Update Released, (Thu, Sep 22nd) ***
---------------------------------------------
As announced earlier this week,OpenSSLreleased an update today for all currently supported versions (1.0.1, 1.0.2, 1.1.0). The update fixes 14 different vulnerabilities. Only one vulnerability is rated High. This vulnerability,CVE-2016-6304, can lead to memory exhaustion and a denial of service if the client sends multiple largeOCSP">OCSP">">">SWEET32">">OOB write in">">MalformedSHA512">">">">Pointer...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21509&rss
*** OpenSSL Security Advisory [22 Sep 2016] ***
---------------------------------------------
OCSP Status Request extension unbounded memory growth (CVE-2016-6304) SSL_peek() hang on empty record (CVE-2016-6305) SWEET32 Mitigation (CVE-2016-2183) OOB write in MDC2_Update() (CVE-2016-6303) Malformed SHA512 ticket DoS (CVE-2016-6302) OOB write in BN_bn2dec() (CVE-2016-2182) OOB read in TS_OBJ_print_bio() (CVE-2016-2180) Pointer arithmetic undefined behaviour (CVE-2016-2177) Constant time flag not preserved in DSA signing (CVE-2016-2178) DTLS buffered message DoS (CVE-2016-2179) DTLS...
---------------------------------------------
https://www.openssl.org/news/secadv/20160922.txt
*** Drupal Core - Critical - Multiple Vulnerabilities - SA-CORE-2016-004 ***
---------------------------------------------
Description Users who have rights to edit a node, can set the visibility on comments for that node. Advisory ID: DRUPAL-SA-CORE-2016-004Project: Drupal core Version:li 8.xDate: 2016-September-21Security risk: 18/25 ( Critical) AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:DefaultVulnerability: DescriptionUsers without "Administer comments" can set comment visibility on nodes they can edit. (Less critical) Users who have rights to edit a node, can set the visibility on comments for that
---------------------------------------------
https://www.drupal.org/SA-CORE-2016-004
*** ZDI-16-526: (0Day) Google Chrome Protocol Handler Logic Error Restrictions Bypass Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to bypass restrictions on vulnerable installations of Google Chrome. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-16-526/
*** ZDI-16-525: (0Day) Fatek Automation PM Designer Heap Memory Corruption Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Fatek Automation PM Designer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-16-525/
*** [2016-09-22] Potential backdoor access through multiple vulnerabilities in in Kerio Control Unified Threat Management ***
---------------------------------------------
Kerio Control contains multiple vulnerabilities which can be used by an attacker to obtain a reverse root shell to the internal firewall system of a network. An attacker can use this reverse root shell to further compromise the victims local network, sniff VPN traffic (including VPN credentials) or just backdoor the firewall/VPN gateway.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2016…
*** HPSBGN03649 rev.1 - HPE Network Automation using Java Deserialization, Remote Code Execution ***
---------------------------------------------
A vulnerability in Apache Commons-Collections and Commons-BeanUtils library used for handling Java object deserialization was addressed by HPE Network Automation. The vulnerability could be exploited remotely to allow remote code execution.
---------------------------------------------
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05279098
*** SSA-342135 (Last Update 2016-09-22): Web Vulnerability in SCALANCE M-800 / S615 ***
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-342135…
*** SSA-301706 (Last Update 2016-09-22): GNU C Library Vulnerability in Industrial Products ***
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-301706…
*** Cisco Security Advisories ***
---------------------------------------------
*** Cisco Application Policy Infrastructure Controller Binary Privilege Escalation Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco IOS and IOS XE iox Command Injection Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Firepower Management Center and FireSIGHT System Software SSLIinspection Bypass Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco IOS and IOS XE Software Data in Motion Component Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Cloud Services Platform 2100 Remote Command Execution Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Cloud Services Platform 2100 Command Injection Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Prime Home Web-Based User Interface XML External Entity Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Application-Hosting Framework HTTP Header Injection Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco IOS and IOS XE Software Application-Hosting Framework Unauthorized File Access Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 20-09-2016 18:00 − Mittwoch 21-09-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Spear Phishing: Deutsche Politiker mit Malware-Mails angegriffen ***
---------------------------------------------
Politiker aller Parteien waren im August Ziel von Spear-Phishing-Angriffen. Angebliche Nato-Informationen zum Putsch in der Türkei und zum Erdbeben in Italien sollten zum Klicken auf Malware verleiten.
---------------------------------------------
http://www.golem.de/news/spear-phishing-deutsche-politiker-mit-malware-mail…
*** Windows Events log for IR/Forensics ,Part 2, (Tue, Sep 20th) ***
---------------------------------------------
In a previous diary[i] I talked about Windows Events and I gave some examples about some of the most useful events for Forensics/IR. In this diary I will talk about how to use Windows PowerShell to search for events Get-WinEvent The Get-WinEvent cmdlet gets events from event logs, including classic logs, such as the System and Application logs, and the event logs that are generated by the Windows Event Log technology introduced in Windows Vista. It also gets events in log files generated by...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21501&rss
*** ISAKMP Scanning and Potential Vulnerabilities ***
---------------------------------------------
Introduction As many of you are aware, we scan the Internet on a daily basis for many different protocols. We have added several new ones over time mostly depending on our own time available to engineer a scan for that protocol. Occasionally, we add one that is more topical and addresses a recent vulnerability or...
---------------------------------------------
http://blog.shadowserver.org/2016/09/20/isakmp-scanning-and-potential-vulne…
*** Mamba Ransomware Encrypts Hard Drives Rather Than Files ***
---------------------------------------------
A new ransomware strain called Mamba opts to encrypts hard drives rather than individual files and folders stored on the local disk.
---------------------------------------------
http://threatpost.com/mamba-ransomware-encrypts-hard-drives-rather-than-fil…
*** Should you trust your security software? ***
---------------------------------------------
The complaint that security is broken isn't new and even industry insiders are joining the chorus. Companies spent an estimated $75 billion last year on security products and yet cyber attacks and data breaches are still a common occurrence. Now, we're finding that security tools themselves have vulnerabilities that are putting organizations at risk. Given that vulnerabilities in software are the root cause of most attacks and security tools are inherently intrusive in order to...
---------------------------------------------
https://www.helpnetsecurity.com/2016/09/21/security-software/
*** macOS Sierra beseitigt fast 70 Sicherheitslücken ***
---------------------------------------------
Mit der neuen Version 10.12 hat Apple 68 Schwachstellen in macOS respektive OS X behoben, darunter kritische. Für ältere OS-X-Versionen liegt derzeit kein Sicherheits-Update vor.
---------------------------------------------
http://heise.de/-3328701
*** Considerations on the Traffic Light Protocol ***
---------------------------------------------
The Traffic Light Protocol (TLP) is a means for someone sharing information to inform their audience about any limitations in further spreading this information. It is used in almost all CSIRT communities and some Information Analysis and Sharing Centres (ISACs). The TLP can be used in all forms of communication, whether written or oral. This Glossary Entry presents the TLP and its possible variants, and proposes some considerations on its use and its limitations.
---------------------------------------------
https://www.enisa.europa.eu/topics/national-csirt-network/glossary/consider…
*** Did You Really Lock that Door? ***
---------------------------------------------
One of my favorite books about information security is Ghost in the Wires, by Kevin Mitnick. Kevin, of course is one of the notorious early hackers whose exploits are brilliant and quite entertaining. If you have not already done so, add that book to your reading list. This post however is not a book review. I was reminded of Kevin's book the other evening when my son went dashing to the door in the middle of the night to make sure that he locked it. Normally, like all teenagers, he just...
---------------------------------------------
https://feeds.feedblitz.com/~/200516044/0/alienvault-blogs~Did-You-Really-L…
*** InfoArmor Uncovers Malicious Torrent Distribution Network ***
---------------------------------------------
InfoArmor has identified a special tool used by cybercriminals to distribute malware by packaging it with the most popular torrent files on the Internet. The bad actors have analyzed trends on video, audio, software and other digital content downloads from around the globe and have created seeds on famous torrent trackers using weaponized torrents packaged with malicious code.
---------------------------------------------
https://www.infoarmor.com/infoarmor-uncovers-malicious-torrent-distribution…
*** Opportunistic Encryption: Bringing HTTP/2 to the unencrypted web ***
---------------------------------------------
Encrypting the web is not an easy task. Various complexities prevent websites from migrating from HTTP to HTTPS, including mixed content, which can prevent sites from functioning with HTTPS. Opportunistic Encryption provides an additional level of security to websites that have not yet moved to HTTPS and the performance benefits...
---------------------------------------------
https://blog.cloudflare.com/opportunistic-encryption-bringing-http-2-to-the…
*** Bugtraq: ESA-2016-093: RSA Adaptive Authentication (On-Premise) Cross-Site Scripting Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539432
*** DSA-3671 wireshark - security update ***
---------------------------------------------
Multiple vulnerabilities were discovered in the dissectors for H.225,Catapult DCT2000, UMTS FP and IPMI, which could result in denial ofservice or the execution of arbitrary code.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3671
*** Filr 2.0 - Hot Patch 3 ***
---------------------------------------------
Abstract: This patch provides a number of general bug fixes and security updates for Novell Filr, Search and MySQL 2.0.0 appliances including an updated Filr 2.0 Desktop client.Document ID: 5255170Security Alert: YesDistribution Type: PublicEntitlement Required: NoFiles:preinstall-Search-20HP3.zip (24.95 MB)preinstall-MySQL-20HP3.zip (24.18 MB)preinstall-Filr-20HP3.zip (34.59 MB)Filr-2.0.0.474.HP.zip (155.89 MB)Search-2.0.0.417.HP.zip (10.67 MB)MySQL-2.0.0.197.HP.zip (1.44 kB)Products:Filr...
---------------------------------------------
https://download.novell.com/Download?buildid=LMP8JAI5Lrc~
*** Security Advisory - DoS Vulnerability in Multiple Huawei Products ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160921-…
*** Security Advisory - DoS Vulnerability in Multiple Huawei Products ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160921-…
*** Security Advisory - DOS Vulnerability in Video Driver of Huawei Smart Phone ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160921-…
*** Apple Security Updates ***
---------------------------------------------
*** Safari 10 ***
https://support.apple.com/kb/HT207157
---------------------------------------------
*** macOS Sierra 10.12 ***
https://support.apple.com/kb/HT207170
---------------------------------------------
*** tvOS 10 ***
https://support.apple.com/kb/HT207142
---------------------------------------------
*** iTunes 12.5.1 for Windows ***
https://support.apple.com/kb/HT207158
---------------------------------------------
*** macOS Server 5.2 ***
https://support.apple.com/kb/HT207171
---------------------------------------------
*** iCloud for Windows 6.0 ***
https://support.apple.com/kb/HT207147
---------------------------------------------
*** Vuln: OpenStack Nova Denial of Service Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/93068
*** ShoreTel Connect ONSITE Blind SQL Injection Vulnerability ***
---------------------------------------------
Topic: ShoreTel Connect ONSITE Blind SQL Injection Vulnerability Risk: Medium Text:ShoreTel Connect ONSITE Blind SQL Injection Vulnerability == vulnerability type: Unauthenticated Blin...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016090154
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Rational Software Architect, Rational Software Architect for WebSphere Software and Rational Software Architect RealTime Edition ***
http://www-01.ibm.com/support/docview.wss?uid=swg21990374
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Samba affects IBM Spectrum Scale SMB protocol access method (CVE-2016-2119) ***
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009255
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in XML processing affect IBM DataPower Gateways ***
http://www-01.ibm.com/support/docview.wss?uid=swg21990046
---------------------------------------------
*** IBM Security Bulletin: Multiple security vulnerabilities affect IBM WebSphere Application Server for Bluemix ***
http://www.ibm.com/support/docview.wss?uid=swg21990236
---------------------------------------------
*** IBM Security Bulletin: IBM WebSphere MQ Invalid client protocol flows could cause denial of service (CVE-2016-0379) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21984565
---------------------------------------------
*** IBM Security Bulletin: IBM WebSphere Cast Iron Solution is affected by Apache Tomcat vulnerability CVE-2015-5174 ***
http://www-01.ibm.com/support/docview.wss?uid=swg21988742
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 19-09-2016 18:00 − Dienstag 20-09-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** European Cyber Security Month - NIS Quiz ***
---------------------------------------------
This tool is designed to help you update your internet security knowledge, begin whenever you feel ready. It will take max 10 minutes and we hope youll enjoy the quiz and learn something useful!
---------------------------------------------
https://cybersecuritymonth.eu/references/quiz-demonstration/intro
*** The banker that can steal anything ***
---------------------------------------------
The use of root privileges is not typical for banking malware attacks, because money can be stolen in numerous other ways that dont require exclusive rights. However, in early February 2016, Kaspersky Lab discovered Trojan-Banker.AndroidOS.Tordow.a, whose creators decided that root privileges would come in handy.
---------------------------------------------
http://securelist.com/blog/mobile/76101/the-banker-that-can-steal-anything/
*** Erpressungs-Trojaner HDDCryptor soll Computer von Opfern abriegeln ***
---------------------------------------------
HDDCryptor verschlüsselt nicht nur Daten, sondern überschreibt offensichtlich auch den MBR von Windows-Computern und gibt infizierte Rechner erst nach einer Lösegeld-Zahlung wieder frei, warnen Sicherheitsforscher.
---------------------------------------------
http://heise.de/-3327880
*** Encryption Week ***
---------------------------------------------
Since CloudFlare's inception, we have worked tirelessly to make encryption as simple and as accessible as possible. Over the last two years, we've made CloudFlare the easiest way to enable encryption for web properties and internet services. From the launch of Universal SSL, which gives HTTPS to millions
---------------------------------------------
https://blog.cloudflare.com/encryption-week/
*** Mozilla und Tor schließen Certificate-Pinning-Lücke ***
---------------------------------------------
Durch einen Fehler beim Bau neuer Versionen von Firefox und des Tor Browsers waren diese anfällig gegen Man-in-the-Middle-Angriffe, über die Schadcode eingeschleust werden konnte.
---------------------------------------------
http://heise.de/-3328039
*** Hacking WordPress Sites on Shared Servers ***
---------------------------------------------
A website is only as safe as the weakest link on its shared server. Once a hacker gains access to one site on the server, they can easily infect other sites that share the same server permissions. This is called cross-site contamination. When it comes to WordPress websites, the core structure is well known by...
---------------------------------------------
https://blog.sucuri.net/2016/09/hacking-wordpress-sites-shared-servers.html
*** Steganography... what is that? ***
---------------------------------------------
When people think about Information Security the first word that generally comes mind is "Hacking", but there are many disciplines in security and one of them is called "Steganography", an offshoot of encryption and "data hiding". The word "steganography" can...
---------------------------------------------
https://www.trustwave.com/Resources/SpiderLabs-Blog/Steganography----what-i…
*** Vulnerability Patched in WordPress Theme That Allows Unrestricted Uploads ***
---------------------------------------------
A vulnerability has been patched in a popular WordPress theme called Neosense that allows an attacker to upload code without authentication.
---------------------------------------------
http://threatpost.com/vulnerability-patched-in-wordpress-theme-that-allows-…
*** High-Tech Bridge releases a new version of its free SSL testing service ***
---------------------------------------------
The new version of the service enables companies to easily test any SSL/TLS-based services for compliance with PCI DSS, HIPAA and NIST, while the new API provides much more flexibility for software developers.
---------------------------------------------
https://www.htbridge.com/news/ssl-testing-service-api-hipaa-compliance.html
*** Bugtraq: ESA-2016-096: EMC Celerra, VNX1, VNX2 and VNXe SMB NTLM Authentication Weak Nonce Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539424
*** Bugtraq: ESA-2016-065: EMC Avamar Data Store and Avamar Virtual Edition Multiple Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539423
*** VMSA-2016-0014 ***
---------------------------------------------
VMware ESXi, Workstation, Fusion, and Tools updates address multiple security issues
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2016-0014.html
*** VMSA-2016-0010.1 ***
---------------------------------------------
VMware product updates address multiple important security issues
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2016-0010.html
*** ZDI-16-517: AlienVault Unified Security Management Remote Authentication Bypass Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to bypass authentication requirements on vulnerable installations of AlienVault Unified Security Manager. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-16-517/
*** ZDI-16-518: Rockwell Automation RSLogix Micro Starter Lite Project File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Rockwell Automation RSLogix Micro Starter Lite. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-16-518/
*** Vuln: QEMU hw/usb/hcd-xhci.c Information Disclosure Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/93029
*** Security Advisories Relating to Symantec Products - Symantec Decomposer Engine Security Update ***
---------------------------------------------
Symantec has released an update to address two issues in the RAR file parser component of the antivirus decomposer engine used by multiple Symantec products. Parsing of maliciously formatted RAR container files may cause an application-level denial of service condition.
---------------------------------------------
https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=s…
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Rational DOORS Next Generation with potential for Cross-Site Scripting attack (CVE-2016-5955) ***
http://www.ibm.com/support/docview.wss?uid=swg21990054
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in libtiff affect PowerKVM ***
http://www.ibm.com/support/docview.wss?uid=isg3T1024132
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in libxml2 affect PowerKVM ***
http://www.ibm.com/support/docview.wss?uid=isg3T1024088
---------------------------------------------
*** IBM Security Bulletin: Rational Asset Analyzer (CVE-2016-5967) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21990215
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in node.js processing affect IBM DataPower Gateways ***
http://www-01.ibm.com/support/docview.wss?uid=swg21990050
---------------------------------------------
*** IBM Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM License Metric Tool and IBM Tivoli Asset Discovery for Distributed (CVE-2016-1181 and CVE-2016-1182) ***
http://www.ibm.com/support/docview.wss?uid=swg21989496
---------------------------------------------
*** IBM Security Bulletin: IBM Connections Security Update for Multiple Vulnerabilities ***
http://www-01.ibm.com/support/docview.wss?uid=swg21989067
---------------------------------------------
*** IBM Security Bulletin: Information Disclosure in IBM WebSphere Application Server Liberty (CVE-2016-0378) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21981529
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 16-09-2016 18:00 − Montag 19-09-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** The Week in Ransomware - September 16 2016 - Stampado, Locky, Atom, and More ***
---------------------------------------------
Thankfully, it was a slow week this week when it comes to ransomware. For this week we had 3 new variants of existing ransomware, 2 new ransomware infections, and an updated decryptor. [...]
---------------------------------------------
http://www.bleepingcomputer.com/news/security/the-week-in-ransomware-septem…
*** Windows Events log for IR/Forensics ,Part 1, (Sun, Sep 18th) ***
---------------------------------------------
In the time of incidents, Windows Event logs provide a plenty of useful information for the Incident responder.As you know Windows can generate thousands of events in few minutes ,in this diary I will talk about some of the most useful events and in the next diary I would discuss how to use PowerShell to search for them . Here is of the most useful events for Forensics/Incident response: Event ID Description Log Name 4624 Successful Logon Security 4625 Failed Login...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21493&rss
*** Mozilla will patch zero-day Firefox bug to fiddle man-in-the-middle diddle ***
---------------------------------------------
Researcher revealed Tor flaw after initially being ignored Mozilla will patch a flaw in its Firefox browser that could allow well-resourced attackers to launch man-in-the-middle impersonation attacks that also affects the Tor anonymity network.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/09/18/mozilla_tor…
*** Untangling the Ripper ATM Malware ***
---------------------------------------------
Last August , security researchers released a blog discussing a new ATM malware family called Ripper which they believe was involved in the recent ATM attacks in Thailand. Large numbers of ATMs were also temporarily shut down as a precautionary measure.During our analysis we noticed some additional details that where not called out, or which appear to contradict this earlier analysis. We highlight these differences in this blog post. We have also included technical indicators such as code...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/ddt8SN3uzhs/
*** Periscope ATM Skimmers ***
---------------------------------------------
"Periscope skimmers" are the most sophisticated kind of ATM skimmers. They are entirely inside the ATM, meaning theyre impossible to notice.Theyre been found in the US.
---------------------------------------------
https://www.schneier.com/blog/archives/2016/09/periscope_atm_s.html
*** 324,000 payment cards breached, CVVs included, source still unknown! ***
---------------------------------------------
When you decide to add debugging logs to your payment application, the PCI DSS rules about what you are allowed to store DO NOT CHANGE!
---------------------------------------------
http://feedproxy.google.com/~r/nakedsecurity/~3/NpR-rDlVOj0/
*** Does it Matter If You Cover Your Webcam?, (Mon, Sep 19th) ***
---------------------------------------------
During security conferences, laptops with tape covering the webcam has certainly been a common sight. But recently, covering webcams has become somewhat of a main-stream phenomenon, after Mark Zuckerberg was sighted with a covered webcam [1], and even the FBI director suggests people covering their cameras [2]. Laptops are often used in private spaces, and an attacker, with access to the camera, is expected to be able to spy on the user of the laptop. Attacks like this have happened, and even...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21497&rss
*** Reverse Engineering Cisco ASA for EXTRABACON Offsets ***
---------------------------------------------
[...] One of the zero-day vulnerabilities released was a remote code execution in the Cisco Adaptive Security Appliance (ASA) device. The Equation Groups exploit for this was named EXTRABACON. [...] At RiskSense we had spare ASAs lying around in our red team lab, and my colleague Zachary Harding was extremely interested in exploiting this vulnerability. I told him if he got the ASAs properly configured for remote debugging I would help in the exploitation process.
---------------------------------------------
https://zerosum0x0.blogspot.cz/2016/09/reverse-engineering-cisco-asa-for.ht…
*** BENIGNCERTAIN-like flaw affects various Cisco networking devices ***
---------------------------------------------
The leaking of BENIGNCERTAIN, an NSA exploit targeting a vulnerability in legacy Cisco PIX firewalls that allows attackers to eavesdrop on VPN traffic, has spurred Cisco to search for similar flaws in other products - and they found one. CVE-2016-6415 arises from insufficient condition checks in the part of the code that handles IKEv1 security negotiation requests. The IKE protocol is used in the Internet Protocol Security (IPsec) protocol suite to negotiate cryptographic...
---------------------------------------------
https://www.helpnetsecurity.com/2016/09/19/beningcertain-cisco-networking-d…
*** IKEv1 Information Disclosure Vulnerability in Multiple Cisco Products ***
---------------------------------------------
A vulnerability in IKEv1 packet processing code in Cisco IOS, Cisco IOS XE and Cisco IOS XR Software could allow an unauthenticated, remote attacker to retrieve memory contents, which could lead to the disclosure of confidential information.The vulnerability is due to insufficient condition checks in the part of the code that handles IKEv1 security negotiation requests. An attacker could exploit this vulnerability by sending a crafted IKEv1 packet to an affected device configured to accept...
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** iPrint Appliance 2.1 Hot Patch 2 ***
---------------------------------------------
Abstract: iPrint Appliance 2.1 Hot Patch 2 is the first patch set for the iPrint Appliance version 2.1. Document ID: 5254950Security Alert: YesDistribution Type: PublicEntitlement Required: NoFiles:iPrint-2.1.0.68.HP.zip (755.2 MB)Products:iPrint Appliance 2.1Superceded Patches: None
---------------------------------------------
https://download.novell.com/Download?buildid=AJTQmn_Q1yk~
*** iPrint Appliance 2.0 Hot Patch 2 ***
---------------------------------------------
Abstract: Hot Patch 2 includes bug fixes, security fixes and a consolidation of previously released patches, including iPrint Appliance 2.0 Patch 2. Document ID: 5254970Security Alert: YesDistribution Type: PublicEntitlement Required: NoFiles:iPrint-2.0.0.533.HP.zip (881.14 MB)Products:iPrint Appliance 2Superceded Patches: None
---------------------------------------------
https://download.novell.com/Download?buildid=C1Xh-X9MGcc~
*** Forthcoming OpenSSL releases ***
---------------------------------------------
The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.1.0a, 1.0.2i, 1.0.1u. These releases will be made available on 22nd September 2016 at approximately 0800 UTC. They will fix several security defects: one classfied as severity "high", one as "moderate", and the rest "low".
---------------------------------------------
https://mta.openssl.org/pipermail/openssl-announce/2016-September/000076.ht…
*** IBM Security Bulletin: Spice-server vulnerabilities affect IBM SmartCloud Entry (CVE-2016-0749 CVE-2016-2150 ) ***
---------------------------------------------
SmartCloud Entry is vulerable to Spice-server vulnerabilities. Attackers could exploit them to cause improper bounds checking by smartcard interaction or bypass security restrictions CVE(s): CVE-2016-0749, CVE-2016-2150 Affected product(s) and affected version(s): IBM SmartCloud Entry 3.2 through Appliance fix pack 21 Refer to the following reference URLs for remediation and additional vulnerability details:Source Bulletin: http://www.ibm.com/support/docview.wss?uid=isg3T1024006X-Force...
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=isg3T1024006
*** IBM Security Bulletin: Vulnerability in openssl affects IBM System Networking Switch products (CVE-2016-2108) ***
---------------------------------------------
IBM System Networking Switch products have addressed the following vulnerability in openssl. CVE(s): CVE-2016-2108 Affected product(s) and affected version(s): Product Affected Version IBM Flex System Fabric EN4093R 10Gb Scalable Switch 7.8.14.0 IBM Flex System Fabric CN4093 10Gb Converged Scalable Switch 7.8.14.0 IBM Flex System Fabric SI4093 System Interconnect Module 7.8.14.0 IBM Flex System EN2092 1Gb...
---------------------------------------------
https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5099464
*** BINOM3 Electric Power Quality Meter Vulnerabilities ***
---------------------------------------------
Topic: BINOM3 Electric Power Quality Meter Vulnerabilities Risk: Medium Text:*Universal multifunctional Electric Power Quality Meter BINOM3 - Multiple Vulnerabilities* *About* The meters are designed...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016090122
*** MyBB 1.8.6 Improper validation of data passed to eval ***
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016090124
*** MyBB 1.8.6 CSRF Weak Hashing, Plaintext Passwords ***
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016090126
*** MyBB 1.8.6 SQL Injection ***
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016090125
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 15-09-2016 18:00 − Freitag 16-09-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** DSA-3668 mailman - security update ***
---------------------------------------------
It was discovered that there was a CSRF vulnerability in mailman, aweb-based mailing list manager, which could allow an attacker to obtaina users password.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3668
*** Yokogawa STARDOM Authentication Bypass Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for an authentication bypass vulnerability in the Yokogawa STARDOM controller.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-259-01
*** ABB DataManagerPro Credential Management Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a credential management vulnerability in ABB’s DataManagerPro application.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-259-02
*** Trane Tracer SC Sensitive Information Exposure Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for an information exposure vulnerability in Trane U.S. Inc.’s Tracer SC field panel.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-259-03
*** Attack Leverages Windows Safe Mode ***
---------------------------------------------
Researchers say a proof-of-concept attack using Windows Safe Mode can lead to credential theft and allow hackers to move laterally within a corporate network.
---------------------------------------------
http://threatpost.com/attack-leverages-windows-safe-mode/120622/
*** Ransomware Getting More Targeted, Expensive ***
---------------------------------------------
I shared a meal not long ago with a source who works at a financial services company. The subject of ransomware came up and he told me that a server in his ..
---------------------------------------------
http://krebsonsecurity.com/2016/09/ransomware-getting-more-targeted-expensi…
*** DSA-3670 tomcat8 - security update ***
---------------------------------------------
Dawid Golunski of LegalHackers discovered that the Tomcat init scriptperformed unsafe file handling, which could result in local privilegeescalation.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3670
*** DSA-3669 tomcat7 - security update ***
---------------------------------------------
Dawid Golunski of LegalHackers discovered that the Tomcat init scriptperformed unsafe file handling, which could result in local privilegeescalation.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3669
*** Necurs – the Heavyweight Malware Spammer ***
---------------------------------------------
Today we want to dwell upon a pesky botnet that goes by the name of Necurs, and in particular its spamming activities. The botnet has been responsible for a massive ..
---------------------------------------------
http://trustwave.com/Resources/SpiderLabs-Blog/Necurs-%e2%80%93-the-Heavywe…
*** Trend Micro Internet Security vulnerability where files may be excluded as scan targets ***
---------------------------------------------
Trend Micro Internet Security provided by Trend Micro Incorporated contains a vulnerability where arbitrary files or folders may be excluded as scan targets.
---------------------------------------------
http://jvn.jp/en/jp/JVN98126322/
*** Splunk Enterprise and Splunk Lite vulnerable to cross-site scripting ***
---------------------------------------------
Splunk Enterprise and Splunk Lite contain a cross-site scripting vulnerability.Note that this vulnerability is different from JVN#74244518.
---------------------------------------------
http://jvn.jp/en/jp/JVN71462075/
*** Gefährliche Inhalte effektiver erkennen: Google baut Webseiten-Scan aus ***
---------------------------------------------
Webmaster können ihre Seiten nun noch tiefgehender nach unter anderem Malware-Verweisen und gefährlichen Downloads durchsuchen lassen.
---------------------------------------------
http://heise.de/-3325042
*** Erste Sicherheitslücken im Krypto-Messenger Signal entdeckt ***
---------------------------------------------
Ein Programmierfehler in Signal erlaubt die Manipulation von Dateianhängen. Über einen zweiten hätten Angreifer Schadcode aus der Ferne einschleusen können, hätte ein dritter Bug diesen Angriff nicht verhindert.
---------------------------------------------
http://heise.de/-3325242
*** Erpressungstrojaner: Stampado verschlüsselt von Ransomware verschlüsselte Dateien ***
---------------------------------------------
Ein neuer Erpressungstrojaner hat eine besonders gemeine Taktik: Verschlüsselt werden Dateien, die bereits von anderer Ransomware verschlüsselt wurden. Zum Glück gibt es Abhilfe.
---------------------------------------------
http://www.golem.de/news/erpressungstrojaner-stampado-verschluesselt-von-ra…
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 14-09-2016 18:00 − Donnerstag 15-09-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Cisco IOS and IOS XE Software IOx Local Manager Cross-Site Scripting Vulnerability ***
---------------------------------------------
A vulnerability in the web framework code of the Cisco Local Manager could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against the user of the web interface of the affected ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco WebEx Meetings Server Remote Command Execution Vulnerability ***
---------------------------------------------
A vulnerability in Cisco WebEx Meetings Server could allow an unauthenticated, remote attacker to bypass security restrictions on a host located in a DMZ and inject arbitrary commands on a targeted system.The vulnerability is due ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Unified Computing System Command Line Interface Privilege Escalation Vulnerability ***
---------------------------------------------
A vulnerability in the command-line interface (CLI) of the Cisco Unified Computing System (UCS) Manager and UCS 6200 Series Fabric Interconnects could allow an authenticated, local attacker to access the underlying operating system ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Fog Director for IOx Arbitrary File Write Vulnerability ***
---------------------------------------------
A vulnerability in the Cisco Fog Director for IOx could allow an authenticated, remote attacker to write a file to arbitrary locations. The vulnerability is due to insufficient input validation. An attacker could exploit this ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** iOS 10 schließt Sicherheitslücken in Tastatur und Sandbox ***
---------------------------------------------
Das Update auf iOS 10.0.1 räumt sieben Schwachpunkte aus, darunter eine mögliche Preisgabe 'sensibler Informationen' durch die Autokorrektur des Keyboards. watchOS 3 stopft eine Lücke.
---------------------------------------------
http://heise.de/-3323066
*** DSA-3666 mysql-5.5 - security update ***
---------------------------------------------
Dawid Golunski discovered that the mysqld_safe wrapper provided by theMySQL database server insufficiently restricted the load path for custommalloc implementations, which could result in privilege escalation.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3666
*** Science press site hacked; hackers release .. random crap ***
---------------------------------------------
http://arstechnica.com/science/2016/09/science-press-site-hacked-hackers-re…
*** Cryptocurrencies a Target for Cybercriminals, Part 1: the Risks of Innovation ***
---------------------------------------------
All cryptocurrencies are a target for cybercriminals. Anywhere there is value, criminals, fraudsters, and charlatans will soon follow. Call it the Willie Sutton principle. Sutton, a famous bank robber in the 1920s–30s, was asked why he ..
---------------------------------------------
https://blogs.mcafee.com/mcafee-labs/cryptocurrencies-a-target-for-cybercri…
*** Russian Hackers Get Bolder in Anti-Doping Agency Attack ***
---------------------------------------------
The attack on the World Anti-Doping Agency, following the DNC hack, signals Russian hackers emerging from the shadows to brazenly flaunt their work.
---------------------------------------------
https://www.wired.com/2016/09/anti-doping-agency-attack-shows-russian-hacke…
*** Virtueller Schiffsdiebstahl bei Star Citizen ***
---------------------------------------------
Im bisher noch unfertigen Weltraumepos Star Citizen kann man für hunderte Euros virtuelle Raumschiffe kaufen. Nun häufen sich anscheinend Angriffe auf die Konten der Spieler, mit dem Ziel, diese Schiffe zu klauen.
---------------------------------------------
http://heise.de/-3323060
*** DSA-3667 chromium-browser - security update ***
---------------------------------------------
https://www.debian.org/security/2016/dsa-3667
*** Erpressungs-Trojaner Locky nun mit Autopilot ***
---------------------------------------------
Sicherheitsforschern zufolge kann Locky sein Schadenswerk jetzt auch offline ohne Kontakt zum Command-and-Control-Server der Kriminellen verrichten.
---------------------------------------------
http://heise.de/-3324553
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 13-09-2016 18:00 − Mittwoch 14-09-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** MS16-SEP - Microsoft Security Bulletin Summary for September 2016 - Version: 1.0 ***
---------------------------------------------
This bulletin summary lists security bulletins released for September 2016.
---------------------------------------------
https://technet.microsoft.com/en-us/library/security/MS16-SEP
*** Announcing the Project Zero Prize ***
---------------------------------------------
Posted by Natalie Silvanovich, Exploit EnthusiastDespite the existence of vulnerability rewards programs at Google and other companies, many unique, high-quality security bugs have been discovered as a result of hacking contests. Hoping to continue the stream of great bugs, we've decided to start our own contest: The Project Zero Prize.The goal of this contest is to find a vulnerability or bug chain that achieves remote code execution on multiple Android devices knowing only the...
---------------------------------------------
http://googleprojectzero.blogspot.com/2016/09/announcing-project-zero-prize…
*** MSRT September 2016 release feature: Prifou ***
---------------------------------------------
As part of our ongoing effort to provide better malware protection, the Microsoft Malicious Software Removal Tool (MSRT) release this September includes detections for: BrowserModifier:Win32/Prifou TrojanClicker:Win32/NightClick Trojan:Win32/Suweezy Trojan:Win32/Xadupi This blog discusses BrowserModifier:Win32/Prifou (Prifou). Windows Defender detects this threat because it limits your choice and control over your browser and operating system. The unwanted behaviors...
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2016/09/13/msrt-september-2016-rel…
*** Angst vor Spam: Swisscom deaktiviert mehrere Tausend Mailaccounts ***
---------------------------------------------
Weil die Kunden zu einfache E-Mail-Passwörter gewählt hatten, sperrte die Swisscom Tausende Accounts. Das Unternehmen fürchtet offenbar, sonst auf Spam-Blacklists von Google oder anderen Providern zu landen. Die Kunden müssen nun aktiv werden.
---------------------------------------------
http://www.golem.de/news/angst-vor-spam-swisscom-deaktiviert-mehrere-tausen…
*** Letzter klassischer Microsoft-Patchday bringt sieben kritische Updates ***
---------------------------------------------
Heute können Windows-Admins zum letzten Mal auswählen, welche Windows-Updates sie am monatlichen Patchday installieren wollen. Ab nächsten Monat gibt es dann nur noch monolithische Rollup-Pakete.
---------------------------------------------
http://heise.de/-3321310
*** Adobe-Patchday: Flash jetzt patchen! ***
---------------------------------------------
Kritische Lücken im Flash Player erlauben das Kapern von Rechnern. Adobe hat Updates veröffentlicht, um diese zu stopfen. Ebenso erhalten die eBook-Software Digital Editions und die Entwicklungswerkzeuge von AIR Patches.
---------------------------------------------
http://heise.de/-3321895
*** Rio 2016: Fancybear veröffentlicht medizinische Daten von US-Sportlern ***
---------------------------------------------
Vertrauliche medizinische Daten von US-Sportlern stehen im Netz. Angeblich russische Hacker haben mehrere Datensätze veröffentlicht, die Unregelmäßigkeiten bei Dopingkontrollen beweisen sollen. Die Wada ist entsetzt - und spricht von legalen Ausnahmegenehmigungen.
---------------------------------------------
http://www.golem.de/news/rio-2016-fancybear-veroeffentlicht-medizinische-da…
*** Exploit Attempts for Drupal RESTWS .x Module Vulnerability, (Wed, Sep 14th) ***
---------------------------------------------
Attackers usually dont have to worry much about Drupal administrators applying patches. The majority of exploit attempts I see in our honeypots use pretty ancient vulnerabilities. So I was happy to see a script kiddie go the extra mile and use a vulnerabilityreleased in July of this year [1] [2]. The vulnerability itself is very straight forward. The attacker can send arbitrary php code that will be executed on the server. No special encoding beyond URL encoding appears to be required. Here is...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21481&rss
*** Geldautomaten: Hintermann von Skimmingbande muss fünf Jahre in Haft ***
---------------------------------------------
Eine Skimmingbande hat in Sachsen fast 270.000 Euro mit gefälschten Bankkarten erbeutet. Die Tat fand bereits im Jahr 2011 statt, nun wurde ein Hintermann der Gruppe zu einer Freiheitsstrafe verurteilt.
---------------------------------------------
http://www.golem.de/news/geldautomaten-hintermann-von-skimmingbande-muss-fu…
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 12-09-2016 18:00 − Dienstag 13-09-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** FortiClient Unencrypted Password Vulnerability ***
---------------------------------------------
FOne of the processes in FortiClient stores VPN credentials unencrypted in memory. A malicious attacker who compromised the workstation could dump the credentials.
---------------------------------------------
http://fortiguard.com/advisory/FG-IR-16-021
*** FortiClient DLL Hijacking vulnerability ***
---------------------------------------------
When executed, the FortiClient installer (FortiClientOnlineInstaller.exe), if downloaded before August 11th, 2016 (build 0842), would attempt to load DLLs from the directory where it resides.
---------------------------------------------
http://fortiguard.com/advisory/FG-IR-16-046
*** Türkische Hacker griffen offenbar österreichische Nationalbank an ***
---------------------------------------------
Es handelt sich laut Kurier um dieselbe Gruppe, die schon den Flughafen Wien-Schwechat angegriffen hat
---------------------------------------------
http://derstandard.at/2000044275176
*** Gefälschte A1 Online Rechnung im Postfach ***
---------------------------------------------
Mit vermeintlichen papierlosen A1 Rechnungen wollen Kriminelle, dass Empfänger/innen eine Website aufrufen und dort die Datei „A1_rechnung.zip“ öffnen. Sie verbirgt Schadsoftware. Wer diese ausführt, installiert Programme, die den Computer unbrauchbar machen oder Bankdaten stehlen. Am sichersten ist es, wenn Sie die Nachrichten löschen.
---------------------------------------------
https://www.watchlist-internet.at/gefaelschte-rechnungen/gefaelschte-a1-onl…
*** Cache Flooding in TYPO3 Frontend ***
---------------------------------------------
It has been discovered, that TYPO3 is vulnerable to Cache Flooding
---------------------------------------------
https://typo3.org/news/article/cache-flooding-in-typo3-frontend/
*** DualToy: New Windows Trojan Sideloads Risky Apps to Android and iOS Devices ***
---------------------------------------------
Over the past two years, we’ve observed many cases of Microsoft Windows and Apple iOS malware designed to attack mobile devices. This attack vector is increasingly ..
---------------------------------------------
http://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-troj…
*** Sicherheits-Updates für Xen-Hypervisor ***
---------------------------------------------
Insgesamt vier Sicherheitslücken erfordern Updates. Für Debian, Oracle VM und Fedora gibt es aktualisierte Pakete.
---------------------------------------------
http://heise.de/-3319523
*** "Pokémon Go": Fake-App spioniert Millionen Smartphones aus ***
---------------------------------------------
Spionieren Internet-Daten der User aus und installieren Adware auf dem Smartphone
---------------------------------------------
http://derstandard.at/2000044305667
*** Antivirenentwickler: John McAfee soll Morde und Vergewaltigung begangen haben ***
---------------------------------------------
Ein Dokumentarfilm erhebt schwere Anschuldigungen gegen John McAfee. Während seiner Zeit in Belize soll er zwei Männer getötet und eine Frau vergewaltigt haben. McAfee bestreitet alle Vorwürfe und unterstellt dem Filmteam Bestechung von Quellen.
---------------------------------------------
http://www.golem.de/news/antiviren-entwickler-john-mcafee-soll-morde-und-ve…
*** Neutrino EK’s Afraidgate pushed in malvertising attack ***
---------------------------------------------
With a rise in malvertising attacks lately, we take a look at an ad server pushing the Afraidgate, traditionally found on compromised sites.
---------------------------------------------
https://blog.malwarebytes.com/cybercrime/exploits/2016/09/neutrino-eks-afra…
*** Security Bulletins Posted ***
---------------------------------------------
Adobe has published security bulletins for Adobe Digital Editions (APSB16-28), Adobe Flash Player (APSB16-29) and Adobe AIR SDK & Compiler (APSB16-31). Adobe recommends users update their product installations to the latest versions using ..
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1399
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 09-09-2016 18:00 − Montag 12-09-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** DSA-3664 pdns - security update ***
---------------------------------------------
Multiple vulnerabilities have been discovered in pdns, an authoritativeDNS server. The Common Vulnerabilities and Exposures project identifies ..
---------------------------------------------
https://www.debian.org/security/2016/dsa-3664
*** WordPress 4.6.1 stopft zwei Lücken ***
---------------------------------------------
Die Hersteller des CMS WordPress empfehlen, das Update auf WordPress 4.6.1 schnellstmöglich einzuspielen, da es zwei gefährliche Sicherheitslücken schließt. Installationen mit Auto-Update haben die neue Version automatisch in den vorigen Tagen bekommen.
---------------------------------------------
http://heise.de/-3317796
*** OSX.Mokes: Mächtige Mac-Malware entdeckt ***
---------------------------------------------
Ermöglicht Angreifern weitreichende Überwachung – sucht zudem System nach Daten ab
---------------------------------------------
http://derstandard.at/2000044172706
*** Android: Google-Sicherheitspatch vom September stopft erneute Stagefright-Lücke ***
---------------------------------------------
Google behebt im Security Bulletin vom September mehrere Fehler in Android, darunter eine vom eigenen Team Zero gefundene Erweiterung des Stagefright-Bugs. Der Patch ist an die Hersteller ausgeliefert, einige haben schon Updates bereitgestellt.
---------------------------------------------
http://heise.de/-3317825
*** Sicherheitsexperten finden IoT-Botnet ***
---------------------------------------------
Eine Linux-Malware greift aktuell IoT-Geräte wie IP-Kameras mit veralteter Firmware an. Das Besondere an diesem Schädling: Nach der Infektion verwischt er seine Spuren und bleibt nur im Arbeitsspeicher der Geräte präsent. Das erschwert die Analyse.
---------------------------------------------
http://heise.de/-3317830
*** WooCommerce <= 2.6.3 - Stored Cross Site Scripting (XSS) via REST API ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/8619
*** l+f: Anti-ROP Mainframe-Style ***
---------------------------------------------
Nach Intel, Microsoft, OpenBSD und diversen anderen stellt nun auch IBM seine eigene Anti-ROP-Technik vor.
---------------------------------------------
http://heise.de/-3317746
*** USB Killer: 50-Dollar-Stick zerstört Computer beim Anstecken ***
---------------------------------------------
Version 2.0 des Sticks veröffentlicht – Hochspannungsimpuls führt zu irreparablem Schaden
---------------------------------------------
http://derstandard.at/2000044216572
*** Gugi: from an SMS Trojan to a Mobile-Banking Trojan ***
---------------------------------------------
In the previous article, we described the mechanisms used by Trojan-Banker.AndroidOS.Gugi.c to bypass a number of new Android 6 security features. In this article, we review the entire Gugi mobile-banking Trojan family in more detail.
---------------------------------------------
http://securelist.com/blog/mobile/76023/gugi-from-an-sms-trojan-to-a-mobile…
*** Vdos: Betreiber des größten DDoS-Anbieters in Israel verhaftet ***
---------------------------------------------
Der Hack eines DDoS-Anbieters zeigt: Die Vermietung von Angriffskapazitäten ist ein einträgliches Geschäft. Ironischerweise versuchen die Anbieter, sich hinter dem DDoS-Schutz Cloudflare zu verstecken. Die Betreiber wurden mittlerweile in Israel festgenommen.
---------------------------------------------
http://www.golem.de/news/vdos-betreiber-des-groessten-ddos-anbieters-in-isr…
*** Remote Root Code Execution / Privilege Escalation (0day) ***
---------------------------------------------
An independent research has revealed multiple severe MySQL vulnerabilities. This advisory focuses on a critical vulnerability with a CVEID of CVE-2016-6662 which can allow attackers to (remotely) inject malicious settings into MySQL configuration files (my.cnf) leading to critical consequences.
---------------------------------------------
http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution…
*** DSA-3665 openjpeg2 - security update ***
---------------------------------------------
Multiple vulnerabilities in OpenJPEG, a JPEG 2000 image compression /decompression library, may result in denial of service or the executionof arbitrary code if a malformed JPEG 2000 file is processed.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3665
*** Linux Malware: Novelties in the Threat Landscape ***
---------------------------------------------
In the last couple of years, security firms have observed an increasing number of malware specifically designed to target Linux-based systems. Linux, like ..
---------------------------------------------
http://resources.infosecinstitute.com/linux-malware-novelties-threat-landsc…
*** Payment Card Industry Council: Kreditkartenterminals bald mit Firmware-Update ***
---------------------------------------------
Skimming, Kreditkartenbetrug und manipulierte Bezahlterminals: Der Sicherheitstandard für EC- und Kreditkartenterminals wird überarbeitet. Künftig sollen die Geräte signierte Updates erhalten und gegen Laser resistent werden.
---------------------------------------------
http://www.golem.de/news/payment-card-industry-council-kreditkartenterminal…
*** LuaBot: Malware targeting cable modems ***
---------------------------------------------
CERT/CC released the Vulnerability Note VU#419568 and it got lots of media coverage. I did not provide any POCs during that time because I was pretty sure that those vulnerabilities were easily wormable... And guess what? Someone is actively exploiting those devices since May/2016.
---------------------------------------------
https://w00tsec.blogspot.co.at/2016/09/luabot-malware-targeting-cable-modem…
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 08-09-2016 18:00 − Freitag 09-09-2016 18:00
Handler: Stephan Richter
Co-Handler: Alexander Riepl
*** Cisco ACE30 Application Control Engine Module and Cisco ACE 4710 Application Control Engine Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability in the SSL/TLS functions of the Cisco ACE30 Application Control Engine Module and the Cisco ACE 4700 Series Application Control Engine Appliances could allow an unauthenticated, remote attacker to cause a denial of ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** DSA-3662 inspircd - security update ***
---------------------------------------------
It was discovered that incorrect SASL authentication in the InspircdIRC server may lead to users impersonating other users.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3662
*** ZDI-16-505: AlienVault Unified Security Management get_directive_kdb directive_id SQL Injection Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of AlienVault Unified Security Management. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-16-505/
*** ZDI-16-504: AlienVault Unified Security Management Multiple PHP Scripts Remote Code Execution Vulnerabilities ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of AlienVault Unified Security Management. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-16-504/
*** Multiple Security Vulnerabilities in Citrix NetScaler Platform IPMI Lights Out Management (LOM) firmware ***
---------------------------------------------
A number of security vulnerabilities have been identified in firmware used in the Lights Out Management (LOM) component across all NetScaler ..
---------------------------------------------
http://support.citrix.com/article/CTX216642
*** iPrint Appliance 2.0 Hot Patch 1 ***
---------------------------------------------
https://download.novell.com/Download?buildid=S7GK9olwBDk~
*** iPrint Appliance 2.1 Hot Patch 1 ***
---------------------------------------------
https://download.novell.com/Download?buildid=lVbNSynhgHU~
*** Asterisk RTP Session Management Bug Lets Remote Authenticated Users Consume Excessive Resources on the Target System ***
---------------------------------------------
http://www.securitytracker.com/id/1036750
*** Asterisk Error in Processing Unknown Endpoints Lets Remote Users Cause the Target Service to Crash ***
---------------------------------------------
http://www.securitytracker.com/id/1036749
*** Collecting Users Credentials from Locked Devices, (Fri, Sep 9th) ***
---------------------------------------------
Its a fact: When a device can be physically accessed, you may consider it as compromised. And if the device is properly hardened, its just a matter of time. The best ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21461
*** Samsung Android Security Updates ***
---------------------------------------------
SMR-SEP-2016 - Samsung Mobile is releasing a maintenance release for major flagship models as part of monthly Security Maintenance Release (SMR) process. This SMR package includes patches from Google and Samsung.
---------------------------------------------
http://security.samsungmobile.com/smrupdate.html
*** Picture Perfect: CryLocker Ransomware Uploads User Information as PNG Files ***
---------------------------------------------
Taking advantage of legitimate sites for command-and-control (C&C) purposes is typically done by most malware to avoid rousing suspicion from their targets. While ..
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/picture-perfect-…
*** Your Seagate Central NAS could be hosting mining malware ***
---------------------------------------------
If you have discovered cryptocurrency mining malware on your system, have removed it, and got compromised again without an idea about how it happened, it could be that the ..
---------------------------------------------
https://www.helpnetsecurity.com/2016/09/09/seagate-central-nas-hosting-malw…
*** Chrome soll vor nicht verschlüsselnden Webseiten warnen ***
---------------------------------------------
Zunächst brandmarkt der Browser nur Seiten, die Passwörter oder Kreditkarteninformationen enthalten. Nach und nach soll die Warnung dann ausgeweitet werden.
---------------------------------------------
http://heise.de/-3317393
*** Red Hat JBoss Enterprise Application Platform Input Validation Flaw Lets Remote Users Conduct HTTP Response Splitting and Content Injection Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1036758
*** HTTPS: Google Chrome will vor unverschlüsselten Webseiten warnen ***
---------------------------------------------
Wie umgehen mit unverschlüsselten Webseiten? Google will in Chrome künftig warnen, wenn unverschlüsselte Webseiten Passwörter und Kreditkartendaten abfragen. Doch das ist nur der Beginn der Planungen.
---------------------------------------------
http://www.golem.de/news/https-google-chrome-will-vor-unverschluesselten-we…
*** Asterisk RTP Session Management Bug Lets Remote Authenticated Users Consume Excessive Resources on the Target System ***
---------------------------------------------
http://www.securitytracker.com/id/1036750
*** Asterisk Error in Processing Unknown Endpoints Lets Remote Users Cause the Target Service to Crash ***
---------------------------------------------
http://www.securitytracker.com/id/1036749
*** Collecting Users Credentials from Locked Devices, (Fri, Sep 9th) ***
---------------------------------------------
Its a fact: When a device can be physically accessed, you may consider it as compromised. And if the device is properly hardened, its just a matter of time. The best ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21461
*** Samsung Android Security Updates ***
---------------------------------------------
SMR-SEP-2016 - Samsung Mobile is releasing a maintenance release for major flagship models as part of monthly Security Maintenance Release (SMR) process. This SMR package includes patches from Google and Samsung.
---------------------------------------------
http://security.samsungmobile.com/smrupdate.html
*** Picture Perfect: CryLocker Ransomware Uploads User Information as PNG Files ***
---------------------------------------------
Taking advantage of legitimate sites for command-and-control (C&C) purposes is typically done by most malware to avoid rousing suspicion from their targets. While ..
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/picture-perfect-…
*** Your Seagate Central NAS could be hosting mining malware ***
---------------------------------------------
If you have discovered cryptocurrency mining malware on your system, have removed it, and got compromised again without an idea about how it happened, it could be that the ..
---------------------------------------------
https://www.helpnetsecurity.com/2016/09/09/seagate-central-nas-hosting-malw…
*** Chrome soll vor nicht verschlüsselnden Webseiten warnen ***
---------------------------------------------
Zunächst brandmarkt der Browser nur Seiten, die Passwörter oder Kreditkarteninformationen enthalten. Nach und nach soll die Warnung dann ausgeweitet werden.
---------------------------------------------
http://heise.de/-3317393
*** Red Hat JBoss Enterprise Application Platform Input Validation Flaw Lets Remote Users Conduct HTTP Response Splitting and Content Injection Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1036758