=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 03-02-2016 18:00 − Donnerstag 04-02-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Weiterhin etliche IP-Kameras von Aldi unzureichend geschützt ***
---------------------------------------------
Nach wie vor ist mindestens eine dreistellige Zahl der bei Aldi verkauften Maginon-Kameras ohne Passwort über das Internet steuerbar. Unterdessen hat sich herausgestellt, dass der Hersteller bereits im Juni 2015 informiert wurde.
---------------------------------------------
http://heise.de/-3092642
*** Cisco Unified Communications Manager SQL Injection Vulnerability ***
---------------------------------------------
A vulnerability in the Cisco Unified Communications Manager SQL database interface could allow an authenticated, remote attacker to impact the confidentiality of the system by executing arbitrary SQL queries.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** CERT: Poor password policy leaves OpenELEC operating system vulnerable to hackers ***
---------------------------------------------
The CERT Division at Carnegie Mellon University yesterday issued an alert detailing a password vulnerability in the Open Embedded Linux Entertainment Center operating system.
---------------------------------------------
http://www.scmagazine.com/cert-poor-password-policy-leaves-openelec-operati…
*** Macro Redux: the Premium Package ***
---------------------------------------------
Earlier this week we came across an interesting spam email. It was targeted at one of our customers in the retail industry. It contained a Microsoft Word document (MD5 = b74604d0081e68e91d64b361601d79c4) with a rather small macro in it. All that macro did was save a copy of the document as RTF, open it and then ..
---------------------------------------------
http://labs.bromium.com/2016/02/03/macro-redux-the-premium-package/
*** Cisco Jabber Guest Server HTTP Web-Based Management Interface Cross-Site Scripting Vulnerability ***
---------------------------------------------
A vulnerability in the HTTP web-based management interface of the Cisco Jabber Guest application could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Unity Connection Web Framework Cross-Site Scripting Vulnerability ***
---------------------------------------------
A vulnerability in the web framework of Cisco Unity Connection could allow an unauthenticated, remote attacker to execute a cross-site scripting (XSS) attack.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Fake Adobe Flash Update OS X Malware ***
---------------------------------------------
Yesterday, while investigating some Facebook click-bait, I came across a fake Flash update that is targeting OS X users. Fake flash updates have been very common to infect OS X. They do not rely on a vulnerability in the operating system. Instead, the user is asked to willingly install them, by making ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20693
*** No More Deceptive Download Buttons ***
---------------------------------------------
In November, we announced that Safe Browsing would protect you from social engineering attacks - deceptive tactics that try to trick you into doing something dangerous, like installing unwanted software or revealing your personal information (for example, passwords, phone numbers, or credit cards). You may ..
---------------------------------------------
https://googleonlinesecurity.blogspot.co.uk/2016/02/no-more-deceptive-downl…
*** l+f: Web-Dienst prüft Präsenz sicherheitsrelevanter HTTP-Header ***
---------------------------------------------
Mit securityheaders.io kann man herausfinden, welche Schutzfunktionen ein Server über die HTTP-Header scharf schaltet.
---------------------------------------------
http://heise.de/-3095001
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 02-02-2016 18:00 − Mittwoch 03-02-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** WordPress 4.4.2 Security and Maintenance Release ***
---------------------------------------------
https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance…
*** Cisco WebEx Meetings Server Multiple Cross-Site Scripting Vulnerabilities ***
---------------------------------------------
A vulnerability in the web framework code of Cisco WebEx Meetings Server could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against the user of the web interface of the affected system.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Sauter moduWeb Vision Vulnerabilities ***
---------------------------------------------
This advisory contains mitigation details for three vulnerabilities in Sauter's moduWeb Vision application.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-033-01
*** GE SNMP/Web Interface Vulnerabilities ***
---------------------------------------------
This advisory contains mitigation details for two vulnerabilities in the GE SNMP/Web Interface adapter.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-033-02
*** DMA Locker: New Ransomware, But No Reason To Panic ***
---------------------------------------------
A new piece of ransomware which looks a little clumsy.
---------------------------------------------
https://blog.malwarebytes.org/news/2016/02/draft-dma-locker-a-new-ransomwar…
*** Enhanced Mitigation Experience Toolkit (EMET) version 5.5 is now available ***
---------------------------------------------
The Enhanced Mitigation Experience Toolkit (EMET) benefits enterprises and all computer users by helping to protect against security threats and breaches that can disrupt businesses and daily lives. It does this by anticipating, diverting, ..
---------------------------------------------
http://blogs.technet.com/b/srd/archive/2016/02/02/enhanced-mitigation-exper…
*** DSA-3465 openjdk-6 - security update ***
---------------------------------------------
Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in breakouts of the Java sandbox, information disclosure, denial of service and insecure cryptography.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3465
*** Bypassing Bitrix WAF via tiny regexp error ***
---------------------------------------------
Bitrix24 is one of the first and most secure cross-platform corporate software with integrated WAF and RASP. Lets see how we can bypass them.
---------------------------------------------
https://www.htbridge.com/blog/bypassing-bitrix-web-application-firewall-via…
*** Smartphone-Security: Root-Backdoor macht Mediatek-Smartphones angreifbar ***
---------------------------------------------
Eine Debug-Funktion für Vergleichstests im chinesischen Markt führt dazu, dass zahlreiche Smartphones mit Mediatek-Chipsatz verwundbar sind. Angreifer können eine lokale Root-Shell aktivieren. Auch Geräte auf dem deutschen Markt könnten betroffen sein.
---------------------------------------------
http://www.golem.de/news/smartphone-security-root-backdoor-macht-mediatek-s…
*** l+f: Neuland, USA ***
---------------------------------------------
Das Milliardenprojekt F-35 verzögert sich um mindestens ein Jahr, weil Techniker aus Sicherheitsgründen nicht auf eine Datenbank zugreifen können.
---------------------------------------------
http://heise.de/-3092005
*** MMD-0051-2016 - Debunking a tiny ELF remote backdoor (shellcode shellshock part 2) ***
---------------------------------------------
In September 2014 during the shellshock exploitation was in the rush I analyzed a case (MMD-0027-2014) of an ELF dropped payload via shellshock attack, with the details can be read in-->[here] Today I found an interesting ELF x32 sample that was reported several hours back, the infection vector is also ShellShock, the ..
---------------------------------------------
http://blog.malwaremustdie.org/2016/02/mmd-0051-2016-debungking-tiny-elf.ht…
*** Comodo: "Sicherer" Browser mit groben Sicherheitsdefiziten ***
---------------------------------------------
Google warnt vor der Verwendung - Hebelt Same Origin Policy des Browsers
---------------------------------------------
http://derstandard.at/2000030313692
*** Thunderstrike 2: Sicherheitsforscher arbeiten inzwischen für Apple ***
---------------------------------------------
Der Mac-Hersteller hat eine Sicherheitsfirma übernommen, die an der Entwicklung von "Thunderstrike 2" beteiligt war. Die Forscher zeigten Schwachstellen, die das Einschleusen eines Schädlings auf Firmware-Ebene ermöglichen – nicht nur auf Macs.
---------------------------------------------
http://heise.de/-3092644
*** Phishing-Angriff: Nutzer sollen Amazon-Zertifikat installieren ***
---------------------------------------------
Phishing-Angriffe gehören zu den nervigen Alltäglichkeiten von Internetnutzern. Eine spezielle Masche versucht jetzt, Android-Nutzer zur Installation eines angeblichen Sicherheitszertifikates zu bewegen. Komisch, dass das Zertifikat die Endung .apk aufweist.
---------------------------------------------
http://www.golem.de/news/phishing-angriff-nutzer-sollen-amazon-zertifikat-i…
*** Cisco Nexus 9000 Series ACI Mode Switch ICMP Record Route Vulnerability ***
---------------------------------------------
A vulnerability in the ICMP implementation in the Cisco Nexus 9000 Series Application Centric Infrastructure (ACI) Mode Switch could allow an unauthenticated, remote attacker to cause the switch to reload, resulting in a denial of service (DoS) condition.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Application Policy Infrastructure Controller Access Control Vulnerability ***
---------------------------------------------
A vulnerability in the role-based access control (RBAC) of the Cisco Application Policy Infrastructure Controller (APIC) could allow an authenticated remote user to make configuration changes outside of their configured access privileges.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco ASA-CX and Cisco Prime Security Manager Privilege Escalation Vulnerability ***
---------------------------------------------
A vulnerability in the role-based access control of Cisco ASA-CX and Cisco Prime Security Manager (PRSM) could allow an authenticated, remote attacker to change the password of any user on the system.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Bypass Windows AppLocker ***
---------------------------------------------
AppLocker is a new feature in Windows 7 and Windows Server 2008 R2 that allows you to specify which users or groups can run particular applications in your organization based on unique identities of files. If you use AppLocker, you can create rules to allow or deny applications from running.
---------------------------------------------
http://en.wooyun.io/2016/01/28/Bypass-Windows-AppLocker.html
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 01-02-2016 18:00 − Dienstag 02-02-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Cyberangriff auf A1 verursacht Ausfall des mobilen Netzes ***
---------------------------------------------
Attacken seit Samstag - Zeitpunkt der Fehlerbehebung noch nicht in Sicht
---------------------------------------------
http://derstandard.at/2000030190051
*** red|blue: A Soft-ish Introduction to Malware Analysis for Incident Responders ***
---------------------------------------------
One of my resolutions for the New Year is to spend more time conducting behavioral and static analysis of malicious PE files. I recently spent time watching some of the Cybrary Malware Reverse Engineering material and wanted to document my efforts here and share my notes and additional thoughts with you.
---------------------------------------------
http://www.redblue.team/2016/02/a-soft-introduction-to-malware-analysis.html
*** Malwarebytes Anti-Malware Vulnerability Disclosure ***
---------------------------------------------
In early November, a well-known and respected security researcher by the name of Tavis Ormandy alerted us to several security vulnerabilities in the consumer version of Malwarebytes Anti-Malware. Within days, we were able to fix several of the vulnerabilities server-side and are now internally ..
---------------------------------------------
https://blog.malwarebytes.org/news/2016/02/malwarebytes-anti-malware-vulner…
*** Massive Admedia/Adverting iFrame Infection ***
---------------------------------------------
This past weekend we registered a spike in WordPress infections where hackers injected encrypted code at the end of all legitimate .js files. The distinguishing features of this malware are: 32 hex digit comments at the beginning and end of the malicious ..
---------------------------------------------
https://blog.sucuri.net/2016/02/massive-admedia-iframe-javascript-infection…
*** Google plugs Android vulns ***
---------------------------------------------
Happy days if you own a Nexus Five "critical," four "high" severity and one merely "moderate" bug make up the menu of Android security patches, which are now available for Nexus devices and ..
---------------------------------------------
www.theregister.co.uk/2016/02/02/google_plugs_android_vulns/
*** Autonics DAQMaster 1.7.3 DQP Parsing Buffer Overflow Code Execution ***
---------------------------------------------
The vulnerability is caused due to a boundary error in the processing of a project file, which can be exploited to cause a buffer overflow when a user opens e.g. a specially crafted .DQP project file with a large array of bytes inserted in the Description element. Successful exploitation could allow execution of arbitrary code on the affected machine.
---------------------------------------------
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5302.php
*** Austrian Mobile Phone Signature is vulnerable against phishing and MitM attacks ***
---------------------------------------------
Talking with various people about the Two Factor Authentication (2FA) which is used in Austria to access public services led to my impression that most people think that the system is really secure. While it is more secure than a simple user/password combination its by far not that secure. In this ..
---------------------------------------------
http://robert.penz.name/1224/austrian-mobile-phone-signature-is-vulnerable-…
*** Aktuelle Spamwelle (Dridex) ***
---------------------------------------------
In den letzten Tagen gibt es vermehrt Berichte darüber, dass die Malware Dridex nach einer kurzen Winterpause wieder verstärkt aktiv ist.
---------------------------------------------
http://www.cert.at/services/blog/20160202110607-1661.html
*** Cyberbetrug bei FACC: Aktionäre fordern Konsequenzen ***
---------------------------------------------
Rasinger: "Das schließt auch personelle Konsequenzen mit ein" – Zeitung: Ablöse von Finanzchefin zu erwarten
---------------------------------------------
http://derstandard.at/2000030230502-375
*** Apache verpetzt möglicherweise Tor Hidden Services ***
---------------------------------------------
In seiner Standard-Konfiguration liefert der beliebte Web-Server-Dienst Informationen, die die Anonymitäts-Versprechen eines Tor Hidden Services gefährden. Diese anonymen Tor-Dienste sind der Kern des oft zitierten "Dark Net".
---------------------------------------------
http://heise.de/-3090218
*** Crash Safari Follow-Up ***
---------------------------------------------
It's been a week since short links to crashsafari.com went viral, and Google has finally killed the most prevalent link (goo.gl/78uQHK). More than three-quarters of a million clicks were made before the short link was disabled for violating ..
---------------------------------------------
https://labsblog.f-secure.com/2016/02/02/crash-safari-follow-up/
*** A1 kämpft seit Samstag gegen Hackerangriffe ***
---------------------------------------------
Ausfälle nach DDoS-Attacken zuerst im mobilen Netz, danach im Festnetz-Internet
---------------------------------------------
http://derstandard.at/2000030190051
*** Targeted IPv6 Scans Using pool.ntp.org ***
---------------------------------------------
IPv6 poses a problem for systems like Shodan, who try to enumerate vulnerabilities Internet-wide. Tools like zmap can scan the IPv4 internet in minutes (or maybe hours), but for IPv6, the same approach will still fail. The smallest IPv6 subnet is a /64, or 18.4 Quintillion addresses. A tool like zmap would ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20681
*** Socat Warns Weak Prime Number Could Mean It's Backdoored ***
---------------------------------------------
Socat published a security advisory warning users that a hard-coded 1024 Diffie-Hellman prime number was not prime, and that an attacker could listen and recover secrets from a key exchange.
---------------------------------------------
http://threatpost.com/socat-warns-weak-prime-number-could-mean-its-backdoor…
*** VU#719736: Fisher-Price Smart Toy platform allows some unauthenticated web API commands ***
---------------------------------------------
The Fisher-Price Smart Toy bear is a new WiFi-connected Internet of Things (IoT) toy. The device utilizes network connectivity to provide more interactivity with children.
---------------------------------------------
http://www.kb.cert.org/vuls/id/719736
*** Top Exploit Kits Round Up January Edition ***
---------------------------------------------
A look at the top exploit kits.Categories: ExploitKits(Read more...)
---------------------------------------------
https://blog.malwarebytes.org/exploitkits/2016/02/top-exploit-kits-round-up…
*** MailPoet Newsletters <= 2.6.19 - Cross-Site Scripting (XSS) ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/8373
*** Hacker wollen bei Nasa eingebrochen sein, um Chemtrails zu beweisen ***
---------------------------------------------
Gruppierung "Anonsec" will 250 GB an Daten erbeutet und Kontrolle über eine Drohne übernommen haben
---------------------------------------------
http://derstandard.at/2000030242744
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 29-01-2016 18:00 − Montag 01-02-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** FreeBSD Linux Support issetugid(2) Error Lets Local Users Gain Elevated Privileges ***
---------------------------------------------
The Linux compatibility layer issetugid(2) system call may return incorrect information. A local user may be able to exploit an application that uses this system call to gain elevated privileges.
---------------------------------------------
http://www.securitytracker.com/id/1034872
*** QEMU Firmware Configuration Processing Access Flaw Lets Local Users on a Guest System Gain Elevated Privileges on the Host System ***
---------------------------------------------
A privileged local user with CAP_SYS_RAWIO capabilities on the guest system can trigger an out-of-bounds read/write access error when processing firmware configurations and cause denial of service conditions or gain elevated privileges on the host system.
---------------------------------------------
http://www.securitytracker.com/id/1034858
*** HP integrated Lights Out (iLO) TLS Diffie-Hellman Export Cipher Downgrade Attack Lets Remote Users Decrypt Connections ***
---------------------------------------------
A remote user that can conduct a man-in-the-middle attack can cause the target system to downgrade the Diffie-Hellman algorithm to 512-bit export-grade cryptography. The remote user may then be able to decrypt the connection.
---------------------------------------------
http://www.securitytracker.com/id/1034884
*** Hippo CMS 10.1 XML External Entity Information Disclosure Vulnerability ***
---------------------------------------------
XXE (XML External Entity) processing through upload of SVG images in the CMS, and through XML import in the CMS Console application.
---------------------------------------------
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5301.php
*** Hippo CMS 10.1 Stored Cross-Site Scripting Vulnerability ***
---------------------------------------------
Hippo CMS suffers from a stored XSS vulnerability. Input passed thru the POST parameters groupname and description is not sanitized allowing the attacker to execute HTML code into users browser session on the affected site.
---------------------------------------------
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5300.php
*** HP Client Security Manager 8.3.4 Cross-Site Scripting Vulnerability ***
---------------------------------------------
HP Client Security Manager is prone to XSS attacks because of lacking sanitization of data from HTML forms. It makes any site vulnerable even without XSS presence on the site.
---------------------------------------------
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5299.php
*** Now VirusTotal can scan your firmware image for bad executables ***
---------------------------------------------
VirusTotal presented a new malware scanning engine that allows users to analyze their firmware images searching for malicious codes. VirusTotal has recently announced the launch of a new malware scanning service for firmware ..
---------------------------------------------
http://securityaffairs.co/wordpress/44097/malware/virustotal-firmware-scan.…
*** 6 Millionen US-Dollar für Sicherheitslücken in Google-Produkten ***
---------------------------------------------
Google zeigt sicher weiterhin spendabel, wenn Sicherheitsforscher neue Lücken in Chrome, Android & Co. an den Konzern melden.
---------------------------------------------
http://heise.de/-3088182
*** DSA-3460 privoxy - security update ***
---------------------------------------------
It was discovered that privoxy, a web proxy with advanced filteringcapabilities, contained invalid reads that could enable a remoteattacker to crash the application, thus causing a Denial of Service.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3460
*** Is security outfit Norse Corp dead or just temporarily TITSUP? ***
---------------------------------------------
Imploding says Brian Krebs Security startup Norse Corp has gone ominously dark.
---------------------------------------------
www.theregister.co.uk/2016/02/01/is_norse_corp_dead_or_just_temporarily_tit…
*** LibreSSL emits new versions, says not vulnerable to OpenSSL bug ***
---------------------------------------------
Ciscos pedalling hard to prepare patches too Corrected LibreSSL sysadmins should keep an eye on their mirrors for a soon-to-land update.
---------------------------------------------
www.theregister.co.uk/2016/02/01/openbsd_rolls_in_libressl_bug_fixes/
*** DSA-3463 prosody - security update ***
---------------------------------------------
It was discovered that insecure handling of dialback keys may allowa malicious XMPP server to impersonate another server.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3463
*** Schluss mit "123456": 1. Februar ist "Change your password"-Tag ***
---------------------------------------------
Zahlreiche Nutzer verwenden noch immer haarsträubend unsichere Passwörter
---------------------------------------------
http://derstandard.at/2000030144886
*** Aktuell im Umlauf: Trojaner-Mail im Namen des Kopierers verschickt ***
---------------------------------------------
Kriminelle versenden dieser Tage gehäuft E-Mails mit Schadcode im Anhang über gefälschte Absenderadressen von Netzwerk-Kopierern.
---------------------------------------------
http://heise.de/-3088536
*** GAME OVER: HOW A COLOURFUL GAME TURNED INTO A SUBSCRIPTION TRAP - App from the Google Play store automatically set up two subscriptions in the Netherlands ***
---------------------------------------------
Premium SMS messages were the first attacks on Android users - almost six years ago, malware with this functionality was the primary risk. Since then of course, the malware landscape for mobile devices has moved on significantly. For this very ..
---------------------------------------------
https://blog.gdatasoftware.com/blog/article/game-over-how-a-colourful-game-…
*** Theres a lot of vulnerable OS X applications out there. ***
---------------------------------------------
Lately, I was doing research connected with different updating strategies, and I tested a few applications working under Mac OS X. This short weekend research revealed that we have many insecure applications in the wild. As a result, I have found a vulnerability which allows an attacker take control of another computer on the same network (via MITM).
---------------------------------------------
https://vulnsec.com/2016/osx-apps-vulnerabilities/
*** Illegaler Bezahldienst Liberty Reserve: Gründer bekennt sich der Geldwäsche schuldig ***
---------------------------------------------
US-Behörden bezeichnen den 2013 abgestellten Onlinedienst Liberty Reserve als "die Bank der Wahl für die kriminelle Unterwelt". Der Gründer hat sich nun schuldig bekannt, über 250 Millionen US-Dollar gewaschen zu haben.
---------------------------------------------
http://heise.de/-3088621
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 28-01-2016 18:00 − Freitag 29-01-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Elaborate iCloud Phish Used To Activate Stolen iPhones ***
---------------------------------------------
Lost your iphone? Beware of messages claiming it was found.Categories: Phishing(Read more...)
---------------------------------------------
https://blog.malwarebytes.org/phishing/2016/01/elaborate-icloud-phish-used-…
*** New Attacks Linked to C0d0so0 Group ***
---------------------------------------------
While recently researching unknown malware and attack campaigns using the AutoFocus threat intelligence platform, Unit 42 discovered new activity that appears related to an adversary group previously called "C0d0so0" or "Codoso". This group is well...
---------------------------------------------
http://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0…
*** Ein Schlüssel fürs ungesicherte Smart Home ***
---------------------------------------------
Experten warnen vor unsicheren Eigenheim-Lösungen, die mit dem Internet verbunden sind. Konsumenten sollten von den Herstellern mehr Sicherheit einfordern.
---------------------------------------------
http://futurezone.at/digital-life/ein-schluessel-fuers-ungesicherte-smart-h…
*** Trojan targeted dozens of games on Google Play ***
---------------------------------------------
January 28, 2016 Doctor Web security researchers detected the Android.Xiny.19.origin Trojan that targeted dozens of games published on the Google Play store. The Trojan is designed to download, install, and run programs upon receiving a command from cybercriminals. Besides, it can display annoying advertisements. The Trojan was incorporated into more than 60 games that were then distributed via Google Play in the names of more than 30 game developers, including Conexagon Studio, Fun Color...
---------------------------------------------
http://news.drweb.com/show/?i=9803&lng=en&c=9
*** OpenSSL-Lücke: Die Sache mit den sicheren Primzahlen ***
---------------------------------------------
OpenSSL hat mit einem Sicherheitsupdate eine Sicherheitslücke im Diffie-Hellman-Schlüsselaustausch behoben, deren Risiko als "hoch" eingestuft wird. Allerdings dürfte kaum jemand von der Lücke praktisch betroffen sein.
---------------------------------------------
http://www.golem.de/news/openssl-luecke-die-sache-mit-den-sicheren-primzahl…
*** Auto mit bösartigem Lied gekapert ***
---------------------------------------------
Ein Sicherheitsforscher, der bereits 2010 eine kritische Lücke in einem Automobil-System entdeckte, hat nun erklärt, wie sie funktioniert: mit Schadcode, der in einem Song versteckt wurde. Auch heute sind ähnliche Angriffe noch immer denkbar.
---------------------------------------------
http://heise.de/-3087160
*** 27% of all malware variants in history were created in 2015 ***
---------------------------------------------
Last year was a record year for malware, according to a new report from Panda Security, with more than 84 million new malware samples collected over the course of the year.That averages out to around 230,000 new malware samples a day, said Luis Corrons, technical director of Pandas PandaLabs unit. Or 27 percent of all malware ever created.Trojans continued to account for the main bulk of malware, at 51.45 percent, followed by viruses at 22.79 percent, worms at 13.22 percent, potentially...
---------------------------------------------
http://www.cio.com/article/3027621/cyber-attacks-espionage/27-of-all-malwar…
*** From Linux to Windows - New Family of Cross-Platform Desktop Backdoors Discovered ***
---------------------------------------------
Background Recently we came across a new family of cross-platform backdoors for desktop environments. First we got the Linux variant, and with information extracted from its binary, we were able to find the variant for Windows desktops, too. Not only...
---------------------------------------------
http://securelist.com/blog/research/73503/from-linux-to-windows-new-family-…
*** Guest talk: "Hidden GEMs: Automated Discovery of Access Control Vulnerabilities in Graphical User Interfaces" ***
---------------------------------------------
February 02, 2016 - 11:00 am - 12:00 pm SBA Research Favoritenstraße 16 1040 Wien
---------------------------------------------
https://www.sba-research.org/events/guest-talk-hidden-gems-automated-discov…
*** Security Advisory: Linux kernel vulnerability CVE-2015-7509 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/73/sol73189318.html?…
*** DSA-3459 mysql-5.5 - security update ***
---------------------------------------------
Several issues have been discovered in the MySQL database server. Thevulnerabilities are addressed by upgrading MySQL to the new upstreamversion 5.5.47. Please see the MySQL 5.5 Release Notes and OraclesCritical Patch Update advisory for further details:
---------------------------------------------
https://www.debian.org/security/2016/dsa-3459
*** Westermo Industrial Switch Hard-coded Certificate Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a hard-coded certificate vulnerability in Westermo's industrial switches.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-028-01
*** JBoss Data Virtualization Object Deserialization FlawLets Remote Users Execute Arbitrary Code on the Target System ***
---------------------------------------------
http://www.securitytracker.com/id/1034815
*** Cisco Small Business 500 Series Switches Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Unity Connection User Search Cross-Site Scripting Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Multiple Vulnerabilities in OpenSSL (January 2016) Affecting Cisco Products ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** nginx DNS Processing Flaws Let Remote Users Deny Service ***
---------------------------------------------
http://www.securitytracker.com/id/1034869
*** Bugtraq: ProjectSend multiple vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/537402
*** Telegram (API) Cross Site Request Forgery ***
---------------------------------------------
Topic: Telegram (API) Cross Site Request Forgery Risk: Medium Text:Document Title: Telegram (API) - Cross Site Request Forgery Vulnerabilities References (Source): == http:/...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016010208
*** HP Security Bulletins ***
---------------------------------------------
*** HPSBGN03542 rev.1 - HPE Operations Manager for Windows using Java Deserialization, Remote Arbitrary Code Execution ***
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04953244
---------------------------------------------
*** HPSBHF03539 rev.1 - HPE VCX running OpenSSH or BIND, Remote Denial of Service (DoS) ***
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04952480
---------------------------------------------
*** HPSBOV03540 rev.1 - HPE OpenVMS TCPIP Bind Services and OpenVMS TCPIP IPC Services for OpenVMS, Remote Disclosure of Information, Execution of Code, Denial of Service (DoS) ***
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04952488
---------------------------------------------
*** HPSBHF03510 rev.1 - HP Integrated Lights-Out 2/3/4, Remote Unauthorized Modification ***
https://h20566.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04949778
---------------------------------------------
*** Bugtraq: [security bulletin] HPSBHF03538 rev.1 - HPE iMC Service Health Manager (SHM) and iMC PLAT running Adobe Flash, Remote Code Execution, Denial of Service (DoS) ***
http://www.securityfocus.com/archive/1/537401
---------------------------------------------
*** Bugtraq: [security bulletin] HPSBHF03535 rev.3 - HPE iMC Service Health Manager (SHM) and iMC PLAT running Adobe Flash, Multiple Remote Vulnerabilities ***
http://www.securityfocus.com/archive/1/537400
---------------------------------------------
*** Novell Patches ***
---------------------------------------------
*** IDM 4.5 Engine & Remote Loader Service Pack 3 4.5.3 ***
https://download.novell.com/Download?buildid=Rjs_0SapjGg~
---------------------------------------------
*** IDM 4.5 Identity Applications 4.5.3 ***
https://download.novell.com/Download?buildid=N63wVOwZf_s~
---------------------------------------------
*** NetIQ Identity Manager Service Pack 3 - Designer 4.5.3 ***
https://download.novell.com/Download?buildid=QgHXVOxv310~
---------------------------------------------
*** iManager 2.7 Support Pack 7 - Patch 6 for Windows ***
https://download.novell.com/Download?buildid=RYH_EkORvU4~
---------------------------------------------
*** eDirectory 8.8 SP8 Patch 7 for Linux ***
https://download.novell.com/Download?buildid=l6ulyqWxDv8~
---------------------------------------------
*** eDirectory 8.8 SP8 Patch 7 for Windows ***
https://download.novell.com/Download?buildid=HTund35qCFk~
---------------------------------------------
*** eDirectory 8.8 SP8 Patch 7 (non-root) for Linux ***
https://download.novell.com/Download?buildid=Drw3BqUXIo4~
---------------------------------------------
*** iManager 2.7 Support Pack 7 - Patch 6 for Linux ***
https://download.novell.com/Download?buildid=E9m024HXLHw~
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 27-01-2016 18:00 − Donnerstag 28-01-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Googles VirusTotal now picks out suspicious firmware ***
---------------------------------------------
Googles VirusTotal service has added a new tool that analyzes firmware, the low-level code that bridges a computers hardware and operating system at startup.Advanced attackers, including the U.S. National Security Agency, have targeted firmware as a place to embed malware since its a great place to hide. Since antivirus programs "are not scanning this layer, the compromise can fly under the radar," wrote Francisco Santos, an IT security engineer with VirusTotal, in a blog post on...
---------------------------------------------
http://www.cio.com/article/3027050/googles-virustotal-now-picks-out-suspici…
*** Critical Israel power grid attack was just boring ransomware ***
---------------------------------------------
Minister puts nation on alert, SANS Institute says move along, nothing to see here ... The SANS Institute has moved to quell reports that Israels energy grid has been hit by malware, revealing instead that the attacks were ransomware infecting the nations utility regulatory authority.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/01/28/israel_powe…
*** ENISA Threat Landscape 2015, a must reading ***
---------------------------------------------
ENISA has issued the annual ENISA Threat Landscape 2015 a document that synthesizes the emerging trends in cyber security I'm very happy to announce the publication of the annual ENISA Threat Landscape 2015 (ETL 2015), this is the fifth report issued by the European Agency. The ENISA Threat Landscape 2015 summarizes top cyber threats, experts have identified...
---------------------------------------------
http://securityaffairs.co/wordpress/43998/cyber-crime/enisa-threat-landscap…
*** Techie on the ground disputes BlackEnergy Ukraine power outage story ***
---------------------------------------------
And Russia? Thats too convenient A Ukrainian telecoms engineer has raised doubts about the widely reported link between BlackEnergy attacks and power outages in his country.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/01/27/ukraine_bla…
*** BlackEnergy APT Attacks in Ukraine employ spearphishing with Word documents ***
---------------------------------------------
Few days ago, we came by a new document that appears to be part of the ongoing attacks BlackEnergy against Ukraine. Unlike previous Office files used in the recent attacks, this is not an Excel workbook, but a Microsoft Word document.
---------------------------------------------
http://securelist.com/blog/research/73440/blackenergy-apt-attacks-in-ukrain…
*** Java Serialization Bug Crops Up At PayPal ***
---------------------------------------------
PayPal has rewarded two researchers with bug bounties for the discovery of a Java serialization vulnerability in manager.paypal.com
---------------------------------------------
http://threatpost.com/java-serialization-bug-crops-up-at-paypal/116054/
*** LG closes data-theft hole affecting millions of G3 smartphones ***
---------------------------------------------
Bug allows attackers to embed malicious code in data fed to phone.
---------------------------------------------
http://arstechnica.com/security/2016/01/lg-closes-data-theft-hole-affecting…
*** Oracle announces Java plugin deprecation, death ***
---------------------------------------------
With a short post by a member of the Java strategy team, Oracle has announced the approaching death of the hated Java plugin. "Oracle plans to deprecate the Java browser plugin in JDK 9. This techn...
---------------------------------------------
http://www.net-security.org/secworld.php?id=19385
*** DFN-CERT-2016-0166: OpenSSL: Zwei Schwachstellen ermöglichen das Umgehen von Sicherheitsmechanismen und das Ausspähen von Informationen ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0166/
*** Bugtraq: Netgear GS105Ev2 - Multiple Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/537389
*** Cisco Unity Connection Web Framework Cross-Site Scripting Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products - January 2016 ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Security Advisory: IPSec vulnerability CVE-2015-4047 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/05/sol05013313.html?…
*** Filr 1.2 - Security Update 1 ***
---------------------------------------------
Abstract: Security Updates for openSSH on the Filr, Search and MySQL 1.2.0 appliances.Document ID: 5233830Security Alert: YesDistribution Type: PublicEntitlement Required: NoFiles:MySQL-1.2.0.412.HP.zip (763.81 kB)Filr-1.2.0.857.HP.zip (763.86 kB)Search-1.2.0.996.HP.zip (763.83 kB)Products:Filr 1.2Superceded Patches: None
---------------------------------------------
https://download.novell.com/Download?buildid=Sww_cAfKic0~
*** Filr 1.1 - Security Update 5 ***
---------------------------------------------
Abstract: Security Updates for openSSH on the Filr, Search and MySQL 1.1.0 appliances.Document ID: 5233810Security Alert: YesDistribution Type: PublicEntitlement Required: NoFiles:MySQL-1.1.0.386.HP.zip (763.82 kB)Search-1.1.0.823.HP.zip (763.83 kB)Filr-1.1.0.677.HP.zip (763.91 kB)Products:Filr 1.1Superceded Patches: None
---------------------------------------------
https://download.novell.com/Download?buildid=GGjGx_IhcY4~
*** phpMyAdmin 4.5.4, 4.4.15.3, and 4.0.10.13 are released ***
---------------------------------------------
Welcome to phpMyAdmin 4.5.4, which contains regular bug fixes and a number of security fixes. The phpMyAdmin project also announces the release of versions 4.4.15.3 (a security release compatible with PHP versions as old as 5.3.7 and MySQL 5.5), and 4.0.10.13 (a security release compatible with PHP versions as old as 5.2 and MySQL 5). The security incidents will be documented in the upcoming PMASA-2016-1 through PMASA-2016-9, which will be available shortly at
---------------------------------------------
https://www.phpmyadmin.net/news/2016/1/28/phpmyadmin-454-44153-and-401013-a…
*** Bugtraq: HCA0005 - Liberty Global - Horizon HD STB - predictable WiFi passphrase ***
---------------------------------------------
http://www.securityfocus.com/archive/1/537395
*** Bugtraq: Trend Micro Direct Pass - Filter Bypass & Persistent Web Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/537396
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 26-01-2016 18:00 − Mittwoch 27-01-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** BGP Route Hijacking - An Overview ***
---------------------------------------------
BGP is the mechanism by which autonomous networks exchange "reachability" information between each other. A network with an assigned or allocated prefix of addresses "advertises" the block of addresses to a neighboring BGP speaking router, this is known as BGP peering. There is little hiding what BGP peering networks announce between each other. When two networks are reasonably small, and their assigned prefixes are limited and well known, enforcement of announcements...
---------------------------------------------
https://blog.team-cymru.org/2016/01/bgp-route-hijacking-an-overview/
*** More Fake Facebook "Security System Page" Scams ***
---------------------------------------------
We take a look at some variations on the same kind of Facebook scam currently doing the rounds.Categories: Fraud/Scam AlertTags: facebookphishphishingscam(Read more...)
---------------------------------------------
https://blog.malwarebytes.org/fraud-scam/2016/01/more-fake-facebook-securit…
*** If youre one of millions using Magento - stop whatever youre doing and patch now ***
---------------------------------------------
Ecommerce websites can be hijacked via critical flaw A huge security hole has been found in popular ecommerce platform Magento, requiring an immediate update.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/01/26/urgent_mage…
*** New Magic ransomware abuses open-source educational code ***
---------------------------------------------
Malware based on open-source code, created for educational purposes only, has been spotted in the wild by Bleeping Computers Lawrence Abrams.
---------------------------------------------
http://www.scmagazine.com/new-magic-ransomware-abuses-open-source-education…
*** Verschlüsselung: IETF standardisiert zwei weitere elliptische Kurven ***
---------------------------------------------
Die IETF hat die beiden elliptischen Kurven Curve25519 und Curve448 als RFC für Krypto-Funktionen offiziell abgesegnet. Eine Standardisierung der Kurven für den Schlüsselaustausch bei TLS wird ebenfalls erwartet.
---------------------------------------------
http://heise.de/-3084830
*** Security: Wenn der Drucker zum anonymen Fileserver wird ***
---------------------------------------------
Sicherheitsprobleme liegen oft bei den Anwendern von IT-Produkten. In einem aktuellen Fall zeigt ein Sicherheitsforscher, dass Angreifer auf ungeschützten Netzwerkdruckern von Hewlett-Packard anonym Dateien ablegen können.
---------------------------------------------
http://www.golem.de/news/security-wenn-der-drucker-zum-anonymen-fileserver-…
*** The Rising Sophistication of Network Scanning ***
---------------------------------------------
In this article I would like to show you a hidden system that is hard at work scanning thousands, maybe millions, of unsuspecting devices. And Ill show how this system efficiently harvests each devices personal IP address and hands it off to a scanner, which proceeds to run a port/security scan against each unsuspecting victim for vulnerabilities.
---------------------------------------------
http://netpatterns.blogspot.co.uk/2016/01/the-rising-sophistication-of-netw…
*** SQL Injection Analysis ***
---------------------------------------------
It is one thing to be able to execute a simple SQL injection attack; it is another to do a proper investigation of such an attack. Unfortunately, there is not much information on SQL Injection analysis. This article will assist in providing some tools for basic Incident Response. It can be fairly easily translated to...
---------------------------------------------
http://resources.infosecinstitute.com/sql-injection-analysis/
*** RuhrSec 2016 - supported by SBA Research ***
---------------------------------------------
April 28, 2016 - April 29, 2016 - All Day Veranstaltungszentrum, Ruhr-Universität Bochum Universitätsstraße 150 Bochum
---------------------------------------------
https://www.sba-research.org/events/ruhrsec-2016/
*** TP-Link-Router mit vorhersehbarem Standard-WLAN-Passwort ***
---------------------------------------------
Angreifer können das werkseitige WLAN-Passwort von einer TP-Link-Router-Serie vergleichsweise einfach herausfinden und sich so Zugang zum Netzwerk verschaffen. Weitere Serien könnten ebenfalls betroffen sein.
---------------------------------------------
http://heise.de/-3085482
*** Apple can read your iMessages despite them being encrypted ***
---------------------------------------------
Despite Apple taking a pro-encryption stance, with its CEO Tim Cook insisting that iMessages are safely encrypted, it turns out that if users backup data using iCloud Backup, they need to be aware that although Apple stores the backup in encrypted form, it uses its own key.
---------------------------------------------
http://www.scmagazine.com/apple-can-read-your-imessages-despite-them-being-…
*** Bugtraq: [security bulletin] HPSBGN03537 rev.1 - HPE IceWall Federation Agent and IceWall File Manager running libXML2, Remote or Local Denial of Service (DoS) ***
---------------------------------------------
http://www.securityfocus.com/archive/1/537368
*** Bugtraq: [security bulletin] HPSBGN03536 rev.1 - HP IceWall Products running OpenSSL, Remote and Local Denial of Service (DoS) ***
---------------------------------------------
http://www.securityfocus.com/archive/1/537367
*** pfSense Firewall 2.2.5 Cross Site Request Forgery ***
---------------------------------------------
Topic: pfSense Firewall 2.2.5 Cross Site Request Forgery Risk: Low Text:<!-- # Exploit Title: pfSense Firewall 2.2.5 Cross-Site Request Forgery # Date: 23-01-2016 # Software Link: http://mirror.a...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016010178
*** Cisco Small Business SG300 Managed Switch Web Framework GUI Function Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco RV220W Management Authentication Bypass Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Wide Area Application Service CIFS Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** MICROSYS PROMOTIC Memory Corruption Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a memory corruption vulnerability in the MICROSYS, spol. s r.o. PROMOTIC application.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-026-01
*** Rockwell Automation MicroLogix 1100 PLC Overflow Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a stack-based buffer overflow vulnerability in Rockwell Automation's Allen-Bradley MicroLogix 1100 programmable logic controller systems.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-026-02
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSH affect IBM MQ Appliance (CVE-2016-0777) ***
http://www.ibm.com/support/docview.wss?uid=swg21975158
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in the GSKit component of Communications Server for Data Center Deployment, AIX, Linux, System z, and Windows (CVE-2016-0201) ***
http://www.ibm.com/support/docview.wss?uid=swg21974589
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in the GSKit component of Content Manager Enterprise Edition (CVE-2016-0201) ***
http://www.ibm.com/support/docview.wss?uid=swg21974700
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in the GSKit component of IBM Content Collector for SAP Applications (CVE-2016-0201) ***
http://www.ibm.com/support/docview.wss?uid=swg21974333
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in the GSKit component of IBM Sterling Connect:Direct for Microsoft Windows (CVE-2016-0201) ***
http://www.ibm.com/support/docview.wss?uid=swg21974407
---------------------------------------------
*** IBM Security Bulletin: A vulnerability has been addressed in the GSKit component of IBM Security Directory Server (CVE-2016-0201) ***
http://www.ibm.com/support/docview.wss?uid=swg21975404
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in the GSKit component of IBM Personal Communications (CVE-2016-0201) ***
http://www.ibm.com/support/docview.wss?uid=swg21974947
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in openssl affect Power Hardware Management Console (CVE-2015-3193, CVE-2015-3194, CVE-2015-3195, CVE-2015-3196, CVE-2015-1794) ***
http://www.ibm.com/support/docview.wss?uid=nas8N1021091
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Apache Commons affects IBM Kenexa LMS along with IBM Kenexa Participate, IBM Kenexa LCMS on Cloud (CVE-2015-7450) ***
http://www.ibm.com/support/docview.wss?uid=swg21972995
---------------------------------------------
*** IBM Security Bulletin: Security Bulletin: Vulnerabilities in Java affect Power Hardware Management Console (CVE-2015-4843 CVE-2015-4868 CVE-2015-4806 CVE-2015-4872 CVE-2015-4911 CVE-2015-4893 CVE-2015-4842 CVE-2015-4803) ***
http://www.ibm.com/support/docview.wss?uid=nas8N1021090
---------------------------------------------
*** IBM Security Bulletin: Two vulnerabilities exist in IBM Case Foundation and FileNet Business Process Manager (CVE-2012-5784 and CVE-2014-3596) ***
http://www.ibm.com/support/docview.wss?uid=swg21965451
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects IBM MQ Appliance (CVE-2015-7575) ***
http://www.ibm.com/support/docview.wss?uid=swg21974599
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects RIT and RTCP in Rational Test Workbench, RTCP and RIT Agent in Rational Test Virtualization Server, and RIT Agent in Rational Performance Test Server (CVE-2015-7575) ***
http://www.ibm.com/support/docview.wss?uid=swg21974922
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects IBM i (CVE-2015-7575). ***
http://www.ibm.com/support/docview.wss?uid=nas8N1021096
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in the GSKit component of IBM MQ Appliance (CVE-2016-0201) ***
http://www.ibm.com/support/docview.wss?uid=swg21974598
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in the GSKit component of IBM Security SiteProtector System (CVE-2016-0201) ***
http://www.ibm.com/support/docview.wss?uid=swg21974980
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in the GSKit component of Content Manager OnDemand for Multiplatforms (CVE-2016-0201) ***
http://www.ibm.com/support/docview.wss?uid=swg21974698
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in the GSKit component of IBM Sterling Connect:Direct for UNIX (CVE-2016-0201) ***
http://www.ibm.com/support/docview.wss?uid=swg21974884
---------------------------------------------
*** IBM Security Bulletin: IBM Platform Application Center Standard Edition is affected by a security vulnerability (CVE-2015-7450) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023269
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in the GSKit component of Transformation Extender (CVE-2016-0201, CVE-2015-7421, CVE-2015-7420) ***
http://www.ibm.com/support/docview.wss?uid=swg21972246
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium ***
http://www.ibm.com/support/docview.wss?uid=swg21973723
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 25-01-2016 18:00 − Dienstag 26-01-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Cisco Unified Contact Center Express Cross-Site Scripting Vulnerability ***
---------------------------------------------
A vulnerability in the HTTP web-based management interface of the Cisco Unified Contact Center Express could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface of the affected system. This vulnerability applies to all Permanent Web Links ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Application Policy Infrastructure Controller Enterprise Module SNMP Hostname Cross-Site Scripting Vulnerability ***
---------------------------------------------
A vulnerability in the Simple Network Management Protocol (SNMP) query process of the Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM) could allow an unauthenticated, remote attacker to perform a cross-site scripting (XSS) attack.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** DSA-3453 mariadb-10.0 - security update ***
---------------------------------------------
https://www.debian.org/security/2016/dsa-3453
*** Symantec partner caught running tech support scam ***
---------------------------------------------
Tech support scammers are known for their cheek -- making unfounded claims that PCs are infected to scare consumers into parting with their money -- but a Symantec partner took nerve to a new level, a security company claimed last week.According to San Jose, Calif.-based Malwarebytes, Silurian ..
---------------------------------------------
http://www.cio.com/article/3026356/security/symantec-partner-caught-running…
*** Pentest Time Machine: NMAP + Powershell + whatever tool is next ***
---------------------------------------------
Early on in many penetration test or security assessment, you will often find yourself wading through what seems like hundreds or thousands of text files, each seemingly hundreds or thousands of pages long (likely because they are). One ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20653&
*** Appointment Booking Calendar <= 1.1.23 - Unauthenticated SQL Injection ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/8366
*** PDF-Reader Foxit Reader für Schadcode anfällig ***
---------------------------------------------
Neue Versionen sichern Foxit PhantomPDF und Foxit Reader ab. Beide Anwendungen lassen sich aus der Ferne attackieren und Angreifer können eigenen Code auf Computer schleusen.
---------------------------------------------
http://heise.de/-3084161
*** Carsharing-Anbieter: Phishing-Angriff auf Car2go-Nutzer ***
---------------------------------------------
Wer von einem Onlinedienst zur 'Verifizierung' von Daten aufgerufen wird, sollte immer vorsichtig sein. Aktuell läuft eine Phishing-Kampagne gegen Nutzer des Carsharing-Angebots von Daimler.
---------------------------------------------
http://www.golem.de/news/carsharing-anbieter-phishing-angriff-auf-car2go-nu…
*** Sicherheitsupdate für OpenSSL steht an ***
---------------------------------------------
Neue OpenSSL-Versionen sollen zwei Sicherheitslücken schließen. Den Schweregrad einer Schwachstelle stuft das OpenSSL-Team mit hoch ein.
---------------------------------------------
http://heise.de/-3084227
*** WP Easy Gallery <= 4.1.4 - Reflected Cross-Site Scripting (XSS) ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/8367
*** Curve25519/Curve447: Neue elliptische Kurven von der IETF ***
---------------------------------------------
Die Krypto-Arbeitsgruppe der IETF hat RFC 7748 veröffentlicht. Darin spezifiziert sind die zwei elliptischen Kurven Curve25519 und Curve447. Die Einigung ist das Ergebnis einer langen Diskussion.
---------------------------------------------
http://www.golem.de/news/curve25519-curve447-neue-elliptische-kurven-von-de…
*** Battling Business Email Compromise Fraud: How Do You Start? ***
---------------------------------------------
In May 2014, an accountant to a Texas manufacturing firm received an email from a familiar correspondent, his company's CEO. The email instructed him to wait for a call from a partner company and warned against sharing the email to anyone ..
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/battling-busines…
*** Oracle Pushes Java Fix: Patch It or Pitch It ***
---------------------------------------------
Oracle has shipped an update for its Java software that fixes at least eight critical security holes. If you have an affirmative use for Java, please update to the latest version; if youre not sure why you have Java installed, its high time to remove the program once and for all.
---------------------------------------------
http://krebsonsecurity.com/2016/01/oracle-pushes-java-fix-patch-it-or-pitch…
*** Symantec detects 3,500 servers infected with a malicious script ***
---------------------------------------------
Symantec reported the worldwide infection of 3,500 public servers with a malicious script that redirects its victims to other compromised websites and said it believes could be part of a recon effort for future attacks.
---------------------------------------------
http://www.scmagazine.com/symantec-detects-3500-servers-infected-with-a-mal…
*** Nach dem Hack: Vtech geht wieder ein bisschen online ***
---------------------------------------------
Der Spielzeughersteller Vtech wurde Ende vergangenen Jahres wegen großer Sicherheitsmängel kritisiert und nahm daraufhin viele seiner Dienste vom Netz. Jetzt gehen einige Produkte wieder online - bei der Security will das Unternehmen dazugelernt haben.
---------------------------------------------
http://www.golem.de/news/nach-dem-hack-vtech-geht-wieder-ein-bisschen-onlin…
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 22-01-2016 18:00 − Montag 25-01-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** ZDI-16-023: Oracle GoldenGate Veridata File Upload Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Oracle GoldenGate. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-16-023/
*** Hospira Multiple Products Buffer Overflow Vulnerability ***
---------------------------------------------
Jeremy Richards of SAINT Corporation has identified a buffer overflow vulnerability in Hospira's LifeCare PCA Infusion System. Hospira has determined that LifeCare PCA Infusion Systems released prior to July 2009 that are running Communication Engine (CE) Version 1.0 or earlier are vulnerable. In response to Jeremy ..
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-15-337-02
*** Security Advisory: Stored XSS in Magento ***
---------------------------------------------
During our regular research audits for our Cloud-based WAF, we discovered a Stored XSS vulnerability affecting the Magento platform that can be easily exploited remotely. We notified the Magento team and worked with them to get it fixed.
---------------------------------------------
https://blog.sucuri.net/2016/01/security-advisory-stored-xss-in-magento.html
*** 'Deliberate' Backdoor Removed From Secure Conferencing Gear ***
---------------------------------------------
AMX, a provider of audio-visual conferencing gear used in sensitive government and military locations, has removed a 'deliberate' backdoor in one of its central controller system products.
---------------------------------------------
http://threatpost.com/deliberate-backdoor-removed-from-secure-conferencing-…
*** Rsync Symlink Path Validation Flaw Lets Remote Users Write Files on the Target System ***
---------------------------------------------
http://www.securitytracker.com/id/1034786
*** JavaScript Backdoor ***
---------------------------------------------
Casey Smith recently shared his research on twitter, which is to reverse HTTP Shell by using JavaScript. I found it rather interesting and further analyzed this technique.
---------------------------------------------
http://en.wooyun.io/2016/01/18/JavaScript-Backdoor.html
*** Snowden enttarnt falsche "Krypto-Mail" in IS-Video ***
---------------------------------------------
Terrororganisation hatte in Botschaft mit weiteren Angriffen gedroht
---------------------------------------------
http://derstandard.at/2000029688150
*** Fortinet: Mehr Hintertüren, mehr Patches ***
---------------------------------------------
Erst in der vergangenen Woche war bekanntgeworden, dass einige Fortinet-Firewall-Produkte einen Zugang mit Standardpasswörtern ermöglichen. Jetzt hat das Unternehmen seine eigenen Produkte analysiert - und weitere verwundbare Geräte gefunden.
---------------------------------------------
http://www.golem.de/news/fortinet-mehr-hintertueren-mehr-patches-1601-11872…
*** CVE-2015-8651 (Flash up to 20.0.0.228/235) and Exploit Kits ***
---------------------------------------------
http://malware.dontneedcoffee.com/2016/01/cve-2015-8651.html
*** Multi-Faktor-Authentifizierung: Neue vPro-Generation bringt Intel Authenticate ***
---------------------------------------------
Mit der sechsten Generation des Core i (Skylake) und dem Start der entsprechenden Geschäftskundenplattform will Intel nun verstärkt auch Sicherheitslösungen in vPro anbieten. Eine betriebssystemunabhängige Firmware und direktes Ansprechen der Grafikkarte sollen Keylogger chancenlos lassen.
---------------------------------------------
http://www.golem.de/news/multi-faktor-authentifizierung-neue-vpro-generatio…
*** RSA Conference disables Twitter password-collecting form ***
---------------------------------------------
After a storm of criticism and shaming over the blurb-tweeting feature, the organizers said that they had used OAuth and hadnt collected passwords.
---------------------------------------------
https://nakedsecurity.sophos.com/2016/01/25/rsa-conference-disables-twitter…
*** Linux kernel : Denial of service with specially crafted key file. ***
---------------------------------------------
An issue with ASN1.1 DER decoder was reported that a specially created key can lead to a kernel panic via x509 certificate DER signature parsing.
---------------------------------------------
http://www.openwall.com/lists/oss-security/2016/01/25/2
*** Sicherheitspatches: Angreifer können Webseiten mit Magento-Shop kapern ***
---------------------------------------------
Magento sichert sein Shop-System ab. Dabei schließt der Anbieter zwei als kritisch eingestufte Lücken, über die Angreifer Admin-Sessions übernehmen können.
---------------------------------------------
http://heise.de/-3083645
*** Hard-Coded Password Found in Lenovo File-Sharing App ***
---------------------------------------------
Lenovos SHAREit file-sharing app for Windows and Android has been patched against vulnerabilities that put private data at risk.
---------------------------------------------
http://threatpost.com/hard-coded-password-found-in-lenovo-file-sharing-app/…
*** Hack Brief: Don't Be Trolled by This iPhone-Crashing Link Meme ***
---------------------------------------------
Pranksters are passing a link to "crashsafari.com" around social media, which immediately crashes iPhones and iPads.
---------------------------------------------
http://www.wired.com/2016/01/hack-brief-dont-be-trolled-by-this-iphone-cras…
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 21-01-2016 18:00 − Freitag 22-01-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Scanning for Fortinet ssh backdoor, (Thu, Jan 21st) ***
---------------------------------------------
On 11 Jan, a Python script was posted on the full-disclosure mailing list that took advantage of a hardcoded ssh password in some older versions of various products from Fortinet (see complete list in Ref [1] below). Looking at our collected ssh data, weve seen an increase in scanning for those devices in the days since the revelation of the vulnerability. Nearly all of this scanning has come from two IPs in China (124.160.116.194 and 183.131.19.18). So if you...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20635&rss
*** Unknown attackers are infecting home routers via dating sites ***
---------------------------------------------
Damballa researchers have spotted an active campaign aimed at infecting as many home routers possible with a worm. A variant of the TheMoon worm, it works by taking advantage of a weakness in the H...
---------------------------------------------
http://www.net-security.org/malware_news.php?id=3192
*** Security: Auch Kreditkarten mit Chip und PIN können kopiert werden ***
---------------------------------------------
Bislang war bekannt, dass Kreditkarten mit Magnetstreifen mit trivialen Mitteln kopierbar sind. Aktuelle Recherchen zeigen, dass auch Karten mit dem besser gesicherten Chip-und-PIN-Verfahren kopiert werden können - weil einige Banken schlampen.
---------------------------------------------
http://www.golem.de/news/security-auch-kreditkarten-mit-chip-und-pin-koenne…
*** Fraunhofer ESK: Skype ist Sicherheitsrisiko für Firmen ***
---------------------------------------------
Wissenschaftler des Fraunhofer-ESK-Instituts haben Microsofts Instant-Messaging-Dienst Skype untersucht und raten Firmen vom Einsatz ab. Vor allem wegen der Netzarchitektur und der Verschlüsselung haben sie Sicherheitsbedenken.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Fraunhofer-ESK-Skype-ist-Sicherheits…
*** Extracting pcap from memory , (Fri, Jan 22nd) ***
---------------------------------------------
I have talked many times about memory forensics and how useful its. In this diary I am going to talk about how to extract a pcap file from a memory image using bulk_extractor. Of course when we are extracting a pcap file from a memory image we are going to not have everything but there will be some remanence that can help in our investigation bulk_extractor is a computer forensics tool that scans a disk image, a file, or a directory of files and extracts useful information without parsing the...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20639&rss
*** Trojan.DNSChanger circumvents Powershell restrictions ***
---------------------------------------------
We take a close look at the functionality of a new variant of the DNS-changer adware family. Especially the use of encoded scripts as a way to bypass the Powershell execution protection.Categories: Security ThreatTags: adwarechangerdnsPieter Arntzpowershellrestrictedrestrictionstrojan(Read more...)
---------------------------------------------
https://blog.malwarebytes.org/security-threat/2016/01/trojan-dnschanger-cir…
*** Citrix XenServer Security Update for CVE-2016-1571 ***
---------------------------------------------
A security vulnerability has been identified in Citrix XenServer that could, if exploited, allow a malicious administrator of a guest VM to crash the host in certain deployments. This vulnerability affects all currently supported versions of Citrix XenServer up to and including Citrix XenServer 6.5 Service Pack 1.
---------------------------------------------
https://support.citrix.com/article/CTX205496
*** Multiple Buffalo network devices vulnerable to cross-site scripting ***
---------------------------------------------
Multiple network devices provided by BUFFALO INC. contain a cross-site scripting vulnerability.
---------------------------------------------
http://jvn.jp/en/jp/JVN49225722/
*** Multiple Buffalo network devices vulnerable to cross-site request forgery ***
---------------------------------------------
Multiple network devices provided by BUFFALO INC. contain a cross-site request forgery vulnerability.
---------------------------------------------
http://jvn.jp/en/jp/JVN09268287/
*** DSA-3451 fuse - security update ***
---------------------------------------------
Jann Horn discovered a vulnerability in the fuse (Filesystem inUserspace) package in Debian. The fuse package ships an udev ruleadjusting permissions on the related /dev/cuse character device, makingit world writable.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3451
*** DFN-CERT-2016-0129: NTP: Eine Schwachstelle ermöglicht das Erlangen von Administratorrechten ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0129/
*** DFN-CERT-2016-0125: Red Hat JBoss Web Server: Mehrere Schwachstellen ermöglichen Denial-of-Service-Angriffe und das Umgehen von Sicherheitsvorkehrungen ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0125/
*** USN-2879-1: rsync vulnerability ***
---------------------------------------------
Ubuntu Security Notice USN-2879-121st January, 2016rsync vulnerabilityA security issue affects these releases of Ubuntu and its derivatives: Ubuntu 15.10 Ubuntu 15.04 Ubuntu 14.04 LTS Ubuntu 12.04 LTSSummaryrsync could be made to write files outside of the expected directory.Software description rsync - fast, versatile, remote (and local) file-copying tool DetailsIt was discovered that rsync incorrectly handled invalid filenames. Amalicious server could use this issue to write files outside of...
---------------------------------------------
http://www.ubuntu.com/usn/usn-2879-1/
*** CAREL PlantVisor Enhanced Authentication Bypass Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for an authorization bypass vulnerability in CAREL's PlantVisor application.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-021-01
*** Security Advisory: NTP vulnerabilities CVE-2015-5194 and CVE-2015-5195 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/02/sol02360853.html?…
*** Bugtraq: January 2016 - Bamboo - Critical Security Advisory ***
---------------------------------------------
http://www.securityfocus.com/archive/1/537347