=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 02-06-2016 18:00 − Freitag 03-06-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Trillium Exploit Kit Update Offers 'Security Tips' ***
---------------------------------------------
McAfee Labs has previously blogged about the Trillium Exploit Kit Version 3.0, which is commonly used to create and distribute malware. Last week, Version 4.0 appeared on several underground forums. We have analyzed the new version of the tool ..
---------------------------------------------
https://blogs.mcafee.com/mcafee-labs/trillium-exploit-kit-update-offers-sec…
*** DSA-3593 libxml2 - security update ***
---------------------------------------------
Several vulnerabilities were discovered in libxml2, a library providingsupport to read, modify and write XML and HTML files. A remote attackercould provide a specially crafted XML or HTML file that, when processedby an ..
---------------------------------------------
https://www.debian.org/security/2016/dsa-3593
*** GE MultiLink Series Hard-coded Credential Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a hard-coded credential vulnerability in GE's MultiLink series managed switches.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-154-01
*** WP Mobile Detector <= 3.5 - Arbitrary File Upload ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/8505
*** Understanding Angler Exploit Kit - Part 1: Exploit Kit Fundamentals ***
---------------------------------------------
Generally speaking, criminal groups use two methods for widespread distribution of malware. The most common method is malicious spam (malspam). This is a fairly direct mechanism, usually through an email attachment or ..
---------------------------------------------
http://researchcenter.paloaltonetworks.com/2016/06/unit42-understanding-ang…
*** MySQL is YourSQL ***
---------------------------------------------
Its The End of the World and We Know It If you listen to the press - those purveyors of doom, those nattering nabobs of negativism - you arrive at a single, undeniable conclusion: The worldis going to hell in a hand-basket. They ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21117
*** Nach Kontroversen: Teamviewer führte neue Accountsicherungen ein ***
---------------------------------------------
Wenige Tage nach zahlreichen Nutzerbeschwerden über gehackte Accounts reagiert Teamviewer mit einem vorgezogenen Sicherheitsupdate. Wir haben mit dem Unternehmen darüber gesprochen.
---------------------------------------------
http://www.golem.de/news/nach-kontroversen-teamviewer-fuehrte-neue-accounts…
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 01-06-2016 18:00 − Donnerstag 02-06-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** DSA-3591 imagemagick - security update ***
---------------------------------------------
Bob Friesenhahn from the GraphicsMagick project discovered a commandinjection vulnerability in ImageMagick, a program suite for imagemanipulation. An attacker with control on input image or the inputfilename can execute arbitrary commands with the privileges of the userrunning the application.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3591
*** Lenovo advises users to remove a vulnerable support tool preinstalled on their systems ***
---------------------------------------------
PC maker Lenovo is recommending that users remove an application preloaded on their computers because it contains a high-severity flaw that could allow attackers to take over their systems.The vulnerable tool is called ..
---------------------------------------------
http://www.csoonline.com/article/3077935/security/lenovo-advises-users-to-r…
*** Opening hours - Moderately Critical - XSS - SA-CONTRIB-2016-031 ***
---------------------------------------------
https://www.drupal.org/node/2738707
*** DSA-3592 nginx - security update ***
---------------------------------------------
It was discovered that a NULL pointer dereference in the Nginx coderesponsible for saving client request bodies to a temporary file mightresult in denial of service: Malformed requests could crash workerprocesses.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3592
*** Researchers spot 35-fold increase in newly observed ransomware domains ***
---------------------------------------------
A record 35-fold increase in newly observed ransomware domains compared to the fourth quarter of 2015 have been spotted by Infoblox researchers.
---------------------------------------------
http://www.scmagazine.com/infoblox-researchers-spotted-a-huge-uptick-in-dns…
*** Yahoo Publishes National Security Letters After FBI Drops Gag Orders ***
---------------------------------------------
Yahoo just became the first company to disclose that it has received NSLs without having to go to court to do so.
---------------------------------------------
http://www.wired.com/2016/06/yahoo-publishes-national-security-letters-fbi-…
*** Docker Containers Logging ***
---------------------------------------------
In a previous diary, Jim talked about forensic operations against Docker containers. To be able to perform investigations after an incident, we must have some ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21121
*** Die meisten Android-Virenscanner sind unsicher ***
---------------------------------------------
Eigentlich sollte AV-Software das Smartphone vor Schadcode schützen. Wie Forscher nun festgestellt haben, weisen viele Virenjäger für Android allerdings selbst eklatante Sicherheitsmängel auf.
---------------------------------------------
http://heise.de/-3225169
*** Trend Micro enterprise products multiple vulnerabilities ***
---------------------------------------------
Multiple enterprise products provided by Trend Micro Incorporated contain multiple vulnerabilities.
---------------------------------------------
http://jvn.jp/en/jp/JVN48847535/
*** Trend Micro Internet Security multiple vulnerabilities ***
---------------------------------------------
Trend Micro Internet Security provided by Trend Micro Incorporated contains multiple vulnerabilities.
---------------------------------------------
http://jvn.jp/en/jp/JVN48789425/
*** Mitnick Attack Reappears at GeekPwn Macau Contest ***
---------------------------------------------
Cao Yue, a Ph.D. student from University of California, Riverside, delivered a stunning show at the GeekPwn 2016 Macau Contest on May 12 attended by top-caliber white hat hackers worldwide. Cao succeeded in remotely hijacking TCP connections at his random choice.
---------------------------------------------
http://www.prnewswire.com/news-releases/mitnick-attack-reappears-at-geekpwn…
*** Hacker Lexicon: What Is Fuzzing? ***
---------------------------------------------
Sometimes hacking isnt about taking a program apart: Its about throwing random objects at it to see what breaks.
---------------------------------------------
http://www.wired.com/2016/06/hacker-lexicon-fuzzing/
*** [2016-06-02] Multiple critical vulnerabilities in Ubee EVW3226 Advanced wireless voice gateway ***
---------------------------------------------
The firmware for the cable modem Ubee EVW3226 contains multiple critical vulnerabilities, which can be exploited to gain full system-level access to the device. This allows for inspection, modification and redirection of traffic.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2016…
*** IRONGATE ICS Malware: Nothing to See Here...Masking Malicious Activityon SCADA Systems ***
---------------------------------------------
https://www.fireeye.com/blog/threat-research/2016/06/irongate_ics_malware.h…
*** TeamViewer users claim accounts hacked ***
---------------------------------------------
TeamViewer is a remote desktop connection software that allows users to share screens and allow remote access from anywhere in the world. In the past 24 hours, many customers ..
---------------------------------------------
http://www.inquisitr.com/3156809/teamviewer-accounts-hacked-users-claim/
*** Erpresser-Mails drohen mit Rufschädigung über Social Media ***
---------------------------------------------
Erpresser machen sich die Berichterstattung über aktuelle Hackerangriffe zunutze, um Droh-Mails zu verschicken, in denen sie den Opfern damit drohen, sensible Informationen auf deren Online-Konten zu veröffentlichen.
---------------------------------------------
http://heise.de/-3225619
*** 93% Of Phishing Emails Are Now Ransomware ***
---------------------------------------------
According to the latest data from security firm PhishMe, 93% of all phishing emails as of the end of March contained encryption ransomware. The numbers ..
---------------------------------------------
https://tech.slashdot.org/story/16/06/02/1356241/93-of-phishing-emails-are-…
*** How Russian cybercrime bosses crafted a ransomware empire out of an economic crisis ***
---------------------------------------------
Amid a crashing ruble and shaken markets due to global sanctions over Russian president Vladimir Putins ..
---------------------------------------------
http://www.neowin.net/news/how-russian-cybercrime-bosses-crafted-a-ransomwa…
*** XSA-178 ***
---------------------------------------------
http://xenbits.xen.org/xsa/advisory-178.html
*** XSA-175 ***
---------------------------------------------
http://xenbits.xen.org/xsa/advisory-175.html
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 31-05-2016 18:00 − Mittwoch 01-06-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Tor Browser 6.0: Ditches SHA-1 Support, Uses DuckDuckGo For Default Search Results ***
---------------------------------------------
The version 6.0 of Tor Browser, a free software for enabling anonymous communication, is now available to download. The new version introduces several changes, including disabling SHA-1 support, and removing ..
---------------------------------------------
https://tech.slashdot.org/story/16/05/31/1643234/tor-browser-60-ditches-sha…
*** Drupal SQLi (Drupalgeddon) Attack Trend CVE-2014-3704 / SA-CORE-2014-005 ***
---------------------------------------------
It has been over 19 months since Drupalgeddon, which refers to Drupal's Security Advisory (SA) SA-CORE-2014-005. For those unfamiliar with it, it ..
---------------------------------------------
https://blog.sucuri.net/2016/05/drupal-sqli-drupalgeddon-attack-trend-cve-2…
*** Finding Conditional Drupal Database Spam ***
---------------------------------------------
Nobody likes spam. It's never fun (unless you're watching Monty Python). For us it comes with the territory; removing SEO spam has been at the core of what we deal with since our inception, giving us some pretty good ..
---------------------------------------------
https://blog.sucuri.net/2016/05/finding-conditional-drupal-database-spam.ht…
*** Cluster of 'megabreaches' compromises a whopping 642 million passwords ***
---------------------------------------------
MySpace, Tumblr, and Fling are the latest services to join discredited LinkedIn.
---------------------------------------------
http://arstechnica.com/security/2016/05/cluster-of-megabreaches-compromise-…
*** Moxa UC 7408-LX-Plus Firmware Overwrite Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a firmware overwrite vulnerability in Moxa's UC 7408-LX-Plus device.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-152-01
*** ABB PCM600 Vulnerabilities ***
---------------------------------------------
This advisory contains mitigation details for one use of password hash with insufficient computational effort and three insufficiently protected credentials vulnerabilities in ABB's PCM600.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-152-02
*** Unfalsifiability of security claims ***
---------------------------------------------
There is an inherent asymmetry in computer security: things can be declared insecure by observation, but not the reverse. There is no observation that allows us to declare an arbitrary system or technique secure. We ..
---------------------------------------------
http://research.microsoft.com/pubs/256133/unfalsifiabilityOfSecurityClaims.…
*** Lücke in ImageMagick und GraphicsMagick ermöglicht erneute Angriffe ***
---------------------------------------------
Manipulierte Dateinamen können Schadcode über die popen()-Funktion des Betriebssystems zur Ausführung bringen. Patches stehen bereit.
---------------------------------------------
http://heise.de/-3223811
*** Scrum.org hacked, may have lost crypto keys and some user data ***
---------------------------------------------
Dont go dissing DevOps: a supplier has fessed up to a website vuln Scrum.org, the Scrum certification ..
---------------------------------------------
www.theregister.co.uk/2016/06/01/scrumorg_hacked_may_have_lost_crypto_keys_…
*** Heikle Sicherheitslücken in vorinstallierter Laptop-Software ***
---------------------------------------------
http://derstandard.at/2000038006783
*** Microsoft: Spamfilter für Hotmail und Outlook kaputt ***
---------------------------------------------
Unternehmen arbeitet mit Hochdruck an Lösung, manche Nutzer sollen "extreme Menge" an Spam-Mails erhalten
---------------------------------------------
http://derstandard.at/2000038023486
*** The impossible task of creating a 'Best VPNs' list today ***
---------------------------------------------
Our writer set out to make a list of reliable VPNs; turns out the task is complicated.
---------------------------------------------
http://arstechnica.com/security/2016/06/aiming-for-anonymity-ars-assesses-t…
*** VB2015 paper: Economic Sanctions on Malware ***
---------------------------------------------
Financial pressure can be a proactive and potentially very effective tool in making our computer ecosystems safer. By cleverly employing various trust metrics and technologies such as digital signing, watermarking, and ..
---------------------------------------------
https://www.virusbulletin.com/blog/2016/06/economic-sanctions-malware/
*** DRIDEX Poses as Fake Certificate in Latest Spam Run ***
---------------------------------------------
At a glance, it seems that DRIDEX has dwindled its activities or operation, appearing only for a few days this May. This is quite unusual given that in the past five months or so, this prevalent online banking threat ..
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/dridex-poses-as-…
*** Security: LG muss Android-Firmware reparieren ***
---------------------------------------------
Zwei Sicherheitslücken in LGs-Android Firmware ermöglichen eine Reihe von Angriffen, teilweise auch aus der Ferne. Nutzer sollten schnell reagieren, die Updates stehen bereit.
---------------------------------------------
http://www.golem.de/news/security-lg-muss-android-firmware-reparieren-1606-…
*** Kindernahrung: Mein Baby Club von Hipp wurde gehackt ***
---------------------------------------------
Kopierte Nutzerdaten sind immer ein Ärgernis - besonders, wenn die persönlichen Informationen von Kindern betroffen sind. Der Hersteller Hipp hat seine Kunden jetzt über einen Einbruch in die eigenen Serversysteme des Mein Baby Clubs informiert
---------------------------------------------
http://www.golem.de/news/kindernahrung-mein-baby-club-von-hipp-wurde-gehack…
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 30-05-2016 18:00 − Dienstag 31-05-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Abgeschlossen: Wartungsarbeiten Dienstag, 31. 5. 2016 ***
---------------------------------------------
Abgeschlossen: Wartungsarbeiten Dienstag, 31. 5. 201625. Mai 2016Am Dienstag, 31. Mai 2016, werden wir Wartungsarbeiten an unserer Infrastruktur vornehmen. Dies wird zu Ausfällen der extern erreichbaren Services (zB Mail, Webserver, Mailinglisten) führen, diese können jeweils ..
---------------------------------------------
http://www.cert.at/services/blog/20160525113745-1748.html
*** Österreichische Handy-Signatur anfällig für Phishing ***
---------------------------------------------
Mit einer sogenannten Handy-Signatur können Österreicher auch Dokumente für Kommunikation Behörden rechtsverbindlich unterschreiben. Doch die digitale Unterschrift lässt sich mit einem einfachen Phishing-Angriff fälschen.
---------------------------------------------
http://heise.de/-3222980
*** Vulnerability in Citrix Studio Could Result in Insecure Access Policy Configuration ***
---------------------------------------------
A vulnerability has been identified in Citrix Studio that could allow Access Policy rules to be set insecurely on the Citrix XenDesktop Delivery Controller.
---------------------------------------------
https://support.citrix.com/article/CTX213045
*** Nach Kritik: Pornhub überarbeitet sein Bounty-Programm ***
---------------------------------------------
Mit ihrem Bug-Bounty-Programm hat eine Pornoseite Schlagzeilen gemacht. Doch die Kommunikation mit den Hackern und die gezahlten Bountys sorgten für viel Kritik. Das Unternehmen verspricht jetzt Besserung.
---------------------------------------------
http://www.golem.de/news/nach-kritik-pornhub-ueberarbeitet-sein-bounty-prog…
*** Twitter paid out $322,420 in bug bounties ***
---------------------------------------------
Researchers have proven that bug bounties are a cheaper way for discovering vulnerabilities than hiring full-time bug hunters would be and, in the last few years, many Internet and tech companies have instituted such programs. The security community has praised those who have, and the ..
---------------------------------------------
https://www.helpnetsecurity.com/2016/05/31/twitter-bug-bounty/
*** Neuer Tor Browser setzt bei der Suche auf DuckDuckGo ***
---------------------------------------------
Die bisherige Standardsuche Disconnect habe auf von Google auf Bing umgestellt, mit katastrophalem Ergebnis, begründen die Entwickler ihre Entscheidung. Weitere Änderungen betreffen Mac-Nutzer und die Anzeige von YouTube-Videos.
---------------------------------------------
http://heise.de/-3210346
*** Bloatware Insecurity Continues to Haunt Consumer, Business Laptops ***
---------------------------------------------
High-severity vulnerabilities were found in pre-installed software updaters present in consumer and business laptops from vendors such as Dell, HP, Lenovo, Asus and Acer.
---------------------------------------------
http://threatpost.com/bloatware-insecurity-continues-to-haunt-consumer-busi…
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 27-05-2016 18:00 − Montag 30-05-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Security baseline for Windows Server 2016 Technical Preview 5 (TP5) ***
---------------------------------------------
Microsoft is pleased to announce the draft release of the security configuration baseline settings for Windows Server 2016, corresponding to Technical ..
---------------------------------------------
https://blogs.technet.microsoft.com/secguide/2016/05/27/security-baseline-f…
*** New Locky ransomware campaign sets sights on Amazon customers ***
---------------------------------------------
Amazon customers are the target of a wide-ranging phishing email scam intended to fool recipients into opening up a malicious attachment that results in the downloading of Locky ransomware.
---------------------------------------------
http://www.scmagazine.com/new-locky-ransomware-campaign-sets-sights-on-amaz…
*** How Attackers Use a Flash Exploit to Distribute Crimeware and Other Malware ***
---------------------------------------------
Background Adobe Flash is multimedia software that runs on more than 1 billion systems worldwide. Its long list of security vulnerabilities and huge market presence ..
---------------------------------------------
https://www.alienvault.com/blogs/security-essentials/how-attackers-use-a-fl…
*** VMSA-2016-0005.2 ***
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2016-0005.html
*** Security Advisory: Stored XSS in Jetpack ***
---------------------------------------------
During regular research audits for our Sucuri Firewall (Cloud-based WAF), we discovered a stored XSS vulnerability affecting the WordPress Jetpack plugin, currently installed on more than a million WordPress sites. The ..
---------------------------------------------
https://blog.sucuri.net/2016/05/security-advisory-stored-xss-jetpack-2.html
*** ZDI-16-361: (Pwn2Own) Apple OS X libATSServer Heap-based Buffer Overflow Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows attackers to execute arbitrary code on vulnerable installations of Apple OS X. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-16-361/
*** ZDI-16-360: (Pwn2Own) Apple OS X fontd Sandbox Escape Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple OS X. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-16-360/
*** Microsoft stattet Windows 10 mit doppelten Virenschutz aus ***
---------------------------------------------
http://derstandard.at/2000037805637
*** Nach LinkedIn Datenleck auch bei MySpace ***
---------------------------------------------
Der LinkedIn-Hacker hat laut eigenen Angaben auch 360 Millionen E-Mail-Adressen von MySpace-Nutzern und ..
---------------------------------------------
http://futurezone.at/digital-life/nach-linkedin-datenleck-auch-bei-myspace/…
*** Duqu 2.0 kernel exploitation technique analysis (part 1 of 2) ***
---------------------------------------------
Out of the multiple components used in the sophisticated Duqu 2.0 cyberespionage attack, we had a chance to look into one of the kernel exploits used for its ..
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2016/05/29/%e2%80%8bduqu-2-0-kerne…
*** CVE Request: GraphicsMagick and ImageMagick popen() shell vulnerability via filename ***
---------------------------------------------
All existing releases of GraphicsMagick and ImageMagick support a file open syntax where if the first character of the file specification is a |, then the remainder of the filename is passed to the shell for execution using the ..
---------------------------------------------
http://permalink.gmane.org/gmane.comp.security.oss.general/19669
*** breaking into a wordpress site without knowing wordpress/php or infosec at all ***
---------------------------------------------
This is a post about how I tried and broke into my colleges wordpress installation without having any prior knowledge of wordpress/php and without any experience with hacking web-servers. The attempts were spread out over a month, ..
---------------------------------------------
https://notehub.org/5zo2v
*** Saudi-Arabien soll Cyberangriffe gegen Iran gestartet haben ***
---------------------------------------------
http://derstandard.at/2000037865736
*** Microsoft geht gegen zu einfache Passwörter vor ***
---------------------------------------------
Künftig sollen Nutzer von Azure und anderen Diensten Warnungen erhalten, wenn ihr Kennwort ..
---------------------------------------------
http://derstandard.at/2000037866342
*** Cisco Products IPv6 Neighbor Discovery Crafted Packet Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability in the IP Version 6 (IPv6) packet processing functions of Cisco IOS XR Software, Cisco IOS XE Software, and Cisco NX-OS Software could allow an ..
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
*** Angreifer erbeuten Nutzerdaten von sz-magazin.de ***
---------------------------------------------
Ein Unbefugter habe sich Mitte Mai rechtswidrig Zugriff auf einen Datenbankserver des SZ-Magazins verschafft.
---------------------------------------------
http://heise.de/-3222586
*** Hintergrund: Zertifikate sperren - so gehts ***
---------------------------------------------
Verkehrte Welt -- um ein Zertifikat zu sperren, muss man es erst installieren. Mit der folgenden Anleitung ..
---------------------------------------------
http://heise.de/-3222308
*** Zum Weltnichtrauchertag: BSI warnt vor Malware in E-Zigaretten ***
---------------------------------------------
Wer E-Zigaretten raucht, erspart seiner Lunge Teer, setzt aber die Gesundheit seines Rechners aufs Spiel - zumindest, wenn die E-Zigarette per USB aufgeladen wird.
---------------------------------------------
http://www.golem.de/news/zum-weltnichtrauchertag-bsi-warnt-vor-malware-in-e…
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 26-05-2016 18:00 − Freitag 27-05-2016 18:00
Handler: Stephan Richter
Co-Handler: Alexander Riepl
*** VU#482135: MEDHOST Perioperative Information Management System contains hard-coded database credentials ***
---------------------------------------------
MEDHOST Perioperative Information Management System (PIMS) versions prior to 2015R1 contain hard-coded credentials that are used for customer database access.
---------------------------------------------
http://www.kb.cert.org/vuls/id/482135
*** Environmental Systems Corporation Data Controllers Vulnerabilities ***
---------------------------------------------
This advisory contains mitigation details for data controller vulnerabilities in the Environmental Systems Corporation (ESC) 8832 Data Controller.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-147-01
*** Sixnet BT Series Hard-coded Credentials Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a hard-coded credential vulnerability in Sixnet's BT series routers.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-147-02
*** Black Box AlertWerks ServSensor Credential Management Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a credential management vulnerability in Black Box's AlertWerks ServSensor devices.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-147-03
*** Bugtraq: ESA-2016-061: EMC Isilon OneFS SMB Signing Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538499
*** Up to a dozen banks are reportedly investigating potential SWIFT breaches ***
---------------------------------------------
More banks have reportedly launched investigations into potential security breaches on their networks after hackers stole US$81 million from the Bangladesh ..
---------------------------------------------
http://www.cio.com/article/3075448/up-to-a-dozen-banks-are-reportedly-inves…
*** Cisco WebEx Meeting Center Site Access Control User Account Enumeration Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Security Advisory: NTP vulnerability CVE-2016-2519 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/41/sol41613034.html
*** Security Advisory: NTP vulnerability CVE-2016-2517 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/61/sol61200338.html
*** Multiple Buffalo wireless LAN routers vulnerable to information disclosure ***
---------------------------------------------
http://jvn.jp/en/jp/JVN75813272/
*** Multiple Buffalo wireless LAN routers vulnerable to directory traversal ***
---------------------------------------------
http://jvn.jp/en/jp/JVN81698369/
*** Link (.lnk) to Ransom ***
---------------------------------------------
We are alerting Windows users of a new type of ransomware that exhibits worm-like behavior. This ransom leverages removable and network drives to propagate ..
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2016/05/26/link-lnk-to-ransom/
*** Spoofer ***
---------------------------------------------
Seeking to minimize Internets susceptibility to spoofed DDoS attacks, we are developing and supporting open-source software tools to assess and report on the deployment of source address validation (SAV) best anti-spoofing practices. This ..
---------------------------------------------
http://www.caida.org/projects/spoofer/
*** Security Advisory - Apache Struts2 Remote Code Execution Vulnerability in Huawei Products ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160527-…
*** Path Traversal in extension "Media management" (media) ***
---------------------------------------------
https://typo3.org/news/article/path-traversal-in-extension-media-management…
*** Cross-Site Scripting in extension "Formhandler" (formhandler) ***
---------------------------------------------
https://typo3.org/news/article/cross-site-scripting-in-extension-formhandle…
*** Global companies arent quick to patch 'high' severity flaw in OpenSSL ***
---------------------------------------------
Yet another Padding Oracle flaw (CVE-2016-2107), allowing decrypting TLS traffic in a MITM attack, remains exploitable on the most popular web and email servers.
---------------------------------------------
https://www.htbridge.com/blog/CVE-2016-2107-padding-oracle-exploit.html
*** TLS-Zertifikate: Google zieht Daumenschrauben der CAs weiter an ***
---------------------------------------------
Ab Juni müssen alle Symantec-CAs ihre Aktivitäten via Certificate Transparency registrieren. Sonst werden die Zertifikats-Inhaber abgestraft. Das könnte auch andere CAs treffen.
---------------------------------------------
http://heise.de/-3215053
*** Cisco Firepower Management Center Web Interface Code Injection Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Android Banking Trojan 'SpyLocker' Targets More Banks in Europe ***
---------------------------------------------
Since the discovery of the Android banking Trojan SpyLocker, Intel Security has closely monitored this threat. SpyLocker first appeared disguised as Adobe Flash Player and targeted customers of banks in Australia, New Zealand, and ..
---------------------------------------------
https://blogs.mcafee.com/mcafee-labs/android-banking-trojan-spylocker-targe…
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 24-05-2016 18:00 − Mittwoch 25-05-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** New Botnets Used for Low and Slow Credential Testing (May 23, 2016) ***
---------------------------------------------
Botnets are being used to test account access credentials...
---------------------------------------------
http://www.sans.org/newsletters/newsbites/r/18/41/306
*** Many Ubiquiti Wireless Devices Still Vulnerable (May 20 and 23, 2016) ***
---------------------------------------------
Owners of Ubiquiti wireless devices are being urged to apply a patch that the company released last year; the flaw it fixes is being actively exploited...
---------------------------------------------
http://www.sans.org/newsletters/newsbites/r/18/41/308
*** Nulled WordPress Themes: Malvertising and Black Hat SEO ***
---------------------------------------------
If you have been following our blog for some time, you know that we regularly warn about risks associated with the use of third-party software on your site. A benign plugin may sneakingly inject ads into your site which cause malvertising problems for the site visitors (e.g. SweetCaptcha). Other plugins may be hijacked by hackers or... The post Nulled WordPress Themes: Malvertising and Black Hat SEO appeared first on Sucuri Blog.
---------------------------------------------
https://blog.sucuri.net/2016/05/nulled-wordpress-themes-malvertising-black-…
*** New Wekby Attacks Use DNS Requests As Command and Control Mechanism ***
---------------------------------------------
We have observed an attack led by the APT group Wekby targeting a US-based organization in recent weeks. Wekby is a group that has been active for a number of years, targeting various industries such...
---------------------------------------------
http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks…
*** SWIFT exec unveils info sharing plan, calls Bangladesh a watershed event ***
---------------------------------------------
SWIFT CEO Gottfried Leibbrandt issued details of the messaging service companys information-sharing strategy.
---------------------------------------------
http://www.scmagazine.com/swift-exec-unveils-info-sharing-plan-calls-bangla…
*** Stop Using "internal" Top Level Domain Names, (Wed, May 25th) ***
---------------------------------------------
Cert.org this week warned again that internal top level domain names can be used against you, if one of these domains happens to be registered as a new generic top level domain (gTLD). Currently, there are about 1200 approved gTLDs, and the number will only increase even though the initial gold rush seems to have leveled off somewhat [1] US-Cert just sent out a reminder again regarding the use of internal domain names for automatic proxy configuration via WPAD. If this internal, but not...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21095&rss
*** CVE-2015-2545: overview of current threats ***
---------------------------------------------
Cyberespionage attacks conducted by different groups across the Asia-Pacific (APAC) and Far East regions share one common feature: in order to infect their victims with malware, the attackers use an exploit for the CVE-2015-2545 vulnerability.
---------------------------------------------
http://securelist.com/analysis/publications/74828/cve-2015-2545-overview-of…
*** Who's tracking you online, and how? ***
---------------------------------------------
Armed with a tool that mimics a consumer browser but is actually bent on discovering all the ways websites are tracking visitors, Princeton University researchers have discovered several device fingerprinting techniques never before seen in the wild. The web privacy measurement tool is called OpenWPM, and has been open sourced. Its creators are the very same researchers who performed this latest study. They crawled and analyzed measurements collected from 1 million of the most popular...
---------------------------------------------
https://www.helpnetsecurity.com/2016/05/25/whos-tracking-you-online/
*** The Answer is always the same: Layers of Security ***
---------------------------------------------
There is a common misperception that now that containers support seccomp we no longer need SELinux to help protect our systems. WRONG. The big weakness in containers is the container possesses the ability to interact with the host kernel and the host file systems. Securing the container processes is all about shrinking the attack surface on the host OS and more specifically on the host kernel.seccomp does a great job of shrinking the attack surface on the kernel. The idea is to limit the number...
---------------------------------------------
https://access.redhat.com/blogs/766093/posts/2334141
*** Skimmers Found at Walmart: A Closer Look ***
---------------------------------------------
Recent local news stories about credit card skimmers found in self-checkout lanes at some Walmart locations reminds me of a criminal sales pitch I saw recently for overlay skimmers made specifically for the very same card terminals.
---------------------------------------------
http://krebsonsecurity.com/2016/05/skimmers-found-at-walmart-a-closer-look/
*** VMSA-2016-0006 ***
---------------------------------------------
VMware vCenter Server updates address an important cross-site scripting issue
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2016-0006.html
*** HPE Service Manager Unspecified Flaw Lets Remote Users Obtain Potentially Sensitive Information on the Target System ***
---------------------------------------------
http://www.securitytracker.com/id/1035954
*** Operation Technology ETAP 14.1.0 Multiple Stack Buffer Overrun Vulnerabilities ***
---------------------------------------------
Multiple ETAP binaries are prone to a stack-based buffer overflow vulnerability because the application fails to handle malformed arguments. An attacker can exploit these issues to execute arbitrary code within the context of the application or to trigger a denial-of-service conditions.
---------------------------------------------
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5324.php
*** Operation Technology ETAP 14.1.0 Local Privilege Escalation ***
---------------------------------------------
ETAP suffers from an elevation of privileges vulnerability which can be used by a simple authenticated user that can change the executable file with a binary of choice. The vulnerability exist due to the improper permissions, with the C flag (Change) for Authenticated Users group.
---------------------------------------------
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5323.php
*** ZDI-16-354: (0Day) ActivePDF Toolkit ImageToPDF IAT Overwrite Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of ActivePDF Toolkit. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-16-354/
*** Moxa MiiNePort Vulnerabilities ***
---------------------------------------------
This advisory contains mitigation details for weak credential management, sensitive information not protected, and cross-site request forgery vulnerabilities in Moxa's MiiNePort serial device server module series.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-145-01
*** Security Advisory: Java vulnerabilities CVE-2013-5802 and CVE-2013-5823 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/53/sol53316849.html?…
*** Security Advisory: Multiple Java vulnerabilities ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/95/sol95313044.html?…
*** Wartungsarbeiten Dienstag, 31.5.2016 ***
---------------------------------------------
Wartungsarbeiten Dienstag, 31. 5. 2016 | 25. Mai 2016 | Am Dienstag, 31. Mai 2016, werden wir Wartungsarbeiten an unserer Infrastruktur vornehmen. Dies wird zu Ausfällen der extern erreichbaren Services (zB Mail, Webserver, Mailinglisten) führen, diese können jeweils mehrere Minuten andauern. Es...
---------------------------------------------
http://www.cert.at/services/blog/20160525113745-1748.html
Next End-of-Shift report: 2016-05-27
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 23-05-2016 18:00 − Dienstag 24-05-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** DMA Locker 4.0 - Known Ransomware Preparing For A Massive Distribution ***
---------------------------------------------
We take a look at the step towards maturity of DMA Locker how this will be spreading on a bigger scale.Categories: Malware Threat analysisTags: DMA Lockerransomware(Read more...)
---------------------------------------------
https://blog.malwarebytes.org/threat-analysis/2016/05/dma-locker-4-0-known-…
*** Beware of keystroke loggers disguised as USB phone chargers, FBI warns ***
---------------------------------------------
Private industry notification comes 15 months after debut of KeySweeper.
---------------------------------------------
http://arstechnica.com/security/2016/05/beware-of-keystroke-loggers-disguis…
*** SWIFT to unveil new security plan after hackers heists ***
---------------------------------------------
The SWIFT secure messaging service that underpins international banking said it plans to launch a new security program as it fights to rebuild its reputation in the wake of the Bangladesh Bank heist. [...] Users frequently do not inform SWIFT of breaches of their SWIFT systems and even now, the co-operative has not proposed any sanctions for clients who fail to pass on information, which SWIFT itself says is key to stopping future attacks.
---------------------------------------------
http://www.reuters.com/article/us-cyber-banks-swift-idUSKCN0YE2S6
*** Kommentar: Allo, Google? Gehts noch? ***
---------------------------------------------
Googles WhatsApp-Alternative Allo verschlüsselt nicht konsequent, sondern liest stattdessen aktiv mit. Was soll das?
---------------------------------------------
http://heise.de/-3215729
*** WPAD name collision bug opens door for MitM attackers ***
---------------------------------------------
A vulnerability in Web Proxy Auto-Discovery (WPAD), a protocol used to ensure all systems in an organization utilize the same web proxy configuration, can be exploited to mount MitM attacks from anywhere on the Internet, US-CERT warns. "With the New gTLD program, previously undelegated gTLD strings are now being delegated for public domain name registration. These strings may be used by private or enterprise networks, and in certain circumstances, such as when a work computer...
---------------------------------------------
https://www.helpnetsecurity.com/2016/05/24/wpad-name-collision-bug/
*** Hacker finds flaw in teleconference tool used by US Army, NASA and CERN ***
---------------------------------------------
Like we need another reason to hate videoconferences Sydney security tester Jamieson OReilly has reported a since-patched vulnerability in popular video platform Vidyo - used by the likes of the US Army, NASA and CERN - that could see videos leaked and systems compromised.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/05/19/popular_tel…
*** Pastejacking im Browser: Codeausführung per Copy and Paste ***
---------------------------------------------
Browser können den Inhalt der Zwischenablage selbstständig verändern. In einem Proof-of-Concept wird gezeigt, wie diese Funktion für Angriffe genutzt werden kann - und Nutzer sich recht einfach schützen können.
---------------------------------------------
http://www.golem.de/news/pastejacking-im-browser-codeausfuehrung-per-copy-a…
*** Bösartige Apps stellen heimlich teure Telefonverbindungen her ***
---------------------------------------------
Warnung der Regulierungsbehörde
---------------------------------------------
http://derstandard.at/2000037564561
*** Neben Erpressung nun auch DDoS: Verschlüsselungs-Trojaner Cerber lernt dazu ***
---------------------------------------------
Mit einer neuen Version von Cerber wollen die Drahtzieher hinter der Ransomware noch mehr Profit generieren: Der Schädling nimmt persönliche Daten als Geisel und die Kriminellen können infizierte Computer für DDoS-Attacken missbrauchen.
---------------------------------------------
http://heise.de/-3217254
*** The Anti-Ransomware Protection Plan You Need to Follow Today ***
---------------------------------------------
Technology has made our lives both easier and more complicated - there's no denying that. Fast Internet access opened up a world of wisdom and all the distractions we can image. But the door is also open for cyber criminals with little to no scruples and a big appetite for money. And there's no better...
---------------------------------------------
https://heimdalsecurity.com/blog/anti-ransomware-protection-plan/
*** Xen Security Advisory CVE-2014-3672 / XSA-180 ***
---------------------------------------------
When the libxl toolstack launches qemu for HVM guests, it pipes the output of stderr to a file in /var/log/xen. This output is not rate-limited in any way. The guest can easily cause qemu to print messages to stderr, causing this file to become arbitrarily large.
---------------------------------------------
http://xenbits.xen.org/xsa/advisory-180.html
*** Pulse Connect Secure Bugs Let Remote Users Deny Service, Obtain Potentially Sensitive Information, and Conduct Cross-Site Scripting Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1035932
*** Missing Access Check in TYPO3 CMS ***
---------------------------------------------
It has been discovered, that TYPO3 CMS lacks an access check for Extbase actions.
---------------------------------------------
https://typo3.org/news/article/missing-access-check-in-typo3-cms/
*** Missing Access Check in extension "Frontend User Registration" (sf_register) ***
---------------------------------------------
It has been discovered that the extension "Frontend User Registration" (sf_register) lacks a proper access check.
---------------------------------------------
https://typo3.org/news/article/missing-access-check-in-extension-frontend-u…
*** Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager JSON Privilege Escalation Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco UCS Invicta Software Default GPG Key Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** F5 Security Advisories ***
---------------------------------------------
*** Security Advisory: GNU C Library (glibc) vulnerability CVE-2016-3075 ***
https://support.f5.com:443/kb/en-us/solutions/public/k/15/sol15439022.html?…
---------------------------------------------
*** Security Advisory: OpenSSH vulnerability CVE-2016-1907 ***
https://support.f5.com:443/kb/en-us/solutions/public/k/35/sol35424631.html?…
---------------------------------------------
*** Security Advisory: glibc vulnerability CVE-2016-3075 ***
https://support.f5.com:443/kb/en-us/solutions/public/k/15/sol15439022.html?…
---------------------------------------------
*** Security Advisory: Java vulnerabilities CVE-2013-5782 and CVE-2013-5803 ***
https://support.f5.com:443/kb/en-us/solutions/public/k/14/sol14340611.html?…
---------------------------------------------
*** Security Advisory: PHP Vulnerability CVE-2016-4539 ***
https://support.f5.com:443/kb/en-us/solutions/public/k/35/sol35240323.html?…
---------------------------------------------
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Host On-Demand (CVE-2016-0264 ,CVE-2016-3449) ***
http://www.ibm.com/support/docview.wss?uid=swg21983578
---------------------------------------------
*** IBM Security Bulletin: Multiple Mozilla Firefox vulnerability issues in IBM Storwize V7000 Unified ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005812
---------------------------------------------
*** IBM Security Bulletin: IBM Connections Security Update (CVE-2016-0322) ***
http://www.ibm.com/support/docview.wss?uid=swg21982611
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Apache Tomcat may affect IBM WebSphere Application Server Community Edition (CVE-2015-5174) ***
http://www.ibm.com/support/docview.wss?uid=swg21983128
---------------------------------------------
*** IBM Applicable countries and regions ***
http://www.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5099367
---------------------------------------------
*** IBM Security Bulletin: Security vulnerabilities have been identified in the versions of IBM WebSphere Application Server Community Edition bundled with Web Experience Factory 7.0.x and 8.0.x (CVE-2015-5345) (CVE-2016-0706) (CVE-2016-0714) ***
http://www.ibm.com/support/docview.wss?uid=swg21981775
---------------------------------------------
*** IBM Security Bulletin: HTTP response splitting has been identified in IBM WebSphere Application Server Liberty Profile shipped with SmartCloud Cost Management and Tivoli Usage Accounting Manager (CVE-2015-2017) ***
http://www.ibm.com/support/docview.wss?uid=swg2C1000121
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 20-05-2016 18:00 − Montag 23-05-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Backdoor in Fake Joomla! Core Files ***
---------------------------------------------
We usually write a lot about obfuscation methods on Sucuri Labs and here on the blog. Sometimes we write about free tools to obfuscate your code that aren't that free and we also have an online tool to help decoding the malware you find. But sometimes the malware is not clearly encoded using base64, gzinflate, hex concatenation,... The post Backdoor in Fake Joomla! Core Files appeared first on Sucuri Blog.
---------------------------------------------
https://blog.sucuri.net/2016/05/unexpected-backdoor-fake-core-files.html
*** 60 percent of enterprise Android phones prone to QSEE vulnerability ***
---------------------------------------------
Duo Labs researchers found that 60 percent of enterprise Android phones are affected by a critical QSEE vulnerability.
---------------------------------------------
http://www.scmagazine.com/majority-of-enterprise-android-phones-vulnerable-…
*** The strange case of WinZip MRU Registry key, (Sun, May 22nd) ***
---------------------------------------------
When we want to know if a document (.doc, .pdf, whatever) has been opened by the user, in a Windows environment our information goldmine place is the Registry and particularly its MRUs keys. However, it seems this is not always the case. During the analysis of the Retefe case I wrote about in my previous diary, I came across a Registry behavior I did not expect, or at least I was not aware of, about how to verify if the file contained within the zip archive had been opened or not. Regarding...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21087&rss
*** ENISA- Europol issue joint statement ***
---------------------------------------------
ENISA and Europol issue joint statement on lawful criminal investigation that respects 21st Century data protection.
---------------------------------------------
https://www.enisa.europa.eu/news/enisa-news/enisa-europol-issue-joint-state…
*** Geldautomaten: Kriminelle erbeuten Millionen in zwei Stunden ***
---------------------------------------------
Kriminelle Kartenfälscher agieren global: Mit Hilfe von Kreditkarteninformationen einer südafrikanischen Bank erbeutete eine Bande in Japan in nur 2,5 Stunden Bargeld im Wert von mehr als 12 Millionen Euro.
---------------------------------------------
http://www.golem.de/news/geldautomaten-kriminelle-erbeuten-millionen-in-zwe…
*** National coordinators meet to prepare for ECSM launch ***
---------------------------------------------
National coordinators from across Europe gathered in Brussels earlier this month in preparation for the launch of this year's European Cyber Security Month.
---------------------------------------------
https://www.enisa.europa.eu/news/enisa-news/national-coordinators-meet-to-p…
*** Organizations unprepared for employee-caused security incidents ***
---------------------------------------------
While employee-related security risks are the number-one concern for security professionals, organizations are not taking adequate steps to prevent negligent employee behavior, according to a new Ponemon Institute study. The study, Managing Insider Risk Through Training & Culture, asked more than 600 individuals at companies that currently have a data protection and privacy training program to weigh in on the topic of negligent and malicious employee behaviors, as well as the consequences...
---------------------------------------------
https://www.helpnetsecurity.com/2016/05/23/employee-caused-security-inciden…
*** When Hashing isn't Hashing ***
---------------------------------------------
Anyone working in application security has found themselves saying something like this a thousand times: "always hash passwords with a secure password hashing function." I've said this phrase at nearly all of the developer events I've spoken at, it's become a mantra of sorts for many of us that try to improve the security of applications. We tell developers to hash passwords, then we have to qualify it to explain that it isn't normal hashing.
---------------------------------------------
https://adamcaudill.com/2016/05/23/when-hashing-isnt-hashing/
*** Technical Report about the RUAG espionage case ***
---------------------------------------------
After several months of Incident Response and Analysis in the RUAG cyber espionage case, we got the assignment from the Federal Council to write and publish a report about the findings. The following is a purely technical report, intending to inform the public about Indicators of Compromise (IOCs) and the Modus Operandi of the attacker group behind this case. We strongly believe in...
---------------------------------------------
https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espion…
*** Hack von Rüstungskonzern: Schweizer Cert gibt Security-Tipps für Unternehmen ***
---------------------------------------------
Daran könnten sich andere Sicherheitsfirmen ein Beispiel nehmen: Das Schweizer Cert hat detailliert die Angriffsmethoden einer APT-Gruppe auf den Technikkonzern Ruag analysiert und gibt Unternehmen Tipps zum Schutz.
---------------------------------------------
http://www.golem.de/news/hack-von-ruestungskonzern-schweizer-cert-gibt-secu…
*** After trio of hacks, SWIFT addresses information sharing concerns ***
---------------------------------------------
Following reports of a cyberattack last year in which hackers stole $9 million from an Ecuadorean bank, SWIFT stated it is taking steps to create more information sharing practices.
---------------------------------------------
http://www.scmagazine.com/after-trio-of-hacks-swift-addresses-information-s…
*** Student convicted after finding encryption flaws in government network ***
---------------------------------------------
He found that the encrypted network often wasnt... but he lost patience when it looked as though nothing was being done about it.
---------------------------------------------
https://nakedsecurity.sophos.com/2016/05/23/student-convicted-after-finding…
*** A recently patched Flash Player exploit is being used in widespread attacks ***
---------------------------------------------
It took hackers less than two weeks to integrate a recently patched Flash Player exploit into widely used Web-based attack tools that are being used to infect computers with malware.The vulnerability, known as CVE-2016-4117, was discovered earlier this month by security researchers FireEye. It was exploited in targeted attacks through malicious Flash content embedded in Microsoft Office documents.When the targeted exploit was discovered, the vulnerability was unpatched, which prompted a...
---------------------------------------------
http://www.cio.com/article/3073558/a-recently-patched-flash-player-exploit-…
*** Security Update Available for Adobe Connect (APSB16-17) ***
---------------------------------------------
A Security Bulletin (APSB16-17) has been published regarding a security update for Adobe Connect. Adobe recommends users update their product installations to the latest version using the instructions referenced in the security bulletin.
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1355
*** TA16-144A: WPAD Name Collision Vulnerability ***
---------------------------------------------
Original release date: May 23, 2016 Systems Affected Windows, OS X, Linux systems, and web browsers with WPAD enabled Overview Web Proxy Auto-Discovery (WPAD) Domain Name System (DNS) queries that are intended for resolution on private or enterprise DNS servers have been observed reaching public DNS servers [1]. In combination with the New generic Top Level Domain (gTLD) program's incorporation of previously undelegated gTLDs for public registration, leaked WPAD queries could result in...
---------------------------------------------
https://www.us-cert.gov/ncas/alerts/TA16-144A
*** Bugzilla 4.4.11 and 5.0.2 Security Advisory ***
---------------------------------------------
A specially crafted bug summary could trigger XSS in dependency graphs.
---------------------------------------------
https://www.bugzilla.org/security/4.4.11/
*** DSA-3585 wireshark - security update ***
---------------------------------------------
Multiple vulnerabilities were discovered in the dissectors/parsers forPKTC, IAX2, GSM CBCH and NCP which could result in denial of service.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3585
*** SECURITY BULLETIN: Trend Micro InterScan Web Security Virtual Appliance (IWSVA) Multiple Remote Code Execution Vulnerabilities ***
---------------------------------------------
Trend Micro has released new builds of the Trend Micro InterScan Web Security Virtual Appliance. These updates resolve vulnerabilities in the product that could potentially allow a remote attacker to execute arbitrary code on vulnerable installations.
---------------------------------------------
https://esupport.trendmicro.com/solution/en-US/1114185.aspx
*** SECURITY BULLETIN: Trend Micro OfficeScan Path Traversal Vulnerability ***
---------------------------------------------
Trend Micro has released an update for OfficeScan (OSCE) 11.0 Service Pack (SP) 1 which resolves a vulnerability in the product that when certain conditions are met could be exploited to access files and directories located outside of the core product web root folder.
---------------------------------------------
https://esupport.trendmicro.com/solution/en-US/1114097.aspx
*** ZDI-16-353: BitTorrent API Cross Site Scripting Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of BitTorrent and uTorrent. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-16-353/
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM WebSphere affect IBM Control Center (CVE-2016-0283, CVE-2015-7417). ***
http://www.ibm.com/support/docview.wss?uid=swg21981914
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities affect multiple IBM Rational products based on IBM Jazz technology (CVE-2015-7484, CVE-2015-7474, CVE-2015-7485, CVE-2015-7486, CVE-2016-0219) ***
http://www.ibm.com/support/docview.wss?uid=swg21983720
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in SSL affect IBM DataPower Gateways (CVE-2015-3193, CVE-2015-3195, CVE-2015-1794) ***
http://www.ibm.com/support/docview.wss?uid=swg21982608
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Marketing Platform (CVE-2016-0224, CVE-2016-0229, CVE-2016-0233) ***
http://www.ibm.com/support/docview.wss?uid=swg21980989
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in XML processing affect IBM DataPower Gateways ***
http://www.ibm.com/support/docview.wss?uid=swg21982607
---------------------------------------------
*** IBM Security Bulletin: Vulnerability identified in IBM Domino Java Console (CVE-2016-0304) ***
http://www.ibm.com/support/docview.wss?uid=swg21983328
---------------------------------------------
*** IBM Security Bulletin: OpenSSL vulnerabilities in Node.js found on May 03, 2016 affect Rational Software Architect and Rational Software Architect for WebSphere Software (CVE-2016-2107, CVE-2016-2105) ***
http://www.ibm.com/support/docview.wss?uid=swg21983555
---------------------------------------------
*** IBM Security Bulletin: Multiple OpenSSL vulnerabilities in Node.js included in Rational Application Developer for WebSphere Software ***
http://www.ibm.com/support/docview.wss?uid=swg21982949
---------------------------------------------
*** IBM Security Bulletin: One vulnerability in IBM Java SDK affect Application Delivery Intelligence 1.0.0 (CVE-2016-3427) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023804
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Runtime Environment Java Technology Edition, Version 6, affects: WebSphere Dashboard Framework (CVE-2016-3427, CVE-2016-3426, CVE-2016-0264) ***
http://www.ibm.com/support/docview.wss?uid=swg21982528
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Runtime Environment Java Technology Edition, Version 6, affects: Web Experience Factory (CVE-2016-3427, CVE-2016-3426, CVE-2016-0264) ***
http://www.ibm.com/support/docview.wss?uid=swg21982527
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in IBM Java SDK affects IBM Integration Designer and WebSphere Integration Developer (CVE-2016-3427) ***
http://www.ibm.com/support/docview.wss?uid=swg21983002
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM OS Images for Red Hat Linux Systems, IBM OS Images for AIX, and Windows. (CVE-2016-0363, CVE-2016-0376, CVE-2016-3426, and CVE-2016-0264) ***
http://www.ibm.com/support/docview.wss?uid=swg21983647
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Image Construction and Composition Tool. (CVE-2016-0363, CVE-2016-0376, CVE-2016-3426, and CVE-2016-0264) ***
http://www.ibm.com/support/docview.wss?uid=swg21983644
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in OpenSSL affects Tivoli Provisioning Manager for OS Deployment, Tivoli Provisioning Manager for Images (CVE-2016-2842) ***
http://www.ibm.com/support/docview.wss?uid=swg21982159
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM InfoSphere Information Server ***
http://www.ibm.com/support/docview.wss?uid=swg21981545
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in ApacheTomcat affect IBM Security SiteProtector System (CVE-2015-5174, CVE-2015-5345, CVE-2016-0706 and CVE-2016-0714) ***
http://www.ibm.com/support/docview.wss?uid=swg21983242
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in SSL affect IBM DataPower Gateways (CVE-2015-3197 ) ***
http://www.ibm.com/support/docview.wss?uid=swg21982697
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenStack affect IBM Spectrum Scale V4.2 and V4.1.1 (CVE-2015-8466 and CVE-2016-0738) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005833
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 19-05-2016 18:00 − Freitag 20-05-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** DSA-3584 librsvg - security update ***
---------------------------------------------
Gustavo Grieco discovered several flaws in the way librsvg, a SAX-basedrenderer library for SVG files, parses SVG files with circulardefinitions. A remote attacker can take advantage of these flaws tocause an application using the librsvg library to crash.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3584
*** Petya and Mischa - Ransomware Duet (part 1) ***
---------------------------------------------
After being defeated about a month ago, Petya comes back with new tricks. Now, not as a single ransomware, but in a bundle with another malicious payload - Mischa. Both are named after the satellites from the GoldenEye movie. They deploy attacks on ..
---------------------------------------------
https://blog.malwarebytes.org/threat-analysis/2016/05/petya-and-mischa-rans…
*** EITest campaign still going strong, (Fri, May 20th) ***
---------------------------------------------
Originally reported by Malwarebytes in October 2014 [1], the EITest campaign has been going strong ever since. Earlier this year, I documented how the campaign has evolved over time [2]. During its run, I had only noticed the EITest campaign use Angler EK to distribute a variety of ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21081
*** TLS/GCM: Gefahr durch doppelte Nonces ***
---------------------------------------------
Moderne TLS-Verbindungen nutzen üblicherweise das AES-GCM-Verschlüsselungsverfahren. Das benötigt einen sogenannten Nonce-Wert, der sich nicht wiederholen darf. Ansonsten ist die Sicherheit dahin.
---------------------------------------------
http://www.golem.de/news/tls-gcm-gefahr-durch-doppelte-nonces-1605-121005.h…
*** Important Security-Bulletin Pre-Announcement ***
---------------------------------------------
https://typo3.org/news/article/important-security-bulletin-pre-announcement…
*** Resource Data Management Intuitive 650 TDB Controller Vulnerabilities ***
---------------------------------------------
This advisory contains mitigation details for a privilege escalation vulnerability and a cross-site request forgery vulnerability in Resource Data Management's Intuitive 650 TDB Controller.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-140-01
*** Siemens SIPROTEC Information Disclosure Vulnerabilities ***
---------------------------------------------
This advisory contains mitigation details for information disclosure vulnerabilities in the Siemens SIPROTEC 4 and SIPROTEC Compact.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-140-02
*** Hacked in a public space? Thanks, HTTPS ***
---------------------------------------------
Kali Linux, laptop, coffee - hack on! Have you ever bothered to look at who your browser trusts? The padlock of a HTTPS connection doesnt mean anything if you cant trust the other end of the connection and its upstream signatories. Do you ..
---------------------------------------------
www.theregister.co.uk/2016/05/20/https_wifi_trust_in_a_public_place/
*** Wichtiger Sicherheits-Patch für Typo3 voraus ***
---------------------------------------------
In vielen Typo3-Versionen klafft offensichtlich eine schwerwiegende Sicherheitslücke. Ein Patch soll Anfang nächster Woche erscheinen.
---------------------------------------------
http://heise.de/-3212058
*** l+f: Erpressung für den guten Zweck ***
---------------------------------------------
Ein Verschlüsselungs-Trojaner fordert ein horrende Summe und will damit Gutes tun. Wer's glaubt ...
---------------------------------------------
http://heise.de/-3212111