=======================
= End-of-Shift report =
=======================
Timeframe: Friday 10-07-2015 18:00 − Monday 13-07-2015 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Government Grade Malware: a Look at HackingTeam's RAT ***
---------------------------------------------
Security researchers the world over have been digging through the massive HackingTeam dump for the past five days, and what we've found has been surprising. I've heard this situation called many things, and there's one description that I can definitely agree with: it's like Christmas for hackers. "On the fifth day of Christmas Bromium sent to...
---------------------------------------------
http://labs.bromium.com/2015/07/10/government-grade-malware-a-look-at-hacki…
*** Pawn Storm Update: Trend Micro Discovers New Java Zero-Day Exploit ***
---------------------------------------------
Analysis and data by Brooks Li (Threats Analyst) and Feike Hacquebord (Senior Threat Researcher) Zero-day exploits continued to be used in targeted attacks because they are effective, given that software vendors have yet to create patches for them. Throughout our on-going investigation and monitoring of a targeted attack campaign, Operation Pawn Storm, we found suspicious URLs that...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/5OzXdZhhVhc/
*** New Zero-Day Vulnerability (CVE-2015-5123) in Adobe Flash Emerges from Hacking Team Leak ***
---------------------------------------------
After two Adobe Flash player zero-days disclosed in a row from the leaked data of Hacking Team, we discovered another Adobe Flash Player zero-day (assigned with CVE number, CVE-2015-5123) that surfaced from the said leak. Adobe has already released a security advisory after we reported the said zero-day. This vulnerability is rated as critical and...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/rV5yri4x48E/
*** With Windows 10, updates arrive automatically ***
---------------------------------------------
In future, Windows 10 customers will have only very limited choice over when they receive an update.
---------------------------------------------
http://futurezone.at/produkte/mit-windows-10-kommen-updates-automatisch/141…
*** Jump List Files Are OLE Files, (Sun, Jul 12th) ***
---------------------------------------------
Jump List files are another type of files that are actually OLE files. They can contain useful data for forensic investigations. There are a couple of tools that can extract information from these files. Here you can see oledump analyzing an automatic Jump List file: The stream DestList contains the Jump List data: There are several sites on the Internet explaining the format of this data, like this one. I used this information to code a plugin for Jump List files: The plugin takes an option...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=19911&rss
*** Identifying the five principal methods of network attacks ***
---------------------------------------------
Companies are underestimating the risk of failing to provide security training to non-technical staff. A new Intel Security study, which surveyed IT decision makers in European-based companies, fo...
---------------------------------------------
http://feedproxy.google.com/~r/HelpNetSecurity/~3/gSbxVIXvO94/secworld.php
*** Mobile SSL failures: More common than they should be ***
---------------------------------------------
Securing your mobile application traffic is apparently more difficult than it should be, as researchers Anthony Trummer and Tushar Dalvi discovered when looking into SSL/TLS usage on the Android opera...
---------------------------------------------
http://feedproxy.google.com/~r/HelpNetSecurity/~3/dY8mHp2RDC4/article.php
*** Identifying and exploiting IBM WebSphere Application Server ***
---------------------------------------------
IBM WebSphere is an application server similar to Tomcat, JBoss and WebLogic. Therefore, it should be interesting to any penetration tester doing enterprise scale work where Websphere might be present. It should be also interesting to anyone who is working on securing enterprise environment since Websphere allows deploying own (malicious or not) code to the server. I have written NSE scripts to identify IBM Websphere consoles of application servers and to brute force any usernames and passwords. I...
---------------------------------------------
https://k0st.wordpress.com/2015/07/13/identifying-and-exploiting-ibm-websph…
*** Start Secure 2015 - security start-ups wanted ***
---------------------------------------------
The "Start Secure 2015" competition is organized jointly by the Ministry of the Interior and futurezone. The organizing partners are SBA Research, which on request also advises the winning start-ups as an incubator in their search for investors, and the Kuratorium Sicheres Österreich.
---------------------------------------------
http://futurezone.at/thema/start-ups/sicherheits-start-ups-gesucht/139.420.…
*** Common Assessment Tool Cheatsheets ***
---------------------------------------------
I have an unhealthy obsession for time savers when I'm doing pentest work. Since a lot of my time is spent on the command line I love cheatsheets. I thought I'd use this thread to post some of the more awesome cheat sheets I find...
---------------------------------------------
https://forum.bugcrowd.com/t/common-assessment-tool-cheatsheets/502
*** Tunneling Data and Commands Over DNS to Bypass Firewalls ***
---------------------------------------------
No matter how tightly you restrict outbound access from your network, you probably allow DNS queries to at least one server. Adversaries can abuse this "hole" in your firewall to exfiltrate data and establish stealthy Command and Control (C2) channels that are very difficult to block. ... I am struggling to come up with a solution to plug this firewall "hole", but I have a few risk mitigation recommendations:...
---------------------------------------------
https://zeltser.com/c2-dns-tunneling/
*** Google Photo App Uploads Your Images To Cloud, Even After Uninstalling ***
---------------------------------------------
Have you ever seen any mobile application working in the background silently even after you have uninstalled it completely? I have seen Google Photos app doing the same. Your Android smartphone continues to upload your phone photos to Google servers without your knowledge, even if you have already uninstalled the Google Photos app from your device. Nashville Business...
---------------------------------------------
http://feedproxy.google.com/~r/TheHackersNews/~3/yxF2id-ZsHg/google-photo-a…
*** "Forkmeiamfamous": Seaduke, latest weapon in the Duke armory ***
---------------------------------------------
Low-profile information-stealing Trojan is used only against high-value targets
---------------------------------------------
http://www.symantec.com/connect/blogs/forkmeiamfamous-seaduke-latest-weapon…
*** BGP Hijacking - why you need to care! ***
---------------------------------------------
This came across our desk this morning when we were putting together Dragon News Bytes. There is lots of talk about what has been discovered in the recent reporting on the data dump from the Hacking Team incident. A lot of the reporting discusses the ethics of the company's services and whom they have been selling them to. Concentrating for a moment on the technology deployed in this activity, it is suggested that BGP hijacking was involved. This is described in the article entitled...
---------------------------------------------
https://blog.team-cymru.org/2015/07/bgp-hijacking-why-do-you-need-to-care/
*** Very last call: support for Windows 2003 Server ends ***
---------------------------------------------
July 14 is definitively the end. Microsoft will no longer ship updates for Windows 2003 Server, not even for security problems. Although here, too, the rule seems to apply: exceptions prove the rule.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Allerletzter-Aufruf-Support-fuer-Win…
*** Hacking Team 0-day Flash Wave with Exploit Kits ***
---------------------------------------------
https://www.f-secure.com/weblog/archives/00002819.html
*** New PHP Releases Fix BACRONYM MySQL Flaw ***
---------------------------------------------
Several new versions of PHP have been released, all of which contain a number of bug fixes, most notably a patch for the so-called BACKRONYM vulnerability in MySQL. That bug in MySQL is caused by a problem with the way that the database software handles requests for secure connections. Researchers at Duo Security disclosed the...
---------------------------------------------
http://threatpost.com/new-php-releases-fix-bacronym-mysql-flaw/113740
*** The Adobe Flash Conundrum: Old Habits Die Hard ***
---------------------------------------------
Is it time to hop off the endless cycle of Flash vulnerabilities and updates? Last week has not been great for Adobe Flash. The 440GB of leaked Hacking Team emails has become a treasure trove for vulnerability hunters. Over the past 7 days, Flash was hit by three separate vulnerabilities: CVE-2015-5119 CVE-2015-5122 CVE-2015-5123 At this time, only the...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/AmkybOPif7Y/
*** Bugtraq: ESA-2015-115: EMC RecoverPoint for Virtual Machines (VMs) Restriction Bypass Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/535981
*** Cisco Mobility Services Engine Control And Provisioning Information Disclosure Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/viewAlert.x?alertId=39825
*** Juniper Security Advisories ***
---------------------------------------------
*** Juniper Junos IPv6 SEND Processing Flaw Lets Remote Users Deny Service ***
http://www.securitytracker.com/id/1032849
*** Juniper Junos SRX Network Security Daemon Bug Lets Remote Users Deny Service ***
http://www.securitytracker.com/id/1032848
*** Juniper Junos EX4600 and QFX Series Unspecified Flaw Lets Remote Users Deny Service ***
http://www.securitytracker.com/id/1032847
*** Juniper Junos J-Web Bugs Let Remote Users Conduct Cross-Site Scripting and Denial of Service Attacks ***
http://www.securitytracker.com/id/1032846
*** Bugtraq: [security bulletin] HPSBGN03373 rev.1 - HP Release Control running TLS, Remote Disclosure of Information ***
---------------------------------------------
http://www.securityfocus.com/archive/1/535983
*** Cisco WebEx Meeting Center Reflected Cross-Site Scripting Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/viewAlert.x?alertId=39782
*** F5 Security Advisories ***
---------------------------------------------
*** Security Advisory: Boost memory allocator vulnerability CVE-2012-2677 ***
https://support.f5.com:443/kb/en-us/solutions/public/16000/900/sol16946.htm…
*** Security Advisory: Multiple SQLite vulnerabilities ***
https://support.f5.com:443/kb/en-us/solutions/public/16000/900/sol16950.htm…
*** Security Advisory: Mailx vulnerabilities CVE-2004-2771 and CVE-2014-7844 ***
https://support.f5.com:443/kb/en-us/solutions/public/16000/900/sol16945.htm…
*** Security Advisory: Expat vulnerabilities CVE-2012-0876 and CVE-2012-1148 ***
https://support.f5.com:443/kb/en-us/solutions/public/16000/900/sol16949.htm…
*** Splunk Enterprise and Splunk Light Input Validation Flaw Lets Remote Users Conduct Cross-Site Scripting Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1032859
*** Squid CONNECT Method Peer Response Processing Flaw Lets Remote Users Bypass Security Controls ***
---------------------------------------------
http://www.securitytracker.com/id/1032873
*** PHP 5.x Security Updates, (Sun, Jul 12th) ***
---------------------------------------------
PHP 5.6.11, 5.5.27 and 5.4.43 were updated fixing numerous bugs in the various components of PHP including CVE-2015-3152. PHP recommend testing and upgrading to the current release. The binaries and packages are available here and the release notes here.
[1] http://www.php.net/ChangeLog-5.php
[2] http://windows.php.net/download/
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=19907&rss
*** Joomla J2Store 3.1.6 SQL Injection ***
---------------------------------------------
Topic: Joomla J2Store 3.1.6 SQL Injection
Risk: Medium
Text: J2Store v3.1.6, a Joomla! extension that adds basic store functionality to a Joomla! instance, suffered from two unauthenticate...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2015070053
*** DFN-CERT-2015-0907 FreeRADIUS: A vulnerability allows security measures to be bypassed ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2015-0907/
*** DFN-CERT-2015-1030 strongSwan: Two vulnerabilities allow information disclosure and denial-of-service attacks ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2015-1030/
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 09-07-2015 18:00 − Friday 10-07-2015 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Multiple vulnerabilities in Cisco TelePresence products ***
---------------------------------------------
http://tools.cisco.com/security/center/viewAlert.x?alertId=39798
http://tools.cisco.com/security/center/viewAlert.x?alertId=39802
http://tools.cisco.com/security/center/viewAlert.x?alertId=39801
http://tools.cisco.com/security/center/viewAlert.x?alertId=39795
http://tools.cisco.com/security/center/viewAlert.x?alertId=39796
http://tools.cisco.com/security/center/viewAlert.x?alertId=39800
http://tools.cisco.com/security/center/viewAlert.x?alertId=39797
*** VMSA-2015-0005 ***
---------------------------------------------
VMware Workstation, Player and Horizon View Client for Windows do not set a discretionary access control list (DACL) for one of their processes. This may allow a local attacker to elevate their privileges and execute code in the security context of the affected process.
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2015-0005.html
*** The Massive OPM Hack Actually Hit 21 Million People ***
---------------------------------------------
The massive hack that struck the US Office of Personnel Management affected some 21.5 million people, all of them people who had information stolen about them from a backgrounds investigation database used for evaluating people who sought classified clearances from the government.
---------------------------------------------
http://www.wired.com/2015/07/massive-opm-hack-actually-affected-25-million/
*** Using the Yubikey's two-factor authentication under Linux ***
---------------------------------------------
With the help of the Yubikey, an encrypted system partition under Linux can additionally be secured with two-factor authentication. In this combination, a more convenient password can also be used.
---------------------------------------------
http://www.golem.de/news/systemverschluesselung-yubikeys-zwei-faktor-authen…
*** Magento patch: update is meant to plug customer-data leak ***
---------------------------------------------
The Magento shop system has gaping holes that allow attackers to hijack admin accounts and read out customer data. The vendor has now released a patch that is meant to remedy this.
---------------------------------------------
http://heise.de/-2747984
*** Hacking Team Shows the World How Not to Stockpile Exploits ***
---------------------------------------------
Bank robber Willie Sutton’s famous line about why he robs banks—“because that’s where the money is”—was particularly apt this week after the Italian firm Hacking Team was hacked and at least two zero-day exploits the firm possessed were spilled to the public, along with about 400 gigabytes of company emails and other data.
---------------------------------------------
http://www.wired.com/2015/07/hacking-team-shows-world-not-stockpile-exploit…
*** Rootkits: User Mode & Kernel Mode - Part 1 ***
---------------------------------------------
In this article, we will learn about what rootkits are and how they operate. The focus will be on two types of Rootkits exploits: User Mode & Kernel Mode, what are the various ways in which rootkits exploit in both modes. In this Part we will learn ..
---------------------------------------------
http://resources.infosecinstitute.com/rootkits-user-mode-kernel-mode-part-1/
*** Programming tips for the BIOS backdoor ***
---------------------------------------------
The hacker Cr4sh explains how he builds a backdoor into the UEFI firmware of an Intel mainboard. In the process, critical holes in the x86 platform show up once again, above all in System Management Mode.
---------------------------------------------
http://heise.de/-2748219
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 08-07-2015 18:00 − Thursday 09-07-2015 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
*** Hacking Team Flash Zero-Day Tied To Attacks In Korea and Japan... on July 1 ***
---------------------------------------------
Earlier this week several vulnerabilities were disclosed as part of the leak of information from the Italian company Hacking Team. We've noted that this exploit is now in use by various exploit kits. However, feedback provided by the Smart Protection Network also indicates that this exploit was also used in limited attacks in Korea and Japan....
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/Ys8noghmsHc/
*** Ding! Your RAT has been delivered ***
---------------------------------------------
Talos is constantly observing malicious spam campaigns delivering various different types of payloads. Common payloads include things like Dridex, Upatre, and various versions of Ransomware. One less common payload that Talos analyzes periodically are Remote Access Trojans or RATs. A recently observed spam campaign was using freeware remote access trojan DarkKomet (a.k.a DarkComet). This isn't a novel approach since threat actors have been leveraging tools like DarkKomet or Hawkeye...
---------------------------------------------
http://blogs.cisco.com/security/talos/darkkomet-rat-spam
*** Finland: 17-year-old botnet operator convicted ***
---------------------------------------------
Hijacked more than 50,000 computers for a botnet, carried out DDoS attacks and stole credit card data: a 17-year-old Finn, allegedly a member of the hacker group Lizard Squad, is given a two-year suspended sentence.
---------------------------------------------
http://heise.de/-2745646
*** Detecting Random - Finding Algorithmically chosen DNS names (DGA), (Thu, Jul 9th) ***
---------------------------------------------
Most normal user traffic communicates via a hostname and not an IP address. So looking at traffic communicating directly by IP with no associated DNS request is a good thing to do. Some attackers use DNS names for their communications. There is also malware such as Skybot and the Styx exploit kit that use algorithmically chosen host name rather than IP addresses for their command and control channels. This malware uses what has been called DGA or Domain Generation Algorithms to create random...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=19893&rss
*** Happy Video Game Day 2015 ***
---------------------------------------------
Gamers are being targeted more and more by malware, trojans, and keyloggers, especially those that participate in pay-to-play games and MMORPGs (Massively Multiplayer Online Role-Playing Game). Your accounts, personal identity, banking information and even credit card numbers can be stolen if you are playing without a cyber-security solution. The PC gaming market is increasing rapidly and is expected to reach $30.9 Billion in 2016, and with that, the targets are getting bigger and more...
---------------------------------------------
http://www.webroot.com/blog/2015/07/08/happy-video-game-day-2015
*** Cisco PSIRT reporting Customers affected by ASA VPN DoS attacks, (Thu, Jul 9th) ***
---------------------------------------------
Patch your firewalls! 2015-July-08 UPDATE: Cisco PSIRT is aware of disruption to some Cisco customers with Cisco ASA devices affected by CVE-2014-3383, the Cisco ASA VPN Denial of Service Vulnerability that was disclosed in this Security Advisory. Traffic causing the disruption was isolated to a specific source IPv4 address. Cisco has engaged the provider and owner of that device and determined that the traffic was sent with no malicious intent. Cisco strongly recommends that customers...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=19895&rss
*** Security hole: OpenSSL accepts bogus certificates ***
---------------------------------------------
An OpenSSL update fixes a critical security vulnerability. Using a few tricks, an attacker can thereby turn an ordinary certificate into a certificate authority. Clients are primarily affected.
---------------------------------------------
http://www.golem.de/news/sicherheitsluecke-openssl-akzeptiert-falsche-zerti…
*** OpenSSL CVE-2015-1793: Man-in-the-Middle Attack ***
---------------------------------------------
As announced at the beginning of this week, OpenSSL has released the fix for CVE-2015-1793.
---------------------------------------------
https://ma.ttias.be/openssl-cve-2015-1793-man-middle-attack/
*** OpenSSL Security Advisory [9 Jul 2015] ***
---------------------------------------------
An error in the implementation of the alternative certificate chain logic could allow an attacker to cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and "issue" an invalid certificate. (original advisory). Reported by Adam Langley and David Benjamin (Google/BoringSSL).
---------------------------------------------
https://openssl.org/news/secadv_20150709.txt
*** Administration Views - Critical - Information Disclosure - SA-CONTRIB-2015-132 ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2015-132
Project: Administration Views (third-party module)
Version: 7.x
Date: 2015-July-08
Security risk: 15/25 (Critical) AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:All
Vulnerability: Information Disclosure
Description
Administration Views module replaces overview/listing pages with actual views for superior usability. The module does not check access properly under certain circumstances. Anonymous users could get access to read information they should not have
---------------------------------------------
https://www.drupal.org/node/2529378
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 07-07-2015 18:00 − Wednesday 08-07-2015 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Security Advisory for Adobe Flash Player (APSA15-03) ***
---------------------------------------------
A Security Advisory (APSA15-03) has been published regarding a critical vulnerability (CVE-2015-5119) in Adobe Flash Player 18.0.0.194 and earlier versions for Windows, ..
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1223
*** Security Updates Available for Adobe Flash Player (APSB15-16) ***
---------------------------------------------
A security bulletin (APSB15-16) has been published regarding security updates for Adobe Flash Player. These updates address critical vulnerabilities that could potentially ..
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1228
*** Multiple vulnerabilities in Cisco products ***
---------------------------------------------
http://tools.cisco.com/security/center/viewAlert.x?alertId=39675
http://tools.cisco.com/security/center/viewAlert.x?alertId=39643
http://tools.cisco.com/security/center/viewAlert.x?alertId=39641
http://tools.cisco.com/security/center/viewAlert.x?alertId=39623
*** CVE-2015-5119 (HackingTeam 0d - Flash up to 18.0.0.194) and Exploit Kits ***
---------------------------------------------
http://malware.dontneedcoffee.com/2015/07/hackingteam-flash-0d-cve-2015-xxx…
*** When ‘int’ is the new ‘short’ ***
---------------------------------------------
This is going to be a quick post, just describing a particularly interesting Chrome issue that I found last month; how I found it; and what is interesting about it. I was looking through some Chrome networking code; and I noticed an interesting API design ..
---------------------------------------------
http://googleprojectzero.blogspot.com/2015/07/when-int-is-new-short.html
*** Windows 10 can distribute Wi-Fi passwords to contacts ***
---------------------------------------------
In Windows 10, the Wi-Fi password can be distributed automatically to Facebook friends or Skype contacts. This saves the tedious dictating of passwords when guests visit, but also brings risks.
---------------------------------------------
http://www.golem.de/news/it-sicherheit-windows-10-kann-wlan-passwoerter-an-…
*** Vulnerability in the BIND 9 name server software ***
---------------------------------------------
An attacker who can get a name server with DNSSEC validation enabled to query a zone with special content can crash the name server.
---------------------------------------------
https://cert.at/warnings/all/20150708.html
*** "Zero-day" vulnerability in Adobe Flash Player (actively exploited) - patches now available ***
---------------------------------------------
By exploiting this hole, an attacker can presumably gain full control over affected systems. This puts at risk all data on these systems as well as all data and systems reachable through them (for example via login, VPN etc.).
---------------------------------------------
https://cert.at/warnings/all/20150708-2.html
*** Dyre Banking Trojan Exploits CVE-2015-0057 ***
---------------------------------------------
CVE-2015-0057 is a Use-After-Free vulnerability that exists in the win32k.sys component of the Windows Kernel which can be exploited to perform local privilege escalation. The vulnerability was reported to Microsoft by Udi Yavo, and, after the patch ..
---------------------------------------------
https://www.fireeye.com/blog/threat-research/2015/07/dyre_banking_trojan.ht…
*** Prenotification: Upcoming Security Updates for Adobe Acrobat and Reader (APSB15-15) ***
---------------------------------------------
A prenotification security advisory has been posted regarding upcoming Adobe Acrobat and Reader updates scheduled for Tuesday, July 14, 2015. We will continue to provide updates on the upcoming release via the Security Bulletins and Advisories page as well ..
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1232
*** Wild Neutron – Economic espionage threat actor returns with new tricks ***
---------------------------------------------
A powerful threat actor known as “Wild Neutron” (also known as “Jripbot” and “Morpho”) has been active since at least 2011, infecting high profile companies for several years by using a combination of exploits, watering holes and multi-platform malware.
---------------------------------------------
https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-…
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 06-07-2015 18:00 − Tuesday 07-07-2015 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Security Advisory: BIG-IQ remote authentication vulnerability CVE-2015-4637 ***
---------------------------------------------
When remote authentication is configured on the BIG-IQ system for an LDAP server that allows anonymous BIND operations, an unauthenticated user may obtain an authentication token from the REST API for any known (or guessed) LDAP user account and will receive all the access and privileges of that user account for REST API calls. (CVE-2015-4637)
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/16000/800/sol16861.htm…
*** Fraudulent BatteryBot Pro App Yanked from Google Play ***
---------------------------------------------
A malicious Android app spoofing the popular BatteryBot Pro app has been pulled from Google Play. Researchers at Zscaler reported the app, which had a package name of com.polaris.BatteryIndicatorPro. The app requested excessive permissions from the user in an attempt to get full control of an ..
---------------------------------------------
http://threatpost.com/fraudulent-batterybot-pro-app-yanked-from-google-play…
*** Malvertisement - A Nuclear EK Tale ***
---------------------------------------------
Over the past couple of years delivering malware via advertisements, or "malvertisement," has become one of the most popular methods of distribution for exploit kits. Like most trends in the world of Internet security, the longer it endures - the ..
---------------------------------------------
https://www.trustwave.com/Resources/SpiderLabs-Blog/Malvertisement-%e2%80%9…
*** Social Engineering - A Case Study ***
---------------------------------------------
In this article, I am going to illustrate a real life social engineering hack that I did for my friend. My friend saw some property ads on internet. He filled the query form for that ad, and after a day he got a fraudulent call ..
---------------------------------------------
http://resources.infosecinstitute.com/social-engineering-a-case-study/
*** Two major IT-Security Myths debunked ***
---------------------------------------------
There are two statements G DATA’s security experts hear and read time and again: “I do not surf on porn websites, my computer can’t get infected” as well as “my computer does not hold anything valuable and I have nothing to hide – why should I be a target?” It would be a pleasure to confirm this, but, unfortunately, we do not live in an ideal world. The company’s latest Malware Report underlines why such sentences should be regarded as myths and IT-Security is important for everyone.
---------------------------------------------
https://blog.gdatasoftware.com/blog/article/two-major-it-security-myths-deb…
*** NewStatPress <= 1.0.4 - Reflected Cross-Site Scripting (XSS) ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/8081
*** NewStatPress <= 1.0.4 - SQL Injection ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/8080
*** Safer Internet ***
---------------------------------------------
Anna is the director of a small kindergarten in Zurich. To give the kindergarten a home on the Internet, she registered a domain name and put up a website where parents can get up-to-date information about the kindergarten. A friend ..
---------------------------------------------
http://securityblog.switch.ch/2015/07/07/safer-internet/
*** Critical OpenSSL patch ahead ***
---------------------------------------------
In a short note, Mark J. Cox announces that a security update for OpenSSL is to be released on Thursday, July 9. It is rated at the highest severity level (high). This means that common configurations are affected and that the hole can probably be exploited to carry out denial-of-service attacks, steal data or even take over affected systems.
---------------------------------------------
http://heise.de/-2739804
*** Salzburg State Criminal Police Office warns of fake parcel-service e-mails ***
---------------------------------------------
Internet fraudsters are currently increasingly active in Salzburg. The police are urgently warning of fake e-mails sent in the name of well-known parcel services which claim that a shipment is on its way. A link supposedly lets the recipient check the current parcel status. In reality, however, clicking it installs the malware "CryptoLocker", which encrypts the data stored on the hard disk.
---------------------------------------------
http://derstandard.at/2000018700461
*** Fuzzing: Bug hunting with American Fuzzy Lop ***
---------------------------------------------
Feeding programs masses of malformed data as a test is an effective way of finding bugs. So-called fuzzing has been known for decades, but better tools and some spectacular finds of security vulnerabilities have recently rekindled interest in it.
---------------------------------------------
http://www.golem.de/news/fuzzing-auf-fehlersuche-mit-american-fuzzy-lop-150…
*** New Android Malware Family Evades Antivirus Detection by Using Popular Ad Libraries ***
---------------------------------------------
Unit 42 discovered a new family of Android malware that successfully evaded all antivirus products on the VirusTotal web service. We named this malware family 'Gunpoder' based on the main malicious component name, ..
---------------------------------------------
http://researchcenter.paloaltonetworks.com/2015/07/new-android-malware-fami…
*** Hacked Hacking Team ***
---------------------------------------------
As has been widely trumpeted across the various media since yesterday (see for example heise.de, derstandard.at), the company "Hacking Team" has apparently itself fallen victim to an attack. The leaked data also contain numerous pointers to previously unknown exploits ("0-days"). Unfortunately we lack the capacity to analyse all of the leaked data (a good 160,000 files totalling around 400GB!) ourselves in finite time, so we have to rely on the community for this.
---------------------------------------------
http://www.cert.at/services/blog/20150707141314-1556.html
*** Attack of the Zombie Orkut Phishing Pages ***
---------------------------------------------
Sometimes long dead websites are targeted by phishing pages. When those sites made use of single sign-on, the danger will never quite go away. Orkut may be gone, but the fake login pages persist ..
---------------------------------------------
https://blog.malwarebytes.org/fraud-scam/2015/07/attack-of-the-zombie-orkut…
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 03-07-2015 18:00 − Monday 06-07-2015 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** [20150602] - Core - CSRF Protection ***
---------------------------------------------
http://developer.joomla.org/security-centre/618-20150602-core-remote-code-e…
*** [20150601] - Core - Open Redirect ***
---------------------------------------------
http://developer.joomla.org/security-centre/617-20150601-core-open-redirect…
*** This 20-year-old Student Has Written 100 Malware Programs in Two Years ***
---------------------------------------------
Security firm Trend Micro has identified a 20-year-old Brazilian college student responsible for developing and distributing over 100 Banking Trojans selling each for around ..
---------------------------------------------
http://thehackernews.com/2015/07/student-hacker.html
*** A .BUP File Is An OLE File ***
---------------------------------------------
Yesterday I mentioned that McAfee quarantine files on Windows (.BUP extension) are actually OLE files. I'm going to write a couple of diary entries highlighting some file types that are OLE files, and ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=19869
*** MMD-0036-2015 - KINS (or ZeusVM) v2.0.0.0 toolkit (builder & panel) leaked. ***
---------------------------------------------
The background KINS (or ZeusVM to be precise) v2.0.0.0 toolkit (builder & panel) was leaked and spread all over the internet. On Jun 26th 2015 we were informed about this and after several internal discussions, considering that: "so ..
---------------------------------------------
http://blog.malwaremustdie.org/2015/07/mmd-0036-2015-kins-or-zeusvm-v2000.h…
*** A fileless Ursnif doing some POS focused reco ***
---------------------------------------------
http://malware.dontneedcoffee.com/2015/07/a-fileless-ursnif-doing-some-pos.…
*** BizCN gate actor changes from Fiesta to Nuclear exploit kit ***
---------------------------------------------
Introduction An actor using gates registered through BizCN recently switched from Fiesta to Nuclear exploit kit (EK). This happened around last month, and we first noticed the change on 2015-06-15. I started writing about this actor in 2014 ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=19875
*** Don't Be Fooled By Phony Online Reviews ***
---------------------------------------------
The Internet is a fantastic resource for researching the reputation of companies with which you may wish to do business. Unfortunately, this same ease-of-use can lull the unwary into falling for marketing scams originally perfected ..
---------------------------------------------
http://krebsonsecurity.com/2015/07/dont-be-fooled-by-phony-online-reviews/
*** Spy firm Hacking Team: "Enemy of the Internet" itself hacked ***
---------------------------------------------
The Italian surveillance firm Hacking Team has itself fallen victim to a massive hack: intruders were able to take around 480 GB of internal data and make it available for download. The company's Twitter account was also taken over and renamed "Hacked Team". The published information ..
---------------------------------------------
http://derstandard.at/2000018630550
*** Blue Pill hole closed in Xen ***
---------------------------------------------
The long list of security improvements in Xen 4.5.1 also includes a hole that allows breaking out of a virtual machine - and a mysterious, as yet undocumented entry.
---------------------------------------------
http://heise.de/-2736158
*** ManageEngine Password Manager Pro 8.1 SQL Injection ***
---------------------------------------------
An authenticated user (even the guest user) is able to execute arbitrary SQL code using a forged request to the SQLAdvancedALSearchResult.cc. The SQL query is built manually and is not escaped properly in the AdvanceSearch.class of AdventNetPassTrix.jar.
---------------------------------------------
http://cxsecurity.com/issue/WLB-2015070020
*** Insider Threats Defined ***
---------------------------------------------
According to the second annual SANS survey on the security of the financial services sector, the number one threat companies are concerned about doesn’t relate to nation-states, organised criminal gangs or ‘APTs’. Rather the main worry revolves around insider threats – but what exactly is an insider threat and what can be done to detect and respond to these threats?
---------------------------------------------
https://www.alienvault.com/blogs/security-essentials/insider-threats-defined
*** How to Deal with Reverse Domain Name Hijacking ***
---------------------------------------------
The fact that one owns a trademark which is identical or confusingly similar to a domain name does not necessarily mean that she is entitled to that domain name. For ..
---------------------------------------------
http://resources.infosecinstitute.com/how-to-deal-with-reverse-domain-name-…
*** Puzzles against DDoS attacks on TLS ***
---------------------------------------------
An Akamai employee describes how simple computational puzzles could be used to minimise DDoS attacks by clients on TLS connections. The idea is still only a draft, but it could be standardised as an extension for TLS 1.3.
---------------------------------------------
http://www.golem.de/news/ietf-raetselaufgaben-gegen-ddos-angriffe-auf-tls-1…
*** AWS Best Practices for DDoS Resiliency (PDF) ***
---------------------------------------------
http://d0.awsstatic.com/whitepapers/DDoS_White_Paper_June2015.pdf
*** No one expect command execution ! ***
---------------------------------------------
Unix is a beautiful world where your shell gives you the power of launching any command you like. But sometimes, a command can be used to launch other commands, and that's sometimes unexpected.
---------------------------------------------
http://0x90909090.blogspot.fr/2015/07/no-one-expect-command-execution.html
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 02-07-2015 18:00 − Friday 03-07-2015 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** Security Advisory: PHP vulnerability CVE-2015-4024 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/16000/800/sol16826.html
*** Angler Exploit Kit Evasion Techniques Keep Cryptowall Thriving ***
---------------------------------------------
Since the Angler Exploit Kit began pushing the latest version of Cryptowall ransomware, the kit has gone to great lengths to evade detection from IDS and other security technologies. The latest tactic is an almost-daily change to URL patterns used by the kit in HTTP GET requests for the Angler landing ..
---------------------------------------------
http://it.slashdot.org/story/15/07/02/1829244/angler-exploit-kit-evasion-te…
*** Plex: Media server's forums hacked ***
---------------------------------------------
Unknown attackers have apparently managed to hack the forum belonging to the service and gain access to sensitive data. Besides e-mail addresses, password hashes, private messages and IP addresses are also said to have been taken. ... Thus, all affected users have by now, via ..
---------------------------------------------
http://derstandard.at/2000018475799/Plex-Foren-des-Media-Servers-gehackt
*** Cisco Adaptive Security Appliance Software OSPFv2 Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/viewAlert.x?alertId=39612
*** DSA-3299 stunnel4 - security update ***
---------------------------------------------
Johan Olofsson discovered an authentication bypass vulnerability in Stunnel, a program designed to work as a universal SSL tunnel for network daemons. When Stunnel in ..
---------------------------------------------
https://www.debian.org/security/2015/dsa-3299
*** REcon Recap: Here's What Caught My Eye ***
---------------------------------------------
A few weeks ago I was fortunate enough to attend REcon in Montreal, Canada. This conference focuses on reverse engineering and exploitation techniques and has been ..
---------------------------------------------
http://researchcenter.paloaltonetworks.com/2015/07/recon-recap/
*** WordPress File Upload <= 2.7.6 - Multiple Vulnerabilities ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/8070
*** Security risk: LG's update app for smartphones is vulnerable ***
---------------------------------------------
LG smartphones are vulnerable to man-in-the-middle attacks because of poorly implemented SSL encryption. The manufacturer has apparently known about this for some time; a patch is supposed to fix the problem - but it has not yet arrived on some devices.
---------------------------------------------
http://www.golem.de/news/sicherheitsrisiko-lgs-update-app-fuer-smartphones-…
*** Many VPNs give away the true identity of their users ***
---------------------------------------------
Researchers find serious implementation problems - IPv6 and DNS queries undermine security
---------------------------------------------
http://derstandard.at/2000018498920
*** Mozilla: Firefox 39 throws out old crypto ***
---------------------------------------------
SSLv3 has been removed from Firefox 39 for good, and RC4 is now only temporarily permitted for a few sites. The Mozilla team is extending the browser's protection against malware, and there are also many smaller new features.
---------------------------------------------
http://www.golem.de/news/mozilla-firefox-39-schmeisst-alte-krypto-raus-1507…
*** Kovter AdFraud is updating Flash Player (and Internet Explorer) ***
---------------------------------------------
Checking my systems I noticed multiple VM trying to grab last version of Flash and thought they were not properly setup allowing Flash Player to auto-update (which we do not want obviously - we want to keep them exploitable and also avoid behavioural/network noise).
---------------------------------------------
http://malware.dontneedcoffee.com/2015/07/kovter-adfraud-is-updating-flash-…
*** l+f: Even more backdoors at Cisco ***
---------------------------------------------
http://heise.de/-2734480
*** Apple: EFI security update not for older Macs ***
---------------------------------------------
The security update, which prevents a possible modification of the firmware, is available for older OS X versions – but can only be installed on newer Macs.
---------------------------------------------
http://heise.de/-2735051
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 01-07-2015 18:00 − Thursday 02-07-2015 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** Attackers Revive Deprecated RIPv1 Routing Protocol in DDoS Attacks ***
---------------------------------------------
An advisory from Akamai warns of a recent reflection style DDoS attack in which the deprecated RIPv1 routing protocol was leveraged against targets.
---------------------------------------------
http://threatpost.com/attackers-revive-deprecated-ripv1-routing-protocol-in…
*** EMC Documentum D2 Input Validation Flaw Lets Remote Authenticated Users Obtain Potentially Sensitive Information ***
---------------------------------------------
A remote authenticated user can send specially crafted data to inject data query language (DQL) commands and obtain potentially sensitive information from the database on the target system.
...
The D2CenterstageService.getComments method is affected [CVE-2015-0547].
...
The D2DownloadService.getDownloadUrls method is affected [CVE-2015-0548].
---------------------------------------------
http://www.securitytracker.com/id/1032769
*** Updated Point-to-Point Encryption standard now provides more flexibility ***
---------------------------------------------
The Payment Card Industry Security Standards Council (PCI SSC) published an important update to one of its eight security standards, simplifying the development and use of Point-to-Point Encryption (P2PE) solutions that make payment card data unreadable and less valuable to criminals if stolen in a breach.
---------------------------------------------
http://www.net-security.org/secworld.php?id=18581
*** Final Year Dissertation Paper Release: An Evaluation of the Effectiveness of EMET 5.1 ***
---------------------------------------------
My paper covers three separate exploits that I converted to try to bypass EMET 5.1's protections as best I could and the techniques that I used to do so as well as how successful EMET 5.1 was at preventing me from exploiting the vulnerable programs.
---------------------------------------------
http://tekwizz123.blogspot.co.at/2015/07/final-year-dissertation-paper-rele…
*** ENISA's Udo Helmbrecht at EPP Hearing on cybersecurity ***
---------------------------------------------
ENISA's Udo Helmbrecht participated at the EPP Hearing on data driven security, which took place today 1st July 2015, at the European Parliament in Brussels.
Topics discussed included:
Session I: New trends in digital technology developments and cyber threats to security
Session II: Fighting crime: use of new technologies and use of data
Session III: Cyber Security: ensuring security and safety on state and individual levels
---------------------------------------------
http://www.enisa.europa.eu/media/news-items/enisa2019s-udo-helmbrecht-at-ep…
*** How safe is the Windows 10 Wi-Fi sharing feature? ***
---------------------------------------------
... what worries security experts is the fact that it allows users to share access to their password-protected Wi-Fi networks with their Outlook.com contacts, Skype contacts, and Facebook friends.
...
While this feature can come very handy, it could also open users to security risks.
---------------------------------------------
http://www.net-security.org/secworld.php?id=18584
*** Cisco Security Advisories/Vulnerability Alerts ***
---------------------------------------------
Cisco Unified Communications Domain Manager Default Static Privileged Account Credentials
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
Cisco Adaptive Security Appliance SNMP Denial of Service Vulnerability
http://tools.cisco.com/security/center/viewAlert.x?alertId=39611
---------------------------------------------
Cisco Nexus Operating System Devices Command Line Interface Local Privilege Escalation Vulnerability
http://tools.cisco.com/security/center/viewAlert.x?alertId=39583
---------------------------------------------
Cisco Digital Content Manager Message Processing Denial of Service Vulnerability
http://tools.cisco.com/security/center/viewAlert.x?alertId=39556
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 30-06-2015 18:00 − Wednesday 01-07-2015 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** What is Wi-Fi Sense and Why Does It Want Your Facebook Account? ***
---------------------------------------------
Wi-Fi Sense is a feature built into Windows 10. You may see a pop-up saying "Wi-Fi Sense needs permission to use your Facebook account." It also works with Outlook.com and Skype contacts. This feature allows you to share Wi-Fi login information - network names and passphrases - with your friends. It's designed to automatically connect Windows 10 devices to shared networks.
...
Wi-Fi Sense was originally a Windows Phone 8.1 feature that made the jump to desktop PCs and tablets with Windows 10.
---------------------------------------------
http://www.howtogeek.com/219700/what-is-wi-fi-sense-and-why-does-it-want-yo…
*** EU compromise on reporting obligations for cyber attacks is in place ***
---------------------------------------------
Operators of "essential" infrastructures and services in the EU will soon have to report cyber attacks; graduated rules are to apply to digital platforms such as social networks. The EU Council and Parliament have agreed on this.
---------------------------------------------
http://www.heise.de/newsticker/meldung/EU-Kompromiss-zu-Meldepflichten-bei-…
*** Apple Patches Dozens of Flaws in iOS 8.4, OS X 10.10.4 ***
---------------------------------------------
Apple has released new versions of iOS and OS X, both of which include a significant number of security patches, several for bugs that can lead to remote code execution and other serious issues. Version 8.4 of iOS contains fixes for more than 30 security vulnerabilities, including bugs in the iOS kernel, WebKit, and CoreText.
---------------------------------------------
http://threatpost.com/apple-patches-dozens-of-flaws-in-ios-8-4-os-x-10-10-4…
*** ZDI-15-275: (0Day) SolarWinds Storage Manager AuthenticationFilter Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of SolarWinds Storage Manager. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-15-275/
*** TYPO3 CMS 6.2.14 and 7.3.1 released ***
---------------------------------------------
We are announcing the release of the following TYPO3 CMS updates:
TYPO3 CMS 6.2.14 LTS
TYPO3 CMS 7.3.1
Both versions are maintenance releases and contain bug and security fixes.
---------------------------------------------
http://www.typo3.org/news/article/typo3-cms-6214-and-731-released/
*** Apple gets around to fixing those 77 security holes in OS X Yosemite ***
---------------------------------------------
Your OS X box can still be owned by, well, just about everything Apple has released a series of security updates to address 77 CVE-listed security vulnerabilities in OS X Yosemite.
---------------------------------------------
http://www.theregister.co.uk/2015/06/30/apple_finally_gets_around_to_fixing…
*** A third of iThings open to VPN-hijacking, app-wrecking attacks ***
---------------------------------------------
Masques off: Researchers detail five ways to wreck Apple stuff A trio of FireEye researchers have reported twin app-demolishing iOS vulnerabilities Apple has partially fixed in its latest update that could wreck core apps such as the App Store and Settings.
---------------------------------------------
http://www.theregister.co.uk/2015/07/01/masque_attack_ios_fireeye/
*** June 2015 Android malware review from Doctor Web ***
---------------------------------------------
PRINCIPAL TRENDS IN JUNE
- Activity of banking Trojans
- Emergence of new downloader Trojans
- Emergence of new Android ransomware
- Growing number of SMS Trojans
---------------------------------------------
http://news.drweb.com/show/?i=9511&lng=en&c=9
*** Cisco Vulnerability Alerts ***
---------------------------------------------
Cisco Nexus Devices NX-OS Software Command-Line Interpreter Local Privilege Escalation Vulnerability
http://tools.cisco.com/security/center/viewAlert.x?alertId=39569
---------------------------------------------
Cisco Nexus Devices Python Subsystem Local Privilege Escalation Vulnerabilities
http://tools.cisco.com/security/center/viewAlert.x?alertId=39571
---------------------------------------------
Cisco Unified MeetingPlace SQL Injection Vulnerability
http://tools.cisco.com/security/center/viewAlert.x?alertId=39570
---------------------------------------------
Cisco Nexus 7000 Devices Virtual Device Context Privilege Escalation Vulnerability
http://tools.cisco.com/security/center/viewAlert.x?alertId=39568
---------------------------------------------
*** IBM Security Bulletins ***
---------------------------------------------
IBM Security Bulletin: Vulnerability with Diffie-Hellman ciphers may affect IBM WebSphere Application Server that shipped with WebSphere Enterprise Service Bus (CVE-2015-4000)
http://www.ibm.com/support/docview.wss?uid=swg21961048
---------------------------------------------
IBM Security Bulletin: Vulnerability in Diffie-Hellman ciphers affects PowerKVM (CVE-2015-4000)
http://www.ibm.com/support/docview.wss?uid=isg3T1022395
---------------------------------------------
IBM Security Bulletin: Vulnerability with Diffie-Hellman ciphers may affect IBM WebSphere Application Server that shipped with WebSphere Enterprise Service Bus Registry Edition (CVE-2015-4000)
http://www.ibm.com/support/docview.wss?uid=swg21961049
---------------------------------------------
IBM Security Bulletin: CICS Transaction Gateway for Multiplatforms
http://www.ibm.com/support/docview.wss?uid=swg21903636
---------------------------------------------
IBM Security Bulletin: A security vulnerability in IBM WebSphere Application Server affects IBM Security Access Manager for Web version 7.0 software installations and IBM Tivoli Access Manager for e-business (CVE-2015-1920)
http://www.ibm.com/support/docview.wss?uid=swg21960450
---------------------------------------------
IBM Security Bulletin: Multiple vulnerabilities in the FreeType library affect IBM Security Access Manager for Web
http://www.ibm.com/support/docview.wss?uid=swg21960562
---------------------------------------------
IBM Security Bulletin: Multiple vulnerabilities in FreeType library affect IBM Security Access Manager for Mobile.
http://www.ibm.com/support/docview.wss?uid=swg21958900
---------------------------------------------
IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Security Access Manager for Web
http://www.ibm.com/support/docview.wss?uid=swg21960668
---------------------------------------------
IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Security Access Manager for Mobile.
http://www.ibm.com/support/docview.wss?uid=swg21958903
---------------------------------------------
IBM Security Bulletin: GNU C library (glibc) vulnerability affects IBM Security Access Manager for Web (CVE-2013-7423)
http://www.ibm.com/support/docview.wss?uid=swg21960456
---------------------------------------------
Vulnerabilities in NTPv4 affect AIX
http://www.ibm.com/support/
---------------------------------------------
IBM Security Bulletin: Multiple cross-site scripting (XSS) vulnerabilities in IBM Dojo Toolkit affects IBM Case Manager (CVE-2014-8917)
http://www.ibm.com/support/docview.wss?uid=swg21883851
---------------------------------------------
IBM Security Bulletin: PowerKVM is affected by a kexec-tools vulnerability (CVE-2015-0267)
http://www.ibm.com/support/docview.wss?uid=isg3T1022407
---------------------------------------------
IBM Security Bulletin: Dual_EC_DRBG vulnerability and RC4 stream cipher vulnerability affect WebSphere Transformation Extender Secure Adapter Collection (CVE-2007-6755, CVE-2015-2808)
http://www.ibm.com/support/docview.wss?uid=swg21959577
---------------------------------------------
IBM Security Bulletin: XSS vulnerability in Error dialog which can execute scripts injected into addressability and comments features that affects IBM Case Manager (CVE-2015-1979)
http://www.ibm.com/support/docview.wss?uid=swg21959695
---------------------------------------------
IBM Security Bulletin: Vulnerabilities in OpenSSL including Logjam affect Sterling Connect:Express for UNIX (CVE-2015-4000, CVE-2014-8176, CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, CVE-2015-1791, CVE-2015-1792)
http://www.ibm.com/support/docview.wss?uid=swg21959308
---------------------------------------------
IBM Security Bulletin: Vulnerability in Diffie-Hellman ciphers affects IBM Cognos Command Center (CVE-2015-4000)
http://www.ibm.com/support/docview.wss?uid=swg21960508
---------------------------------------------
IBM Security Bulletin: Vulnerability in Diffie-Hellman ciphers affects the Enterprise Common Collector component of the IBM Tivoli zEnterprise Monitoring Agent (CVE-2015-4000)
http://www.ibm.com/support/docview.wss?uid=swg21960019
---------------------------------------------
IBM Security Bulletin: Vulnerability in Diffie-Hellman ciphers affects IBM InfoSphere Optim Performance Manager (CVE-2015-4000)
http://www.ibm.com/support/docview.wss?uid=swg21959591
---------------------------------------------
IBM Security Bulletin: JavaScript evaluation vulnerability in IBM Business Process Manager (CVE-2015-1961)
http://www.ibm.com/support/docview.wss?uid=swg21959052
---------------------------------------------
IBM Security Bulletin: IBM Security Identity Manager Virtual Appliance affected by Java vulnerabilities (CVE-2015-0138 CVE-2015-0204 CVE-2015-1914 CVE-2015-2808 )
http://www.ibm.com/support/docview.wss?uid=swg21960515
---------------------------------------------
IBM Security Bulletin: Potential denial of service may affect IBM WebSphere Application Server shipped with IBM Tivoli Network Performance Manager (CVE-2015-1829)
http://www.ibm.com/support/docview.wss?uid=swg21960364
---------------------------------------------
IBM Security Bulletin: PowerKVM is affected by a bind vulnerability (CVE-2015-1349)
http://www.ibm.com/support/docview.wss?uid=isg3T1022295
---------------------------------------------
IBM Security Bulletin: PowerKVM is affected by a qemu vulnerability (CVE-2014-9718)
http://www.ibm.com/support/docview.wss?uid=isg3T1022294
---------------------------------------------
IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Security Access Manager for Mobile (CVE-2015-0488, CVE-2015-0478, CVE-2015-1916)
http://www.ibm.com/support/docview.wss?uid=swg21959597
---------------------------------------------
IBM Security Bulletin: GNU C library (glibc) vulnerability affects IBM Security Access Manager for Mobile (CVE-2013-7423)
http://www.ibm.com/support/docview.wss?uid=swg21959604
---------------------------------------------
IBM Security Bulletin: IBM PowerVC is impacted by OpenStack Glance v2 API unrestricted path traversal (CVE-2014-9493, CVE-2015-1195)
http://www.ibm.com/support/docview.wss?uid=nas8N1020785
---------------------------------------------
IBM Security Bulletin: IBM PowerVC is impacted by Apache Qpid security vulnerabilities (CVE-2015-0203, CVE-2015-0223, CVE-2015-0224)
http://www.ibm.com/support/docview.wss?uid=nas8N1020787
---------------------------------------------
IBM Security Bulletin: A cross-site scripting vulnerability affects IBM Security Access Manager for Mobile (CVE-2015-1966)
http://www.ibm.com/support/docview.wss?uid=swg21959068
---------------------------------------------
IBM Security Bulletin: A cross-site scripting vulnerability affects IBM Tivoli Federated Identity Manager and IBM Tivoli Federated Identity Manager Business Gateway (CVE-2015-1966)
http://www.ibm.com/support/docview.wss?uid=swg21959071
---------------------------------------------
IBM Security Bulletin: XSS Vulnerability in IBM Jazz Foundation affects multiple IBM Rational products based on IBM Jazz technology (CVE-2015-0130)
http://www.ibm.com/support/docview.wss?uid=swg21960407
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 29-06-2015 18:00 − Tuesday 30-06-2015 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Windows kerberos ticket theft and exploitation on other platforms ***
---------------------------------------------
I decided to take a look at how the kerberos tickets can be dumped from a Windows target and re-used on Linux. It was surprisingly easy to accomplish.
---------------------------------------------
https://mikkolehtisalo.wordpress.com/2015/06/29/copying-windows-kerberos-ti…
*** Why vulnerability disclosure shouldn't be a marketing tool ***
---------------------------------------------
So now we have three approaches to vulnerability disclosure: full disclosure, responsible disclosure, and marketing disclosure. My concern with the latter is that by its very nature it will get more coverage in both the IT industry and mainstream media.
...
In the cases where the vulnerability does affect the organization, the security team is called into action to remediate it, but this remediation may be based more on the impact the vulnerability has had on the news headlines rather than on the impact it actually may have on the environment. This results in already overstretched security teams being distracted from other core tasks.
---------------------------------------------
http://www.net-security.org/article.php?id=2318
*** DSA-3297 unattended-upgrades - security update ***
---------------------------------------------
It was discovered that unattended-upgrades, a script for automatic installation of security upgrades, did not properly authenticate downloaded packages when the force-confold or force-confnew dpkg options were enabled via the DPkg::Options::* apt configuration.
---------------------------------------------
https://www.debian.org/security/2015/dsa-3297
*** How Malware Campaigns Employ Google Redirects and Analytics, (Tue, Jun 30th) ***
---------------------------------------------
The email message sent to the bank employee claimed that the sender received a wire transfer from the recipient's organization and that the sender wanted to confirm that the payment went through without issues. The victim was encouraged to click a link that many people would consider safe, in part because it began with https://www.google.com/.
How would you examine the nature of this email?
Examining MSG and EML Files on Linux
One way to analyze the suspicious message saved as an Outlook .msg file
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=19843&rss
*** Tearing Apart a Datto ***
---------------------------------------------
Datto devices are becoming a popular backup solution for small to medium sized businesses. They are easy to use and well equipped out of the box. We recently found ourselves in an engagement where one of these devices was accessible via the LAN. Gaining access to backups is a bit of a goldmine during an assessment; unrestricted access to file shares, configuration information, extracting hashes from the NTDS.dit file, and a multitude of other things.
---------------------------------------------
http://silentbreaksecurity.com/tearing-apart-a-datto/
*** Vulnerability in Citrix NetScaler Application Delivery Controller and NetScaler Gateway Management Interface Could Result in Arbitrary Command Injection ***
---------------------------------------------
A vulnerability has been identified in Citrix NetScaler Application Delivery Controller (ADC) and Citrix NetScaler Gateway Management Interface that could allow an authenticated malicious user to execute shell commands on the appliance.
CVE: CVE-2015-5080
---------------------------------------------
http://support.citrix.com/article/CTX201149
*** Many Android devices vulnerable via debugger ***
---------------------------------------------
Via a vulnerability in the debugger, attackers can read the contents of main memory on over 90 percent of all Android devices and use this to launch further attacks.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Viele-Android-Geraete-ueber-Debugger…
*** Analyzing a Facebook Clickbait Worm ***
---------------------------------------------
Here at Sucuri we suspect everything, especially when your friends start to share content written in another language with clickbait headlines.
If you are not familiar with the term, clickbait is when web content is created in a way that psychologically exploits the reader's curiosity using compelling headlines. When someone clicks on the article to read it, the service promoting the article generates online advertisement revenue.
---------------------------------------------
https://blog.sucuri.net/2015/06/analyzing-a-facebook-clickbait-worm.html
*** Vulnerabilities in Cisco products ***
---------------------------------------------
Cisco Unified IP Phones 9900 Series Denial of Service Vulnerability
http://tools.cisco.com/security/center/viewAlert.x?alertId=39554
---------------------------------------------
Cisco Unified Communications Domain Manager Information Disclosure Vulnerability
http://tools.cisco.com/security/center/viewAlert.x?alertId=39557
---------------------------------------------
*** Vulnerabilities in IBM products ***
---------------------------------------------
Security Bulletin: Vulnerabilities in libxml2 affect System Networking Products (CVE-2014-0191, CVE-2013-2877, CVE-2014-3660)
http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5098306
---------------------------------------------
Security Bulletin: Vulnerabilities in OpenSSL affect Flex System FC3171 8Gb SAN Switch and Flex System FC3171 8Gb SAN Pass-thru (CVE-2014-3513, CVE-2014-3567, CVE-2014-3568)
http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5098265
---------------------------------------------
Security Bulletin: Vulnerability in Diffie-Hellman ciphers affects IBM Flex System Manager (FSM) SMIA Configuration Tool (CVE-2015-4000)
http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5098403
---------------------------------------------
Security Bulletin: Vulnerability in RC4 stream cipher affects IBM Flex System FC3171 8Gb SAN Switch and SAN Pass-thru firmware. (CVE-2015-2808)
http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5098314
---------------------------------------------
Security Bulletin: Vulnerability in RC4 stream cipher affects IBM System Networking RackSwitch (CVE-2015-2808)
http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5098302
---------------------------------------------
Security Bulletin: Vulnerability in RC4 stream cipher affects IBM BladeCenter Switches (CVE-2015-2808)
http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5098303
---------------------------------------------
Security Bulletin: Multiple vulnerabilities in xorg-x11-server affect IBM Flex System Manager (FSM)
http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5098372
---------------------------------------------
Security Bulletin: GNU C library (glibc) vulnerability affects IBM Flex System EN6131 40Gb Ethernet / IB6131 40Gb Infiniband Switch Firmware (CVE-2015-0235)
http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5098317
---------------------------------------------
Security Bulletin: Vulnerabilities in OpenSSL affect IBM Flex System FC3171 8Gb SAN Switch and SAN Pass-thru Firmware (CVE-2014-3569, CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204, CVE-2015-0205, CVE-2015-0206)
http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5098358
---------------------------------------------
Security Bulletin: Vulnerabilities in OpenSSL affect IBM System x, BladeCenter and Flex Systems Unified Extensible Firmware Interface (UEFI) (CVE-2014-3569, CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275)
http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5098339
---------------------------------------------
IBM Security Bulletin: IBM SmartCloud Analytics - Log Analysis is affected by Open Source Python Vulnerability (CVE-2014-9365)
http://www.ibm.com/support/docview.wss?uid=swg21958936
---------------------------------------------
IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Endpoint Manager for Remote Control
http://www.ibm.com/support/docview.wss?uid=swg21903374
---------------------------------------------
IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Tivoli Endpoint Manager for Remote Control.
http://www.ibm.com/support/docview.wss?uid=swg21903373
---------------------------------------------
IBM Security Bulletin: A vulnerability in cURL libcURL affects IBM Tivoli Composite Application Manager for Transactions (CVE-2014-8150)
http://www.ibm.com/support/docview.wss?uid=swg21697198
---------------------------------------------