=======================
= End-of-Shift report =
=======================
Timeframe: Monday 09-03-2015 18:00 − Tuesday 10-03-2015 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** MS15-MAR - Microsoft Security Bulletin Summary for March 2015 - Version: 1.0 ***
---------------------------------------------
This bulletin summary lists security bulletins released for March 2015.
---------------------------------------------
https://technet.microsoft.com/en-us/library/security/MS15-MAR
*** Apple Patches for iOS, OS X and Apple TV, (Tue, Mar 10th) ***
---------------------------------------------
With yesterday's updates for iOS, OS X and Apple TV, Apple also addressed a number of security vulnerabilities, most notably the FREAK vulnerability. After updating, the affected operating systems no longer support export-grade ciphers. However, Apple browsers continue to support SSLv3 and as a result remain vulnerable to POODLE. Quick summary of the security content of Apple's updates: Xcode 6.2: This update addresses 4 vulnerabilities in Subversion and 1 in Git. OS X: 5...
---------------------------------------------
https://isc.sans.edu/diary/Apple+Patches+for+iOS%2C+OS+X+and+Apple+TV/19443
*** Exploiting the DRAM rowhammer bug to gain kernel privileges ***
---------------------------------------------
"Rowhammer" is a problem with some recent DRAM devices in which repeatedly accessing a row of memory can cause bit flips in adjacent rows. We tested a selection of laptops and found that a subset of them exhibited the problem. We built two working privilege escalation exploits that use this effect. One exploit uses rowhammer-induced bit flips to gain kernel privileges on x86-64 Linux when run as an unprivileged userland process. When run on a machine vulnerable to the rowhammer...
---------------------------------------------
http://googleprojectzero.blogspot.co.at/2015/03/exploiting-dram-rowhammer-b…
*** Network Forensics What Are Your Investigations Missing - SANS DFIR WEBCAST ***
---------------------------------------------
Traditionally, computer forensic investigations focused exclusively on data from the seized media associated with a system of interest. Recently, memory analysis has become an integral part of forensic analysis, resulting in a new and significantly different way for digital examiners and investigators to perform their craft. Now another evolution in computer forensics is at hand - one that includes data collected from network devices as well as from the wires themselves. Every day, more and more...
---------------------------------------------
http://blog.malwareresearch.institute/video/2015/03/09/network-forensics-wh…
*** Yahoo Patches Critical eCommerce, Small Business Vulnerabilities ***
---------------------------------------------
Yahoo has fixed a handful of vulnerabilities that could have given an attacker free rein over all of its user-run eCommerce websites and caused multiple headaches for small business owners.
---------------------------------------------
http://threatpost.com/yahoo-patches-critical-ecommerce-small-business-vulne…
*** Attackers targeting Elasticsearch remote code execution hole ***
---------------------------------------------
Devs ring patch alarm bells, drop shellcode. Attackers are targeting a patched remote code execution vulnerability in Elasticsearch that grants unauthenticated attackers access through a buggy API.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2015/03/10/elastic_sea…
*** SMS Trojan bypasses CAPTCHA ***
---------------------------------------------
Trojan-SMS.AndroidOS.Podec proved to be remarkable: it can send messages to premium-rate numbers employing tools that bypass the Advice of Charge system. It can also subscribe users to premium-rate services while bypassing CAPTCHA.
---------------------------------------------
http://securelist.com/analysis/publications/69169/sms-trojan-bypasses-captc…
*** Xen Security Advisory CVE-2015-2150 / XSA-120 ***
---------------------------------------------
Non-maskable interrupts triggerable by guests
---------------------------------------------
http://xenbits.xen.org/xsa/advisory-120.html
*** Xen Security Advisory CVE-2015-2151 / XSA-123 ***
---------------------------------------------
Hypervisor memory corruption due to x86 emulator flaw
---------------------------------------------
http://xenbits.xen.org/xsa/advisory-123.html
*** Xen Security Advisory XSA-124 ***
---------------------------------------------
Non-standard PCI device functionality may render pass-through insecure
---------------------------------------------
http://xenbits.xen.org/xsa/advisory-124.html
*** Exploiting the DRAM "Row Hammer" Bug ***
---------------------------------------------
IBM has determined that all IBM System z, System p, and System x products are not vulnerable to this attack. IBM is analyzing other IBM products to determine if they are potentially impacted by this issue. Please actively monitor both your IBM Support Portal for available fixes and/or remediation steps and this blog for additional information.
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/exploiting_the_dram_r…
*** Row Hammer Privilege Escalation Vulnerability ***
---------------------------------------------
cisco-sa-20150309-rowhammer
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Multiple Vulnerabilities in OpenSSL (January 2015) Affecting Cisco Products ***
---------------------------------------------
cisco-sa-20150310-ssl
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Varnish 4.0.3 heap-buffer-overflow while parsing backend server HTTP response ***
---------------------------------------------
Topic: Varnish 4.0.3 heap-buffer-overflow while parsing backend server HTTP response. Risk: High. Text: Hi there, the latest varnish-cache 4.0.3 (https://www.varnish-cache.org/) seems to have a problem with parsing HTTP responses fro...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2015030056
*** Foxit Reader Update Service Unsafe Service Path Lets Local Users Gain Elevated Privileges ***
---------------------------------------------
http://www.securitytracker.com/id/1031879
*** Foxit Reader GIF File LZWMinimumCodeSize Memory Corruption Error Lets Remote Users Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1031878
*** Foxit Reader GIF File Ubyte Size Memory Corruption Error Lets Remote Users Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1031877
*** Red Hat Enterprise MRG Messaging Qpid Daemon Bugs Let Remote Users Deny Service and Access the System ***
---------------------------------------------
http://www.securitytracker.com/id/1031872
*** Rails ActiveModel::Name Flaw Lets Remote Users Deny Service ***
---------------------------------------------
http://www.securitytracker.com/id/1031873
*** Security Advisory: MainWP-Child WordPress Plugin ***
---------------------------------------------
Security Risk: Critical. Exploitation level: Very Easy/Remote. DREAD Score: 9/10. Vulnerability: Password bypass / Privilege Escalation. Patched Version: 2.0.9.2. During a routine audit of our Website Firewall (WAF), we found a critical vulnerability affecting the popular MainWP Child WordPress plugin. According to wordpress.org, it is installed on more than 90,000 WordPress sites as a remote administration...
---------------------------------------------
http://blog.sucuri.net/2015/03/security-advisory-mainwp-child-wordpress-plu…
*** Google Analytics by Yoast 5.3.2 - Cross-Site Scripting (XSS) ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/7838
*** Fraction Theme <= 1.1.1 - Privilege Escalation via CSRF ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/7840
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 06-03-2015 18:00 − Monday 09-03-2015 18:00
Handler: Stephan Richter
Co-Handler: Alexander Riepl
*** Attackers concealing malicious macros in XML files ***
---------------------------------------------
XML files are harmless text files, right? Wrong! The group behind the malicious Microsoft Office document campaigns has started to utilize Microsoft Office XML formats to hide malicious macros. This week, our spam traps were flooded with spam with XML...
---------------------------------------------
https://www.trustwave.com/Resources/SpiderLabs-Blog/Attackers-concealing-ma…
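Word 2003 XML ("WordML") documents can carry a complete OLE container, including a VBA project, as base64 text inside a w:binData element named editdata.mso, so an XML attachment that looks like plain text can still hold a macro. The following detector is an added example, not code from the Trustwave post or from any product: it pulls every binData blob out of a WordML file, unwraps the ActiveMime container Word writes around editdata.mso, and reports whether the embedded OLE file contains a VBA project. The fixed offset 0x32 for the zlib stream is an assumption taken from how such blobs are usually laid out; the code falls back to scanning for a zlib header when that guess fails. The two sample documents are constructed in the script (real magic values, fake content), not captured samples.

```python
import base64
import re
import zlib
import xml.etree.ElementTree as ET

# Word 2003 XML ("WordML") namespace; macros in such files travel inside a base64
# <w:binData w:name="editdata.mso"> element rather than in a visible .docm/.xlsm.
WORDML_NS = "http://schemas.microsoft.com/office/word/2003/wordml"
ACTIVEMIME_MAGIC = b"ActiveMime"                  # header of the container wrapped around editdata.mso
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE2 compound file signature
# OLE directory entry names are UTF-16LE, so look for the VBA storage names in that encoding.
VBA_MARKERS = ("VBA".encode("utf-16-le"), "_VBA_PROJECT".encode("utf-16-le"))
# Assumption (not from the Trustwave post): the zlib-compressed OLE file usually starts at
# offset 0x32 of the ActiveMime blob; unwrap_activemime() falls back to a header scan.
PREFERRED_OFFSET = 0x32


def extract_bindata(xml_bytes):
    """Yield (name, decoded_bytes) for every w:binData element in a WordML document."""
    root = ET.fromstring(xml_bytes)
    for el in root.iter("{%s}binData" % WORDML_NS):
        name = el.get("{%s}name" % WORDML_NS, "")
        text = "".join((el.text or "").split())      # base64 is usually line-wrapped
        try:
            yield name, base64.b64decode(text, validate=True)
        except ValueError:                            # binascii.Error is a ValueError subclass
            continue


def unwrap_activemime(blob):
    """Return the zlib-decompressed payload of an ActiveMime container, or None if it is not one."""
    if not blob.startswith(ACTIVEMIME_MAGIC):
        return None
    # Try the usual offset first, then every plausible zlib stream header found in the blob.
    offsets = [PREFERRED_OFFSET] + [m.start() for m in re.finditer(rb"\x78[\x01\x5e\x9c\xda]", blob)]
    for off in offsets:
        try:
            return zlib.decompressobj().decompress(blob[off:])   # tolerates trailing bytes
        except zlib.error:
            continue
    return None


def scan_wordml(xml_bytes):
    """Return one finding per embedded OLE object; has_vba flags a VBA project inside it."""
    findings = []
    for name, blob in extract_bindata(xml_bytes):
        payload = unwrap_activemime(blob)
        if payload is None or not payload.startswith(OLE_MAGIC):
            continue
        findings.append({
            "name": name,
            "ole_size": len(payload),
            "has_vba": any(marker in payload for marker in VBA_MARKERS),
        })
    return findings


def _constructed_ole(with_vba):
    """Constructed stand-in for an OLE file: real signature, fake directory names (not a real document)."""
    body = OLE_MAGIC + bytes(504)                    # 512-byte header
    if with_vba:
        body += "Macros".encode("utf-16-le") + bytes(52) + "VBA".encode("utf-16-le") + bytes(58)
    return body + bytes(256)


def _constructed_wordml(ole):
    """Constructed WordML document wrapping `ole` the way editdata.mso is wrapped (not a captured sample)."""
    blob = ACTIVEMIME_MAGIC + bytes(PREFERRED_OFFSET - len(ACTIVEMIME_MAGIC)) + zlib.compress(ole)
    return (
        b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        b'<w:wordDocument xmlns:w="' + WORDML_NS.encode() + b'">'
        b'<w:binData w:name="editdata.mso">' + base64.b64encode(blob) + b'</w:binData>'
        b'<w:body><w:p><w:r><w:t>Invoice attached</w:t></w:r></w:p></w:body>'
        b'</w:wordDocument>'
    )


SAMPLE_MACRO_DOC = _constructed_wordml(_constructed_ole(with_vba=True))
SAMPLE_CLEAN_DOC = _constructed_wordml(_constructed_ole(with_vba=False))

if __name__ == "__main__":
    for label, doc in (("macro", SAMPLE_MACRO_DOC), ("clean", SAMPLE_CLEAN_DOC)):
        print(label, scan_wordml(doc))
```

Run it over an attachment with `scan_wordml(open(path, "rb").read())`; a non-empty finding with has_vba set is the signal a mail gateway rule based only on file extension or MIME type would miss. Pairing this with a real OLE parser (for example oletools' olevba, which handles these ActiveMime blobs) gives the macro source itself rather than just its presence.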
*** Samba Remote Code Execution Vulnerability - CVE-2015-0240 ***
---------------------------------------------
The Samba team reported CVE-2015-0240 on February 23, 2015. This vulnerability is very difficult to exploit and we are not aware of successful exploitation. However, it is quite interesting from the point of view of detection. There are two important facts: the vulnerability resides in the Netlogon Remote Protocol implementation of Samba, which is a...
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/samba-remote-cod…
*** How Malware Generates Mutex Names to Evade Detection, (Mon, Mar 9th) ***
---------------------------------------------
Malicious software sometimes uses mutex objects to avoid infecting the system more than once, as well as to coordinate communications among its multiple components on the host. Incident responders can look for known mutex names to spot the presence of malware on the system. To evade detection, some malware avoids using a hardcoded name for its mutex, as is the case with the specimen discussed in this note. Static Mutex Names as Indicators of Compromise: For background details about mutex...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=19429&rss
*** New crypto ransomware in town : CryptoFortress ***
---------------------------------------------
This post has been heavily edited to fix my mistake.
---------------------------------------------
http://malware.dontneedcoffee.com/2015/03/cryptofortress-teeraca-aka.html
*** Seagate Confirms NAS Zero Day, Won't Patch Until May ***
---------------------------------------------
Seagate confirmed a publicly disclosed vulnerability in one of its network attached storage products, but said it won't have a patch available until May.
---------------------------------------------
http://threatpost.com/seagate-confirms-nas-zero-day-wont-patch-until-may/11…
*** OpenSSL Audit ***
---------------------------------------------
Introduction: The reputation built by NCC Group, including iSEC Partners, Matasano Security, Intrepidus Group and NGS Secure, has led compani ...
---------------------------------------------
https://www.nccgroup.com/en/blog/2015/03/openssl-audit/
*** l+f: Connected weather station radioed Wi-Fi password to the manufacturer ***
---------------------------------------------
The Netatmo weather stations sent not only their measurements to the internet, but also the user's SSID and Wi-Fi password.
---------------------------------------------
http://heise.de/-2571218
*** Update - Notes on FREAK ***
---------------------------------------------
In recent days there has once again been a lot of media attention for a vulnerability in OpenSSL and other crypto libraries. The entry for the associated CVE ID CVE-2015-0204 has existed since November of last year; updated versions of OpenSSL were released in January this year. | Update 2015-03-09 | Addendum: lists of affected libraries/vendors can be found at...
---------------------------------------------
http://www.cert.at/services/blog/20150306175713-1442.html
*** Mono TLS vulnerabilities ***
---------------------------------------------
Topic: Mono TLS vulnerabilities. Risk: Medium. Text: Hi, a TLS impersonation attack was discovered in Mono's TLS stack by researchers at Inria. During checks on our TLS stack, w...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2015030042
*** IBM Security Bulletin: Multiple Vulnerabilities in the IBM Java SDK affect IBM Notes and Domino (Oracle January 2015 Critical Patch Update) ***
---------------------------------------------
2015-03-09T11:05:28-04:00
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21698222
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Worklight and IBM MobileFirst Platform Foundation (CVE-2014-3570, CVE-2014-3572, CVE-2015-0204) ***
---------------------------------------------
2015-03-09T11:04:47-04:00
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21698574
*** IBM Security Bulletin: Vulnerability in SSLv3 Affects Power Hardware Management Console (CVE-2014-3513, CVE-2014-3566, CVE-2014-3567, CVE-2014-3568) ***
---------------------------------------------
2015-03-09T11:01:43-04:00
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=nas8N1020593
*** IBM Security Bulletin: Vulnerability in SSLv3 enabled in IBM Host On-Demand affects Rational Functional Tester (CVE-2014-3566) ***
---------------------------------------------
2015-03-09T11:01:10-04:00
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21697348
*** IBM Security Bulletin: Fixes available for Security Vulnerabilities in IBM WebSphere Portal (CVE-2014-6214; CVE-2015-0139; CVE-2015-0177) ***
---------------------------------------------
2015-03-09T11:10:19-04:00
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21697213
*** HPSBUX03235 SSRT101750 rev.3 - HP-UX Running BIND, Remote Denial of Service (DoS) ***
---------------------------------------------
A potential security vulnerability has been identified with HP-UX running BIND. This vulnerability could be exploited remotely to create a Denial of Service (DoS).
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** Vulnerabilities in WordPress Plugins ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/7826
https://wpvulndb.com/vulnerabilities/7827
https://wpvulndb.com/vulnerabilities/7828
https://wpvulndb.com/vulnerabilities/7829
https://wpvulndb.com/vulnerabilities/7830
https://wpvulndb.com/vulnerabilities/7831
https://wpvulndb.com/vulnerabilities/7832
https://wpvulndb.com/vulnerabilities/7833
https://wpvulndb.com/vulnerabilities/7834
https://wpvulndb.com/vulnerabilities/7835
https://wpvulndb.com/vulnerabilities/7836
https://wpvulndb.com/vulnerabilities/7837
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 05-03-2015 18:00 − Friday 06-03-2015 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Oracle bundles adware with the Java installer for Mac OS X ***
---------------------------------------------
When installing Java, Mac users are now also being pushed adware - currently in the form of a browser extension.
---------------------------------------------
http://heise.de/-2568995
*** Intuit Failed at 'Know Your Customer' Basics ***
---------------------------------------------
Intuit, the makers of TurboTax, recently introduced several changes to beef up the security of customer accounts following a spike in tax refund fraud at the state and federal level. Unfortunately, those changes don't go far ..
---------------------------------------------
http://krebsonsecurity.com/2015/03/intuit-failed-at-know-your-customer-basi…
*** Why A Free Obfuscator Is Not Always Free. ***
---------------------------------------------
We all love our code but some of us love it so much that we don't want anyone else to read or understand it. When you think about it, that's understandable - hours and hours of hard dev work, days of testing and weeks ..
---------------------------------------------
http://blog.sucuri.net/2015/03/why-a-free-obfuscator-is-not-always-free.html
*** Cisco IOS Autonomic Networking Infrastructure Self-Referential Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2015…
*** Contact Form DB 2.8.29 - CSRF ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/7826
*** Cisco IOS Software and Cisco IOS XE Software Crafted RADIUS Packet Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2015…
*** Cisco IOS XR Software Malformed SNMP Packet Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2015…
*** FREAK: Windows also affected by SSL flaw ***
---------------------------------------------
Significantly more clients at risk than previously assumed - besides Android and iOS, also Opera on Linux ..
---------------------------------------------
http://derstandard.at/2000012569585
*** Internet service Onlinetvrecorder.com hacked ***
---------------------------------------------
The online recording service Onlinetvrecorder.com has fallen victim to a hacking attack. The provider recommends that all users change their password.
---------------------------------------------
http://heise.de/-2569350
*** Multiple vulnerabilities in Siemens products ***
---------------------------------------------
https://ics-cert.us-cert.gov//advisories/ICSA-15-064-01
https://ics-cert.us-cert.gov//advisories/ICSA-15-064-02
https://ics-cert.us-cert.gov//advisories/ICSA-15-064-03
https://ics-cert.us-cert.gov//advisories/ICSA-15-064-04
https://ics-cert.us-cert.gov//advisories/ICSA-15-064-05
*** Consumer advocates warn of fake e-mails from parcel services ***
---------------------------------------------
According to the German consumer advice centre (Verbraucherzentrale), the links lead to malware - the fake mails use the names of DHL and UPS.
---------------------------------------------
http://derstandard.at/2000012593805
*** Powerspy: stalking via battery consumption ***
---------------------------------------------
Instead of via Bluetooth and GPS, smartphone users can also be tracked by their battery consumption. Powerspy makes it possible.
---------------------------------------------
http://www.golem.de/news/powerspy-stalking-ueber-den-akkuverbrauch-1503-112…
*** Adobe dodges paying a finder's fee for reported vulnerabilities ***
---------------------------------------------
Anyone who finds vulnerabilities in Adobe Reader, Flash and co. can now report them to the vendor through a reward programme. There is, however, no monetary reward - at least not from Adobe.
---------------------------------------------
http://heise.de/-2569878
*** The Ongoing Debate about the Gap between Compliance and Security ***
---------------------------------------------
Companies required to comply with the Payment Card Industry Data Security Standard (PCI DSS) must meet a wide range of technical and operational requirements. The challenge organizations face regarding PCI compliance has shifted from achieving the minimum level required to satisfy a PCI audit ..
---------------------------------------------
https://www.alienvault.com/blogs/security-essentials/the-ongoing-debate-abo…
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 04-03-2015 18:00 − Thursday 05-03-2015 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** MICROSYS PROMOTIC Stack Buffer Overflow ***
---------------------------------------------
This advisory provides mitigation details for a stack-based buffer overflow vulnerability in the MICROSYS, spol. s r.o. PROMOTIC application.
---------------------------------------------
https://ics-cert.us-cert.gov//advisories/ICSA-15-062-01
*** Adobe Launches Web Application Vulnerability Disclosure Program on HackerOne ***
---------------------------------------------
In recognition of the important role that independent security researchers play in keeping Adobe customers safe, today Adobe launches a web application ..
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1179
*** SA-CONTRIB-2015-063 - Webform - Cross Site Scripting (XSS) ***
---------------------------------------------
The module doesn't sufficiently escape user data presented to administrative users in the webform results table. This issue affects the 7.x-4.x branch only. This vulnerability is mitigated by the fact that an attacker ..
---------------------------------------------
https://www.drupal.org/node/2445935
*** Cisco IOS XR Software Malformed RSVP Packet Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2015…
*** Cisco Secure Access Control Server Default Tomcat Administration Interface Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Toshiba Bluetooth Stack Untrusted Service Path Lets Local Users Gain System Privileges ***
---------------------------------------------
http://www.securitytracker.com/id/1031825
*** BIND DNSSEC Guide ***
---------------------------------------------
ISC has new documentation introducing DNSSEC, configuring BIND for common DNSSEC features, and basic DNSSEC troubleshooting. ISC's BIND DNSSEC Guide, co-written with DeepDive Networking, covers DNSSEC requirements, setting up a validating resolver, maintaining signed authoritative zones, and ..
---------------------------------------------
http://users.isc.org/~jreed/dnssec-guide/dnssec-guide.html
*** SANS ICS410 Vienna ***
---------------------------------------------
SANS presents the essential ICS/SCADA training course, ICS410 ICS Security Essentials. This specialist training event is running with the support of the International Atomic Energy Agency (IAEA) and follows the IAEA's International Conference on Computer Security in a Nuclear World, which takes place the preceding week in Vienna.
---------------------------------------------
https://www.sans.org/event/ics410-vienna-with-iaea
*** Malware "Casper": how the French spy in Syria ***
---------------------------------------------
Security researchers analyse malware that is probably used by France's intelligence services.
---------------------------------------------
http://derstandard.at/2000012513213
*** Format Injection Vulnerability in Duo Security Web SDK ***
---------------------------------------------
Format Injection is not a new bug, but it was never described as a subclass of A1 Injection. You probably already hate me for giving it a name (at least I didn't create a logo!) but calling it an 'injection' is too general.
---------------------------------------------
http://sakurity.com/blog/2015/03/03/duo_format_injection.html
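The point of calling this class "format injection" is that a signature over a delimiter-joined string binds the bytes but not the field boundaries: if one field may contain the delimiter, the signer and the verifier can disagree about where fields start and end, and an attacker who controls one field can make the verifier see different values in another. The following Python is an added illustration of that idea, not the Duo Web SDK's code and not the specific Duo bug: the token format, the field names (username, integration key, expiry), the key and the integration-key values are all constructed for the demonstration. The weak pair joins fields with "|"; the hardened pair length-prefixes every field (netstring style), so no character is special and the boundaries are part of what gets signed.

```python
import base64
import hashlib
import hmac

# Hypothetical token scheme for illustration (not Duo's SDK): an application signs
# username|integration_key|expiry so that a second party can trust those three fields.


def sign_pipe(key, username, ikey, expire):
    """Weak variant: fields joined with '|' and then MACed; a '|' inside a field is not rejected."""
    payload = base64.b64encode(("%s|%s|%d" % (username, ikey, expire)).encode()).decode()
    return payload + "|" + hmac.new(key, payload.encode(), hashlib.sha1).hexdigest()


def verify_pipe(key, token):
    """Weak variant: the MAC check is fine, but the parser trusts whatever the first three '|' fields are."""
    payload, sig = token.rsplit("|", 1)
    expected = hmac.new(key, payload.encode(), hashlib.sha1).hexdigest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")
    fields = base64.b64decode(payload).decode().split("|")   # field boundaries are attacker-influenced
    return fields[0], fields[1], int(fields[2])


def encode_fields(fields):
    """Netstring-style length-prefixed encoding: boundaries are explicit, so no character is special."""
    return "".join("%d:%s," % (len(f), f) for f in fields)


def decode_fields(s):
    """Inverse of encode_fields; raises ValueError on any malformed or truncated field."""
    out, i = [], 0
    while i < len(s):
        colon = s.index(":", i)
        n = int(s[i:colon])
        value = s[colon + 1:colon + 1 + n]
        if len(value) != n or s[colon + 1 + n:colon + 2 + n] != ",":
            raise ValueError("malformed field")
        out.append(value)
        i = colon + 2 + n
    return out


def sign_safe(key, username, ikey, expire):
    """Hardened variant: the signed payload encodes field lengths, so a '|' in username stays in username."""
    payload = base64.b64encode(encode_fields([username, ikey, str(expire)]).encode()).decode()
    return payload + "|" + hmac.new(key, payload.encode(), hashlib.sha1).hexdigest()


def verify_safe(key, token):
    payload, sig = token.rsplit("|", 1)              # base64 and hex never contain '|', so this split is unambiguous
    expected = hmac.new(key, payload.encode(), hashlib.sha1).hexdigest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")
    username, ikey, expire = decode_fields(base64.b64decode(payload).decode())
    return username, ikey, int(expire)


KEY = b"constructed-demo-key"                        # constructed; a real deployment uses a random secret
# Attacker-chosen username: registered at integration B, it smuggles a username, integration
# key and far-future expiry for integration A into the signed payload.
INJECTED_USERNAME = "victim|IKEY_A|9999999999"


def demo():
    """Return what each verifier believes the signed fields were for the injected username."""
    weak = verify_pipe(KEY, sign_pipe(KEY, INJECTED_USERNAME, "IKEY_B", 1426000000))
    safe = verify_safe(KEY, sign_safe(KEY, INJECTED_USERNAME, "IKEY_B", 1426000000))
    return weak, safe


if __name__ == "__main__":
    weak, safe = demo()
    print("weak parser sees:", weak)   # ('victim', 'IKEY_A', 9999999999): injected fields win
    print("safe parser sees:", safe)   # username intact, real key and expiry preserved
```

The cheaper alternative fix is to reject the delimiter in every field before signing; that works as long as every signer does it, whereas the explicit-length encoding removes the ambiguity from the format itself and does not depend on each caller remembering to validate.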
*** The State Of The Internet ***
---------------------------------------------
One great idea behind the internet is to connect devices from nearly every position on earth. Well, this idea sometimes has its drawbacks. In order to get an overview about devices that are actually connected, the University of ..
---------------------------------------------
https://splone.com/blog/2015/3/4/the-state-of-the-internet
*** Protection against the FREAK attack: these browsers are affected ***
---------------------------------------------
The FREAK attack compromises countless encrypted websites, and attackers could spy on sensitive data. Whether you are vulnerable to the attack, however, depends on the operating system, web browser and website in use.
---------------------------------------------
http://heise.de/-2567655
*** OpenSSL Cookbook 2nd Edition released ***
---------------------------------------------
Today we're releasing the second edition of OpenSSL Cookbook, Feisty Duck's free OpenSSL book. This edition is a major update, with some improvements to the existing text and new content added. The new edition has about 95 pages, an increase of about 35 pages.
---------------------------------------------
http://blog.ivanristic.com/2015/03/openssl-cookbook-second-edition-released…
*** Utilizing NLP To Detect APT in DNS ***
---------------------------------------------
Imagine that after a nice, relaxing long weekend, you come in to work Monday morning at your job at the bank. While waking up with a cup of coffee, you begin checking email. Among the usual messages, there's a message about a security update and you click it. Security updates are so common these days that it's ..
---------------------------------------------
https://labs.opendns.com/2015/03/05/nlp-apt-dns/
*** l+f: Expired SSL certificate at Visa ***
---------------------------------------------
If the browser shows a certificate warning when visiting Visa.de, an attack may be in progress - or the admin forgot when the certificate expires.
---------------------------------------------
http://heise.de/-2568054
*** VB2014 paper: Leaving our ZIP undone: how to abuse ZIP to deliver malware apps ***
---------------------------------------------
Gregory Panakkal explains there are different ways of looking at APK files - and that sometimes has unintended consequences. Since the close of the VB2014 conference in Seattle in October, we have been sharing VB2014 conference papers as well as video recordings of the presentations. Today, we ..
---------------------------------------------
http://www.virusbtn.com/blog/2015/03_05.xml
*** Domain Trusts: Why You Should Care ***
---------------------------------------------
Red teams have been abusing Windows domain trusts for years with great success, but the topic is still underrepresented in public infosec discussions. While the community has started to talk more about Active Directory ..
---------------------------------------------
http://www.harmj0y.net/blog/redteaming/domain-trusts-why-you-should-care/
*** Decoding ZeuS Disguised as an .RTF File ***
---------------------------------------------
While going through emails that were reported by our internal users using Reporter, I came across a particularly nasty looking phishing email that had a .doc attachment. At first when I detonated the sample in my VM, it seemed that the attackers weaponized the attachment incorrectly. ..
---------------------------------------------
http://phishme.com/decoding-zeus-disguised-as-an-rtf-file/
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 03-03-2015 18:00 − Wednesday 04-03-2015 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Data security: smartphones are to become more secure - at least a bit ***
---------------------------------------------
How can mobile devices be made, if not secure, then at least less insecure? In Barcelona, Silent Circle, Jolla and Qualcomm present their ideas.
---------------------------------------------
http://www.golem.de/news/datensicherheit-smartphones-sollen-sicherer-werden…
*** phpMoAdmin 0-day Nmap Script ***
---------------------------------------------
A 0-day vulnerability was posted on Full-Disclosure this morning. It affects the MongoDB GUI phpMoAdmin. The GUI is similar to the well-known phpMyAdmin and allows the DB administrator to perform maintenance tasks on the ..
---------------------------------------------
http://blog.rootshell.be/2015/03/04/phpmoadmin-0-day-nmap-script/
*** FREAK attack: SSL encryption of millions of websites vulnerable ***
---------------------------------------------
When users of Apple and Android devices visit one of the millions of websites vulnerable to the FREAK attack, a man-in-the-middle can break the encrypted connections. Attackers can not only read data but also manipulate it.
---------------------------------------------
http://heise.de/-2566444
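The server side of FREAK, referred to in the Apple update (export-grade ciphers dropped), the CERT.at notes and the heise entries above, is easy to check directly: send a ClientHello that offers only export-grade suites and see whether the server picks one. The following is an added example for this report, not a tool from any of the sources: a minimal TLS 1.0 ClientHello builder, a ServerHello/alert parser and a classifier. The network call in check_server() is the only part that needs connectivity; the ServerHello and alert records used to exercise the parser are constructed test vectors, not captures, and the alert-name table is limited to the few codes relevant here.

```python
import os
import socket
import struct

TLS1_0 = b"\x03\x01"

# Export-grade suites from the TLS registry: 40-bit RC4/RC2/DES40 with a 512-bit RSA or DH
# key exchange. A server that picks one of these when offered nothing else is FREAK-capable.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
}
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version", 80: "internal_error"}


def build_client_hello(suites, server_name=None):
    """Return a TLS 1.0 record carrying a ClientHello that offers only `suites`."""
    body = TLS1_0 + os.urandom(32) + b"\x00"                  # client_version, random, empty session_id
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body += struct.pack("!H", len(cs)) + cs                    # cipher_suites
    body += b"\x01\x00"                                        # compression_methods: null only
    if server_name:                                            # SNI so name-based virtual hosts answer
        host = server_name.encode("idna")
        name = b"\x00" + struct.pack("!H", len(host)) + host   # name_type host_name(0) + host
        sn_list = struct.pack("!H", len(name)) + name
        ext = struct.pack("!HH", 0x0000, len(sn_list)) + sn_list
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body         # Handshake: client_hello(1)
    return b"\x16" + TLS1_0 + struct.pack("!H", len(hs)) + hs  # Record: handshake(22)


def parse_server_response(data):
    """Classify the server's first record: ('hello', suite), ('alert', description) or ('other', type)."""
    if len(data) < 5:
        raise ValueError("short TLS record")
    ctype, rlen = data[0], struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + rlen]
    if ctype == 0x15:                                          # Alert: level, description
        return ("alert", payload[1] if len(payload) >= 2 else None)
    if ctype != 0x16 or not payload or payload[0] != 0x02:     # not a ServerHello
        return ("other", ctype)
    hs = payload[4:]                                           # skip handshake type + 3-byte length
    sid_len = hs[34]                                           # version(2) random(32) session_id_len(1)
    suite = struct.unpack("!H", hs[35 + sid_len:37 + sid_len])[0]
    return ("hello", suite)


def classify(kind, value):
    """Turn a parsed response into (accepts_export, human_readable)."""
    if kind == "hello":
        return value in EXPORT_SUITES, EXPORT_SUITES.get(value, "non-export suite 0x%04x" % value)
    if kind == "alert":
        return False, "alert %s" % ALERT_NAMES.get(value, value)
    return False, "unexpected record type %r" % value


def check_server(host, port=443, timeout=5):
    """Connect and report whether the server negotiates an export suite (network access required)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(sorted(EXPORT_SUITES), host))
        data = s.recv(4096)
    return classify(*parse_server_response(data))


def constructed_server_hello(suite):
    """Constructed test vector (not a capture): a ServerHello choosing `suite` with no session id."""
    body = TLS1_0 + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + TLS1_0 + struct.pack("!H", len(hs)) + hs


# Constructed test vector: fatal alert, description handshake_failure(40), the expected
# answer from a server that offers no export suite.
CONSTRUCTED_HANDSHAKE_FAILURE = b"\x15" + TLS1_0 + b"\x00\x02" + b"\x02\x28"

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(check_server(sys.argv[1]))
    else:
        print(classify(*parse_server_response(constructed_server_hello(0x0003))))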
*** CryptoFortress : Teerac.A (aka TorrentLocker) got a new identity ***
---------------------------------------------
Blitz post. I was hunting for Gootkit (pushed in a Nuclear Pack instance in France those days) but instead I got a Teerac.A.
---------------------------------------------
http://malware.dontneedcoffee.com/2015/03/cryptofortress-teeraca-aka.html
*** SuperFish SSL Sniffing ***
---------------------------------------------
Let's start off by saying that SuperFish may top Adobe ColdFusion's unauthenticated remote code executions in versions 6-10. Although Adobe may not have put those vulnerabilities there themselves and knowingly, Lenovo has no excuse.
---------------------------------------------
http://pashakravtsov.com/2015/03/03/SuperFish-SSL-Sniffing/
*** Forensics training: spotting Shellshock traces in server logs ***
---------------------------------------------
The European security agency ENISA has updated its training material for network forensic analysis and added new topics.
---------------------------------------------
http://heise.de/-2566554
*** Threat Spotlight: Angler Lurking in the Domain Shadows ***
---------------------------------------------
Over the last several months Talos researchers have been monitoring a massive exploit kit campaign that is utilizing hijacked registrant accounts to create large amounts ..
---------------------------------------------
http://blogs.cisco.com/security/talos/angler-domain-shadowing
*** A Few Thoughts on Cryptographic Engineering ***
---------------------------------------------
This is the story of how a handful of cryptographers hacked the NSA. It's also a story of encryption backdoors, and why they never quite work out the way you want them to.
---------------------------------------------
http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-fac…
*** Google: Chrome support for Android 4.0 to be discontinued ***
---------------------------------------------
The Chrome browser will only receive updates for Android 4.0 for a few more weeks. After version 42, support ends. The increasing maintenance effort for the three-and-a-half-year-old Android release is no longer justified, says Google.
---------------------------------------------
http://www.golem.de/news/google-chrome-support-fuer-android-4-0-wird-einges…
*** Skyfall Meets Skype ***
---------------------------------------------
The portmanteau-named SKYPEFALL.EXE is the latest, very active, malware-spamming campaign spreading through Skype.
---------------------------------------------
http://securelist.com/blog/incidents/69065/skyfall-meets-skype/
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 02-03-2015 18:00 − Tuesday 03-03-2015 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Ads Gone Bad ***
---------------------------------------------
FireEye Labs tracks malvertising activity and recently discovered hundreds of sites that may have been exposed to malvertisements via abuse of ad networks that use real-time bidding (RTB). Since February 4, 2015, FireEye Labs has seen over 1,700 advertiser RTB requests that resulted in downloading of malicious SWF files. We believe this activity is part of an active malvertising operation.
---------------------------------------------
https://www.fireeye.com/blog/threat-research/2015/03/ads_gone_bad.html
*** D-Link Routers Haunted by Remote Command Injection Bug ***
---------------------------------------------
Some D-Link routers contain a vulnerability that leaves them open to remote attacks that can give an attacker root access, allow DNS hijacking and other attacks. The vulnerability affects a number of D-Link's home routers and the key ..
---------------------------------------------
http://threatpost.com/d-link-routers-haunted-by-remote-command-injection-bu…
*** Older Keen Team Use-After-Free IE Exploit Added to Angler Exploit Kit ***
---------------------------------------------
Attackers behind one of the more popular exploit kits, Angler, have added a tweaked version of an exploit from last fall, a use-after-free vulnerability in Microsoft's Internet Explorer browser.
---------------------------------------------
http://threatpost.com/older-keen-team-use-after-free-ie-exploit-added-to-an…
*** How to keep your Smart Home safe ***
---------------------------------------------
The Internet of Things (IoT) devices can help you save time and hassle and improve your quality of life. As an example, you can check the contents of your fridge and turn on the oven while at the grocery store thus saving money, uncertainty, and ..
---------------------------------------------
https://www.f-secure.com/weblog/archives/00002792.html
*** Symantec NetBackup OpsCenter Server Javascript Injection RCE ***
---------------------------------------------
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se…
*** SSH client Putty: almost forgotten security hole closed ***
---------------------------------------------
The creator of Putty apologises for taking one and a half years to fully close a security hole, and adds further bug fixes and two new features to the new version.
---------------------------------------------
http://heise.de/-2563230
*** SA-CONTRIB-2015-050 - Services Basic Authentication - Access bypass ***
---------------------------------------------
https://www.drupal.org/node/2428851
*** New gTLD Portals Taken Offline by ICANN Due to Security Flaw ***
---------------------------------------------
The Internet Corporation for Assigned Names and Numbers (ICANN) shut down two new generic top-level domain (gTLD) portals on February 27 after learning of a vulnerability that could have been exploited to view users' data.
---------------------------------------------
http://www.securityweek.com/new-gtld-portals-taken-offline-icann-due-securi…
*** Cyber criminals target call center operators in Apple Pay fraud scheme ***
---------------------------------------------
Cybercriminals are targeting call center operators in Apple Pay fraud to circumvent the checks implemented by Apple, banks and card issuers. The security expert Cherian Abraham revealed a spike in the fraud on Apple's ..
---------------------------------------------
http://securityaffairs.co/wordpress/34359/cyber-crime/apple-pay-fraud.html
*** Captcha <= 4.0.6 - Captcha Bypass ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/7822
*** Financial Trojans in 2014: Takedowns contributed to 53 percent drop in infections, but threat is still prevalent ***
---------------------------------------------
While the number of financial Trojan detections decreased in 2014, the threat was still ..
---------------------------------------------
http://www.symantec.com/connect/blogs/financial-trojans-2014-takedowns-cont…
*** phpMoAdmin Zero-day Vulnerability Puts Websites Using MongoDB at Risk ***
---------------------------------------------
About two weeks back, over 40,000 organizations running MongoDB were found unprotected and vulnerable to hackers. Now, once again the users of MongoDB database are at risk because of a critical zero-day vulnerability making ..
---------------------------------------------
http://thehackernews.com/2015/03/phpMoAdmin-mongoDB-exploit.html
*** Ted Unangst: OpenBSD wants to make browsers more secure ***
---------------------------------------------
At least one web browser is to be hardened by implementing a memory policy from OpenBSD. The operating system's foundation is paying a developer with Libressl experience to do this.
---------------------------------------------
http://www.golem.de/news/ted-unangst-openbsd-will-browser-sicherer-machen-1…
*** Thanks for the Memories: Identifying Malware from a Memory Capture ***
---------------------------------------------
We've all seen attackers try to disguise their running malware as something legitimate. They might use the file name of a legitimate Windows file or even inject code into a legitimate process that's already running. Regardless of how it's done, that code has to run, which means it has to be in memory. Somewhere.
---------------------------------------------
http://www.contextis.com/resources/blog/thanks-memories-identifying-malware…
*** LogPOS - New Point of Sale Malware Using Mailslots ***
---------------------------------------------
There has been an explosion in POS malware in the last year. At Morphick, Jeremy Humble and I found 2 undiscovered families in 2014 and we just found our first new family of 2015. This new malware which we're calling ..
---------------------------------------------
http://morphick.com/blog/2015/2/27/mailslot-pos
*** Change to Lollipop Encryption Policy May Not Have Much Effect, Experts Say ***
---------------------------------------------
Google has made a subtle, but important, shift in the requirements for Android handset makers, saying now that OEMs manufacturing phones that will run Lollipop do not have to enable disk encryption by default. This is a major change from the ..
---------------------------------------------
http://threatpost.com/change-to-lollipop-encryption-policy-may-not-have-muc…
*** Cisco Network Analysis Module Cross-Site Scripting Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2015…
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 27-02-2015 18:00 − Monday 02-03-2015 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Abusing Blu-ray Players Pt. 1 - Sandbox Escapes ***
---------------------------------------------
tl;dr: In today's (28 February) closing keynote talk at the Abertay Ethical Hacking Society's Securi-Tay conference I discussed how it was po ...
---------------------------------------------
https://www.nccgroup.com/en/blog/2015/02/abusing-blu-ray-players-pt-1-sandb…
*** dnstest - Monitor Your DNS for Hijacking ***
---------------------------------------------
In light of the latest round of attacks against and/or hijacking of DNS, it occurred to me that most people really don't know what to do about it. More importantly, many companies don't even notice they've been attacked until a customer complains. Especially for smaller companies who may not have as many customers, or only...
---------------------------------------------
https://blog.whitehatsec.com/dnstest-monitor-your-dns-for-hijacking/
*** Virtualization Incident Response ***
---------------------------------------------
Virtualization is a game changer. This session looks at the new world of virtualization and its impact on Incident Response & Computer Forensics. Details include answers to several important questions: Is forensics more difficult, or perhaps actually easier, in the virtual realm? What do I image if the Data Store has PI from 200 different companies on it that are not subject to the investigation? Where are virtual machine files stored? What files are of forensic value? What about all of...
---------------------------------------------
http://blog.malwareresearch.institute/video/2015/02/27/virtualization-incid…
*** TorrentLocker campaign uses email authentication to tune the operations ***
---------------------------------------------
The emails of a new TorrentLocker campaign use Domain-based Message Authentication, Reporting and Conformance (DMARC) to avoid detection and collect data. Cyber criminals are continuously improving the technique to spread malicious code and avoid detection systems. Recently security experts at Trend Micro noticed an improvement in the evasion techniques implemented by malware authors to spread the...
---------------------------------------------
http://securityaffairs.co/wordpress/34268/cyber-crime/new-torrentlocker-cam…
*** The Rmnet botnet is very much alive! ***
---------------------------------------------
February 27, 2015. Despite the numerous reports by news agencies that Europol held a massive operation to stop the Rmnet botnet, Doctor Web's analysts continue to monitor this botnet's activity. According to the media reports, the staff of the British police's office engaged in combating cyber crime, together with experts from Germany, Italy and the Netherlands, has suppressed the activity of several major Rmnet command and control servers. According to the news reports, on February 24, 2015 command...
---------------------------------------------
http://news.drweb.com/show/?i=9310&lng=en&c=9
*** The return of the dangerous Trojan for Mac OS X ***
---------------------------------------------
February 27, 2015. Doctor Web analysts conducted research on a new version of the backdoor Trojan for Mac OS X named Mac.BackDoor.OpinionSpy.3. This malicious program is intended to spy on Mac users: it can collect and transmit information about loaded web pages to the attackers, analyze the traffic passing through the computer's network card, intercept the network packets sent by instant messaging programs and perform some other dangerous functions. Mac.BackDoor.OpinionSpy programs have been...
---------------------------------------------
http://news.drweb.com/show/?i=9309&lng=en&c=9
*** OWASP ProActive Controls: Part 1 ***
---------------------------------------------
What is OWASP ProActive Controls? In one line, this project can be explained as "Secure Coding Practices by Developers for Developers". OWASP ProActive Controls is a document prepared for developers who are building, or are new to building, software and applications using secure software development practices. This OWASP project lists 10 controls that can help a developer implement...
---------------------------------------------
http://resources.infosecinstitute.com/owasp-proactive-controls-part-1/
*** Xen Hypervisor Flaws Force Amazon, Rackspace to Reboot Servers (SecurityWeek) ***
---------------------------------------------
Rackspace, Amazon, Linode and likely other cloud providers will reboot some of their servers over the next week after they patch several vulnerabilities affecting the Xen open-source hypervisor.
---------------------------------------------
http://www.securityweek.com/xen-hypervisor-flaws-force-amazon-rackspace-reb…
*** Zero-day holes in Seagate's Business NAS ***
---------------------------------------------
Anyone using a Seagate Business NAS should make sure it is not reachable from the Internet. The web interface has critical holes, and a matching exploit is already circulating.
---------------------------------------------
http://heise.de/-2563240
*** Cisco ACE 4710 Application Control Engine and Application Networking Manager Cross-Site Request Forgery Vulnerability ***
---------------------------------------------
CVE-2015-0651
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2015…
*** Cisco Unified Web Interaction Manager Cross-Site Scripting Vulnerability ***
---------------------------------------------
CVE-2015-0655
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2015…
*** IBM Security Bulletin: A page in IBM Curam Universal Access contains a risk of Sensitive Information Exposure (CVE-2014-4804) ***
---------------------------------------------
2015-02-27T18:10:56-05:00
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21695931
*** Jetty 9.2.8 Shared Buffer Leakage ***
---------------------------------------------
Topic: Jetty 9.2.8 Shared Buffer Leakage Risk: High Text: GDS LABS ALERT: CVE-2015-2080 JetLeak Vulnerability Remote Leakage Of Shared Buffers In Jetty Web Server SYNOPSIS == Go...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2015020151
*** Apache Standard Taglibs 1.2.1 XXE / Remote Command Execution ***
---------------------------------------------
Topic: Apache Standard Taglibs 1.2.1 XXE / Remote Command Execution Risk: High Text: CVE-2015-0254 XXE and RCE via XSL extension in JSTL XML tags Severity: Important Vendor: The Apache Software Foundation ...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2015020154
*** HPSBST03274 rev.1 - HP XP P9000 Command View Advanced Edition Software Online Help for Windows and Linux, Remote Cross-site Scripting (XSS) ***
---------------------------------------------
Potential security vulnerabilities have been identified with HP XP P9000 Command View Advanced Edition Software Online Help for Windows and Linux. The vulnerabilities could be exploited resulting in remote Cross-site scripting (XSS).
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** IP Blacklist Cloud - SQL Injection ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/7816
*** WP-ViperGB 1.3.10 - XSS Weakness and CSRF ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/7817
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 26-02-2015 18:00 − Friday 27-02-2015 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** #JetLeak: Jetty web server leaks connection data ***
---------------------------------------------
The Jetty server is embedded in Hadoop, Heroku, Eclipse and the Google AppEngine, among others. Attackers can use a newly discovered hole to spy on data from other users' connections.
---------------------------------------------
http://heise.de/-2560894
*** Spam Uses Default Passwords to Hack Routers ***
---------------------------------------------
In case you needed yet another reason to change the default username and password on your wired or wireless Internet router: Phishers are sending out links that, when clicked, quietly alter the settings on vulnerable routers to harvest online banking credentials and other sensitive data from victims. Sunnyvale, Calif.-based security firm Proofpoint said it recently detected a four-week spam...
---------------------------------------------
http://krebsonsecurity.com/2015/02/spam-uses-default-passwords-to-hack-rout…
*** Adventures in Xen exploitation ***
---------------------------------------------
tl;dr: This post is about my experience trying to exploit the Xen SYSRET bug (CVE-2012-0217). This issue was patched in June 2012 and was dis ...
---------------------------------------------
https://www.nccgroup.com/en/blog/2015/02/adventures-in-xen-exploitation/
*** Security tool PrivDog phones home - unencrypted ***
---------------------------------------------
The supposed security tool PrivDog is under criticism again, because it sends every visited URL to the vendor unencrypted.
---------------------------------------------
http://heise.de/-2560926
*** Dridex Downloader Analysis ***
---------------------------------------------
Introduction: Yesterday I received in my company inbox an email with an attached .xlsm file named D92724446.xlsm coming from Clare588(a)78-83-77-53.spectrumnet.bg. Central and local AV engines did not find anything malicious, and a multiengine scan got 0/57 as a result. I decided to investigate a little more in-depth in order to confirm that it was a malicious file...
---------------------------------------------
http://resources.infosecinstitute.com/dridex-downloader-analysis/
*** D-Link remote access vulnerabilities remain unpatched ***
---------------------------------------------
D-Link routers have several unpatched vulnerabilities, the worst of which could allow an attacker to gain total control over a device, according to a systems engineer in Canada. Peter Adkins, who does security research in his free time, released details of the flaws on Thursday. Adkins said in a phone interview that he has been in intermittent contact with D-Link since Jan. 11 on the issues, but the company has not indicated when it might patch.
---------------------------------------------
http://www.cio.com/article/2889994/dlink-remote-access-vulnerabilities-rema…
*** Microsoft Malware Protection Center assists in disrupting Ramnit ***
---------------------------------------------
Recent disruption of the Ramnit malware family was successful due to a multinational collaboration, led by Europol's European Cybercrime Center (EC3), in partnership with Financial Services and Information Sharing & Analysis Center (FS-ISAC), Symantec, AnubisNetworks, Microsoft's Digital Crimes Unit (DCU), and the Microsoft Malware Protection Center (MMPC). The MMPC has been closely monitoring Ramnit since its discovery in April 2010, as you can see by reading: Ramnit - The...
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2015/02/25/microsoft-malware-protec…
*** The Evil CVE: CVE-666-666 - "Report Not Read" ***
---------------------------------------------
I had an interesting discussion with a friend this morning. He explained that, when he is conducting a pentest, he sometimes does not hesitate to add to his report a specific finding regarding the lack of attention given to the previous reports. If some companies are motivated by good intentions and ask for regular pentests against their infrastructure or a specific application, what if they don't even...
---------------------------------------------
http://blog.rootshell.be/2015/02/26/the-evil-cve-cve-666-666-report-not-rea…
*** Weekly Metasploit Wrapup ***
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2015/02/26/weekly-me…
*** Threatpost News Wrap, February 27, 2015 ***
---------------------------------------------
Mike Mimoso and Dennis Fisher discuss the news of the last week, including the Superfish fiasco, the Gemalto SIM hack controversy and the continuing NSA drama.
---------------------------------------------
http://threatpost.com/threatpost-news-wrap-february-27-2015/111312
*** VMSA-2015-0001.1 ***
---------------------------------------------
VMware vCenter Server, ESXi, Workstation, Player, and Fusion updates address security issues
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2015-0001.html
*** Security Advisory: BIG-IP ASM cross-site scripting (XSS) vulnerability CVE-2015-1050 ***
---------------------------------------------
(SOL16081)
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/16000/000/sol16081.htm…
*** Security Advisory: OpenSSL vulnerability CVE-2014-0160 ***
---------------------------------------------
(SOL15159)
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/15000/100/sol15159.htm…
*** Security Advisory: XSS vulnerability in echo.jsp CVE-2014-4023 ***
---------------------------------------------
(SOL15532)
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/15000/500/sol15532.htm…
*** Cisco Security Notices ***
---------------------------------------------
*** Vulnerability in IPv6 Neighbor Discovery in Cisco IOS and IOS-XE Software ***
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2015…
*** Vulnerability in Authentication Proxy Feature in Cisco IOS Software ***
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Cisco Common Services Cross-Site Scripting Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2015…
*** Cisco ACE 4710 Application Control Engine and Application Networking Manager Cross-Site Request Forgery Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2015…
---------------------------------------------
*** DSA-3176 request-tracker4 - security update ***
---------------------------------------------
Multiple vulnerabilities have been discovered in Request Tracker, an extensible trouble-ticket tracking system. The Common Vulnerabilities and Exposures project identifies the following problems:
---------------------------------------------
https://www.debian.org/security/2015/dsa-3176
*** Network Vision IntraVue Code Injection Vulnerability ***
---------------------------------------------
This advisory provides mitigation details for a code injection vulnerability in Network Vision's IntraVue software.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-15-057-01
*** [2015-02-27] Multiple vulnerabilities in Loxone Smart Home ***
---------------------------------------------
Multiple design and implementation flaws within Loxone Smart Home enable an attacker to control arbitrary devices connected to the system, execute JavaScript code in the user's browser, steal the user's credentials and cause a denial of service.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2015…
*** TYPO3 CMS 6.2.10 released ***
---------------------------------------------
The TYPO3 Community announces the version 6.2.10 LTS of the TYPO3 Enterprise Content Management System.
---------------------------------------------
http://www.typo3.org/news/article/typo3-cms-6210-released/
*** IBM Security Bulletin: Rational Integration Tester component in Rational Test Workbench affected by Netty vulnerability (CVE-2014-3488) ***
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21695042
*** IBM Security Bulletin: Rational Test Control Panel component in Rational Test Workbench and Rational Test Virtualization Server affected by Castor Library vulnerability (CVE-2014-3004) ***
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21695037
---------------------------------------------
*** Huge-IT Slider - SQL Injection ***
https://wpvulndb.com/vulnerabilities/7811
*** CrossSlide jQuery Plugin <= 2.0.5 - Stored XSS & CSRF ***
https://wpvulndb.com/vulnerabilities/7812
*** WPBook - CSRF ***
https://wpvulndb.com/vulnerabilities/7813
*** WPBook <= 2.7 - Cross-Site Request Forgery (CSRF) ***
https://wpvulndb.com/vulnerabilities/7813
*** WP Media Cleaner <= 2.2.6 - Cross-Site Scripting (XSS) ***
https://wpvulndb.com/vulnerabilities/7814
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 25-02-2015 18:00 − Thursday 26-02-2015 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** 2014 Spam Landscape: UPATRE Trojan Still Top Malware Attached to Spam ***
---------------------------------------------
The malware UPATRE was first spotted in August 2013 following the demise of the Blackhole Exploit Kit. It has since been known as one of the top malware families seen attached to spammed messages and continued to be so throughout 2014, with particularly high numbers seen in the fourth quarter of the year. We have released...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/jUSb_mMOQCc/
*** Webnic Registrar Blamed for Hijack of Lenovo, Google Domains ***
---------------------------------------------
Two days ago, attackers allegedly associated with the fame-seeking group Lizard Squad briefly hijacked Google's Vietnam domain (google.com.vn). On Wednesday, Lenovo.com was similarly attacked. Sources now tell KrebsOnSecurity that both hijacks were possible because the attackers seized control over Webnic.cc, the Malaysian registrar that serves both domains and 600,000 others.
---------------------------------------------
http://krebsonsecurity.com/2015/02/webnic-registrar-blamed-for-hijack-of-le…
*** Why Websites Get Hacked ***
---------------------------------------------
I spend a good amount of time engaging with website owners across a broad spectrum of businesses. Interestingly enough, unless I'm talking large enterprise, there is a common question that often comes up: Why would anyone ever hack my website? Depending on who you are, the answer to this can vary. Nonetheless, it often revolves...
---------------------------------------------
http://blog.sucuri.net/2015/02/why-websites-get-hacked.html
*** 5 New Vulnerabilities Uncovered In SAP ***
---------------------------------------------
ERP security researchers at Onapsis have discovered five new vulnerabilities in SAP BusinessObjects and SAP HANA, three of them high-risk. One in particular gives attackers the power to overwrite data within mission-critical systems.
---------------------------------------------
http://www.darkreading.com/application-security/5-new-vulnerabilities-uncov…
*** Electronic Arts Origin Client 9.5.5 Multiple Privilege Escalation Vulnerabilities ***
---------------------------------------------
Title: Electronic Arts Origin Client 9.5.5 Multiple Privilege | Escalation Vulnerabilities | Advisory ID: ZSL-2015-5231 | Type: Local | Impact: Privilege Escalation | Risk: (3/5) | Release Date: 26.02.2015
---------------------------------------------
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5231.php
*** Ubisoft Uplay 5.0 Insecure File Permissions Local Privilege Escalation ***
---------------------------------------------
Title: Ubisoft Uplay 5.0 Insecure File Permissions Local Privilege | Escalation | Advisory ID: ZSL-2015-5230 | Type: Local | Impact: Privilege Escalation | Risk: (2/5) | Release Date: 25.02.2015
---------------------------------------------
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5230.php
*** HPSBUX03273 SSRT101951 rev.1 - HP-UX running Java6, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities ***
---------------------------------------------
Note: the current version of the following document is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04580241 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c04580241 Version: 1 HPSBUX03273 SSRT101951 rev.1 - HP-UX running Java6, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** HPSBUX03244 SSRT101885 rev.2 - HP-UX Running OpenSSL, Remote Denial of Service (DoS) and Other Vulnerabilities ***
---------------------------------------------
Note: the current version of the following document is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04556853 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c04556853 Version: 2 HPSBUX03244 SSRT101885 rev.2 - HP-UX Running OpenSSL, Remote Denial of Service (DoS) and Other Vulnerabilities
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects IBM Sterling Connect:Direct File Agent (CVE-2014-3065, CVE-2014-6468) ***
---------------------------------------------
2015-02-26T11:42:30-05:00
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21696580
*** Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM WebSphere Cast Iron Solution (CVE-2014-3566, CVE-2014-6558) ***
---------------------------------------------
2015-02-25T12:49:31-05:00
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21697112
*** Security Advisory-Multiple Vulnerabilities on Huawei Tecal Server Products ***
---------------------------------------------
Feb 26, 2015 09:44
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-advisor…
*** Security Advisory-Glibc Buffer Overflow Vulnerability ***
---------------------------------------------
Feb 26, 2015 16:35
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-advisor…
*** EasyCart 1.1.30 - 3.0.20 - Privilege Escalation ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/7808
*** WP All Import Pro <= 4.1.0 - RCE ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/7810
*** WP All Import <= 3.2.3 - RCE ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/7809
*** Security Advisories for Drupal Third-Party Modules ***
---------------------------------------------
*** SA-CONTRIB-2015-062 - Watchdog Aggregator - Cross Site Request Forgery (CSRF) - Unsupported ***
https://www.drupal.org/node/2437993
*** SA-CONTRIB-2015-061 - Ubercart Webform Integration - Cross Site Scripting (XSS) - Unsupported ***
https://www.drupal.org/node/2437991
*** SA-CONTRIB-2015-060 - Custom Sitemap - Cross Site Request Forgery (CSRF) - Unsupported ***
https://www.drupal.org/node/2437985
*** SA-CONTRIB-2015-059 - Spider Video Player - Multiple vulnerabilities - Unsupported ***
https://www.drupal.org/node/2437981
*** SA-CONTRIB-2015-058 - Spider Catalog - Cross Site Request Forgery (CSRF) - Unsupported ***
https://www.drupal.org/node/2437977
*** SA-CONTRIB-2015-057 - Spider Contacts - Multiple vulnerabilities - Unsupported ***
https://www.drupal.org/node/2437973
*** SA-CONTRIB-2015-056 - inLinks Integration - Cross Site Scripting (XSS) - Unsupported ***
https://www.drupal.org/node/2437969
*** SA-CONTRIB-2015-055 - Services single sign-on server helper - Open Redirect - Unsupported ***
https://www.drupal.org/node/2437965
*** SA-CONTRIB-2015-054 - SMS Framework - Cross Site Scripting (XSS) ***
https://www.drupal.org/node/2437943
*** SA-CONTRIB-2015-053 - Entity API - Cross Site Scripting (XSS) ***
https://www.drupal.org/node/2437905
*** SA-CONTRIB-2015-041 - Feature Set - Cross Site Request Forgery (CSRF) ***
https://www.drupal.org/node/2424409
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 24-02-2015 18:00 − Wednesday 25-02-2015 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Security Advisory - WP-Slimstat 3.9.5 and lower ***
---------------------------------------------
Advisory for: WP-Slimstat Security Risk: Very high Exploitation level: Remote DREAD Score: 8/10 Vulnerability: Weak Cryptographic keys leading to SQL injections Patched Version: 3.9.6 WP-Slimstat's users should update as soon as possible! During a routine audit for our WAF, we discovered a security bug that an attacker could, by breaking the plugin's weak "secret" key, use to perform a SQL...
---------------------------------------------
http://blog.sucuri.net/2015/02/security-advisory-wp-slimstat-3-9-5-and-lowe…
*** Finding Unknown Malware ***
---------------------------------------------
If you have ever been given the mission to "Find Evil" on a compromised system, you understand the enormity of that tasking. In this technical presentation, Alissa will introduce sound methodology for identifying malware, using strategies based on "Knowing Normal", "Data Reduction" and "Least Frequency of Occurrence" in order to identify malicious binaries and common methods of persistence. The skills and tools presented here will aid in efficient...
---------------------------------------------
http://blog.malwareresearch.institute/video/2015/02/24/finding-unknown-malw…
*** A new strain of banking trojan VAWTRAK uses Macros and abuses Windows PowerShell ***
---------------------------------------------
Security experts at TrendMicro observed significant improvements in the VAWTRAK banking trojan, which now couples malicious macros with Windows PowerShell. In early 2015 the Microsoft Malware Protection Center (MMPC) issued an alert about a surge in infections by malware using macros to spread its malicious code. The MMPC experts have observed a significant increase in enable-macros ...
---------------------------------------------
http://securityaffairs.co/wordpress/34107/cyber-crime/vawtrak-uses-macros-w…
*** Scanning Internet-exposed Modbus devices for fun & fun ***
---------------------------------------------
[...] here is a scan I have run against the whole IPv4 address space, looking for Internet-exposed Modbus services.
---------------------------------------------
http://pierre.droids-corp.org/blog/html/2015/02/24/scanning_internet_expose…
*** "Surreptitiously Weakening Cryptographic Systems" ***
---------------------------------------------
New paper: "Surreptitiously Weakening Cryptographic Systems," by Bruce Schneier, Matthew Fredrikson, Tadayoshi Kohno, and Thomas Ristenpart. Abstract: Revelations over the past couple of years highlight the importance of understanding malicious and surreptitious weakening of cryptographic systems. We provide an overview of this domain, using a number of historical examples to drive development of a weaknesses taxonomy. This allows comparing different...
---------------------------------------------
https://www.schneier.com/blog/archives/2015/02/surreptitiously_1.html
*** Mozilla Thunderbird Flaws Let Remote Users Execute Arbitrary Code and Obtain Potentially Sensitive Information and Let Local Users Gain Elevated Privileges ***
---------------------------------------------
http://www.securitytracker.com/id/1031792
*** Mozilla Firefox Multiple Flaws Let Remote Users Deny Service, Execute Arbitrary Code, Bypass Security Restrictions, and Obtain Potentially Sensitive Information and Let Local Users Gain Elevated Privileges ***
---------------------------------------------
http://www.securitytracker.com/id/1031791
*** FreeBSD IGMP Integer Overflow Lets Remote Users Deny Service ***
---------------------------------------------
http://www.securitytracker.com/id/1031798
*** Splunk Enterprise 6.2.2 addresses two vulnerabilities ***
---------------------------------------------
Description
Splunk Enterprise version 6.2.2 addresses two vulnerabilities:
- Multiple vulnerabilities in OpenSSL prior to 1.0.1k (SPL-95203, CVE-2014-3572, CVE-2015-0204)
- Splunk Web crashes due to specific HTTP requests (SPL-93754)
At the time of this announcement, Splunk is not aware of any cases where these vulnerabilities have been actively exploited. Previous Product Security Announcements can be found on our Splunk Product Security Portal. Use SPL numbers when referencing issues in...
---------------------------------------------
http://www.splunk.com/view/SP-CAAANV8
*** Software Toolbox Top Server Resource Exhaustion Vulnerability ***
---------------------------------------------
This advisory provides mitigation details for a resource exhaustion vulnerability in the Software Toolbox Top Server application.
---------------------------------------------
https://ics-cert.us-cert.gov//advisories/ICSA-15-055-01
*** Kepware Resource Exhaustion Vulnerability ***
---------------------------------------------
This advisory provides mitigation details for a resource exhaustion vulnerability in the Kepware Technologies DNP Master Driver for the KEPServerEX Communications Platform.
---------------------------------------------
https://ics-cert.us-cert.gov//advisories/ICSA-15-055-02
*** Schneider Electric Invensys Positioner Buffer Overflow Vulnerability ***
---------------------------------------------
This advisory provides mitigation details for a buffer overflow vulnerability in the Device Type Manager software for Schneider Electric's Invensys SRD Control Valve Positioner product line.
---------------------------------------------
https://ics-cert.us-cert.gov//advisories/ICSA-15-055-03
*** HPSBMU03260 rev.1 - HP System Management Homepage running OpenSSL on Linux and Windows, Remote Disclosure of Information ***
---------------------------------------------
A potential security vulnerability has been identified with HP System Management Homepage running OpenSSL on Linux and Windows. This vulnerability is the SSLv3 vulnerability known as "Padding Oracle on Downgraded Legacy Encryption" or "POODLE", which could be exploited remotely to allow disclosure of information.
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** IBM Security Bulletins ***
---------------------------------------------
Rational Reporting for Development Intelligence - OpenSSL support for SSL 3.0 Fallback protection + 3 other CVEs
http://www.ibm.com/support/docview.wss?uid=swg21697194
AppScan Enterprise can be affected by multiple vulnerabilities (CVE-2014-6136, CVE-2014-8918)
http://www.ibm.com/support/docview.wss?uid=swg21697249
Rational Insight - Jazz Reporting Service report results can be viewed without user log-in (CVE-2014-6115)
http://www.ibm.com/support/docview.wss?uid=swg21697034
Rational Reporting for Development Intelligence - Jazz Reporting Service report results can be viewed without user log-in (CVE-2014-6115)
http://www.ibm.com/support/docview.wss?uid=swg21697035
Tivoli Storage Manager client encryption key password vulnerability (CVE-2014-4818)
http://www.ibm.com/support/docview.wss?uid=swg21697022
Tivoli Common Reporting (TCR) iFixes for Security Vulnerability
http://www.ibm.com/support/docview.wss?uid=swg21695800
Multiple vulnerabilities in IBM Java SDK affects multiple IBM Rational products based on IBM Jazz technology (CVE-2014-3566, CVE-2014-6457, CVE-2014-6468)
http://www.ibm.com/support/docview.wss?uid=swg21697112
Vulnerabilities in OpenSSL affect IBM Systems Director (CVE-2014-3513 and CVE-2014-3567)
http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5097159
Rational Insight - OpenSSL support for SSL 3.0 Fallback protection + 3 other CVEs
http://www.ibm.com/support/docview.wss?uid=swg21697193
---------------------------------------------
*** Cisco UCS C-Series Integrated Management Controller Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2015…