=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 21-08-2014 18:00 − Friday 22-08-2014 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Lua vararg functions buffer overflow ***
---------------------------------------------
Lua is vulnerable to a buffer overflow, caused by improper bounds checking by vararg functions. By sending an overly long string argument, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/95390
*** Researchers create privacy wrapper for Android Web apps ***
---------------------------------------------
Users can wrap Facebook and other apps to better control their privacy and security, according to researchers from North Carolina State University.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/mQ5PZ77i084/
*** Malicious app can get past Android WITHOUT PERMISSIONS ***
---------------------------------------------
Be careful what you install, say boffins. Again. Researchers presenting at Usenix have lifted the lid on yet another Android vulnerability: the way apps use memory can be exploited to leak private information with a success rate between 82 and 92 per cent of the time.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/08/22/malicious_a…
*** Security Advisory - Remote Security Bypass Vulnerability on Huawei Android Devices ***
---------------------------------------------
SA No: Huawei-SA-20140821-Android
Android version 4.1.1 - 4.4.2 is prone to a remote security bypass vulnerability (CVE-2013-6272):
A vulnerability in the Android system allows an attacker to initiate or terminate arbitrary calls without the call_phone permission.
After investigation we confirm that some Huawei smartphone and tablet products are affected.
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-advisor…
*** RTFM 0day in iOS apps: G+, Gmail, FB Messenger, etc. ***
---------------------------------------------
Normal people spend their nights watching movies, reading articles, socializing or (yes, I know it's odd) sleeping. I spend my nights reading RFCs and pentesting various applications/services.
---------------------------------------------
http://algorithm.dk/posts/rtfm-0day-in-ios-apps-g-gmail-fb-messenger-etc
*** PHP 5.5.16 is released ***
---------------------------------------------
The PHP Development Team announces the immediate availability of PHP 5.5.16. This release fixes several bugs against PHP 5.5.15 and resolves CVE-2014-3538, CVE-2014-3587, CVE-2014-2497, CVE-2014-5120 and CVE-2014-3597. All PHP users are encouraged to upgrade to this new version.
---------------------------------------------
http://php.net/archive/2014.php
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 20-08-2014 18:00 − Thursday 21-08-2014 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** Cisco WebEx MeetMeNow Server Directory Traversal Vulnerability ***
---------------------------------------------
A vulnerability in a PHP file in the Cisco WebEx MeetMeNow Server could allow an authenticated, remote attacker to obtain the contents of arbitrary files on an affected device.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** The fall of rogue antivirus software brings new methods to light ***
---------------------------------------------
Rogue antivirus software has been a part of the malware ecosystem for many years now - Win32/SpySheriff and Win32/FakeRean date all the way back to 2007. These rogues, and the many that have followed them throughout the years, generally mislead and scare users into paying a fee for "cleaning" false detections that the software claims to have found on the machine. They often use dozens ..
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2014/08/19/the-fall-of-rogue-antivi…
*** Researchers build security framework for Android ***
---------------------------------------------
University researchers have modified the Android operating system to let developers plug in enterprise-class security enhancements that would normally require overhauling a mobile device's firmware. The code added to the OS is called the Android Security Modules (ASM) framework, which is described ..
---------------------------------------------
http://www.csoonline.com/article/2474691/mobile-security/researchers-build-…
*** British intelligence agency GCHQ co-develops hacker game ***
---------------------------------------------
The browser game is meant to test how well Britons know their way around online security. It is also to include competitions through which new talent is recruited.
---------------------------------------------
http://futurezone.at/digital-life/britischer-geheimdienst-gchq-entwickelt-h…
*** 5 excuses for doing nothing about computer security ***
---------------------------------------------
Sadly, as we're sure you have found, once a friend or family member has latched onto a security avoidance excuse, it can be hard to talk them round. So, here are five excuses that we hear a lot, both from individuals and from small businesses, together with some points you can use to argue back that security really does matter.
---------------------------------------------
http://nakedsecurity.sophos.com/2014/08/20/5-excuses-for-doing-nothing-abou…
*** Need a green traffic light all the way home? Easy with insecure street signals, say researchers ***
---------------------------------------------
"While other deployments may use different wireless radios or even wired connections between intersections we have no reason to believe there are any fundamental differences between the network we studied and other traffic signal systems," the researchers concluded. "We believe that many traffic infrastructure ..
---------------------------------------------
http://www.theregister.co.uk/2014/08/20/sick_of_slow_commuting_americas_tra…
*** IoT: How I hacked my home ***
---------------------------------------------
A typical modern home can have around five devices connected to the local network which aren't computers, tablets or cellphones. As users in a connected digital environment we need to ask ourselves: Are the devices connected to my network vulnerable? What could an attacker actually do if these devices were compromised? Is my home 'hackable?'
---------------------------------------------
https://securelist.com/analysis/publications/66207/iot-how-i-hacked-my-home/
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 19-08-2014 18:00 − Wednesday 20-08-2014 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
*** Apache OFBiz cross-site scripting ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/95356
*** The Administrator of Things (AoT) - A Side Effect of Smartification ***
---------------------------------------------
In an earlier article, we talked about the ongoing smartification of the home - the natural tendency of households to accumulate more intelligent devices over time. While this has its benefits, the residents of smart homes also need to invest their time and energy to maintain these devices. These requirements will only grow as more...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/5chS0C_DSr4/
*** RSA Archer GRC Platform 5.5 SP1 Privilege Escalation / CSRF / Access Bypass ***
---------------------------------------------
Topic: RSA Archer GRC Platform 5.5 SP1 Privilege Escalation / CSRF / Access Bypass
Risk: Medium
Text: ESA-2014-071: RSA Archer GRC Platform Multiple Vulnerabilities EMC Identifier: ESA-2014-071 CVE Identifier: CVE-20...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014080085
*** "El Machete" ***
---------------------------------------------
"Machete" is a targeted attack campaign with Spanish-speaking roots. Most of the victims are located in Venezuela, Ecuador, Colombia, Peru, Russia, Cuba, and Spain. Targets include high-level profiles, including intelligence services, military, embassies and government institutions.
---------------------------------------------
https://securelist.com/blog/research/66108/el-machete/
*** Microsoft withdraws further Windows updates ***
---------------------------------------------
Users complain about blue screens and other problems
---------------------------------------------
http://derstandard.at/2000004536290
*** Connected devices: thousands of security vulnerabilities discovered ***
---------------------------------------------
Researchers have discovered security vulnerabilities, some of them severe, in more than 140,000 devices, including zero-day exploits, hard-coded passwords and private keys.
---------------------------------------------
http://www.golem.de/news/vernetzte-geraete-tausende-sicherheitsluecken-entd…
*** Bugtraq: [security bulletin] HPSBUX03091 SSRT101667 rev.1 - HP-UX running Java7, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/533176
*** Bugtraq: Deutsche Telekom CERT Advisory [DTC-A-20140820-001] check_mk vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/533180
*** Bugtraq: CVE-2014-5307 - Privilege Escalation in Panda Security Products ***
---------------------------------------------
http://www.securityfocus.com/archive/1/533182
*** Bugtraq: CVE-2014-4973 - Privilege Escalation in ESET Windows Products ***
---------------------------------------------
Versions 5.0 - 7.0 of ESET Smart Security and ESET Endpoint Security products for Windows XP OS allow a low privileged user to execute code as SYSTEM by exploiting a vulnerability in the ESET Personal Firewall NDIS filter (EpFwNdis.sys) kernel mode driver also mentioned as Personal Firewall module Build 1183 (20140214) and prior.
---------------------------------------------
http://www.securityfocus.com/archive/1/533184
*** Current scam: criminal "blog theft" angers many operators ***
---------------------------------------------
Unknown parties are currently mirroring dozens of German blogs and trying to cash in illegally with the hijacked content.
---------------------------------------------
http://www.heise.de/security/meldung/Aktuelle-Masche-Krimineller-Blog-Klau-…
*** Certificates: Google wants to warn about SHA-1 ***
---------------------------------------------
Google wants to get rid of certificates signed with SHA-1 by 2017 at the latest. The Chrome browser will soon display corresponding warnings. SHA-1 has been considered potentially insecure for several years.
---------------------------------------------
http://www.golem.de/news/zertifikate-google-will-vor-sha-1-warnen-1408-1087…
*** Multiple Vulnerabilities in various IBM Products ***
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/aix_libxml2_vulnerabi…
https://www-304.ibm.com/connections/blogs/PSIRT/entry/vulnerability_in_aix_…
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
https://www-304.ibm.com/connections/blogs/PSIRT/entry/multiple_vulnerabilit…
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 18-08-2014 18:00 − Tuesday 19-08-2014 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
*** New Attack Binds Malware in Parallel to Software Downloads ***
---------------------------------------------
Open source software distribution systems that lack security processes and integrity checks are prone to a new attack that binds malware to a download without modifying the original application.
---------------------------------------------
http://threatpost.com/new-attack-binds-malware-in-parallel-to-software-down…
*** Microsoft's Windows 8 App Store Is Full of Scamware ***
---------------------------------------------
Deathspawner writes: Windows 8 brought a lot to the table, with one of its most major features being its app store. However, it's not a feature that Microsoft seems too intent on keeping clean. As it is today, the store is completely littered with misleading apps and outright scamware. The unfortunate thing is that ..
---------------------------------------------
http://beta.slashdot.org/story/206067
*** Virus scanners: test lab analyses the missing percent ***
---------------------------------------------
In lab tests, almost all virus scanners consistently detect over 99 percent of malware samples. But it is precisely the missing percent that can make the difference, as the spread of the files that slipped through shows.
---------------------------------------------
http://www.heise.de/security/meldung/Virenscanner-Testlabor-analysiert-das-…
*** Part 2: Is your home network unwittingly contributing to NTP DDOS attacks?, (Sun, Aug 17th) ***
---------------------------------------------
This diary follows from Part 1, published on Sunday August 17, 2014. How is it possible that with no port forwarding enabled through the firewall that Internet originated NTP requests were getting past the firewall to the misconfigured NTP server? The reason why these packets are passing ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=18549&rss
*** Stuxnet: closed security hole still endangers millions ***
---------------------------------------------
Experts attribute the high numbers to a lack of server maintenance
---------------------------------------------
http://derstandard.at/2000004498863
*** APT Gang Branches Out to Medical Espionage in Community Health Breach ***
---------------------------------------------
The Community Health Systems data breach has been tied to a Chinese APT gang that has branched out to medical espionage, stealing patient data in an effort to target intelligence on medical device development.
---------------------------------------------
http://threatpost.com/apt-gang-branches-out-to-medical-espionage-in-communi…
*** Multiple vulnerabilities in EMC Documentum products ***
---------------------------------------------
http://www.securityfocus.com/archive/1/533161
http://www.securityfocus.com/archive/1/533160
http://www.securityfocus.com/archive/1/533159
http://www.securityfocus.com/archive/1/533162
*** DSA-3006 xen ***
---------------------------------------------
http://www.debian.org/security/2014/dsa-3006
*** FreeNAS password security bypass ***
---------------------------------------------
FreeNAS could allow a remote attacker to bypass security restrictions, caused by the use of a blank password by the Web admin. An attacker could exploit this vulnerability to reset the admin password and gain full administrative access to the device.
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/95326
*** Apache HttpComponents certificate spoofing ***
---------------------------------------------
Apache HttpComponents could allow a remote attacker to conduct spoofing attacks, caused by the failure to verify that the server hostname matches a domain name in the Subject's Common Name (CN) or SubjectAltName field of certificates. By persuading a victim to visit a Web site containing a ..
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/95327
*** Cisco NX-OS Software SNMP Information Disclosure Vulnerability ***
---------------------------------------------
A vulnerability in the Simple Network Management Protocol (SNMP) module of Cisco NX-OS Software could allow an unauthenticated, remote attacker to access sensitive information. The vulnerability is due to a failure to respond to invalid requests in the same manner when specifying a VLAN ID. An attacker could exploit this vulnerability by making a large number of requests to ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 14-08-2014 18:00 − Monday 18-08-2014 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
*** Microsoft withdraws updates ***
---------------------------------------------
There are apparently problems with a total of four of the Windows updates released on the last Patch Tuesday. Microsoft has now reacted and warns against installing them.
---------------------------------------------
http://www.heise.de/security/meldung/Microsoft-zieht-Updates-zurueck-229417…
*** Suspicious Login Message Faked, Distributes Backdoor ***
---------------------------------------------
Legitimate services are often used by cybercriminals to try and make their attacks more convincing. Recently, I spotted attacks that used services and platforms like Google Drive and Dropbox in order to look less suspicious to unwary users. I received a spammed message like the one shown right below that supposedly came from Gmail itself. It warned me that someone logged...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/hhVGnlO7Tzs/
*** ZDI-14-295: AlienVault OSSIM av-centerd Util.pm remote_task Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of AlienVault OSSIM. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-14-295/
*** ZDI-14-294: AlienVault OSSIM av-centerd Util.pm get_license Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of AlienVault OSSIM. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-14-294/
*** Siemens OpenSSL Vulnerabilities (Update B) ***
---------------------------------------------
This updated advisory is a follow-up to the updated advisory titled ICSA-14-198-03A Siemens OpenSSL Vulnerabilities that was published July 23, 2014, on the NCCIC/ICS-CERT web site. This updated advisory provides mitigation details for vulnerabilities in the Siemens OpenSSL cryptographic software library affecting several Siemens industrial products.
---------------------------------------------
https://ics-cert.us-cert.gov//advisories/ICSA-14-198-03B
*** Siemens SIMATIC S7-1500 CPU Denial of Service ***
---------------------------------------------
Siemens produced a new firmware version that mitigates a denial of service vulnerability in SIMATIC S7-1500 CPU.
---------------------------------------------
https://ics-cert.us-cert.gov//advisories/ICSA-14-226-01
*** 7 Places to Check for Signs of a Targeted Attack in Your Network ***
---------------------------------------------
Targeted attacks are designed to circumvent existing policies and solutions within the target network, thus making their detection a big challenge. As we've stressed in our previous entry about common misconceptions about targeted attacks, there is no one-size-fits-all solution against it; enterprises need to arm themselves with protection that can provide sensors where needed, as well as IT...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/NhRVtViIRDU/
*** Security: vulnerabilities in update servers endanger millions of routers ***
---------------------------------------------
Through several vulnerabilities in providers' auto configuration servers, attackers could distribute manipulated firmware to millions of routers. There are also flaws in the associated communication protocol.
---------------------------------------------
http://www.golem.de/news/security-luecken-in-update-servern-gefaehrden-mill…
*** Internet Explorer: outdated ActiveX controls to be blocked later ***
---------------------------------------------
Microsoft postpones the blocking of outdated versions of Java and other controls to September. The reason is complaints from some admins.
---------------------------------------------
http://www.heise.de/security/meldung/Internet-Explorer-Veraltete-ActiveX-St…
*** No mail delivery: Spamhaus lists Web.de, GMX and 1&1 ***
---------------------------------------------
Spamhaus today accidentally listed United Internet's mail servers. Sending mail was not possible for several hours. (Spam, E-Mail)
---------------------------------------------
http://www.golem.de/news/mailserver-spamhaus-listet-web-de-gmx-und-1-1-1408…
*** VB2014 preview: Optimized mal-ops. Hack the ad network like a boss ***
---------------------------------------------
Researchers Vadim Kotov and Rahul Kashyap to discuss how advertisements are the new exploit kits. In the weeks running up to VB2014 (the 24th Virus Bulletin International Conference), we will look at some of the research that will be presented at the event. In the second of this series, we look at the paper Optimized mal-ops. Hack the ad network like a boss, from Vadim Kotov and Rahul Kashyap, two researchers from Bromium. "We conclude that ad networks could be leveraged to aid, or even be
---------------------------------------------
http://www.virusbtn.com/blog/2014/08_15.xml?rss
*** Ebola fear used as bait, leads to malware infection ***
---------------------------------------------
Summary: Ebola news is bait for attackers to steal login credentials and install Trojan.Zbot, W32.Spyrat, and Backdoor.Breut malware.
---------------------------------------------
http://www.symantec.com/connect/blogs/ebola-fear-used-bait-leads-malware-in…
*** FinFisher & Co. turn harmless cat videos into a weapon for cyber attacks ***
---------------------------------------------
A researcher has described in detail how attackers with access to an Internet provider's network infrastructure can inject trojans into users' traffic without the victims noticing anything.
---------------------------------------------
http://www.heise.de/security/meldung/FinFisher-Co-machen-harmlose-Katzenvid…
*** Part 1: Is your home network unwittingly contributing to NTP DDOS attacks?, (Sun, Aug 17th) ***
---------------------------------------------
For the last year or so, I have been investigating UDP DDOS attacks. In this diary I would like to spotlight a somewhat surprising scenario where a manufacturer's misconfiguration on a popular consumer device combined with a design decision in a home gateway router may make you an unwitting accomplice in amplified NTP reflection DDOS attacks. This is part 1 of the story. I will publish the conclusion Tuesday August 19th. Background: Today almost every house has consumer broadband services.
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=18547&rss
*** Web Server Attack Investigation - Installing a Bot and Reverse Shell via a PHP Vulnerability, (Sat, Aug 16th) ***
---------------------------------------------
With Windows malware getting so much attention nowadays, it's easy to forget that attackers also target other OS platforms. Let's take a look at a recent attempt to install an IRC bot written in Perl by exploiting a vulnerability in PHP. The Initial Probe: The web server received the initial probe from 46.41.128.231, an IP address that at the time was not flagged as malicious on various blacklists: HEAD / HTTP/1.0 The connection lacked the headers typically present in an HTTP request, which is why...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=18543&rss
*** ZeroLocker won't come to your rescue ***
---------------------------------------------
In recent times we've been seeing a lot of file-encrypting ransomware activity. One of the new ones we've seen pop up in the last couple of weeks is called ZeroLocker. There's indication the C&C configuration contains some errors which would prevent...
---------------------------------------------
https://securelist.com/blog/incidents/66135/zerolocker-wont-come-to-your-re…
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 13-08-2014 18:00 − Thursday 14-08-2014 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Safari: Apple fixes various security vulnerabilities ***
---------------------------------------------
During the night to Thursday, the vendor updated its in-house browser for various operating systems. Apple also provided developers with another preview version of OS X 10.9.5.
---------------------------------------------
http://www.heise.de/security/meldung/Safari-Apple-behebt-diverse-Sicherheit…
*** Vulnerability in Spotify Android App May Lead to Phishing ***
---------------------------------------------
We have discovered a vulnerability that affects versions of the Spotify app for Android older than 1.1.1. If exploited, the vulnerability can allow bad guys to control what is being displayed on the app interface. This vulnerability can potentially be abused by cybercriminals to launch phishing attacks that may result in information loss or theft.
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/ZJMVGX3NMwk/
*** Portal: Tor for mobile routers ***
---------------------------------------------
Anonymous surfing with Tor is even more secure when the software does not run on one's own computer. The Portal software integrates Tor into the OpenWrt firmware and can thus be used on selected mobile routers.
---------------------------------------------
http://www.golem.de/news/portal-tor-fuer-mobile-router-1408-108575-rss.html
*** Tiny Malware PoC: Malware Without IAT, DATA OR Resource Section ***
---------------------------------------------
Have you ever wondered about having an EXE without any entry in the IAT (Import Address Table) at all? Well, I knew that it's possible, but never saw an actual exe file without an IAT entry. So I developed an application which is 1,536 bytes and still does basic annoying malware things.
---------------------------------------------
http://www.codeandsec.com/PoC-Tiny-Malware-Without-IAT-DATA-Or-Resource-Sec…
*** SAMHAIN v3.1.2 Released ***
---------------------------------------------
The Samhain host-based intrusion detection system (HIDS) provides file integrity checking and log file monitoring/analysis, as well as rootkit detection, port monitoring, detection of rogue SUID executables, and hidden processes. Samhain has been designed to monitor multiple hosts with potentially different operating systems, providing centralized logging and maintenance, although it can also be used as a standalone application on a single host.
---------------------------------------------
http://www.toolswatch.org/2014/08/samhain-v3-1-2-released/
*** ZeroLocker ***
---------------------------------------------
Recently in the news we saw FireEye and Fox-IT provide the ability to decrypt files encrypted by older Cryptolocker variants. They used the command and control servers seized by the FBI during operation Tovar. Since they have access to those RSA keys they essentially have the password required for every single file encrypted by a Cryptolocker variant that used Evgeniy Bogachev's botnet.
---------------------------------------------
http://www.webroot.com/blog/2014/08/14/zero-locker/
*** JSA10643 - 2014-08 Security Bulletin: Juniper Secure Analytics (JSA)/Security Threat Response Manager (STRM): Multiple vulnerabilities resolved by third party software upgrades. ***
---------------------------------------------
http://kb.juniper.net/index?page=content&id=JSA10643&actp=RSS
*** JSA10642 - 2014-08 Security Bulletin: Network and Security Manager NSM: Multiple vulnerabilities ***
---------------------------------------------
http://kb.juniper.net/index?page=content&id=JSA10642&actp=RSS
*** Disqus 2.7.5 Cross Site Request Forgery / Cross Site Scripting ***
---------------------------------------------
Topic: Disqus 2.7.5 Cross Site Request Forgery / Cross Site Scripting
Risk: Medium
Text: <!-- Exploit for Disqus for Wordpress admin stored CSRF+XSS up to v2.7.5 Blog post explainer: https://www.nikcub.com/posts/...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014080064
*** Google Chrome Multiple Bugs Let Remote Users Execute Arbitrary Code and Obtain Information ***
---------------------------------------------
http://www.securitytracker.com/id/1030732
*** SSA-310688 (Last Update 2014-08-14): Denial-of-Service Vulnerability in SIMATIC S7-1500 CPU ***
---------------------------------------------
https://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_securit…
*** SSA-234763 (Last Update 2014-08-14): OpenSSL Vulnerabilities in Siemens Industrial Products ***
---------------------------------------------
https://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_securit…
Next End-of-Shift report on 2014-08-18
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 12-08-2014 18:00 − Wednesday 13-08-2014 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** (Updated 2014/8/13) Syria offline - initial analysis of BGP (and explanation) ***
---------------------------------------------
This blog post evolved over time - initially it was a mere scratchpad for notes during our initial research between 2012/11/29 and 11/30. Later, after Syria was back online again, I added a summary and some potential explanations of what might have happened at the end of this blog post.
UPDATE 2014/8/13: It seems it was the NSA that hacked a router, according to Snowden. Scroll to the end for links.
---------------------------------------------
http://www.cert.at/services/blog/20121129184048-616.html
*** MS14-AUG - Microsoft Security Bulletin Summary for August 2014 - Version: 1.0 ***
---------------------------------------------
This bulletin summary lists security bulletins released for August 2014.
With the release of the security bulletins for August 2014, this bulletin summary replaces the bulletin advance notification originally issued August 7, 2014. For more information about the bulletin advance notification service, see Microsoft Security Bulletin Advance Notification.
---------------------------------------------
https://technet.microsoft.com/en-us/library/security/MS14-AUG
*** Assessing risk for the August 2014 security updates ***
---------------------------------------------
Today we released nine security bulletins addressing 40 unique CVEs. Two bulletins have a maximum severity rating of Critical while the other seven have a maximum severity rating of Important. This table is designed to help you prioritize the deployment of updates appropriately for your environment.
Table columns: Bulletin | Most likely attack vector | Max Bulletin Severity | Max exploit-ability | Likely first 30 days impact | Platform mitigations and key notes
MS14-051 (Internet Explorer) | Victim browses
---------------------------------------------
http://blogs.technet.com/b/srd/archive/2014/08/12/assessing-risk-for-the-au…
*** Microsoft Patch Tuesday: 26 holes in Internet Explorer plugged ***
---------------------------------------------
As usual on the second Tuesday of the month, Microsoft has closed a series of security holes in Internet Explorer, Windows and other products. For IE there are 26 individual patches; one hole is already being actively exploited by attackers.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Microsoft-Patchday-26-Luecken-im-Int…
*** Cisco Unified Communications Manager and Cisco Unified Presence Server SQL Injection Vulnerability ***
---------------------------------------------
CVE-2014-3339
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Study: Firmware Plagued By Poor Encryption and Backdoors ***
---------------------------------------------
itwbennett writes: The first large-scale analysis of firmware has revealed poor security practices that could present opportunities for hackers probing the Internet of Things. Researchers with Eurecom, a technology-focused graduate school in France, developed a web crawler that plucked more than 30,000 firmware images from the websites of manufacturers including Siemens, Xerox, Bosch, Philips, D-Link, Samsung, LG and Belkin. In one instance, the researchers found a Linux kernel that was 10...
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/-X--LranmlI/story01.htm
*** Fifteen zero days found in hacker router comp romp ***
---------------------------------------------
Four routers rooted in SOHOpelessly Broken challenge
DEF CON Researchers have unveiled 15 zero day vulnerabilities in four home and small business routers as part of the SOHOpelessly Broken hacker competition in DEF CON this week.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/08/13/fifteen_zer…
*** Black Hat USA 2014 talk about hypervisor security ***
---------------------------------------------
This week I presented at Black Hat USA. The talk is titled "Poacher turned gatekeeper: lessons learned from eight years of breaking hypervisors". The main points were:
- Describe the attack surface of Type 1 and Type 2 hypervisors
- Show that despite not being 100% bulletproof, hypervisors are still the best usable way to isolate potentially...
---------------------------------------------
http://labs.bromium.com/2014/08/11/black-hat-usa-2014-talk-about-hypervisor…
*** Wireless Auditing, Intrusion Detection & Prevention System ***
---------------------------------------------
WAIDPS is an open source wireless swiss-army knife written in Python that works in a Linux environment. It is a multipurpose tool designed for auditing (penetration testing) networks, detecting wireless intrusions (WEP/WPA/WPS attacks) and also intrusion prevention (stopping a station from associating to an access point).
---------------------------------------------
http://www.ehacking.net/2014/08/wireless-auditing-intrusion-detection.html
*** SSA-635659 (Last Update 2014-08-14): Heartbleed Vulnerability in Siemens Industrial Products ***
---------------------------------------------
https://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_securit…
*** Fake Tor Browser Bundle with Trojan ***
---------------------------------------------
A deceptively genuine copy of the torproject.org site distributes a trojan. The student Julien Voisin took it apart and was able to make contact with those responsible.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Gefaelschtes-Tor-Browser-Bundle-mit-…
*** Older versions of Disqus for WordPress vulnerable ***
---------------------------------------------
A security researcher has discovered security holes in the popular Disqus plug-in for WordPress. Administrators should make sure that the corresponding updates are installed.
---------------------------------------------
http://www.heise.de/security/meldung/Aeltere-Versionen-von-Disqus-fuer-Word…
*** New Metasploit 4.10: Credentials Are the New Exploits ***
---------------------------------------------
We’ve given credentials a new boost with Metasploit 4.10. It’s now easier to manage, reuse and report on credentials as part of a penetration test.
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2014/08/13/credentia…
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 11-08-2014 18:00 − Dienstag 12-08-2014 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Adobe Security Bulletins Posted ***
---------------------------------------------
The following Security Bulletins have been posted today:
APSB14-18: Security updates available for Adobe Flash Player
http://helpx.adobe.com/security/products/flash-player/apsb14-18.html
APSB14-19: Security updates available for Adobe Reader and Acrobat
http://helpx.adobe.com/security/products/reader/apsb14-19.html
Customers of the affected products should consult the relevant Security Bulletin(s) for details.
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1118
*** Cisco Unified Communications Manager SIP Subsystem Vulnerability ***
---------------------------------------------
CVE-2014-3337
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Cisco Unified Communications Manager CTIManager Vulnerability ***
---------------------------------------------
CVE-2014-3338
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Two new Gameover Zeus variants in the wild ***
---------------------------------------------
About two months after botnet takedown efforts, new versions of the malware have surfaced in the U.S. and abroad.
---------------------------------------------
http://www.scmagazine.com/two-new-gameover-zeus-variants-in-the-wild/articl…
*** Millions of PCs Affected by Mysterious Computrace Backdoor ***
---------------------------------------------
Absolute Software's anti-theft Computrace software is mysteriously installed on brand new machines, nearly impossible to remove, and exploitable.
---------------------------------------------
http://threatpost.com/millions-of-pcs-affected-by-mysterious-computrace-bac…
*** NIST wants better SCADA security ***
---------------------------------------------
Preparing the way for a test lab
America's National Institute of Standards and Technology (NIST) wants to take a hand in addressing the SCADA industry's chronic insecurity, by building a test bed for industrial control systems.
---------------------------------------------
http://www.theregister.co.uk/2014/08/12/nist_wants_better_scada_security/
*** Command Injection allows Unauthenticated Command Bypass on multiple D-Link products ***
---------------------------------------------
The DNS-315L, DNS-320L, DNS-327L, DNS-340L, and DNS-345 have been identified as having a vulnerability in their Web-GUI application that allows malicious users to gain access to the device configuration, device operating system, and stored files without requiring log-in credentials.
---------------------------------------------
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10042
*** 2Q 2014 Security Roundup: Turning the Tables on Cyber Attacks ***
---------------------------------------------
The incidents that cropped up in the months of April to June 2014 - from the data breaches, DDoS attacks, to malware improvements and threats to privacy - highlighted the need for enterprises to craft a more strategic response against and in anticipation of security threats. There were plenty of threats to be found in the quarter. There was...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/Cf4i9ouVNiM/
*** How to hack a Macbook using just USB ***
---------------------------------------------
Yesterday, at the 2014 DEF CON hackers conference in Las Vegas, security researchers Joe Fitzpatrick and Miles Crabil demonstrated how they could directly access the memory of Apple Macbook devices using a piece of hardware they built to plug into the computer's own USB slot.
---------------------------------------------
http://www.techly.com.au/2014/08/12/hack-macbook-using-just-usb/
*** BlackBerry Z10 allowed unrestricted access over WLAN ***
---------------------------------------------
Security researchers have disclosed a vulnerability that allowed an attacker to access data on the BlackBerry Z10. The built-in file server allowed access to the phone's storage without asking for a password.
---------------------------------------------
http://www.heise.de/security/meldung/BlackBerry-Z10-erlaubte-freien-Zugriff…
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 08-08-2014 18:00 − Montag 11-08-2014 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Cisco Unity Connection SQL Injection Vulnerability ***
---------------------------------------------
CVE-2014-3336
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Splunk Bugs Permit Remote Cross-Site Scripting and Remote Authenticated Directory Traversal Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1030690
*** Incident Response with Triage-ir, (Sun, Aug 10th) ***
---------------------------------------------
In many cases having a full disk image is not an option during an incident. Imagine that you suspect that you have dozens of infected or compromised systems. Can you spend 2-3 hours making a forensic copy of the hard disks of a hundred computers? In such a situation, fast forensics is the solution. Instead of copying everything, collecting some files that may contain evidence can solve this issue. In this diary I am going to talk about an application that will collect most of...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=18509&rss
*** Verifying preferred SSL/TLS ciphers with Nmap, (Mon, Aug 11th) ***
---------------------------------------------
In the last year or two, there has been a lot of talk regarding correct usage of SSL/TLS ciphers on web servers. Due to various more or less known incidents, web sites today should use PFS (Perfect Forward Secrecy), a mechanism that is used when an SSL/TLS connection is established and symmetric keys exchanged. PFS ensures that, in case an attacker obtains the server's private key, he cannot decrypt previous SSL/TLS connections to that server. If PFS is not used (if RSA is used to
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=18513&rss
*** WordHound generates tailored dictionaries for password crackers ***
---------------------------------------------
Dictionary attacks on password hashes take a long time and are not always successful. If, however, the passwords to be tried are tailored to the target, even comparatively complicated passwords may no longer be safe.
---------------------------------------------
http://www.heise.de/newsticker/meldung/WordHound-erzeugt-massgeschneiderte-…
*** You cannot cyberhijack an airplane, but you can create mischief ***
---------------------------------------------
Hacking a plane and taking control of the aircraft is a considerably scary prospect, but two speakers at DefCon 22 in Las Vegas quashed the notion and put worries to rest.
---------------------------------------------
http://www.scmagazine.com/defcon-you-cannot-cyberhijack-an-airplane-but-you…
*** Cybercrime Report: social networks increasingly affected ***
---------------------------------------------
In 2013, 11,199 cases of cybercrime were reported in Austria. The Federal Criminal Police Office (Bundeskriminalamt) sees financial interests, boredom and hacktivism as motives. [...] New technologies will continue to favour new forms of cybercrime in future, the report says. Named were the use of "NFC" (Near Field Communication) for contactless payment transactions, but also means of transport that are being equipped with network communication capability, such as smart vehicles and drones, the report warns in conclusion.
---------------------------------------------
http://futurezone.at/netzpolitik/cybercrime-report-soziale-netzwerke-zunehm…
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 07-08-2014 18:00 − Freitag 08-08-2014 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Massive data leak ***
---------------------------------------------
Massive data leak | 6 August 2014 | Various media report that a criminal group from Russia has captured a gigantic number of credentials. See, among others: New York Times, Slate, WSJ, DerStandard, Futurezone, Heise, ... | Where the credentials really come from (the story with the botnet and SQL injection sounds a bit like a report from 2013) is also not fully clear: in other cases it was a mixture of various campaigns, both break-ins at...
---------------------------------------------
http://www.cert.at/services/blog/20140806143111-1213.html
*** Black Hat USA Talks: Investigating PowerShell Attacks ***
---------------------------------------------
Threat actors are always eager to adopt new tools, tactics, and procedures that can help them evade detection and conduct their mission. Incident responders from Mandiant have observed increasing use of PowerShell by targeted attackers to conduct command-and-control in compromised...
---------------------------------------------
http://www.fireeye.com/blog/technical/2014/08/black-hat-usa-talks-investiga…
*** IETF wants to standardise elliptic curves itself ***
---------------------------------------------
In future the IETF no longer wants to simply adopt the crypto standards recommended by NIST, but to create its own. NIST, meanwhile, continues to try to rescue its battered image as an independent body.
---------------------------------------------
http://www.heise.de/security/meldung/IETF-will-selbst-elliptische-Kurven-st…
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect WebSphere Application Server July 2014 CPU ***
---------------------------------------------
There are multiple vulnerabilities in IBM SDK Java Technology Edition that is shipped with IBM WebSphere Application Server. These issues were disclosed as part of the IBM Java SDK updates in July 2014. CVE(s): CVE-2014-4263 and CVE-2014-4244, Affected product(s) and affected version(s): IBM Java SDK shipped with IBM WebSphere Application Server Version 8.5.0.0 through 8.5.5.2, Version 8.0.0.0 through 8.0.0.9, Version 7.0.0.0 through 7.0.0.33, Version 6.1.0.0 through 6.1.0.47
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
*** Checking for vulnerabilities in the Smart Grid System, (Thu, Aug 7th) ***
---------------------------------------------
SCADA systems are not composed the same way as regular IT systems. Therefore, the risk and vulnerability assessment cannot be performed as it is done for any other IT system. The most important differences are:
- SCADA pentesting should not be done in a production environment: SCADA devices are very fragile and some activities that could be harmless to regular IT environments could be catastrophic to the process availability. Think of massive blackouts or no water supply for a city.
- SCADA
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=18499&rss
*** Wordpress: defective plugin allows admin access ***
---------------------------------------------
The Wordpress plugin Custom Contacts Form has a bug that allows attackers to obtain administrative rights over a website. A patch is already available.
---------------------------------------------
http://www.golem.de/news/wordpress-defektes-plugin-erlaubt-admin-zugriff-14…
*** Analyzing the Fake ID Android vulnerability ***
---------------------------------------------
In this video shot at Black Hat 2014 in Las Vegas, Jeff Forristal of Bluebox Security sits with Danielle Walker, reporter at SC Magazine, to discuss the Fake ID Android vulnerability.
---------------------------------------------
http://feedproxy.google.com/~r/SCMagazineHome/~3/Tp9gYIOHaFg/
*** Black Hat 2014: 75 percent of all mobile point-of-sale systems vulnerable ***
---------------------------------------------
Almost three quarters of all common mobile terminals for reading credit cards are based on the same hardware and software. Researchers have demonstrated how they bring the devices under their control and thus open the door to card fraud.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Black-Hat-2014-75-Prozent-aller-mobi…
*** Patch Tuesday: Microsoft fixes critical holes in Windows and IE ***
---------------------------------------------
On the upcoming Patch Tuesday, Microsoft will release a total of nine security updates, two of which are marked as "critical" and seven more as "important".
---------------------------------------------
http://www.heise.de/newsticker/meldung/Patchday-Microsoft-behebt-kritische-…
*** Microsoft: no more updates for older Internet Explorer versions ***
---------------------------------------------
From the beginning of 2016, Microsoft will no longer support older Internet Explorer versions. Until then, Windows users should update the web browser in order to continue receiving updates.
---------------------------------------------
http://www.heise.de/security/meldung/Microsoft-Keine-Updates-mehr-fuer-aelt…
*** How to Use Your Cat to Hack Your Neighbor's Wi-Fi ***
---------------------------------------------
Late last month, a Siamese cat named Coco went wandering in his suburban Washington, DC neighborhood. He spent three hours exploring nearby backyards. He killed a mouse, whose carcass he thoughtfully brought home to his octogenarian owner, Nancy. And while he was out, Coco mapped dozens of his neighbors' Wi-Fi networks, identifying four routers that used...
---------------------------------------------
http://feeds.wired.com/c/35185/f/661467/s/3d4f7cee/sc/10/l/0L0Swired0N0C20A…
*** HPSBHF03084 rev.1 HP PCs with UEFI Firmware, Execution of Arbitrary Code ***
---------------------------------------------
Potential security vulnerabilities have been identified with certain HP PCs with UEFI Firmware. The vulnerabilities could be exploited to allow execution of arbitrary code.
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** HPSBUX03087 SSRT101413 rev.1 - HP-UX CIFS Server (Samba), Remote Denial of Service (DoS), Execution of Arbitrary Code, Unauthorized Access ***
---------------------------------------------
Potential security vulnerabilities have been identified with HP-UX CIFS-Server (Samba). The vulnerabilities could be exploited remotely to cause a Denial of Service (DoS).
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** New Sysinternals tool helps with malware hunting ***
---------------------------------------------
With the program Sysmon, Microsoft Sysinternals' popular tool collection has gained a new tool for detecting suspicious activity on Windows computers.
---------------------------------------------
http://www.heise.de/security/meldung/Neues-Sysinternals-Tool-hilft-bei-der-…