=======================
= End-of-Shift report =
=======================
Timeframe: Montag 24-03-2014 18:00 − Dienstag 25-03-2014 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Microsoft Security Advisory (2953095): Vulnerability in Microsoft Word Could Allow Remote Code Execution - Version: 1.0 ***
---------------------------------------------
Microsoft is aware of a vulnerability affecting supported versions of Microsoft Word. At this time, we are aware of limited, targeted attacks directed at Microsoft Word 2010. The vulnerability could allow remote code execution if a user opens a specially crafted RTF file using an affected version of Microsoft Word, or previews or opens a specially crafted RTF email message in Microsoft Outlook while using Microsoft Word as the email viewer.
---------------------------------------------
http://technet.microsoft.com/en-us/security/advisory/2953095
*** Security Advisory 2953095: recommendation to stay protected and for detections ***
---------------------------------------------
Today, Microsoft released Security Advisory 2953095 to notify customers of a vulnerability in Microsoft Word. At this time, we are aware of limited, targeted attacks directed at Microsoft Word 2010. This blog will discuss mitigations and temporary defensive strategies that will help customers to protect themselves while we are working on a security update. This blog also provides some preliminary details of the exploit code observed in the wild. Mitigations and Workaround The in the wild
---------------------------------------------
http://blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095…
*** [dos] - Windows Media Player 11.0.5721.5230 - Memory Corruption PoC ***
---------------------------------------------
#[+] Exploit Title: Windows Media Player 11.0.5721.5230 Memory Corruption PoC
#[+] Date: 22-03-2014
#[+] Category: DoS/PoC
#[+] Tested on: WinXp/Windows 7 Pro
---------------------------------------------
http://www.exploit-db.com/exploits/32477
*** Security Notice- Allegro RomPager Information Disclosure Vulnerability in Multiple Huawei Routers ***
---------------------------------------------
Huawei has noticed an information disclosure vulnerability on the RomPager embedded web server, which is developed by Allegro. The vulnerability affects Huawei HG520c, MT880, and MT886 access routers.
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-notices…
*** Bugtraq: Deutsche Telekom CERT Advisory [DTC-A-20140324-001] vulnerabilities in cacti ***
---------------------------------------------
Summary:
Three vulnerabilities were found in cacti version 0.8.7g.
The vulnerabilities are:
1) Stored Cross-Site Scripting (XSS) (via URL)
2) Missing CSRF (Cross-Site Request Forgery) token allows execution of arbitrary commands
3) The use of exec-like function calls without safety checks allow arbitrary commands
---------------------------------------------
http://www.securityfocus.com/archive/1/531588
*** Bugtraq: Deutsche Telekom CERT Advisory [DTC-A-20140324-003] vulnerabilities in icinga ***
---------------------------------------------
Two vulnerabilities were found in icinga version 1.9.1.
These vulnerabilities are:
1) several buffer overflows
2) Off-by-one memory access
---------------------------------------------
http://www.securityfocus.com/archive/1/531593
*** Bugtraq: Deutsche Telekom CERT Advisory [DTC-A-20140324-002] vulnerabilities in check_mk ***
---------------------------------------------
Several vulnerabilities were found in check_mk version 1.2.2p2.
The vulnerabilities are:
1 - Reflected Cross-Site Scripting (XSS)
2 - Stored Cross-Site Scripting (XSS) (via URL)
3 - Stored Cross-Site Scripting (XSS) (via external data, no link necessary)
4 - Stored Cross-Site Scripting (XSS) (via external data on service port, no link necessary)
5 - Missing CSRF (Cross-Site Request Forgery) token allows execution of arbitrary commands
6 - Multiple use of exec-like function calls which allow arbitrary commands
7 - Deletion of arbitrary files
---------------------------------------------
http://www.securityfocus.com/archive/1/531594
*** Net-snmp snmptrapd Community String Processing Lets Remote Users Deny Service ***
---------------------------------------------
A remote user can send a specially crafted SNMP trap request with an empty community string to trigger a flaw in newSVpv() and cause the target snmptrapd service to crash.
Systems with the Perl handler enabled are affected.
---------------------------------------------
http://www.securitytracker.com/id/1029950
*** Trojan.PWS.OSMP.21 infects payment terminals ***
---------------------------------------------
March 25, 2014 Home users aren't the only ones being targeted by today's threats - various financial organisations are receiving their own share of attention from criminals who are crafting malicious applications for ATMs and payment terminals. Doctor Web has issued a warning regarding one such Trojan, namely, Trojan.PWS.OSMP.21. This malware is infecting the terminals of a major Russian payment system.
---------------------------------------------
http://news.drweb.com/show/?i=4259&lng=en&c=9
*** RSA BSAFE Micro Edition Suite (MES) 4.0.x Denial Of Service ***
---------------------------------------------
Summary:
RSA BSAFE MES 4.0.5 contains fix for a security vulnerability that could potentially be exploited by malicious users to
deny access to the affected system.
Details:
This vulnerability may cause unpredictable application behavior resulting in a server crash due to faulty certificate
chain processing logic.
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030193
*** PHP Fileinfo libmagic AWK File Processing Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability has been reported in PHP, which can be exploited by malicious people to cause a DoS (Denial of Service).
The vulnerability is caused due to an error in the libmagic library bundled in the Fileinfo extension when processing certain AWK scripts, which can be exploited to cause excessive CPU resources consumption via a specially crafted AWK script file.
---------------------------------------------
https://secunia.com/advisories/57564
*** OpenVZ update for kernel ***
---------------------------------------------
OpenVZ has issued an update for kernel. This fixes multiple vulnerabilities, which can be exploited by malicious people to potentially compromise a vulnerable system.
---------------------------------------------
https://secunia.com/advisories/57573
*** Password Hashing Competition ***
---------------------------------------------
Theres a private competition to identify new password hashing schemes. Submissions are due at the end of the month.
---------------------------------------------
https://www.schneier.com/blog/archives/2014/03/password_hashin.html
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 21-03-2014 18:00 − Montag 24-03-2014 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** NSA Targets Sys Admins to Infiltrate Networks ***
---------------------------------------------
The latest Snowden documents show how the National Security Agency targets system administrators, in particular their personal email and social media accounts, in order to access target networks.
---------------------------------------------
http://threatpost.com/nsa-targets-sys-admins-to-infiltrate-networks/104953
*** IBM Security Bulletin: IBM Security Directory Server can be affected by a vulnerability in IBM WebSphere Application Server (CVE-2014-0411) ***
---------------------------------------------
The IBM WebSphere Application Server component provided with IBM Security Directory Server is vulnerable to a transport layer security (TLS) timing attack.
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
*** BlackOS software package automates website hacking, costs $3,800 a year ***
---------------------------------------------
An updated version of a malicious software package designed to automate the process of hacking websites is being offered up on underground markets for $3,800 a year, according to a blog by Trend Micro.
---------------------------------------------
http://feedproxy.google.com/~r/SCMagazineHome/~3/yw9wyT8CoMQ/
*** WPA2 Wireless Security Crackable WIth "Relative Ease" ***
---------------------------------------------
An anonymous reader writes "Achilleas Tsitroulis of Brunel University, UK, Dimitris Lampoudis of the University of Macedonia, Greece and Emmanuel Tsekleves of Lancaster University, UK, have investigated the vulnerabilities in WPA2 and present its weakness. They say that this wireless security system might now be breached with relative ease [original, paywalled paper] by a malicious attack on a network.
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/GNlVmrhVOM4/story01.htm
*** Android update process gives malware a leg-up to evil: Indiana U ***
---------------------------------------------
Old apps get access to privileges that didnt exist when they were written Researchers from Indiana University Bloomington have tagged a vulnerability in the way Android handles updates, which they say puts practically every Android device at risk of malicious software.…
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/03/23/android_upd…
*** AWS urges developers to scrub GitHub of secret keys ***
---------------------------------------------
Devs hit with unexpected bills after leaving secret keys exposed. Amazon Web Services (AWS) is urging developers using the code sharing site GitHub to check their posts to ensure they havent inadvertently exposed their log-in credentials.
---------------------------------------------
http://www.itnews.com.au/News/375785,aws-urges-developers-to-scrub-github-o…
*** D-Link DIR-600L Cross-Site Request Forgery Vulnerability ***
---------------------------------------------
A vulnerability has been reported in D-Link DIR-600L, which can be exploited by malicious people to conduct cross-site request forgery attacks.
The application allows users to perform certain actions via HTTP requests without performing proper validity checks to verify the requests. This can be exploited to e.g. change administrative credentials when a logged-in user visits a specially crafted web page.
---------------------------------------------
https://secunia.com/advisories/57392
*** Array Networks vxAG / vAPV Undocumented Accounts Security Issues ***
---------------------------------------------
Some security issues have been reported in Array Networks vxAG and vAPV, which can be exploited by malicious people to bypass certain security restrictions.
The security issues are caused due to the device using certain undocumented user accounts with default credentials, which can be exploited to gain otherwise restricted access to the device.
---------------------------------------------
https://secunia.com/advisories/57442
*** PayPal for Android SSL Certificate Validation Security Issue ***
---------------------------------------------
MWR InfoSecurity has reported a security issue in PayPal for Android, which can be exploited by malicious people to conduct spoofing attacks.
The security issue is caused due to an error when verifying server SSL certificate within the WebHybridClient class and can be exploited to spoof a HTTPS connection and e.g. conduct Man-in-the-Middle (MitM) attacks.
---------------------------------------------
https://secunia.com/advisories/57351
*** php-font-lib "name" Cross-Site Scripting Vulnerability ***
---------------------------------------------
Daniel C. Marques has reported a vulnerability in php-font-lib, which can be exploited by malicious people to conduct cross-site scripting attacks.
Input passed via the "name" GET parameter to www/make_subset.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
---------------------------------------------
https://secunia.com/advisories/57558
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 20-03-2014 18:00 − Freitag 21-03-2014 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** Taken in phishing attack, Microsoft's unmentionables aired by hacktivists ***
---------------------------------------------
If Microsoft and eBay arent safe from social engineering attacks, who is?
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/B9IE0Uei57U/
*** Kaspersky Internet Security Regular Expression Patterns Processing Denial of Service Vulnerability ***
---------------------------------------------
CXsecurity has discovered a vulnerability in Kaspersky Internet Security, which can be exploited by malicious people to cause a DoS (Denial of Service).
The vulnerability is caused due to an error when processing regular expression patterns and can be exploited to exhaust CPU resources and render the system unusable.
---------------------------------------------
https://secunia.com/advisories/57316
*** DotNetNuke Unspecified Script Insertion Vulnerability ***
---------------------------------------------
A vulnerability has been reported in DotNetNuke, which can be exploited by malicious users to conduct script insertion attacks.
Certain unspecified input is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed.
---------------------------------------------
https://secunia.com/advisories/57429
*** WordPress WP-Filebase Download Manager Plugin Arbitrary Code Execution Vulnerability ***
---------------------------------------------
A vulnerability has been reported in the WP-Filebase Download Manager plugin for WordPress, which can be exploited by malicious users to compromise a vulnerable system.
...
Successful exploitation of this vulnerability requires access rights to upload files (e.g. "Editor" access rights).
The vulnerability is reported in version 0.3.0.03. Prior versions may also be affected.
---------------------------------------------
https://secunia.com/advisories/57456
*** Zeus variant blocks user activity with full-screen pop-ups ***
---------------------------------------------
Infected users are forced to contend with open windows, which are actually legitimate sites being displayed on their desktops.
---------------------------------------------
http://feedproxy.google.com/~r/SCMagazineHome/~3/KHHSZFOdcH0/
*** A peek inside a modular, Tor C&C enabled, Bitcoin mining malware bot ***
---------------------------------------------
Cybercriminals continue to maliciously 'innovate', further confirming the TTP (tactics, techniques and procedure) observations we made in our Cybercrime Trends 2013 assessment back in December, 2013, namely, that the diverse cybercrime ecosystem is poised for exponential growth. Standardizing the very basics of fraudulent and malicious operations, throughout the years, cybercriminals have successfully achieved a state of malicious economies of scale...
---------------------------------------------
http://feedproxy.google.com/~r/WebrootThreatBlog/~3/V6XSH_U-eoU/
*** Siemens SIMATIC S7-1200 Improper Input Validation Vulnerabilities ***
---------------------------------------------
OVERVIEWSiemens has reported two improper input validation vulnerabilities discovered separately by Prof. Dr. Hartmut Pohl of softScheck GmbH and Arne Vidström of Swedish Defence Research Agency (FOI) in Siemens' SIMATIC S7-1200 PLC. Siemens has produced a new version that mitigates these vulnerabilities.These vulnerabilities could be exploited remotely.AFFECTED PRODUCTSThe following SIMATIC S7-1200 PLC versions are affected:
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-079-01
*** Siemens SIMATIC S7-1200 Vulnerabilities ***
---------------------------------------------
OVERVIEWSiemens, Ralf Spenneberg of OpenSource Training, Lucian Cojocar of EURECOM, Sascha Zinke from the FU Berlin's work team SCADACS, and Positive Technologies' researchers (Alexey Osipov, and Alex Timorin) have identified six vulnerabilities in the Siemens SIMATIC S7-1200 CPU family. Siemens has produced a new product release that mitigates these vulnerabilities.These vulnerabilities could be exploited remotely.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-079-02
*** Cisco AsyncOS Patch , (Fri, Mar 21st) ***
---------------------------------------------
Cisco released a patch for AsyncOS, the operating system used in its E-Mail Security Appliance (ESA) and Security Management Appliance (SMA). The vulnerability is exploited by an authenticated attacker uploading a crafted blocklist file. The file has to be uploaded via FTP, so this vulnerability is only exploitable if the FTP service is enabled. Once the blacklist is pared, arbitrary commands are executed. This sounds like an OS command injection vulnerability. The parameters (assumed to be
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17839&rss
*** Linux Kernel Netfilter DCCP Processing Flaw Lets Remote Users Execute Arbitrary Code ***
---------------------------------------------
Description: A vulnerability was reported in the Linux Kernel. A remote user can execute arbitrary code on the target system.
A remote user can send specially crafted DCCP data to trigger a memory corruption flaw in 'nf_conntrack_proto_dccp.c' and execute arbitrary code on the target system.
---------------------------------------------
http://www.securitytracker.com/id/1029945
*** Horde Framework Unserialize PHP Code Execution ***
---------------------------------------------
Topic: Horde Framework Unserialize PHP Code Execution
Risk: High
Text:## # This module requires Metasploit
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030175
*** Monitoring for unusual network traffic key to banking botnet detection ***
---------------------------------------------
Malware authors have had great success targeting financial institutions in recent years, and in turn those organizations have a vested interest in improving their banking botnet detection capabilities. However, one expert says financial firms are failing because they ignore unusual network traffic.
---------------------------------------------
http://searchsecurity.techtarget.com/news/2240216637/Monitoring-for-unusual…
*** Nokia X Android smartphone security features detailed ***
---------------------------------------------
... the Nokia X comes with the required security features to protect the data stored on the device without downloading third-party security apps. The three main ways to protect the data on the Nokia X smartphone is the screen security, encryption, and SIM card lock.
---------------------------------------------
http://gadgets.ndtv.com/mobiles/news/nokia-x-android-smartphone-security-fe…
*** Linux Worm Darlloz Infects over 31,000 Devices in Four Months ***
---------------------------------------------
The worm is designed to infect computers running Intel x86 architectures, but it's also capable of infecting devices running MIPS, ARM, PowerPC architectures. Routers, set-top boxes and other devices usually have this kind of architecture. Based on its investigation, Symantec has determined that the main goal of Darlloz is to abuse infected devices for crypto-currency mining. Once it's installed on a computer, the worm installs open source mining software (cpuminer).
---------------------------------------------
http://news.softpedia.com/news/Linux-Worm-Darlloz-Infects-over-31-000-Devic…
*** Mass-Produced ATM Skimmers, Rogue PoS Terminals via 3D Printing? ***
---------------------------------------------
On several underground forums, a cybercriminal named gripper is selling ATM skimmers and fake POS terminals, and is making some very bold claims doing so: Figure 1. Underground advertisement. The cybercriminal claims that he can mass-produce VeriFone VerixV point-of-sale (PoS) devices. (Verifone is a US-based provider of POS terminals.) Some specific VeriFone products such as the Vx510...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/YmksHI4j1OM/
*** Spotlight on Java SE 8 Security ***
---------------------------------------------
March 18, 2014 was the long anticipated release of Java SE 8. I though I would spotlight some of the key security features of Java 8 for readers. First, many are not aware of security improvements made to Java 7. Let's begin with a quick review the Java SE 7 security features that were rolled into Java SE 8.
---------------------------------------------
http://www.securitycurmudgeon.com/2014/03/20/spotlight-on-java-se-8-securit…
*** IBM Security Bulletin: IBM WebSphere MQ Internet Pass-Thru - Potential denial of service on the command port listener (CVE-2013-5401) ***
---------------------------------------------
A denial of service vulnerability exists and could be exploited by a remotely connected user to stop the remote administration service. CVE(s): CVE-2013-5401 Affected product(s) and affected version(s): WebSphere MQIPT 2.1.0.0 WebSphere MQIPT 2.0.x Refer to the following reference URLs for remediation and additional vulnerability details: Source Bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21666863 X-Force Database: http://xforce.iss.net/xforce/xfdb/87297
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
*** OpenSSL ECDSA Nonces Recovery Weakness ***
---------------------------------------------
Yuval Yarom and Naomi Benger have reported a weakness in OpenSSL, which can be exploited by malicious, local users to disclose certain sensitive information.
---------------------------------------------
https://secunia.com/advisories/57091
*** OpenSSH "child_set_env()" Security Bypass Security Issue ***
---------------------------------------------
The security issue is caused due to an error within the "child_set_env()" function (usr.bin/ssh/session.c) and can be exploited to bypass intended environment restrictions by using a substring before a wildcard character.
---------------------------------------------
https://secunia.com/advisories/57488
*** Oracle VirtualBox 3D Acceleration Multiple Privilege Escalation Vulnerabilities ***
---------------------------------------------
Core Security has reported multiple vulnerabilities in Oracle VirtualBox, which can be exploited by malicious, local users in a guest virtual machine to gain escalated privileges.
---------------------------------------------
https://secunia.com/advisories/57384
*** Cisco Hosted Collaboration Solution Packet Processing Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability has been reported in Cisco Hosted Collaboration Solution, which can be exploited by malicious people to cause a DoS (Denial of Service).
---------------------------------------------
https://secunia.com/advisories/57496
*** Video zeigt Jailbreak von iOS 7.1 ***
---------------------------------------------
Ein Entwickler hat seine Arbeit an einem Jailbreak von iOS 7.1 demonstriert. Apple hatte mit dem jüngsten iOS-Update die Schwachstellen geschlossen, die für den letzten Jailbreak zum Einsatz kamen.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Video-zeigt-Jailbreak-von-iOS-7-1-21…
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 19-03-2014 18:00 − Donnerstag 20-03-2014 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
*** ZBOT Adds Clickbot Routine To Arsenal ***
---------------------------------------------
The ZeuS/ZBOT malware family is probably one of the most well-known malware families today . It is normally known for stealing credentials associated with online banking accounts. However, ZBOT is no one-trick pony. Some ZBOT variants perform other routines like downloading or dropping other threats like ransomware. We recently came across one variant detected as TROJ_ZCLICK.A,...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/rrelQiGbzao/
*** New BlackOS Software Package Sold In Underground Forums ***
---------------------------------------------
We recently came across this particular post in an underground forum: Figure 1. Underground forum post This particular post in Russian was advertising a new product, known as "BlackOS". Contrary to the name, it is not an operating system. However, it is definitely "black", or malicious: it is used to manage and redirect Internet traffic...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/mA8O58qz-TQ/
*** Phishing: Gehackter EA-Server hostet falsche Apple-Webseite ***
---------------------------------------------
Kriminelle Hacker haben auf Servern des Spieleherstellers Electronic Arts eine gefälschte Webseite untergebracht, die Apple-IDs samt Passwörtern und Kreditkarteninformationen verlangt. Wie viele Nutzer ihre Daten dort eingegeben haben, ist nicht bekannt.
---------------------------------------------
http://www.golem.de/news/phishing-gehackter-ea-server-hostet-falsche-apple-…
*** "goto fail": Apple drängt Nutzer zum Update ***
---------------------------------------------
Der Mac-Hersteller fordert inzwischen dazu auf, das Update auf OS X 10.9.2 alsbald möglich zu installieren - falls noch nicht geschehen. Ältere Versionen von OS X Mavericks und iOS weisen eine gravierende SSL-Schwachstelle auf.
---------------------------------------------
http://www.heise.de/security/meldung/goto-fail-Apple-draengt-Nutzer-zum-Upd…
*** Android: Sicherheitslücken wegen fehlender Updates bleiben Problem ***
---------------------------------------------
70 Prozent aller Android-Geräte weltweit besitzen eine Browser-Lücke, glaubt ein Forscher. Der simple Aufruf einer Website reicht, um sie auszunutzen.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Android-Sicherheitsluecken-wegen-feh…
*** Analysis: Spam report: February 2014 ***
---------------------------------------------
The share of spam in global email traffic decreased by 7.6 percentage points and averaged 65.7% in January. As forecasted, the drop in the share of spam was due to a lull early in January when there is less business activity and a large number of botnets are turned off.
---------------------------------------------
http://www.securelist.com/en/analysis/204792328/Spam_report_February_2014
*** Protokollanalyse: Mogeln im Quizduell ***
---------------------------------------------
Entwickler verlassen sich zu sehr auf HTTPS und verzichten auf grundlegende Sicherheitsmaßnahmen. Über eine Man-in-the-Middle-Attacke konnten Security-Forscher in den Datenverkehr zwischen App-Server und Apps hineinsehen - und entdeckten Sonderbares.
---------------------------------------------
http://www.golem.de/news/protokollanalyse-mogeln-im-quizduell-1403-105276-r…
*** Cisco IronPort AsyncOS Software for ESA and SMA File Validation Flaw Lets Remote Authenticated Users Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1029937
*** SA-CONTRIB-2014-033 - Nivo Slider - Cross Site Scripting ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2014-033Project: Nivo Slider (third-party module)Version: 7.xDate: 2014-March-19Security risk: Moderately criticalExploitable from: RemoteVulnerability: Cross Site ScriptingDescriptionNivo Slider provides a way to showcase featured content. Nivo Slider gives administrators a simple method of adding slides to the slideshow, an administration interface to configure slideshow settings, and simple slider positioning using the Drupal block system.The module doesnt...
---------------------------------------------
https://drupal.org/node/2221481
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 18-03-2014 18:00 − Mittwoch 19-03-2014 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
*** Apache Update Resolves Security Vulnerabilities ***
---------------------------------------------
Apache has released version 2.4.9 of its ubiquitous HTTP web server (HTTPD), resolving two security vulnerabilities and a number of other bugs in the process.
---------------------------------------------
http://threatpost.com/apache-update-resolves-security-vulnerabilities/104849
*** Ebury-Rootkit: Zombie-Server greifen täglich eine halbe Million Rechner an ***
---------------------------------------------
Zu den Opfern der Malware-Kampagne "Operation Windigo" gehören unter anderem kernel.org und cPanel. Die mit dem Ebury-Rootkit infizierten Server versenden Spam und attackieren Besucher der kompromittierten Webseiten.
---------------------------------------------
http://www.heise.de/security/meldung/Ebury-Rootkit-Zombie-Server-greifen-ta…
*** Wide Gap Between Attackers, BIOS Forensics Research ***
---------------------------------------------
Advanced attackers are ahead of researchers when it comes to understanding firmware vulnerabilities and BIOS forensics, experts from MITRE and Intel said during last weeks CanSecWest.
---------------------------------------------
http://threatpost.com/wide-gap-between-attackers-bios-forensics-research/10…
*** Avast-Toolbar mit Shopping-Spion ***
---------------------------------------------
Die Browser-Toolbar, die unter anderem mit der Antivirensoftware auf den Rechner gelangt, schaut dem Nutzer beim Einkaufen über die Schulter und baut Konkurrenzangebot in die Shop-Seiten ein.
---------------------------------------------
http://www.heise.de/security/meldung/Avast-Toolbar-mit-Shopping-Spion-21496…
*** Data suggests Android malware threat greatly overhyped ***
---------------------------------------------
Its no secret that many in the security industry perceive Google Inc.s Android mobile platform to be plagued by malware, but Android security team lead Adrian Ludwig has made it his mission to eradicate the disingenuous meme of the burgeoning Android malware apocalypse.
---------------------------------------------
http://searchsecurity.techtarget.com/news/2240216335/Data-suggests-Android-…
*** Mailingliste Full Disclosure macht dicht ***
---------------------------------------------
Die bekannte Sicherheits-Mailingliste wurde von ihrem Betreiber bis auf weiteres geschlossen. Full Disclosure war in der Vergangenheit immer wieder Schauplatz der Enthüllung wichtiger Sicherheitslücken.
---------------------------------------------
http://www.heise.de/security/meldung/Mailingliste-Full-Disclosure-macht-dic…
*** 10 Years of Mobile Malware: How Secure Are You? ***
---------------------------------------------
Believe it or not, but it has been 10 years since the first mobile malware was created! On the infographic below, you can see a brief overview of the most important malware events in the past 10 years, with a short description of each of them.
---------------------------------------------
https://www.linkedin.com/today/post/article/20140316112657-67886711-10-year…
*** New Exploits Arrive for Old PHP Vulnerability ***
---------------------------------------------
New exploits for a two-year-old PHP vulnerability popped up in October that allow hackers to run code on websites running vulnerable versions of the web development framework.
---------------------------------------------
http://threatpost.com/new-exploits-arrive-for-old-php-vulnerability/104881
*** Fake Tor browser for iOS laced with adware, spyware, members warn ***
---------------------------------------------
Title available since November raises questions about App Store vetting process.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/qB_-ioinSh4/
*** WordPress Subscribe To Comments Reloaded Plugin Cross-Site Request Forgery Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/57015
*** Moodle Multiple Security Issues and Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/57331
*** Samba smbcacls security bypass ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/91849
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 17-03-2014 18:00 − Dienstag 18-03-2014 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Google's Public DNS Hijacked for 22 Minutes ***
---------------------------------------------
The attackers hijacked the 8.8.8.8/32 DNS server for approximately 22 minutes. According to BGPmon, networks in Brazil and Venezuela were impacted. A screenshot published by the company shows that the traffic was redirected to BT Latin America's networks.
---------------------------------------------
http://news.softpedia.com/news/Google-s-Public-DNS-Hijacked-for-22-Minutes-…
*** Anonymisierung: Sniper-Angriff legt Tor-Nodes lahm ***
---------------------------------------------
Mit einer sogenannten Sniper-Attacke können Angreifer nicht nur gezielt einzelne Tor-Knoten außer Gefecht setzen, sondern innerhalb von wenige Minuten das gesamte Netzwerk lahmlegen. Ein Patch wurde bereits erarbeitet.
---------------------------------------------
http://www.golem.de/news/anonymisierung-sniper-angriff-legt-tor-nodes-lahm-…
*** Scans for FCKEditor File Manager, (Mon, Mar 17th) ***
---------------------------------------------
FCKEditor (now known as CKEditor [1]) is a popular full featured GUI editor many web sites use. For example, you frequently find it with blog systems like WordPress or as part of commenting/forum systems. As an additional feature, a filemanager can be added to allow users to upload images or other files. Sadly, while a very nice and functional plugin, this features if frequently not well secured and can be used to upload malicious files. We have seen some scans probing specifically...
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17821&rss
*** Hintergründe des Typo3-Hacks weiter im Dunkeln ***
---------------------------------------------
Die Typo3 Association hat keine Informationen zu der Schwachstelle hinter dem Casino-Spam-Hack, der viele Typo3-Webseiten betrifft, und vermutet, dass der Hack andere Ursachen hat. Seiten ohne Typo-Installation sollen ebenfalls betroffen sein.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Hintergruende-des-Typo3-Hacks-weiter…
*** Hidden Windigo UNIX ZOMBIES are EVERYWHERE ***
---------------------------------------------
Check and wipe: The la-la-la-its-not-happening plan is no good Hackers using a Trojan seized control of over 25,000 Unix servers worldwide to create a potent spam and malware distribution platform.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/03/18/windigo_uni…
*** Threatglass Tool Gives Deep Look Inside Compromised Sites ***
---------------------------------------------
Trying to enumerate the compromised sites on the Internet is a Sisyphian task. Luckily, it's not a task that anyone really needs to perform any longer, especially now that Barracuda Labs has released its new Threatglass tool, a Web-based frontend that allows users to query a massive database of compromised sites to get detailed information...
---------------------------------------------
http://threatpost.com/threatglass-tool-gives-deep-look-inside-compromised-s…
*** March 2014 Security Bulletin Webcast and Q&A ***
---------------------------------------------
Today we published the March 2014 Security Bulletin Webcast Questions & Answers page. We answered eight questions in total, with the majority focusing on the updates for Windows (MS14-016) and Internet Explorer (MS14-012). One question that was not answered on air has been included on the Q&A page.
---------------------------------------------
http://blogs.technet.com/b/msrc/archive/2014/03/17/march-2014-security-bull…
*** When ASLR makes the difference ***
---------------------------------------------
We wrote several times in this blog about the importance of enabling Address Space Layout Randomization mitigation (ASLR) in modern software because it's a very important defense mechanism that can increase the cost of writing exploits for attackers and in some cases prevent reliable exploitation. In today's blog, we'll go through ASLR one more time to show in practice how it can be valuable to mitigate two real exploits seen in the wild and to suggest solutions for programs...
---------------------------------------------
https://blogs.technet.com/b/srd/archive/2014/03/12/when-aslr-makes-the-diff…
*** Red Hat plans unified security management for Fedora 21 ***
---------------------------------------------
One crypto policy to bind them Red Hat is planning a significant change to how its Fedora Linux distribution handles crypto policy, to ship with the due-in-late-2014 Fedora 21 release.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/03/18/red_hat_pla…
*** Open-Xchange AppSuite 7.4.1 / 7.4.2 Cross Site Scripting ***
---------------------------------------------
Topic: Open-Xchange AppSuite 7.4.1 / 7.4.2 Cross Site Scripting Risk: Low Text:Product: Open-Xchange AppSuite Vendor: Open-Xchange GmbH Internal reference: 31065 Vulnerability type: Cross Site Scriptin...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030134
*** Security Advisory-Y.1731 Vulnerability on Some Huawei Switches ***
---------------------------------------------
Y.1731 is an ITU-T recommendation for OAM features on Ethernet-based networks. Y.1731 provides connectivity detection, diagnosis, and performance monitoring for VLAN/VSI services on MANs.
Some Huawei switches support Y.1731 and therefore, has the Y.1731 vulnerability in processing special packets. The vulnerability causes the restart of switches (Vulnerability ID: HWPSIRT-2013-1165).
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-advisor…
*** OpenSSH AcceptEnv Wildcard Processing Flaw May Let Remote Authenticated Users Bypass Environment Restrictions ***
---------------------------------------------
http://www.securitytracker.com/id/1029925
*** DSA-2880 python2.7 ***
---------------------------------------------
security update
---------------------------------------------
http://www.debian.org/security/2014/dsa-2880
*** Bugtraq: 2014 World Conference on IST - Madeira Island, April 15-17 ***
---------------------------------------------
The 2014 World Conference on Information Systems and Technologies
---------------------------------------------
http://www.securityfocus.com/archive/1/531513
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 14-03-2014 18:00 − Montag 17-03-2014 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Security Exploit Patched on vBulletin - PHP Object Injection ***
---------------------------------------------
The vBulletin team just issued a warning, and released patches for a security exploit that affected all versions of vBulletin including 3.5, 3.6, 3.7, 3.8, 4.X, 5.X. They recommend that anyone using vBulletin apply these patches as soon as possible. Here is part of their announcement: A security issue has been found that affects all...
---------------------------------------------
http://blog.sucuri.net/2014/03/security-exploit-patched-on-vbulletin-php-ob…
*** Pwn2Own results for Wednesday (Day One) ***
---------------------------------------------
At Pwn4Fun, Google delivered a very impressive exploit against Apple Safari launching Calculator as root on Mac OS X. ZDI presented a multi-stage exploit, including an adaptable sandbox bypass, against Microsoft Internet Explorer, launching Scientific Calculator (running in medium integrity) with continuation.
---------------------------------------------
http://www.pwn2own.com/2014/03/pwn2own-results-for-wednesday-day-one/
*** Pwn2Own results for Thursday (Day Two) ***
---------------------------------------------
... Vulnerabilities were successfully presented on Thursday in the Pwn2Own competition ... against Google Chrome, Microsoft Internet Explorer, Apple Safari, Mozilla Firefox, Adobe Flash.
---------------------------------------------
http://www.pwn2own.com/2014/03/pwn2own-results-thursday-day-two/
*** Verschlüsselung: Caesar-Wettbewerb sucht authentifizierte Verschlüsselung ***
---------------------------------------------
Die erste Runde des Caesar-Wettbewerbs hat begonnen. Das Ziel: Kryptografen suchen bessere Algorithmen für authentifizierte Verschlüsselung.
---------------------------------------------
http://www.golem.de/news/verschluesselung-caesar-wettbewerb-sucht-authentif…
*** The Long Tail of ColdFusion Fail ***
---------------------------------------------
Earlier this month, I published a story about a criminal hacking gang using Adobe ColdFusion vulnerabilities to build a botnet of hacked e-commerce sites that were milked for customer credit card data. Todays post examines the impact that this botnet has had on several businesses, as well as the important and costly lessons these companies learned from the intrusions.
---------------------------------------------
http://krebsonsecurity.com/2014/03/the-long-tail-of-coldfusion-fail/
*** Webstorage-App von Asus schwächelt erneut bei SSL ***
---------------------------------------------
Eine eigentlich behobene SSL-Lücke in der Android-App für den Asus-Onlinespeicher Webstorage ist auferstanden: Die aktuelle App-Version überpüft nicht das vom Onlinespeicher übermittelte Serverzertifikat.
---------------------------------------------
http://www.heise.de/security/meldung/Webstorage-App-von-Asus-schwaechelt-er…
*** iOS 7 has weak random number generator ***
---------------------------------------------
Trivial to break, says researcher In an effort to improve iDevice security, Apple replaced its internal random number generator between iOS 6 and iOS 7 - but a security researcher believes Cupertino inadvertently downgraded security.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/03/16/ios_7_has_w…
*** VU#381692: Webmin contains a cross-site scripting vulnerability ***
---------------------------------------------
Vulnerability Note VU#381692 Webmin contains a cross-site scripting vulnerability Original Release date: 14 Mar 2014 | Last revised: 14 Mar 2014 Overview Webmin 1.670, and possibly earlier versions, contains a cross-site scripting vulnerability. Description CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Webmin 1.670, and possibly earlier versions, contains a cross-site scripting vulnerability in the "search" parameter of the view.cgi...
---------------------------------------------
http://www.kb.cert.org/vuls/id/381692
*** Siemens SIMATIC S7-1500 CPU Firmware Vulnerabilities ***
---------------------------------------------
Siemens and Positive Technology researchers (Yury Goltsev, Llya Karpov, Alexey Osipov, Dmitry Serebryannikov and Alex Timorin) have identified nine firmware vulnerabilities in the Siemens SIMATIC S7-1500 CPU Firmware. Siemens has produced a patch that mitigates these vulnerabilities.These vulnerabilities could be exploited remotely. ---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-073-01
*** OpenX 2.8.11 Cross Site Request Forgery ***
---------------------------------------------
Topic: OpenX 2.8.11 Cross Site Request Forgery Risk: Low Text: Hello, Multiple cross-site request forgery (CSRF) vulnerabilities in OpenX 2.8.11and earlier allows remote attackers to ...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030121
*** iOS 7 Arbitrary Code Execution ***
---------------------------------------------
When a specific value is supplied in USB Endpoint descriptor for a HID device the Apple device kernel panics and reboots
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030126
*** GNU Readline Insecure usage of temporary files ***
---------------------------------------------
Topic: GNU Readline Insecure usage of temporary files Risk: Medium Text: Whilst auditing some code for insecure uses of temporary files I spotted a potential area of concern in GNU readline. (...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030129
*** HPSBNS02969 rev.1 - HP NonStop Servers running Java 7, Multiple Remote Vulnerabilities affecting Confidentiality, Integrity and Availability ***
---------------------------------------------
Potential vulnerabilities have been identified with HP NonStop Servers running Java 7. The vulnerabilities could be exploited remotely affecting confidentiality, integrity and availability.
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 13-03-2014 18:00 − Freitag 14-03-2014 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** Bugtraq: [ MDVSA-2014:057 ] mediawiki ***
---------------------------------------------
Updated mediawiki packages fix multiple vulnerabilities:
---------------------------------------------
http://www.securityfocus.com/archive/1/531452
*** Vuln: Mutt Mailreader mutt_copy_hdr() Function Heap Based Buffer Overflow Vulnerability ***
---------------------------------------------
Mutt mailreader is prone to a heap-based buffer-overflow vulnerability.
Successful exploitation of this issue allow an attacker to execute arbitrary code in the context of the application, failed attempts lead to denial-of-service.
Mutt prior to 1.5.23 are vulnerable.
---------------------------------------------
http://www.securityfocus.com/bid/66165
*** Schneider Electric StruxureWare SCADA Expert ClearSCADA Parsing Vulnerability ***
---------------------------------------------
OVERVIEW
Andrew Brooks identified and reported to The Zero Day Initiative (ZDI) a File Parsing Vulnerability: Schneider Electric StruxureWare SCADA Expert ClearSCADA ServerMain.exe OPF File Parsing Vulnerability. Schneider Electric has prepared workarounds and helped develop security upgrades for a third‑party component that is affected.AFFECTED PRODUCTSThe following SCADA Expert ClearSCADA versions are affected:
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-072-01
*** VU#807134: WatchGuard Fireware XTM devices contain a cross-site scripting vulnerability ***
---------------------------------------------
Vulnerability Note VU#807134 WatchGuard Fireware XTM devices contain a cross-site scripting vulnerability
...
Overview WatchGuard Fireware XTM 11.8.1, and possibly earlier versions, contains a cross-site scripting vulnerability.
---------------------------------------------
http://www.kb.cert.org/vuls/id/807134
*** Squid Flaw in SSL-Bump Lets Remote Users Deny Service ***
---------------------------------------------
A remote user can send HTTPS requests to trigger a flaw in SSL-Bump and cause the target service to crash.
Specially crafted requests are not required to trigger this vulnerability.
---------------------------------------------
http://www.securitytracker.com/id/1029908
*** Wireshark NFS/M3UA/RLC Dissector Bugs Let Remote Users Deny Service and MPEG Buffer Overflow Lets Remote Users Execute Arbitrary Code ***
---------------------------------------------
Several vulnerabilities were reported in Wireshark. A remote user can cause arbitrary code to be executed on the target user's system. A remote user can cause denial of service conditions.
---------------------------------------------
http://www.securitytracker.com/id/1029907
*** Blogs of War: Don’t Be Cannon Fodder ***
---------------------------------------------
On Wednesday, KrebsOnSecurity was hit with a fairly large attack which leveraged a feature in more than 42,000 blogs running the popular WordPress content management system (this blog runs on WordPress). This post is an effort to spread the word to other WordPress users to ensure their blogs arent used in attacks going forward.
---------------------------------------------
http://feedproxy.google.com/~r/KrebsOnSecurity/~3/TMHH3NsEOxo/
*** Cisco Cloud Portal Discloses Cryptographic Material That Lets Remote Users Decrypt Data ***
---------------------------------------------
A vulnerability was reported in Cisco Cloud Portal. A local user can obtain cryptographic material. A remote user with access to the cryptographic material can then decrypt data.
The Cisco Intelligent Automation for Cloud (Cisco IAC) binaries include fixed cryptographic material. A remote user that can access encrypted data from the target Cisco IAC installation can decrypt the data.
---------------------------------------------
http://www.securitytracker.com/id/1029915
*** Google Docs Users Targeted by Sophisticated Phishing Scam ***
---------------------------------------------
We see millions of phishing messages every day, but recently, one stood out: a sophisticated scam targeting Google Docs and Google Drive users.The scam uses a simple subject of "Documents" and urges the recipient to view an important document on Google Docs by clicking on the included link.read more
---------------------------------------------
http://www.symantec.com/connect/blogs/google-docs-users-targeted-sophistica…
*** McAfee Email Gateway Input Validation Flaws Let Remote Authenticated Users Inject SQL and Operating System Commands ***
---------------------------------------------
Several vulnerabilities were reported in McAfee Email Gateway. A remote authenticated user can execute arbitrary operating system commands on the target system. A remote authenticated user can inject SQL commands.
---------------------------------------------
http://www.securitytracker.com/id/1029916
*** Firefox Exec Shellcode From Privileged Javascript Shell ***
---------------------------------------------
Topic: Firefox Exec Shellcode From Privileged Javascript Shell
Risk: Medium
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030113
*** A decade of securing Europe’s cyber future. The EU’s cyber security Agency ENISA is turning ten, and is looking at future challenges. ***
---------------------------------------------
In the “eternal marathon” against cyber criminals, there is a “constant, increasing need for ENISA”.
---------------------------------------------
http://www.enisa.europa.eu/media/press-releases/a-decade-of-securing-europe…
*** lighttpd Directory Traversal and SQL Injection Vulnerabilities ***
---------------------------------------------
Two vulnerabilities have been reported in lighttpd, which can be exploited by malicious people to disclose potentially sensitive information and conduct SQL injection attacks.
...
Successful exploitation requires mod_evhost and/or mod_simple_vhost modules to be enabled.
---------------------------------------------
https://secunia.com/advisories/57333
*** Samsung Backdoor May Not Be as Wide Open as Initially Thought ***
---------------------------------------------
... As demonstrated in a proof-of-concept attack, this allowed certain baseband code to gain access to a device’s storage under a specific set of circumstances. But upon closer inspection, this backdoor is most likely not as bad as it was initially made out to be.
---------------------------------------------
http://www.xda-developers.com/android/samsung-backdoor-may-not-be-as-wide-o…
*** EU-Parlament stimmt für Meldepflicht von Cyberangriffen ***
---------------------------------------------
Die Abgeordneten haben mit großer Mehrheit, aber einigen Änderungen einen Richtlinienentwurf der EU-Kommission zur Netz- und Informationssicherheit beschlossen. Mitgliedsländer sollen ihre Kooperationen stärken.
---------------------------------------------
http://www.heise.de/newsticker/meldung/EU-Parlament-stimmt-fuer-Meldepflich…
*** Gameover ZeuS Jumps on the Bitcoin Bandwagon ***
---------------------------------------------
Were always asking our analysts the following question: seen anything interesting? And yesterday, the answer to our query was this: Gameover ZeuS has some additional strings.Very interesting, indeed.Heres a screenshot of the decrypted strings: • aBitcoinQt_exe • aBitcoind_exe • aWallet_dat • aBitcoinWallet • aBitcoinWalle_0Bitcoin wallet stealing has really moved up from the bush leagues. Gameover ZeuS is a pro.Analysis is ongoing.Heres the SHA1:
---------------------------------------------
http://www.f-secure.com/weblog/archives/00002685.html
*** Target staff IGNORED security alerts as hackers slurped 40m customers card details ***
---------------------------------------------
Reports say staff dithered while hackers went to town Staff at US retailer Target failed to stop the theft of 40 million credit card records last December despite an escalating series of alarms from the companys security systems.…
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/03/14/target_fail…
*** Debian Security Advisory DSA-2879-1 libssh -- security update ***
---------------------------------------------
It was discovered that libssh, a tiny C SSH library, did not reset the state of the PRNG after accepting a connection. A server mode application that forks itself to handle incoming connections could see its children sharing the same PRNG state, resulting in a cryptographic weakness and possibly the recovery of the private key.
---------------------------------------------
http://www.debian.org/security/2014/dsa-2879
*** Sophos UTM TCP Stack Memory Leak Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability has been reported in Sophos UTM, which can be exploited by malicious people to cause a DoS (Denial of Service).
The vulnerability is caused due to an error within TCP stack and can be exploited to cause a memory leak.
The vulnerability is reported in versions prior to 9.109.
---------------------------------------------
https://secunia.com/advisories/57344
*** Blog: Analysis of, Malware from the MtGox leak archive ***
---------------------------------------------
A few days ago the personal blog and Reddit account of MTgox CEO, Mark Karpeles, were hacked. Attackers used them to post a file, MtGox2014Leak.zip, which they claim contains valuable database dumps and specialized software for remote access to MtGox data. But this application is actually malware created to search and steal Bitcoin wallet files from their victims. It seems that the whole leak was invented to infect computers with Bitcoin-stealer malware that takes advantage of people keen interest in the MtGox topic.
---------------------------------------------
http://www.securelist.com/en/blog/8196/Analysis_of_Malware_from_the_MtGox_l…
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 12-03-2014 18:00 − Donnerstag 13-03-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Decoding Domain Generation Algorithms (DGAs) Part III - ZeusBot DGA Reproduction ***
---------------------------------------------
At this point, you can go ahead and close the two parent processes (since we are not interested in their functionality, for the sake of simply finding the DGA). So we know that we are interested in discovering how this traffic is generated. So let's try to find out where it originates. Earlier, using API Monitor, we saw that explorer was using several functions within WinINet.dll:...
---------------------------------------------
http://vrt-blog.snort.org/2014/03/decoding-domain-generation-algorithms.html
*** F-Secure im Interview: "Wir erkennen Staatstrojaner und wollen das nicht ändern" ***
---------------------------------------------
Von Regierungen erstellte Malware muss nicht immer so schlecht sein wie 0zapftis, der bayerische Staatstrojaner. Für F-Secures Virenforscher Mikko Hypponen ist entscheidend, dass Anti-Malwareunternehmen auch künftig uneingeschränkt arbeiten können, wie er im Gespräch mit Golem.de sagte.
---------------------------------------------
http://www.golem.de/news/f-secure-im-interview-wir-erkennen-staatstrojaner-…
*** WordPress XML-RPC PingBack Vulnerability Analysis ***
---------------------------------------------
There were news stories this week outlining how attackers are abusing the XML-PRC "pingback" feature of WordPress blog sites to launch DDoS attacks on other sites. This blog post will provide some analysis on this attack and additional information for websites to protect themselves. Not A New Vulnerabilty The vulnerability in WordPresss XML-RPC API is not new. Here is data from the WordPress bug tracker from 7 years ago. While the vulnerability itself is not new,...
---------------------------------------------
http://feedproxy.google.com/~r/SpiderlabsAnterior/~3/MklfK5l9jYY/wordpress-…
*** A Detailed Examination of the Siesta Campaign ***
---------------------------------------------
Executive Summary FireEye recently looked deeper into the activity discussed in TrendMicro's blog and dubbed the "Siesta" campaign. The tools, modus operandi, and infrastructure used in the campaign present two possibilities: either the Chinese cyber-espionage unit APT1 is perpetrating this...
---------------------------------------------
http://www.fireeye.com/blog/technical/targeted-attack/2014/03/a-detailed-ex…
*** LightsOut EK Targets Energy Sector ***
---------------------------------------------
Late last year, the story broke that threat actors were targeting the energy sector with Remote Access Tools and Intelligence gathering malware. It would seem that the attackers responsible for this threat are back for more. This particular APT struck late February between 2/24-2/26. The attack began as a compromise of a third party law firm which includes an energy law practice known as
---------------------------------------------
http://feedproxy.google.com/~r/zscaler/research/~3/S2HhvPupa_0/lightsout-ek…
*** Trojan.Skimer.19 threatens banks ***
---------------------------------------------
March 4, 2014 Malware infecting the electronic innards of ATMs is not exactly a common phenomenon, so whenever such new kinds of programs emerge, they inevitably draw the attention of security specialists. Doctor Webs virus analysts got hold of a sample of Trojan.Skimer.19 which can infect ATMs. According to Doctor Web, banking system attacks involving Trojan.Skimer.19 persist to this day. Similar to its predecessors, the Trojan has its main payload incorporated into a dynamic link library...
---------------------------------------------
http://news.drweb.com/show/?i=4267&lng=en&c=9
*** Trojan.Rbrute hacks Wi-Fi routers ***
---------------------------------------------
March 5, 2014 Doctor Webs security researchers examined Trojan.Rbrute malware, which is designed to crack Wi-Fi router access passwords using brute force and change the DNS server addresses specified in the configuration of these devices. Criminals use this malicious program to spread the file infector known as Win32.Sector. When launched on a Windows computer, Trojan.Rbrute establishes a connection with the remote server and stands by for instructions. One of them provides the Trojan with a...
---------------------------------------------
http://news.drweb.com/show/?i=4271&lng=en&c=9
*** Anatomy of a Control Panel Malware Attack, Part 1 ***
---------------------------------------------
Recently we've discussed how Control Panel (CPL) malware has been spreading in Latin America. In the past, we've analyzed in some detail how CPL malware works as well as the overall picture of how this threat spreads. In this post, we shall examine in detail how they spread, and how they relate with other malicious sites.
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/v3D2zLGXolU/
*** Ethical hacker backer hacked, warns of email ransack ***
---------------------------------------------
Switches registrars, tightens security after upsetting incident The IT security certification body that runs the Certified Ethical Hacker programme has itself been hacked.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/03/13/ethical_hac…
*** Samsung: Galaxy-Geräte haben eine Backdoor im Modem-Prozessor ***
---------------------------------------------
In mehreren Smartphones und Tablets aus Samsungs Galaxy-Modellreihe wurde eine Backdoor im Modem-Prozessor entdeckt. Diese könnte von Angreifern dazu verwendet werden, auf die Daten auf dem Smartphone oder Tablet zuzugreifen oder auch Daten zu verändern, um so Schadsoftware zu verbreiten. (Smartphone, Samsung)
---------------------------------------------
http://www.golem.de/news/samsung-galaxy-geraete-haben-eine-backdoor-im-mode…
*** Google hackt Mac OS X für den guten Zweck ***
---------------------------------------------
Das Sicherheitsteam des Suchmaschinen-Riesen hat einen brisanten Angriff auf Mac OS X demonstriert: Beim Aufruf einer Webseite mit Safari wurde Code als root ausgeführt. Das Schau-Hacken fand in einer neuen Kategorie des Wettbewerbs Pwn2Own statt.
---------------------------------------------
http://www.heise.de/security/meldung/Google-hackt-Mac-OS-X-fuer-den-guten-Z…
*** Metasploit Weekly Update: Theres a Bug In Your Brain ***
---------------------------------------------
The most fun module this week, in my humble opinion, is from Rapid7's own Javascript Dementer, Joe Vennix. Joe wrote up this crafty implementation of a Safari User-Assisted Download and Run Attack, which is not technically a vulnerability or a bug or anything -- it's a feature that ends up being a kind of a huge risk. Here's how it goes:...
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2014/03/13/metasploi…
*** TCIPG Seminar: Dynamic Data Attacks on Real-Time Power System Operations ***
---------------------------------------------
With increasing dependence on modern information and communication technology, a future smart grid is potentially more vulnerable to coordinated cyber attacks launched by an adversary. In this talk, we consider several possible attack mechanisms aimed at disrupting real-time operations of a power grid. In particular, we are interested in dynamic attack strategies on the power system state estimation that lead to infeasible real-time dispatch and disrupt the real-time market operation.
---------------------------------------------
http://tcipg.org/news/TCIPG-Seminar-2014-Mar-7-Tong
*** Security update available for Adobe Shockwave Player ***
---------------------------------------------
Adobe has released a security update for Adobe Shockwave Player 12.0.9.149 and earlier versions on the Windows and Macintosh operating systems. This update addresses a critical vulnerability that could potentially allow an attacker to remotely take control of the affected system.
---------------------------------------------
http://helpx.adobe.com/security/products/shockwave/apsb14-10.html
*** Security Bulletin: Multiple security vulnerabilities exist in IBM InfoSphere Information Server (CVE-2013-4057, CVE-2013-4058 and CVE-2013-4059) ***
---------------------------------------------
Security vulnerabilities exist in various versions of IBM InfoSphere Information Server or constituent products. See the individual descriptions for details. CVE(s): CVE-2013-4057, CVE-2013-4058, and CVE-2013-4059 Affected product(s) and affected version(s): IBM InfoSphere Information Server Versions 8.0, 8.1, 8.5, 8.7, and 9.1 running on all platforms
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_mul…
*** Bugtraq: PowerArchiver: Uses insecure legacy PKZIP encryption when AES is selected (CVE-2014-2319) ***
---------------------------------------------
http://www.securityfocus.com/archive/1/531440
*** SA-CONTRIB-2014-031 - Webform Template - Access Bypass ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2014-031Project: Webform Template (third-party module)Version: 7.xDate: 2014-March-12Security risk: Less criticalExploitable from: RemoteVulnerability: Access BypassDescriptionThis module enables you to copy webform config from one node to another.The module doesnt respect node access when providing possible nodes to copy from. As a result, a user may be disclosed the titles of nodes he does not have view access to and as such he may be able to copy the webform...
---------------------------------------------
https://drupal.org/node/2216607
*** SA-CONTRIB-2014-030 - SexyBookmarks - Information Disclosure ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2014-030Project: SexyBookmarks (third-party module)Version: 6.xDate: 2014-March-12Security risk: Moderately criticalExploitable from: RemoteVulnerability: Information DisclosureDescriptionThe SexyBookmarks module is a port of the WordPress SexyBookmarks plug-in. The module adds social bookmarking using the Shareaholic service.The module discloses the private files location when Drupal 6 is configured to use private files.This vulnerability is mitigated by the fact...
---------------------------------------------
https://drupal.org/node/2216269
*** Mitsubishi Electric Automation MC-WorX Suite Unsecure ActiveX Control ***
---------------------------------------------
This advisory is a follow-up to the original alert, titled ICS-ALERT-13-259-01 Mitsubishi MC-WorX Suite Unsecure ActiveX Control,a published September 16, 2013, on the NCCIC/ICS‑CERT web site (this was originally incorrectly identified as MC-WorkX, the correct product name is MC-WorX).
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-051-02
*** Cisco Intelligent Automation for Cloud Cryptographic Implementation Issues ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** GNUpanel 0.3.5_R4 Cross Site Request Forgery / Cross Site Scripting ***
---------------------------------------------
Topic: GNUpanel 0.3.5_R4 Cross Site Request Forgery / Cross Site Scripting Risk: Medium Text:# Exploit Title :GNUpanel 0.3.5_R4 - Multiple Vulnerabilities # Vendor Homepage :http://wp.geeklab.com.ar/gl-en/gnupanel...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030098
*** Proxmox Mail Gateway 3.1 Cross Site Scripting ***
---------------------------------------------
Topic: Proxmox Mail Gateway 3.1 Cross Site Scripting Risk: Low Text:I. VULNERABILITY - Multiplus XSS in Proxmox Mail Gateway 3.1 II. BACKGROUND - Proxmox Mail G...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030097
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 11-03-2014 18:00 − Mittwoch 12-03-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** When ASLR makes the difference ***
---------------------------------------------
We wrote several times in this blog about the importance of enabling Address Space Layout Randomization mitigation (ASLR) in modern software because it's a very important defense mechanism that can increase the cost of writing exploits for attackers and in some cases prevent reliable exploitation. In today's blog, we'll go through ASLR one more time to show in practice how it can be valuable to mitigate two real exploits seen in the wild and to suggest solutions for programs...
---------------------------------------------
http://blogs.technet.com/b/srd/archive/2014/03/11/when-aslr-makes-the-diffe…
*** Zeus-in-the-mobile variant uses security firms name to gain victims trust ***
---------------------------------------------
Android users are tricked into installing a spurious "security" app, which allows fraudsters to bypass one-time password authentication for online banking.
---------------------------------------------
http://feedproxy.google.com/~r/SCMagazineHome/~3/uCKACIRIxoI/
*** BB10s dated crypto lets snoops squeeze the juice from your BlackBerry ***
---------------------------------------------
BEAST will attack your sensitive web traffic, warns poster BlackBerry BB10 OS uses dated protocols that leave users at risk to known cryptographic attacks, according to a security researcher.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/03/12/bb10_dated_…
*** WhatsApp erweitert Einstellungen zur Privatsphäre und bleibt trotzdem unsicher ***
---------------------------------------------
Der Schutz der Privatsphäre bleibt in WhatsApp löchrig: Zwar können andere Nutzer durch das neueste Update nicht mehr sehen, wann man zuletzt im Chat online war, aber die Chats können wohl komplett durch andere Android-Apps ausgelesen werden.
---------------------------------------------
http://www.heise.de/security/meldung/WhatsApp-erweitert-Einstellungen-zur-P…
*** iOS 7.1: Innenraumortung iBeacon schwerer abzustellen ***
---------------------------------------------
Nach dem Update auf Apples jüngsten Mobilbetriebssystem reicht es nicht aus, eine Anwendung, die das Indoor-Tracking nutzt, zu schließen - selbst nach einem Geräteneustart funkt iBeacon fleißig weiter.
---------------------------------------------
http://www.heise.de/security/meldung/iOS-7-1-Innenraumortung-iBeacon-schwer…
*** Is it the ISPs Fault if Your Home Broadband Router Gets Hacked? ***
---------------------------------------------
As consumers we have a right to be huffy at our ISPs when something goes wrong. But is the Internet provider still to blame if, as in the recent cases of AAISP and now PlusNet, your home broadband router ends up being hijacked by a DNS redirection exploit?
---------------------------------------------
http://www.ispreview.co.uk/index.php/2014/03/isps-fault-home-broadband-rout…
*** Blog: Agent.btz: a source of inspiration? ***
---------------------------------------------
The past few days has seen an extensive discussion within the IT security industry about a cyberespionage campaign called Turla, aka Snake and Uroburos, which, according to G-DATA experts, may have been created by Russian special services.
---------------------------------------------
http://www.securelist.com/en/blog/8191/Agent_btz_a_source_of_inspiration
*** Yokogawa CENTUM CS 3000 Vulnerabilities ***
---------------------------------------------
Juan Vazquez of Rapid7 Inc.,a and independent researcher Julian Vilas Diaz have identified several buffer overflow vulnerabilities and released proof-of-concept (exploit) code for the Yokogawa CENTUM CS 3000 application. CERT/CC, NCCIC/ICS-CERT, and JPCERT have coordinated with Rapid7 and Yokogawa to mitigate these vulnerabilities.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-070-01
*** SSA-456423 (Last Update 2014-03-12): Vulnerabilities in SIMATIC S7-1500 CPU ***
---------------------------------------------
https://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_securit…
*** VMSA-2014-0002 ***
---------------------------------------------
VMware vSphere updates to third party libraries
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2014-0002.html
*** Apple Safari OSX code execution ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/91654
*** WordPress WP SlimStat Plugin URL Script Insertion Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/57305
*** Bugtraq: CORE-2014-0002 - Oracle VirtualBox 3D Acceleration Multiple Memory Corruption Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/531418
*** Vuln: MediaWiki text Prameter HTML Injection Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/65906
*** Vuln: MediaWiki CVE-2014-2242 Cross Site Scripting Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/65910
*** [webapps] - ZyXEL Router P-660HN-T1A - Login Bypass ***
---------------------------------------------
http://www.exploit-db.com/exploits/32204