=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 05-08-2014 18:00 − Mittwoch 06-08-2014 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Another Bypass Identified in PayPal 2FA ***
---------------------------------------------
A security researcher has uncovered a simple method for bypassing the two-factor authentication mechanism that PayPal uses to protect accounts that are tied to eBay accounts. The vulnerability is related to the way that the login flow works when a user is prompted to connect her eBay account to her PayPal account. The eBay and...
---------------------------------------------
http://threatpost.com/another-bypass-identified-in-paypal-2fa/107605
*** Mozilla zukünftig mit zentralen Sperrlisten ***
---------------------------------------------
Sichere Internet-Verbindungen erfordern Mechanismen, kompromittierte Zertifikate als ungültig zu erklären. Die aktuellen Verfahren dazu funktionieren jedoch nicht. Zukünftig soll das bei Firefox und Co die OneCRL richten.
---------------------------------------------
http://www.heise.de/security/meldung/Mozilla-zukuenftig-mit-zentralen-Sperr…
*** Researchers release CryptoLocker decryption tool ***
---------------------------------------------
Tool uses private keys found in database of victims.The CryptoLocker ransomware is one of the nastiest pieces of malware to have targeted Internet users in recent years. The malware uses strong file encryption (more particularly, AES encryption with a key that has been encrypted using an RSA-2048 private key) to deny the user access to their files unless they pay a ransom of around US$300. At a time when we often seem to be learning about accidental or intentional vulnerabilities in encryption,...
---------------------------------------------
http://www.virusbtn.com/blog/2014/08_06.xml?rss
*** CipherShed ***
---------------------------------------------
CipherShed is free (as in free-of-charge and free-speech) encryption software for keeping your data secure and private. It started as a fork of the now-discontinued TrueCrypt Project.
---------------------------------------------
http://n0where.net/ciphershed/
*** Web-Fu - Chrome extension for pentesting web applications ***
---------------------------------------------
Chrome extension for pentesting web applications. Web-fu Is a web hacking tool focused on discovering and exploiting web vulnerabilitites.
---------------------------------------------
http://hack-tools.blackploit.com/2014/08/web-fu-chrome-extension-for-pentes…
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 04-08-2014 18:00 − Dienstag 05-08-2014 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Synology - erste Informationen bezüglich "Synolocker" ***
---------------------------------------------
Special Notes SynoLocker Message Issue - If NAS is not infected: First, close all open ports for external access for now. Backup the data on the DiskStation and update DSM to the latest version. Synology will provide further information as soon as possible if you are vulnerable. If NAS is infected, first do not trust (and ignore) any unauthorized, non-Synology messages or emails. Hard shut down the DiskStation to prevent any further issues.
---------------------------------------------
https://myds.synology.com/support/support_form.php?lang=us
*** Synolocker: Why OFFLINE Backups are important, (Tue, Aug 5th) ***
---------------------------------------------
One current threat causing a lot of sleepless nights to victims is "Cryptolocker" like malware. Various variations of this type of malware are still haunting small businesses and home users by encrypting files and asking for ransom to obtain the decryption key. Your best defense against this type of malware is a good backup. Shadow volume copies may help, but arent always available and complete. In particular for small businesses, various simple NAS systems have become popular over
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=18481&rss
*** Ubuntu-Sperrbildschirm verliert Tastatureingaben ***
---------------------------------------------
Eine jetzt geschlossene Sicherheitslücke im Sperrbildschirm der Linux-Distribution Ubuntu könnte zur Folge haben, dass Nutzer ihr Passwort aus Versehen öffentlich im Internet bekanntgeben.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Ubuntu-Sperrbildschirm-verliert-Tast…
*** Barracuda Web Application Firewall Reusable URL-Based Authentication Tokens Let Remote Users Bypass Authentication ***
---------------------------------------------
http://www.securitytracker.com/id/1030665
*** Evernote Patches Vulnerability in Android App ***
---------------------------------------------
We have previously discussed an Android vulnerability that may lead to user data being captured or used to launch attacks. We discovered that the popular Android app for Evernote contained the said vulnerability. We disclosed the details to Evernote, and they took action by issuing an update to the Android version of their app. Evernote has added additional...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/BBLQmuk3RrQ/
*** Symantec Endpoint Protection Local Client Application Device Control Buffer Overflow ***
---------------------------------------------
Revisions None Severity CVSS2Base ScoreImpactExploitabilityCVSS2 VectorSEP Local Client ADC Buffer Overflow- Medium6....
---------------------------------------------
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se…
*** Bugtraq: SEC Consult SA-20140805-0 :: Multiple vulnerabilities in Readsoft Invoice Processing and Process Director ***
---------------------------------------------
http://www.securityfocus.com/archive/1/533024
*** A Peek Into the Lions Den - The Magnitude [aka PopAds] Exploit Kit ***
---------------------------------------------
Recently we managed to have an unusual peek into the content that is used on the servers of the prevalent exploit kit, Magnitude. In this blog post we'll review its most up-to-date administration panel and capabilities, as well as review some infection statistics provided by Magnitude over the course of several weeks. These days, after the arrest of Paunch, Blackhole exploit kit creator, exploit kit developers and sellers have learned their lesson regarding doing business in the
---------------------------------------------
http://blog.spiderlabs.com/2014/08/a-peek-into-the-lions-den-the-magnitude-…
*** Vulnerability in Spotify Android App May Lead to Phishing ***
---------------------------------------------
We have discovered a vulnerability that affects versions of the Spotify app for Android older than 1.1.1. If exploited, the vulnerability can allow bad guys to control what is being displayed on the app interface. This vulnerability can be potentially abused by cybercriminals to launch phishing attacks that may result to information loss or theft.
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/GZKakDZwRhw/
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 01-08-2014 18:00 − Montag 04-08-2014 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** ZDI-14-273: AlienVault OSSIM av-centerd Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of AlienVault OSSIM. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-14-273/
*** Remote code execution on Android devices ***
---------------------------------------------
You walk into a coffee shop and take a seat. While waiting for your coffee, you take out your smartphone and start playing a game you downloaded the other day. Later, you go to work and check your email in the elevator. Without you knowing, an attacker has just gained a foothold in your corporate...
---------------------------------------------
http://labs.bromium.com/2014/07/31/remote-code-execution-on-android-devices/
*** POWELIKS: Malware Hides In Windows Registry ***
---------------------------------------------
We spotted a malware that hides all its malicious codes in the Windows Registry. The said tactic provides evasion and stealth mechanisms to the malware, which Trend Micro detects as TROJ_POWELIKS.A. When executed, TROJ_POWELIKS.A downloads files, which can cause further system infection. Systems affected by this malware risk being infected by other malware, thus causing further...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/OEAKGdXwSnc/
*** All Samba 4.x.x are vulnerable to a remote code execution vulnerability in the nmbd NetBIOS name services daemon, (Sat, Aug 2nd) ***
---------------------------------------------
A remote code execution in nmbd (the NetBIOS name services daemon) has been found in Samba versions 4.0.0 to 4.1.10. ( assgined CVE-2014-3560) and a patch has been release by the team at samba.org. Heres the details from http://www.samba.org/samba/security/CVE-2014-3560 =========== Description =========== All current versions of Samba 4.x.x are vulnerable to a remote code execution vulnerability in the nmbd NetBIOS name services daemon. A malicious browser can send packets that may overwrite
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=18471&rss
*** TP-Link TL-WR740N v4 arbitrary shell command execution ***
---------------------------------------------
Topic: TP-Link TL-WR740N v4 arbitrary shell command execution Risk: High Text:# Exploit Title: TP-Link TL-WR740N v4 router (FW-Ver. 3.16.6 Build 130529 Rel.47286n) arbitrary shell command execution # Dat...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014080013
*** Verschlüsselungstrojaner attackiert Synology-Speichersysteme ***
---------------------------------------------
Cyber-Erpresser haben einen neuen, direkten Weg gefunden, um das digitale Hab und Gut ihrer Opfer als Geisel zu nehmen: Sie nutzen eine Sicherheitslücke in der NAS-Firmware, um den gesamten Netzwerkspeicher zu verschlüsseln.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Verschluesselungstrojaner-attackiert…
*** China boots Kaspersky and Symantec off security contractor list ***
---------------------------------------------
Foreign firms dropped from roll of approved infosec vendors Kaspersky Labs and Symantec have both been booted off China's list of approved security vendors for government agencies, as the country continues to tighten up against foreign tech firms in the wake of the NSA indiscriminate surveillance revelations.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/08/04/kaspersky_s…
*** Bugtraq: ownCloud Unencrypted Private Key Exposure ***
---------------------------------------------
http://www.securityfocus.com/archive/1/533010
*** Backdoor Techniques in Targeted Attacks ***
---------------------------------------------
Backdoors are an essential part of targeted attacks, as they allow an external threat actor to exercise control over any compromised machines. These allow the threat actor to collect information and move laterally within the targeted organization. Our investigations into various targeted attacks have showed that a wide variety of tactics are used by backdoors to carry out...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/fHW4IPov8YE/
*** IBM Security Bulletin: Multiple vulnerabilities in current releases of the IBM WebSphere Real Time ***
---------------------------------------------
Java SE issues disclosed in the Oracle July 2014 Critical Patch Update, plus 1 additional vulnerability CVE(s): CVE-2014-3086, CVE-2014-4227, CVE-2014-4262, CVE-2014-4219, CVE-2014-4209, CVE-2014-4220, CVE-2014-4268, CVE-2014-4218, CVE-2014-4252, CVE-2014-4266, CVE-2014-4265, CVE-2014-4221, CVE-2014-4263, CVE-2014-4244 and CVE-2014-4208 Affected product(s) and affected version(s): IBM WebSphere Real Time Version 3 Service Refresh 7 and earlier Refer to the following reference URLs for
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
*** IBM Security Bulletin: Security vulnerabilities in Apache Tomcat in Rational DOORS Web Access ***
---------------------------------------------
The Apache Tomcat application server in installations of IBM Rational DOORS Web Access version contains security vulnerabilities. CVE(s): CVE-2013-4322, CVE-2013-4590, CVE-2014-0096, CVE-2014-0099 and CVE-2014-0119 Affected product(s) and affected version(s): Rational DOORS Web Access version 9.6.0.x, 9.5.2.x, 9.5.1.x, 9.5.0.x, 1.5.0.x, 1.4.0.4 Refer to the following reference URLs for remediation and additional vulnerability details: Source Bulletin:
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin…
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 31-07-2014 18:00 − Freitag 01-08-2014 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Russian ransomware author takes the easy route ***
---------------------------------------------
Symantec Security Response has observed a new variant of ransomcrypt malware which is easy to update and uses open source components to encrypt files. The variant, detected as Trojan.Ransomcrypt.L, uses a legitimate open source implementation of the OpenPGP standard to encrypt files on the victim’s computer. The threat then displays a ransom notice in Russian, asking the user to pay in order to unlock the files.
---------------------------------------------
http://www.symantec.com/connect/blogs/russian-ransomware-author-takes-easy-…
*** Announcing EMET 5.0 ***
---------------------------------------------
Today, we are excited to announce the general availability of the Enhanced Mitigation Experience Toolkit (EMET) 5.0. As many of you already know, EMET is a free tool, designed to help customers with their defense in depth strategies against cyberattacks, by helping detect and block exploitation techniques ..
---------------------------------------------
http://blogs.technet.com/b/srd/archive/2014/07/31/announcing-emet-v5.aspx
*** Backoff - Technical Analysis ***
---------------------------------------------
As discussed in the an advisory published by US-CERT, Trustwave SpiderLabs has discovered a previously unidentified family of Point of Sale (PoS) malware. This blog post serves as a technical analysis of the Backoff malware family. While a number ..
---------------------------------------------
http://blog.spiderlabs.com/2014/07/backoff-technical-analysis.html
*** BadUSB: Wenn USB-Geräte böse werden ***
---------------------------------------------
Wer die Firmware eines USB-Sticks kontrolliert, kann den zu einem perfekten Trojaner umfunktionieren. Deutsche Forscher zeigen, dass das komplett via Software möglich ist und sich damit ganz neue Infektions-Szenarien eröffnen.
---------------------------------------------
http://www.heise.de/security/meldung/BadUSB-Wenn-USB-Geraete-boese-werden-2…
*** Backups - The Forgotten Website Security Pillar ***
---------------------------------------------
I travel a lot (a lot might actually be an understatement these days), but the travel always revolves around a couple common threads - namely website security education and awareness. In these travels, regardless of the community I am engaging with, there are always common questions ..
---------------------------------------------
http://blog.sucuri.net/2014/07/backups-the-forgotten-website-security-pilla…
*** The Severe Flaw Found in Certain File Locker Apps ***
---------------------------------------------
Protecting data has always been one of the most important aspects of our digital life. Given the amount of activity done on smartphones, this is especially rings true for smartphones. While users may use the built-in privacy and security settings of their devices, others take it a step further and employ security ..
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/the-severe-flaw-…
*** MediaWiki Input Validation Flaws Permit Cross-Site Scripting and Clickjacking Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1030660
*** Offensive Security reports of Symantec Endpoint Protection zero-day vulnerability (July 2014) ***
---------------------------------------------
This Knowledge Base article will be updated as further information becomes available. Please subscribe to this document to receive update notifications automatically. To mitigate this issue while research is underway and solutions are being identified, uninstall or disable the sysplant driver.
---------------------------------------------
http://www.symantec.com/business/support/index?page=content&id=TECH223338
*** Backdoor.Gates: Also Works for Windows ***
---------------------------------------------
We have received reports about a Linux malware known as Backdoor.Gates. Analysis showed that this malware has the following features ..
---------------------------------------------
http://www.f-secure.com/weblog/archives/00002728.html
*** SubSTATION Server Telegyr 8979 Master Vulnerabilities ***
---------------------------------------------
This advisory provides mitigation details for a Buffer Overflow Vulnerability in the SUBNET Solutions Inc (SUBNET), SubSTATION Server 2, Telegyr 8979 Master ..
---------------------------------------------
http://ics-cert.us-cert.gov//advisories/ICSA-14-196-01
*** Yes, Hackers Could Build an iPhone Botnet - Thanks to Windows ***
---------------------------------------------
A reminder to Apple and smug iPhone owners: Just because iOS has never been the victim of a widespread malware outbreak doesn't mean mass iPhone hacking isn't still possible. Now one group of security researchers plans ..
---------------------------------------------
http://www.wired.com/2014/08/yes-hackers-could-build-an-iphone-botnetthanks…
*** Citadel Malware Variant Allows Attackers Remote Access, Even After Removal ***
---------------------------------------------
A new variant of the Citadel banking Trojan has been discovered where the attackers are using Windows remote shell commands to be enable Remote Desktop Protocol access, even if the malware is discovered and removed.
---------------------------------------------
http://threatpost.com/citadel-malware-variant-allows-attackers-remote-acces…
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 30-07-2014 18:00 − Donnerstag 31-07-2014 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Innominate mGuard Unauthorized Leakage of System Data ***
---------------------------------------------
Exploitation of this vulnerability could allow a remote unauthenticated user access to release configuration information. While this is a minor vulnerability, it represents a method for further network reconnaissance.
---------------------------------------------
http://ics-cert.us-cert.gov//advisories/ICSA-14-189-02
*** How safe is your quantified self? Tracking, monitoring, and wearable tech ***
---------------------------------------------
Self-tracking enthusiasts are generating a torrent of personal information through apps and devices. Is this data safe from prying eyes?
---------------------------------------------
http://www.symantec.com/connect/blogs/how-safe-your-quantified-self-trackin…
*** Why the Security of USB Is Fundamentally Broken ***
---------------------------------------------
Computer users pass around USB sticks like silicon business cards. Although we know they often carry malware infections, we depend on antivirus scans and the occasional reformatting to keep our thumbdrives from becoming the carrier for the ..
---------------------------------------------
http://www.wired.com/2014/07/usb-security/
*** TA14-212A: Backoff Point-of-Sale Malware ***
---------------------------------------------
“Backoff” is a family of PoS malware and has been discovered recently. The malware family has been witnessed on at least three separate forensic investigations. Researchers have identified three primary variants to the “Backoff” malware including ..
---------------------------------------------
https://www.us-cert.gov/ncas/alerts/TA14-212A
*** Takedowns: Touchdown or Turnover? ***
---------------------------------------------
Over the last several months malware takedowns have made headlines. But what is really involved in such an operation? The recent takedowns have been a collaborative effort mostly between the private sector and government entities, with academic researchers also playing a role. While some operations included arrests, and others included a civil lawsuit, ..
---------------------------------------------
http://www.seculert.com/blog/2014/07/takedowns-touchdown-or-turnover.html
*** 3 security mistakes small companies make and how to avoid them ***
---------------------------------------------
Dedicated IT staff are a luxury most very small businesses do without but those organisations still need to find a way to secure their computers against cyber ciminals who arent looking to cut them a break just because they're small.
---------------------------------------------
http://nakedsecurity.sophos.com/2014/07/31/3-security-mistakes-small-compan…
*** How to Hunt Down Phishing Kits ***
---------------------------------------------
Sites like phishtank and clean-mx act as crowdsourced phishing detection and validation. By knowing how to look, you can consistently find interesting information about how attackers work, and the tools they use to conduct phishing campaigns. This post will give an example of how phishing kits are used, how to find them, as well as show a case study into other ..
---------------------------------------------
https://jordan-wright.github.io/blog/2014/07/30/how-to-hunt-down-phishing-k…
*** Spy of the Tiger ***
---------------------------------------------
A recent report documents a group of attackers known as 'PittyTiger' that appears to have been active since at least 2011; however, they may have been operating as far back as 2008. We have been monitoring the activities of this ..
---------------------------------------------
http://www.fireeye.com/blog/technical/threat-intelligence/2014/07/spy-of-th…
*** Angriff auf Videospiele-Hersteller: Hacker haben es auf Quellcode abgesehen ***
---------------------------------------------
Die Hacker der "Threat Group 3279" sind seit Jahren aktiv und versuchen, Quellcode von Spielen zu stehlen und die Sicherheitsvorkehrungen der dazugehörigen DRM-Systeme zu knacken. Die Gruppe soll aus China stammen.
---------------------------------------------
http://www.heise.de/security/meldung/Angriff-auf-Videospiele-Hersteller-Hac…
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 29-07-2014 18:00 − Mittwoch 30-07-2014 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** 22 Jump Street, Transformers Are Top Movie Lures for Summer ***
---------------------------------------------
Summertime has become synonymous with blockbuster movies. Unfortunately, these movies have become a go-to social engineering lure used by cybercriminals. Just like in previous years, Trend Micro engineers searched for possible threats related to movies released during the summer. This year, 22 Jump Street was the top movie used for social ..
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/22-jump-street-t…
*** Google Android Certificate Chain Validation Flaw Lets Applications Gain Elevated Privileges ***
---------------------------------------------
The software does not properly validate an application's certificate chain. An application can supply a specially crafted application identity certificate to impersonate a privileged application and gain access to vendor-specific device administration extensions.
---------------------------------------------
http://www.securitytracker.com/id/1030654
*** Erpressungs-Trojaner CTB-Locker verschlüsselt sicher und verwischt Spuren ***
---------------------------------------------
Wenn man diesem Schädling zum Opfer fällt, gibt es wenig Hoffnung für die eigenen Daten. Diese sind mit State-of-the-Art-Verschlüsselung gesichert und der Trojaner kommuniziert nur verschlüsselt über das Tor-Netz mit seinen Kontrollservern.
---------------------------------------------
http://www.heise.de/security/meldung/Erpressungs-Trojaner-CTB-Locker-versch…
*** Symantec Endpoint Protection 0day ***
---------------------------------------------
In a recent engagement, we had the opportunity to audit the Symantec Antivirus Endpoint Protection solution, where we found a multitude of vulnerabilities. Some of these made it to CERT, while others have been scheduled for review during our upcoming AWE course at Black Hat 2014, Las Vegas. Ironically, the same software that was meant to protect the organization under review was the reason for its compromise.
---------------------------------------------
http://www.offensive-security.com/vulndev/symantec-endpoint-protection-0day/
*** Scan Shows Possible Heartbleed Fix Failures ***
---------------------------------------------
Of more than 1,600 Global 2000 firms, only 3% of their public-facing servers have been fully and properly locked down from the Heartbleed vulnerability that was first revealed ..
---------------------------------------------
http://www.darkreading.com/vulnerabilities---threats/vulnerability-manageme…
*** Tor security advisory: "relay early" traffic confirmation attack ***
---------------------------------------------
On July 4 2014 we found a group of relays that we assume were trying to deanonymize users. They appear to have been targeting people who operate or access Tor hidden services. The attack involved modifying Tor protocol headers to do traffic confirmation attacks.
---------------------------------------------
https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-…
*** Internet of Things: Kreditkartennummern und das Passwort 1234 ***
---------------------------------------------
Hersteller von vernetzten Geräten gehen sorglos mit deren Sicherheit um. Kaputte Webinterfaces, überflüssige Kreditkarteninformationen und zu einfache Passwörter wie 1234 machen viele Geräte angreifbar.
---------------------------------------------
http://www.golem.de/news/internet-of-things-kreditkartennummern-und-das-pas…
*** Multiple vulnerabilities in Kunena Forum Extension for Joomla ***
---------------------------------------------
http://www.securityfocus.com/archive/1/532933http://www.securityfocus.com/archive/1/532932
*** Multiple vulnerabilities in SAP products ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/94932http://xforce.iss.net/xforce/xfdb/94931http://xforce.iss.net/xforce/xfdb/94930http://xforce.iss.net/xforce/xfdb/94922http://xforce.iss.net/xforce/xfdb/94923http://xforce.iss.net/xforce/xfdb/94921
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 28-07-2014 18:00 − Dienstag 29-07-2014 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Critroni/Onion - Newest Addition to Encrypting Ransomware ***
---------------------------------------------
In my last blog post about a week ago, I talked about how Cryptolocker and the like are not dead and we will continue to see more of them in action. It's a successful 'business model' and I don't see it going away anytime soon. Not even a few days after my post a new encrypting ransomware emerged. This ..
---------------------------------------------
http://www.webroot.com/blog/2014/07/25/critroni-new-encrypting-ransomware/
*** Interesting HTTP User Agent "chroot-apach0day", (Mon, Jul 28th) ***
---------------------------------------------
Our reader Robin submitted the following detect: Ive got a site that was scanned this morning by a tool that left these entries in the logs: [HTTP_USER_AGENT] => chroot-apach0day ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=18453
*** Cisco Prime Data Center Network Manager Input Validation Flaw Permits Cross-Site Scripting Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1030652
*** Hacker klauten Pläne für Israels Raketenschild "Iron Dome" ***
---------------------------------------------
Bei einem Hackerangriff auf drei israelische Waffenschmieden sollen Hacker der chinesischen Regierung in den Jahren 2011 und 2012 haufenweise wichtige Daten zu dem Raketenabwehrsystem erbeutet haben. Die Angreifer sollen der Spezialeinheit 61398 angehören.
---------------------------------------------
http://www.heise.de/security/meldung/Hacker-klauten-Plaene-fuer-Israels-Rak…
*** Android crypto blunder exposes users to highly privileged malware ***
---------------------------------------------
The majority of devices running Google's Android operating system are susceptible to hacks that allow malicious apps to bypass a key security sandbox so they can steal user credentials, read e-mail, and access payment histories and other sensitive data, researchers have warned.
---------------------------------------------
http://arstechnica.com/security/2014/07/android-crypto-blunder-exposes-user…
*** Changes in the Asprox Botnet ***
---------------------------------------------
In this blog post, we took a quick overview of Asprox's functions and saw the updates that it has made to its C&C code. With added RSA encryption, another C&C command, and updated messaging format, it does not look like Asprox will stop evolving. We will continue to monitor Asprox for any changes and will keep you updated.
---------------------------------------------
https://blog.fortinet.com/Changes-in-the-Asprox-Botnet/
*** How Cybercrime Exploits Digital Certificates ***
---------------------------------------------
Security experts recognize 2011 as the worst year for certification authorities. The number of successful attacks against major companies reported during the year has no precedent, many of them had serious consequences.
---------------------------------------------
http://resources.infosecinstitute.com/cybercrime-exploits-digital-certifica…
*** Security: Antivirenscanner machen Rechner unsicher ***
---------------------------------------------
Ein Datenexperte hat sich aktuelle Virenscanner angesehen. Viele seien durch einfache Fehler angreifbar, meint er. Da sie tief ins System eingreifen, stellen sie eine besondere Gefahr dar - obwohl sie eigentlich schützen sollen.
---------------------------------------------
http://www.golem.de/news/security-antivirenscanner-machen-rechner-unsicher-…
*** Elasticsearch-Lücke verwandelt Amazon-Cloud-Server in DDoS-Zombies ***
---------------------------------------------
Durch eine Sicherheitslücke in einer älteren Elasticsearch-Version können Angreifer beliebigen Schadcode ausführen. Das wird momentan dazu genutzt, Server in Amazons EC2-Cloud zu kapern und für DDoS-Angriffe zu missbrauchen.
---------------------------------------------
http://www.heise.de/security/meldung/Elasticsearch-Luecke-verwandelt-Amazon…
*** Multiple vulnerabilities in Oxwall 1.7.0 ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014070156http://cxsecurity.com/issue/WLB-2014070155
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 25-07-2014 18:00 − Montag 28-07-2014 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Cisco WebEx Meetings Server Authenticated Encryption Vulnerability ***
---------------------------------------------
A vulnerability in the user.php script of Cisco WebEx Meetings Server could allow an unauthenticated, remote attacker to view sensitive information.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Cacti cross-site scripting ***
---------------------------------------------
Cacti is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using the Full Name field to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting ..
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/94862
*** Cisco WebEx Meetings Server OutlookAction Class Vulnerability ***
---------------------------------------------
A vulnerability in the OutlookAction Class of Cisco WebEx Meetings Server could allow an unauthenticated, remote attacker to enumerate valid user accounts. The vulnerability is due to ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Cisco WebEx Meetings Server Web Framework Vulnerability ***
---------------------------------------------
A vulnerability in the web framework of Cisco WebEx Meetings Server could allow an unauthenticated, remote attacker to view sensitive information. The vulnerability occurs because sensitive information is passed in a query string. An attacker could ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Service Drains Competitors' Online Ad Budget ***
---------------------------------------------
The longer one lurks in the Internet underground, the more difficult it becomes to ignore the harsh reality that for nearly every legitimate online business there is a cybercrime-oriented anti-business. Case in point: Todays post looks at a popular service that helps crooked online marketers exhaust the Google AdWords budgets of their competitors.
---------------------------------------------
http://krebsonsecurity.com/2014/07/service-drains-competitors-online-ad-bud…
*** Daimler: Mit eigener Hacker-Gruppe gegen Sicherheitslücken ***
---------------------------------------------
Der Automobilhersteller Daimler beschäftigt eine fest angestellte Gruppe von Datenspezialisten, deren Aufgabe es ist, das eigene Firmennetzwerk zu attackieren. So sollen Sicherheitslücken schneller aufgespürt werden.
---------------------------------------------
http://www.golem.de/news/daimler-mit-eigener-hacker-gruppe-gegen-sicherheit…
*** Ubiquiti UbiFi Controller 2.4.5 Password Hash Disclosure ***
---------------------------------------------
If remote logging is enabled on the UniFi controller, syslog messages
are sent to a syslog server. Contained within the syslog messages is
the admin password that is used by both the UniFi controller, and all
managed Access Points. This CVE was ..
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014070146
*** Tails: Zero-Day im Invisible Internet Project ***
---------------------------------------------
In der Linux-Distribution Tails befindet sich eine Sicherheitslücke, über die Nutzeridentitäten aufgedeckt werden können. Die Schwachstelle ist nicht in Tor, sondern im Invisible-Internet-Project-Netzwerk zu finden.
---------------------------------------------
http://www.golem.de/news/tails-zero-day-im-invisible-internet-project-1407-…
*** DANE disruptiv: Authentifizierte OpenPGP-Schlüssel im DNS ***
---------------------------------------------
Pretty Good Privacy soll das DNS zur Schlüsselpropagierung nutzen. Auf der Liste der Entwickler der Internet Engineering Task Force (IETF) steht als nächstes die Zulassung eigenen Schlüsselmaterials.
---------------------------------------------
http://www.heise.de/security/meldung/DANE-disruptiv-Authentifizierte-OpenPG…
*** Behind the Android.OS.Koler distribution network ***
---------------------------------------------
Android.OS.Koler.a a ransomware program that blocks the screen of an infected device and requests a ransom in order to unlock the device. An entire network of malicious porn sites linked to a traffic direction system that redirects the victim to different payloads targeting not only mobile devices but any other visitor.
---------------------------------------------
https://securelist.com/blog/research/65189/behind-the-android-os-koler-dist…
*** Dissecting the CVE-2013-2460 Java Exploit ***
---------------------------------------------
In this vulnerability, code is able to get the references of some restricted classes which are cleverly used for privilege escalation and bypassing the JVM sandbox. The vulnerable 'invoke' method of the 'sun.tracing.ProviderSkeleton' class is used to ..
---------------------------------------------
http://research.zscaler.com/2014/07/dissecting-cve-2013-2460-java-exploit.h…
*** Anatomy of an iTunes phish - tips to avoid getting caught out ***
---------------------------------------------
Even if youd back yourself to spot a phish every time, heres a step-by-step account that might help to save your friends and family in the future...
---------------------------------------------
http://nakedsecurity.sophos.com/2014/07/28/anatomy-of-an-itunes-phish-tips-…
*** ICS 3C - ICS Cybersecurity Council Conference ***
---------------------------------------------
ICS 3C gathers experts and decision makers placing Cybersecurity at the heart of a Pan-European Dialogue on solutions for securing critical processes.
---------------------------------------------
http://www.anapur.de/u_e_ICS_Cybersecurity_Conference_2014_HD.htm
*** Trojaner: Warnungen vor gefälschten Ikea-Mails ***
---------------------------------------------
Schon mehrere tausend Funde, E-Mails sind "täuschend echt" ..
---------------------------------------------
http://derstandard.at/2000003626539
*** Malware, Would You Install it for One Cent? ***
---------------------------------------------
A research study report entitled It's All About The Benjamins: An empirical study on incentivizing users to ignore security ..
---------------------------------------------
http://www.seculert.com/blog/2014/07/would-you-install-potential-malware-fo…
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 24-07-2014 18:00 − Freitag 25-07-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** More Details of Onion/Critroni Crypto Ransomware Emerge ***
---------------------------------------------
New ransomware has been dubbed Onion by researchers at Kaspersky Lab as its creators use command and control servers hidden in the Tor Network (a/k/a The Onion Router) to obscure their malicious activity.
---------------------------------------------
http://threatpost.com/onion-ransomware-demands-bitcoins-uses-tor-advanced-e…
*** Kali 1.0.8 released with UEFI boot support, more info at http://www.kali.org/news/kali-1-0-8-released-uefi-boot-support/, (Fri, Jul 25th) ***
---------------------------------------------
-- Bojan INFIGO IS (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=18443&rss
*** Gefährlicher als die NSA: Firmen unterschätzen kriminelle Hacker ***
---------------------------------------------
Allianz für Cyber-Sicherheit beim deutschen Bundesamt für Sicherheit in der Informationstechnik sieht größten Nachholbedarf in produzierenden Unternehmen
---------------------------------------------
http://derstandard.at/2000003528513
*** TAILS Team Recommends Workarounds for Flaw in I2P ***
---------------------------------------------
The developers of the TAILS operating system say that users can mitigate the severity of the critical vulnerability researchers discovered in the I2P software that's bundled with TAILS with a couple of workarounds, but there is no patch for the bug yet. The vulnerability that affects TAILS is in the I2P anonymity network software that comes...
---------------------------------------------
http://threatpost.com/tails-team-recommends-workarounds-for-flaw-in-i2p/107…
*** Fake GoogleBots are third most common DDoS attacker ***
---------------------------------------------
An analysis of 400 million search engine visits to 10,000 sites done by Incapsula researchers has revealed details that might be interesting to web operators and SEO professionals.
---------------------------------------------
http://www.net-security.org/secworld.php?id=17169
*** New SSL server rules go into effect Nov. 1 ***
---------------------------------------------
Public certificate authorities (CAs) are warning that as of Nov. 1 they will reject requests for internal SSL server certificates that don't conform to new internal domain naming and IP address conventions designed to safeguard networks.
---------------------------------------------
http://www.networkworld.com/article/2457649/security0/new-ssl-server-rules-…
*** The App I Used to Break Into My Neighbor's Home ***
---------------------------------------------
Leave your ring of cut-brass secrets unattended on your desk at work, at a bar table while you buy another round, or in a hotel room, and any stranger---or friend---can upload your keys to their online collection.
---------------------------------------------
http://feeds.wired.com/c/35185/f/661467/s/3cdb9908/sc/36/l/0L0Swired0N0C20A…
*** Attackers abusing Internet Explorer to enumerate software and detect security products ***
---------------------------------------------
During the last few years we have seen an increase on the number of malicious actors using tricks and browser vulnerabilities to enumerate the software that is running on the victim's system using Internet Explorer.In this blog post we will describe some of the techniques that attackers are using to perform reconnaisance that gives them information for future attacks. We have also seen these techniques being used to decide whether or not they exploit the victim based on detected...
---------------------------------------------
http://www.alienvault.com/open-threat-exchange/blog/attackers-abusing-inter…
*** Building a Legal Botnet in the Cloud ***
---------------------------------------------
Two researchers have built a botnet using free anonymous accounts. They only collected 1,000 accounts, but theres no reason this cant scale to much larger numbers....
---------------------------------------------
https://www.schneier.com/blog/archives/2014/07/building_a_lega.html
*** Bugtraq: Security advisory for Bugzilla 4.5.5, 4.4.5, 4.2.10, and 4.0.14 ***
---------------------------------------------
http://www.securityfocus.com/archive/1/532895
*** Morpho Itemiser 3 Hard-Coded Credential ***
---------------------------------------------
This advisory provides vulnerability information for hard-coded credentials in the Morpho Itemiser 3.
---------------------------------------------
http://ics-cert.us-cert.gov//advisories/ICSA-14-205-01
*** VU#394540: Sabre AirCentre Crew contains a SQL injection vulnerability ***
---------------------------------------------
Vulnerability Note VU#394540 Sabre AirCentre Crew contains a SQL injection vulnerability Original Release date: 25 Jul 2014 | Last revised: 25 Jul 2014 Overview Sabre AirCentre Crew 2010.2.12.20008 and earlier contains a SQL injection vulnerability. Description CWE-89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) Sabre AirCentre Crew 2010.2.12.20008 and earlier is vulnerable to a SQL Injection attack in the username and password fields in CWPLogin.aspx.
---------------------------------------------
http://www.kb.cert.org/vuls/id/394540
*** Cisco Unified Presence Server Sync Agent Vulnerability ***
---------------------------------------------
CVE-2014-3328
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Cisco WebEx Meetings Server Cross-Site Request Forgery Vulnerability ***
---------------------------------------------
CVE-2014-3305
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Cisco WebEx Meetings Server Stack Trace Vulnerability ***
---------------------------------------------
CVE-2014-3301
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 23-07-2014 18:00 − Donnerstag 24-07-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** ZDI-14-264: (0Day) Apple QuickTime mvhd Atom Heap Memory Corruption Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple QuickTime. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-14-264/
*** ZDI-14-263: (0Day) Hewlett-Packard Data Protector Cell Request Service Opcode 1091 Directory Traversal Arbitrary File Write Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett-Packard Data Protector. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-14-263/
*** ZDI-14-262: (0Day) Hewlett-Packard Data Protector Cell Request Service Opcode 305 Directory Traversal Arbitrary File Creation Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett-Packard Data Protector. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-14-262/
*** [Honeypot Alert] Wordpress XML-RPC Brute Force Scanning ***
---------------------------------------------
There are news reports of new Wordpress XML-PRC brute force attacks being seen in the wild. The SANS Internet Storm Center also has a Diary entry showing similar data. We have captured similar attacks in our web honeypots so we wanted to share more data with the community. Please reference earlier blog posts we have done related to Wordpress: Wordpress XML-RPC Pingback Vulnerability Analysis Defending Wordpress Logins from Brute Force Attacks Thanks goes to my SpiderLabs Research colleague
---------------------------------------------
http://blog.spiderlabs.com/2014/07/honeypot-alert-wordpress-xml-rpc-brute-f…
*** Smart Grid Attack Scenarios ***
---------------------------------------------
This is the third (and last) in a series of posts looking at the threats surrounding smart grids and smart meters. In the first post, we introduced smart meters, smart grids, and showed why these can pose risks. In the second post, we looked at the risks of attacks on smart meters. In this post,...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/6sRN65gV904/
*** Windows Previous Versions against ransomware, (Thu, Jul 24th) ***
---------------------------------------------
One of the cool features that Microsoft actually added in Windows Vista is the ability to recover previous versions of files and folders. This is part of the VSS (Volume Shadow Copy Service) which allows automatic creation of backup copies on the system. Most users "virtually meet" this service when they are installing new software, when a restore point is created that allows a user to easily revert the operating system back to the original state, if something goes wrong. However,
---------------------------------------------
https://isc.sans.edu/diary/Windows+Previous+Versions+against+ransomware/184…
*** BMWs ConnectedDrive falls over, bosses blame upgrade snafu ***
---------------------------------------------
Traffic flows up 20% as motorway middle lanes miraculously unclog BMWs ConnectedDrive car-to-mobe interface has suffered a UK-wide outage that may also affect customers in mainland Europe.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/07/24/bmw_connect…
*** Dirty Dozen Spampionship - which country is spewing the most spam? ***
---------------------------------------------
The World Cup may be done and dusted, but the Spampionship continues! Where did you come in our spam-sending league tables?
---------------------------------------------
http://nakedsecurity.sophos.com/2014/07/22/dirty-dozen-spampionship-which-c…
*** A new generation of ransomware ***
---------------------------------------------
Trojan-Ransom.Win32.Onion a highly dangerous threat and one of the most technologically advanced encryptors out there. Its developers used both proven techniques 'tested' on its predecessors and solutions that are completely new for this class of malware. The use of an unorthodox cryptographic scheme makes file decryption impossible, even if traffic is intercepted between the Trojan and the server.
---------------------------------------------
https://securelist.com/analysis/publications/64608/a-new-generation-of-rans…
*** Bugcrowd Releases Open Source Vulnerability Disclosure Framework ***
---------------------------------------------
The problems that come from doing security research on modern Web applications and other software aren't just challenging for researchers, but also for the companies on the receiving end of their advisories. Companies unaccustomed to dealing with researchers can find themselves in a difficult position, trying to figure out the clearest path forward. To help...
---------------------------------------------
http://threatpost.com/bugcrowd-releases-open-source-vulnerability-disclosur…
*** SA-CONTRIB-2014-072 - Freelinking, Freelinking Case Tracker - Access bypass ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2014-072Project: freelinking (third-party module)Project: freelinking case tracker (third-party module)Version: 6.x, 7.xDate: 2014-July-23Security risk: CriticalExploitable from: RemoteVulnerability: Access bypassDescriptionThe freelinking and freelinking case tracker modules implement a filter for the easier creation of HTML links to other pages in the site or external sites with a wiki style format such as [[pluginname:identifier]].The module doesnt sufficiently...
---------------------------------------------
https://www.drupal.org/node/2308503
*** Siemens OpenSSL Vulnerabilities (Update A) ***
---------------------------------------------
This updated advisory is a follow-up to the original advisory titled ICSA-14-198-03 Siemens OpenSSL Vulnerabilities that was published July 17, 2014, on the NCCIC/ICS-CERT web site. This updated advisory provides mitigation details for vulnerabilities in the Siemens OpenSSL cryptographic software library affecting several Siemens industrial products.
---------------------------------------------
http://ics-cert.us-cert.gov//advisories/ICSA-14-198-03A
*** Sierra Wireless AirLink Raven X EV-DO Vulnerabilities (Update B) ***
---------------------------------------------
This updated advisory is a follow-up to the advisory titled ICSA-14-007-01A Sierra Wireless AirLink Raven X EV-DO Multiple Vulnerabilities that was published January 16, 2014, on the NCCIC/ICS CERT web site.
---------------------------------------------
http://ics-cert.us-cert.gov//advisories/ICSA-14-007-01B
*** HPSBMU03076 rev.1 - HP Systems Insight Manager (SIM) on Linux and Windows running OpenSSL, Multiple Vulnerabilities ***
---------------------------------------------
Potential security vulnerabilities have been identified with HP Systems Insight Manager running on Linux and Windows which could be exploited remotely resulting in multiple vulnerabilities.
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** HPSBMU03074 rev.1 - HP Insight Control server migration on Linux and Windows running OpenSSL, Remote Denial of Service (DoS), Code Execution, Unauthorized Access, Disclosure of Information ***
---------------------------------------------
Potential security vulnerabilities have been identified with HP Insight Control server migration running on Linux and Windows which could be exploited remotely resulting in denial of service (DoS), code execution, unauthorized access, or disclosure of information.
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** Cisco TelePresence Management Interface Vulnerability ***
---------------------------------------------
CVE-2014-3324
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Bugtraq: Beginners error: import function of Windows Mail executes rogue program C:\Program.exe with credentials of other account ***
---------------------------------------------
Beginners error: import function of Windows Mail executes rogue program C:\Program.exe with credentials of other account
---------------------------------------------
http://www.securityfocus.com/archive/1/532875