===================== = End-of-Day report = =====================

Timeframe: Montag 13-11-2017 18:00 − Dienstag 14-11-2017 18:00 Handler: Nina Bieringer Co-Handler: Robert Waldner

===================== = News = =====================

∗∗∗ Breaking security controls using subdomain hijacking ∗∗∗ --------------------------------------------- Users obtain a domain name to establish a unique identity on the Internet. Domain names are not only used to serve names and addresses of computers and services but also to store security controls, such as SPF or CAA records. --------------------------------------------- https://securityblog.switch.ch/2017/11/14/subdomain-hijacking/

∗∗∗ Investigating Command and Control Infrastructure (Emotet) ∗∗∗ --------------------------------------------- Although the majority of botnets still use a basic client-server model, with most relying on HTTP servers to receive commands, many prominent threats now use more advanced infrastructure to evade endpoint blacklisting and be resilient to take-down. In this article I will go through and explain my process of identifying Command and Control (C2) servers and understanding their topology, using Emotet as an example. --------------------------------------------- https://www.malwaretech.com/2017/11/investigating-command-and-control-infras...

∗∗∗ XZZX Cryptomix Ransomware Variant Released ∗∗∗ --------------------------------------------- A new CryptoMix Ransomware variant has been discovered that appends the .XZZX extension to encrypted files. This article will discuss the changes found in this new variant. --------------------------------------------- https://www.bleepingcomputer.com/news/security/xzzx-cryptomix-ransomware-var...

===================== = Vulnerabilities = =====================

∗∗∗ SQL Injection in bbPress ∗∗∗ --------------------------------------------- During regular audits of our Sucuri Firewall (WAF), one of our researchers at the time, Slavco Mihajloski, discovered an SQL Injection vulnerability affecting bbPress. If the proper conditions are met, this vulnerability is very easy to abuse by any visitors on the victim’s website. Because details about this vulnerability have been made public today on a Hackerone report, and updating to the latest version of WordPress fixes the root cause of the problem, we chose to disclose this bug --------------------------------------------- https://blog.sucuri.net/2017/11/sql-injection-bbpress.html

∗∗∗ Security Bulletins Posted ∗∗∗ --------------------------------------------- Adobe has published security bulletins for Flash Player (APSB17-33), Photoshop CC (APSB17-34), Connect (APSB17-35), Acrobat and Reader (APSB17-36), DNG Converter (APSB17-37), InDesign CC (APSB17-38), Digital Editions (APSB17-39), Shockwave Player (APSB17-40) and Adobe Experience Manager (APSB17-41). --------------------------------------------- https://blogs.adobe.com/psirt/?p=1510

∗∗∗ #AVGater: Systemübernahme via Quarantäne-Ordner ∗∗∗ --------------------------------------------- Eine neue Angriffstechnik nutzt die Wiederherstellungs-Funktion der Anti-Viren-Quarantäne, um Systeme via Malware zu kapern. Bislang reagierten sechs Software-Hersteller mit Updates. --------------------------------------------- https://heise.de/-3889107

∗∗∗ Authentication bypass, cross-site scripting & code execution in Siemens SICAM RTU SM-2556 ∗∗∗ --------------------------------------------- The Siemens SICAM RTUs SM-2556 COM Modules (firmware variants ENOS00, ERAC00, ETA2, ETLS00, MODi00 and DNPi00) are affected by an authentication bypass vulnerability as the authentication checks are only performed client-side (JavaScript). Furthermore, the device is affected by cross site scripting vulnerabilities and outdated webserver software which allows code execution. --------------------------------------------- https://www.sec-consult.com/en/blog/advisories/authentication-bypass-cross-s...

∗∗∗ Vulnerability in windows antivirus products (IK-SA-2017-0002) ∗∗∗ --------------------------------------------- A privilege escalation and arbitrary write vulnerability was found in all our windows antivirus products. [...] Successful exploitation of this issue would allow an attacker to overwrite any memory region (including kernel) in the client machine with elevated privileges. --------------------------------------------- http://www.ikarussecurity.com/about-ikarus/security-blog/vulnerability-in-wi...

∗∗∗ SAP Security Patch Day - November 2017 ∗∗∗ --------------------------------------------- On 14th of November 2017, SAP Security Patch Day saw the release of 13 Security Notes. Additionally, there were 9 updates to previously released security notes. --------------------------------------------- https://blogs.sap.com/2017/11/14/sap-security-patch-day-november-2017/

∗∗∗ DFN-CERT-2017-2025/">OTRS: Eine Schwachstelle ermöglicht das Ausspähen von Informationen ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-2025/

∗∗∗ DFN-CERT-2017-2024/">Symantec Endpoint Encryption: Zwei Schwachstellen ermöglichen Denial-of-Service-Angriffe ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-2024/

∗∗∗ IBM Security Bulletin: Vulnerability may affect IBM® SDK for Node.js™ (CVE-2017-14919) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22009851

∗∗∗ IBM Security Bulletin: IBM® Db2® is affected by vulnerabilities in the IBM® SDK, Java Technology Edition Quarterly Critical Patch Updates (CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22010282

∗∗∗ IBM Security Bulletin: Open Source VMware Fusion Vulnerabilities in IBM Pure Application System (CVE-2017-4903, CVE-2017-4904, CVE-2017-4905) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22009145

∗∗∗ Cacti Input Validation Flaw in Page Refresh Lets Remote Users Conduct Cross-Site Scripting Attacks ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1039774

∗∗∗ jQuery vulnerability CVE-2016-7103 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K95208524

∗∗∗ Java vulnerability CVE-2017-10135 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K23489380

∗∗∗ Java vulnerability CVE-2017-10198 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K04734043

∗∗∗ Java SE and JRockit vulnerability CVE-2017-10243 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K54747614