[CERT-daily] Daily summary - Friday 27-12-2013

Daily end-of-shift report team at cert.at
Fri Dec 27 18:09:38 CET 2013


=======================
= End-of-Shift report =
=======================

Timeframe:   Monday 23-12-2013 18:00 − Friday 27-12-2013 18:00
Handler:     Matthias Fraidl
Co-Handler:  n/a

*** Background: Successful attack on Linux encryption ***
---------------------------------------------
Linux Unified Key Setup (LUKS) is the standard method for full-disk encryption on Linux; many systems, including Ubuntu 12.04 LTS, use LUKS in CBC mode. Jakob Lell demonstrates that this combination is vulnerable to the injection of a backdoor.
---------------------------------------------
http://www.heise.de/security/artikel/Erfolgreicher-Angriff-auf-Linux-Verschluesselung-2072199.html




*** Protection metrics - November results ***
---------------------------------------------
In our October results, we talked about a trio of families related to Win32/Sefnit. Our November results showed progress against Sefnit and the installers and downloaders of Sefnit (Win32/Rotbrow and Win32/Brantall). In comparison to September, active Sefnit infections have been reduced by 82 percent. As with prior months, our rate of incorrect detections also remained low and performance stayed consistent.
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2013/12/23/protection-metrics-november-results.aspx




*** Turkey: Understanding high malware encounter rates in SIRv15 ***
---------------------------------------------
In our most recent version of the Security Intelligence Report, we compared the encounter rates of malware categories for the top 10 countries with computers reporting the most detections in 2Q13. Amongst these countries, Turkey stood out with considerably high encounter rates in multiple categories. Encounter rate is the percentage of computers in a country that reported at least one detection of malware.  
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2013/12/23/turkey-understanding-high-malware-encounter-rates-in-sirv15.aspx




*** Popular Registrar Namecheap Fixes DNS Hijack Bug ***
---------------------------------------------
The domain registrar and Web-hosting company Namecheap has fixed a cross site request forgery vulnerability in its DNS setup page.
---------------------------------------------
http://threatpost.com/popular-registrar-namecheap-fixes-dns-hijack-bug/103281




*** What a successful exploit of a Linux server looks like ***
---------------------------------------------
Like most mainstream operating systems these days, fully patched installations of Linux provide a level of security that requires a fair amount of malicious hacking to overcome. Those assurances can be completely undone by a single unpatched application, as Andre' DiMino has demonstrated when he documented an Ubuntu machine in his lab being converted into a Bitcoin-mining, denial-of-service-spewing, vulnerability-exploiting hostage under the control of attackers.
---------------------------------------------
http://arstechnica.com/security/2013/12/anatomy-of-a-hack-what-a-successful-exploit-of-a-linux-server-looks-like/




*** Turkey Tops World in Per Capita Malware Encounters ***
---------------------------------------------
Microsoft claims that Turkish machines encounter more malware than computers in any other country in the world.
---------------------------------------------
http://threatpost.com/turkey-tops-world-in-per-capita-malware-encounters/103290




*** New Trojan.Mods mines bitcoins ***
---------------------------------------------
Russian anti-virus company Doctor Web is warning users about a new Trojan.Mods modification that has been dubbed Trojan.Mods.10. This Trojan's authors followed the major trend of December 2013 and added a bitcoin miner to the set of Trojan.Mods.10's features. You may recall that Trojan.Mods programs were found in large numbers in the wild in spring 2013 and were primarily designed to intercept browsers' DNS queries and redirect users to malignant sites.
---------------------------------------------
http://news.drweb.com/show/?i=4176&lng=en&c=9




*** New CryptoLocker Spreads Via Removable Drives ***
---------------------------------------------
We recently came across a CryptoLocker variant that had one notable feature - it has propagation routines.
Analysis of the malware, detected as WORM_CRILOCK.A, shows that this malware can spread via removable drives. This update is considered significant because this routine was unheard of in other CRILOCK variants. 
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/new-cryptolocker-spreads-via-removable-drives/




*** OpenSSL with a broken backdoor ***
---------------------------------------------
The Dual EC random number generator, designed by the NSA as a backdoor, is also found in the open-source crypto library OpenSSL. However, it was non-functional there, without anyone having noticed.
---------------------------------------------
http://www.heise.de/security/meldung/OpenSSL-mit-kaputter-Hintertuer-2072370.html




*** Big Data and security analytics collide ***
---------------------------------------------
Big Data will become "The next big thing" - a critical re-evaluation and re-tooling of our analytical abilities. This is not about being able to query more data, but being able to query all data.
---------------------------------------------
http://www.scmagazine.com/big-data-and-security-analytics-collide/article/326869/




*** Infection found on "feedburner.com" ***
---------------------------------------------
Recently we have seen the websites of MySQL and PHP.net being compromised. We have also blogged about Google Code being used as a drop site for holding malicious code. These instances clearly suggest that attackers are targeting popular websites and using them in their attacks as they are less likely to be blocked by URL filters. This time we found that the Google-acquired "FeedBurner", which provides custom RSS feeds and management tools to users, is hosting an infected page.
---------------------------------------------
http://research.zscaler.com/2013/12/infection-found-on-feedburnercom.html




*** Hackers who breached php.net exposed visitors to highly unusual malware ***
---------------------------------------------
Eight weeks after hackers compromised the official PHP website and laced it with attack code, outside security researchers have uncovered evidence that some visitors were exposed to malware that's highly unusual, if not unique.
---------------------------------------------
http://arstechnica.com/security/2013/12/hackers-who-breached-php-net-exposed-users-to-highly-unusual-malware/




*** Python Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/56234




*** Puppet Enterprise Multiple Vulnerabilities ***
---------------------------------------------
https://secunia.com/advisories/56251




*** Novell Client Bug Lets Local Users Crash the System ***
---------------------------------------------
http://www.securitytracker.com/id/1029533




*** Cisco IOS XE VTY Authentication security bypass ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/89901




*** cPanel WHM XML and JSON APIs Arbitrary File Disclosure Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/56207




*** VMware Patches Privilege Vulnerability in ESX, ESXi ***
---------------------------------------------
http://threatpost.com/vmware-patches-privilege-vulnerability-in-esx-esxi/103286




*** Zimbra 8.0.2 and 7.2.2 Collaboration Server LFI Exploit ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013120155




*** Synology DiskStation Manager SLICEUPLOAD Remote Command Execution ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013120156




*** RT: Request Tracker 4.0.10 SQL Injection ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013040083




*** Bugtraq: Song Exporter v2.1.1 RS iOS - File Include Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/530489