[CERT-daily] Daily summary - Wednesday 20-11-2013

Daily end-of-shift report team at cert.at
Wed Nov 20 18:08:48 CET 2013


=======================
= End-of-Shift report =
=======================

Timeframe:   Tuesday 19-11-2013 18:00 − Wednesday 20-11-2013 18:00
Handler:     Matthias Fraidl
Co-Handler:  n/a

*** New variant of Android ransomware "Fake Defender" surfaces ***
---------------------------------------------
Symantec researchers believe the malicious app is a variant of "Fake Defender," malware used in earlier ransomware scams.
---------------------------------------------
http://www.scmagazine.com/new-variant-of-android-ransomware-fake-defender-surfaces/article/311547/




*** Google Extends Scope of External Bug Bounty ***
---------------------------------------------
Google has expanded the bounds of its Patch Rewards Program to include open source components of Android, Apache, Sendmail, OpenVPN and other services.
---------------------------------------------
http://threatpost.com/google-extends-scope-of-external-bug-bounty/102962




*** TrustKeeper Scan Engine Update - November 14, 2013 ***
---------------------------------------------
It's time again for another TrustKeeper Scan Engine update. This release contains over 30 new tests for vulnerabilities in Cisco ASA/IOS, JIRA, jQuery, Microsoft Windows, Oracle Database/MySQL, and more. This release also contains default credential checks for both WordPress and Cisco ASA SSL VPN (aka AnyConnect).
---------------------------------------------
http://blog.spiderlabs.com/2013/11/trustkeeper-scan-engine-update-november-14-2013.html




*** VU#295276: Adobe ColdFusion is vulnerable to cross-site scripting via the logviewer directory ***
---------------------------------------------
Adobe ColdFusion 10 update 11, and possibly earlier versions, contains a reflected cross-site scripting (XSS) vulnerability. An attacker can inject arbitrary HTML content (including script) into pages under the /logviewer/ directory.
Triggering the vulnerability requires the use of a relative path, although this is not a directory traversal vulnerability.
---------------------------------------------
http://www.kb.cert.org/vuls/id/295276




*** Understanding Google's Blacklist: Cleaning Your Hacked Website and Removing From Blacklist ***
---------------------------------------------
Today we found an interesting case where Google was blacklisting a client's site but not sharing the reason why. The fact that they were sharing very little information should not be new, but what we found as we dove a little deeper should be. The idea is to provide you webmasters with the required insight to
---------------------------------------------
http://blog.sucuri.net/2013/11/understanding-googles-blacklist-cleaning-your-hacked-website-and-removing-from-blacklist.html




*** Searching live memory on a running machine with winpmem, (Wed, Nov 20th) ***
---------------------------------------------
Winpmem may appear to be a simple memory acquisition tool, but it is really much more. One of my favorite parts of Winpmem is that it has the ability to analyze live memory on a running computer. Rather than dumping the memory and analyzing it in two separate steps, you can search memory directly on a running system.
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17063
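The kind of live-memory search the diary describes, as an added example (not the diary's or winpmem's own code): a chunked search for a string in both its ASCII and UTF-16LE forms over a raw memory stream, which finds hits that straddle chunk boundaries without reporting them twice. It assumes the memory is readable as a flat byte stream, such as a raw winpmem dump file or, on Windows, the \\.\pmem device winpmem creates once its driver is loaded (the device name and the ability to read it directly from Python are assumptions; the diary shows the actual tool invocation). The sample "memory" is constructed inline so the script runs offline.

```python
"""Chunked string search over raw memory.

Added example, not code from the ISC diary or the winpmem project. Assumes the
memory is available as a flat byte stream: a raw winpmem dump on disk or, on
Windows, the \\.\pmem device winpmem exposes after loading its driver (device
name and direct readability are assumptions). Searches for both the ASCII and
the UTF-16LE encoding of a string, since Windows keeps most in-memory strings
as UTF-16LE.
"""
import io
from typing import BinaryIO, Dict, Iterator, List, Tuple


def _read_exact(stream: BinaryIO, n: int) -> bytes:
    """Read up to n bytes, looping on short reads (raw devices may return fewer)."""
    parts = []
    remaining = n
    while remaining > 0:
        chunk = stream.read(remaining)
        if not chunk:
            break
        parts.append(chunk)
        remaining -= len(chunk)
    return b"".join(parts)


def search_needles(stream: BinaryIO, needles: Dict[str, bytes],
                   chunk_size: int = 1 << 20) -> Iterator[Tuple[int, str]]:
    """Yield (absolute_offset, label) for every occurrence of every needle, once each.

    An overlap of (longest needle - 1) bytes is kept between chunks so a hit that
    straddles a boundary is still found; hits that start inside the trailing
    overlap are deferred to the next chunk so they are never reported twice.
    """
    if not needles or any(len(n) == 0 for n in needles.values()):
        raise ValueError("needles must be non-empty byte strings")
    overlap = max(len(n) for n in needles.values()) - 1
    if chunk_size <= overlap:
        raise ValueError("chunk_size must exceed the longest needle")
    carry = b""
    base = 0  # absolute offset of buf[0]
    while True:
        chunk = _read_exact(stream, chunk_size)
        eof = len(chunk) < chunk_size
        buf = carry + chunk
        # Hits starting in the trailing overlap belong to the next chunk,
        # except at end of stream, where everything remaining is reported.
        limit = len(buf) if eof else len(buf) - overlap
        hits = []
        for label, needle in needles.items():
            start = 0
            while True:
                i = buf.find(needle, start)
                if i < 0 or i >= limit:
                    break
                hits.append((base + i, label))
                start = i + 1
        for hit in sorted(hits):
            yield hit
        if eof:
            return
        carry = buf[len(buf) - overlap:] if overlap else b""
        base += len(buf) - overlap


def find_string(stream: BinaryIO, text: str,
                chunk_size: int = 1 << 20) -> List[Tuple[int, str]]:
    """Search for `text` as ASCII and as UTF-16LE; return sorted (offset, encoding) hits."""
    needles = {"ascii": text.encode("ascii"), "utf-16le": text.encode("utf-16-le")}
    return list(search_needles(stream, needles, chunk_size))


# Constructed sample memory (not a real dump): zero filler with one ASCII hit
# inside the first 128-byte chunk, one ASCII hit ending exactly on the chunk
# boundary (the deferred case), and one UTF-16LE hit straddling offset 256.
SAMPLE = bytearray(300)
SAMPLE[100:107] = b"cert.at"
SAMPLE[121:128] = b"cert.at"
SAMPLE[250:264] = "cert.at".encode("utf-16-le")


def demo() -> List[Tuple[int, str]]:
    """Run the search over the constructed sample with a deliberately small chunk size."""
    return find_string(io.BytesIO(bytes(SAMPLE)), "cert.at", chunk_size=128)


if __name__ == "__main__":
    for offset, enc in demo():
        print(f"0x{offset:08x}  {enc}")
    # On a running Windows host with the winpmem driver loaded you would pass
    # open(r"\\.\pmem", "rb") instead of the BytesIO (assumed device name).
```

The overlap bookkeeping is the part worth getting right: with a chunk size of 128 the deferred hit at offset 121 and the straddling UTF-16LE hit at 250 are both reported exactly once, and a large chunk size gives the same result.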




*** Netflixers Beware: Angler Exploit Kit Targets Silverlight Vulnerability ***
---------------------------------------------
Developers behind the Angler Exploit Kit have added a new exploit over the last week that leverages a vulnerability in Microsoft's Silverlight framework.
---------------------------------------------
http://threatpost.com/netflixers-beware-angler-exploit-kit-targets-silverlight-vulnerability/102968




*** Mobile threats in October 2013 ***
---------------------------------------------
In 2013, Russian anti-virus company Doctor Web started using a new system to collect statistics, so that it could promptly obtain information about the malicious applications that are threatening Google Android.  An analysis of the data collected in October showed that the Dr.Web resident monitor under Android detected malware about 11 million times, and over 4 million threats to Android were detected by the scanner. These figures correspond to data obtained in September 2013.
---------------------------------------------
http://news.drweb.com/show/?i=4061&lng=en&c=9




*** Repeated attacks hijack huge chunks of Internet traffic, researchers warn ***
---------------------------------------------
Man-in-the-middle attacks divert data on a scale never before seen in the wild.
---------------------------------------------
http://arstechnica.com/security/2013/11/repeated-attacks-hijack-huge-chunks-of-internet-traffic-researchers-warn/




*** US police department pays $750 Cryptolocker Trojan ransom demand ***
---------------------------------------------
A US police department was so determined to get back important files that had been encrypted by the rampaging Cryptolocker Trojan it decided to pay the sizable ransom being demanded by the criminals.
---------------------------------------------
http://news.techworld.com/security/3489937/us-police-department-pays-750-cryptolocker-trojans-ransom-demand/




*** Backup the best defense against (Cri)locked files ***
---------------------------------------------
Crilock, also known as CryptoLocker, is a notorious ransomware family that has been making the rounds since early September. Its primary payload targets and encrypts your files, such as your pictures and Office documents. All of the file types that can be encrypted are listed in our Trojan:Win32/Crilock.A and Trojan:Win32/Crilock.B descriptions.
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2013/11/19/backup-the-best-defense-against-cri-locked-files.aspx




*** JBoss Attacks Up Since Exploit Code Disclosure ***
---------------------------------------------
Researchers at Imperva have detected a surge in attacks against webservers running JBoss Application Server since the public disclosure of exploit code last month.
---------------------------------------------
http://threatpost.com/jboss-attacks-up-since-exploit-code-disclosure/102971




*** [webapps] - Ruckus Wireless Zoneflex 2942 Wireless Access Point - Authentication Bypass ***
---------------------------------------------
http://www.exploit-db.com/exploits/29709




*** nginx URI Parsing Flaw Lets Remote Users Bypass Security Restrictions ***
---------------------------------------------
http://www.securitytracker.com/id/1029363




*** PayPal Billsafe Cross Site Scripting ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110142




*** EMC Document Sciences xPression XSS / CSRF / Redirect / SQL Injection ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110139

