[CERT-daily] Daily summary - Thursday 13-03-2014

Daily end-of-shift report team at cert.at
Thu Mar 13 18:15:44 CET 2014


=======================
= End-of-Shift report =
=======================

Timeframe:   Wednesday 12-03-2014 18:00 − Thursday 13-03-2014 18:00
Handler:     Stephan Richter
Co-Handler:  n/a




*** Decoding Domain Generation Algorithms (DGAs) Part III - ZeusBot DGA Reproduction ***
---------------------------------------------
At this point, you can go ahead and close the two parent processes (since we are not interested in their functionality, for the sake of simply finding the DGA). So we know that we are interested in discovering how this traffic is generated. So let's try to find out where it originates. Earlier, using API Monitor, we saw that explorer was using several functions within WinINet.dll:...
---------------------------------------------
http://vrt-blog.snort.org/2014/03/decoding-domain-generation-algorithms.html




*** F-Secure interview: "We detect government trojans and do not want to change that" ***
---------------------------------------------
Government-made malware does not always have to be as bad as 0zapftis, the Bavarian state trojan. For F-Secure's virus researcher Mikko Hypponen, the decisive point is that anti-malware companies must be able to keep working without restrictions in the future, as he told Golem.de in an interview.
---------------------------------------------
http://www.golem.de/news/f-secure-im-interview-wir-erkennen-staatstrojaner-und-wollen-das-nicht-aendern-1403-105133-rss.html




*** WordPress XML-RPC PingBack Vulnerability Analysis ***
---------------------------------------------
There were news stories this week outlining how attackers are abusing the XML-RPC "pingback" feature of WordPress blog sites to launch DDoS attacks on other sites. This blog post will provide some analysis on this attack and additional information for websites to protect themselves. Not A New Vulnerability. The vulnerability in WordPress's XML-RPC API is not new. Here is data from the WordPress bug tracker from 7 years ago. While the vulnerability itself is not new,...
---------------------------------------------
http://feedproxy.google.com/~r/SpiderlabsAnterior/~3/MklfK5l9jYY/wordpress-xml-rpc-pingback-vulnerability-analysis.html




*** A Detailed Examination of the Siesta Campaign ***
---------------------------------------------
Executive Summary FireEye recently looked deeper into the activity discussed in TrendMicro's blog and dubbed the "Siesta" campaign. The tools, modus operandi, and infrastructure used in the campaign present two possibilities: either the Chinese cyber-espionage unit APT1 is perpetrating this...
---------------------------------------------
http://www.fireeye.com/blog/technical/targeted-attack/2014/03/a-detailed-examination-of-the-siesta-campaign.html




*** LightsOut EK Targets Energy Sector ***
---------------------------------------------
Late last year, the story broke that threat actors were targeting the energy sector with Remote Access Tools and Intelligence gathering malware. It would seem that the attackers responsible for this threat are back for more. This particular APT struck late February between 2/24-2/26. The attack began as a compromise of a third party law firm which includes an energy law practice known as
---------------------------------------------
http://feedproxy.google.com/~r/zscaler/research/~3/S2HhvPupa_0/lightsout-ek-targets-energy-sector.html




*** Trojan.Skimer.19 threatens banks ***
---------------------------------------------
March 4, 2014 Malware infecting the electronic innards of ATMs is not exactly a common phenomenon, so whenever such new kinds of programs emerge, they inevitably draw the attention of security specialists. Doctor Web's virus analysts got hold of a sample of Trojan.Skimer.19 which can infect ATMs. According to Doctor Web, banking system attacks involving Trojan.Skimer.19 persist to this day. Similar to its predecessors, the Trojan has its main payload incorporated into a dynamic link library...
---------------------------------------------
http://news.drweb.com/show/?i=4267&lng=en&c=9




*** Trojan.Rbrute hacks Wi-Fi routers ***
---------------------------------------------
March 5, 2014 Doctor Web's security researchers examined Trojan.Rbrute malware, which is designed to crack Wi-Fi router access passwords using brute force and change the DNS server addresses specified in the configuration of these devices. Criminals use this malicious program to spread the file infector known as Win32.Sector. When launched on a Windows computer, Trojan.Rbrute establishes a connection with the remote server and stands by for instructions. One of them provides the Trojan with a...
---------------------------------------------
http://news.drweb.com/show/?i=4271&lng=en&c=9




*** Anatomy of a Control Panel Malware Attack, Part 1 ***
---------------------------------------------
Recently we've discussed how Control Panel (CPL) malware has been spreading in Latin America. In the past, we've analyzed in some detail how CPL malware works as well as the overall picture of how this threat spreads. In this post, we shall examine in detail how they spread, and how they relate with other malicious sites.
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/v3D2zLGXolU/




*** Ethical hacker backer hacked, warns of email ransack ***
---------------------------------------------
Switches registrars, tightens security after upsetting incident
The IT security certification body that runs the Certified Ethical Hacker programme has itself been hacked.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/03/13/ethical_hacker_cert_org_pwned/




*** Samsung: Galaxy devices have a backdoor in the modem processor ***
---------------------------------------------
A backdoor has been discovered in the modem processor of several smartphones and tablets from Samsung's Galaxy line. Attackers could use it to access the data on the smartphone or tablet, or to modify data in order to spread malware. (Smartphone, Samsung)
---------------------------------------------
http://www.golem.de/news/samsung-galaxy-geraete-haben-eine-backdoor-im-modem-prozessor-1403-105124-rss.html




*** Google hacks Mac OS X for a good cause ***
---------------------------------------------
The search engine giant's security team demonstrated a serious attack on Mac OS X: visiting a web page with Safari led to code being executed as root. The demonstration took place in a new category of the Pwn2Own contest.
---------------------------------------------
http://www.heise.de/security/meldung/Google-hackt-Mac-OS-X-fuer-den-guten-Zweck-2141483.html




*** Metasploit Weekly Update: There's a Bug In Your Brain ***
---------------------------------------------
The most fun module this week, in my humble opinion, is from Rapid7's own Javascript Dementer, Joe Vennix. Joe wrote up this crafty implementation of a Safari User-Assisted Download and Run Attack, which is not technically a vulnerability or a bug or anything -- it's a feature that ends up being a kind of a huge risk. Here's how it goes:...
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2014/03/13/metasploit-weekly-update




*** TCIPG Seminar: Dynamic Data Attacks on Real-Time Power System Operations ***
---------------------------------------------
With increasing dependence on modern information and communication technology, a future smart grid is potentially more vulnerable to coordinated cyber attacks launched by an adversary. In this talk, we consider several possible attack mechanisms aimed at disrupting real-time operations of a power grid. In particular, we are interested in dynamic attack strategies on the power system state estimation that lead to infeasible real-time dispatch and disrupt the real-time market operation.
---------------------------------------------
http://tcipg.org/news/TCIPG-Seminar-2014-Mar-7-Tong




*** Security update available for Adobe Shockwave Player ***
---------------------------------------------
Adobe has released a security update for Adobe Shockwave Player 12.0.9.149 and earlier versions on the Windows and Macintosh operating systems. This update addresses a critical vulnerability that could potentially allow an attacker to remotely take control of the affected system.
---------------------------------------------
http://helpx.adobe.com/security/products/shockwave/apsb14-10.html




*** Security Bulletin: Multiple security vulnerabilities exist in IBM InfoSphere Information Server (CVE-2013-4057, CVE-2013-4058 and CVE-2013-4059) ***
---------------------------------------------
Security vulnerabilities exist in various versions of IBM InfoSphere Information Server or constituent products. See the individual descriptions for details.  CVE(s):  CVE-2013-4057, CVE-2013-4058, and CVE-2013-4059  Affected product(s) and affected version(s): IBM InfoSphere Information Server Versions 8.0, 8.1, 8.5, 8.7, and 9.1 running on all platforms
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_multiple_security_vulnerabilities_exist_in_ibm_infosphere_information_server_cve_2013_4057_cve_2013_4058_and_cve_2013_4059?lang=en_us




*** Bugtraq: PowerArchiver: Uses insecure legacy PKZIP encryption when AES is selected (CVE-2014-2319) ***
---------------------------------------------
http://www.securityfocus.com/archive/1/531440




*** SA-CONTRIB-2014-031 - Webform Template - Access Bypass ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2014-031
Project: Webform Template (third-party module)
Version: 7.x
Date: 2014-March-12
Security risk: Less critical
Exploitable from: Remote
Vulnerability: Access Bypass
Description
This module enables you to copy webform config from one node to another. The module doesn't respect node access when providing possible nodes to copy from. As a result, a user may be disclosed the titles of nodes he does not have view access to and as such he may be able to copy the webform...
---------------------------------------------
https://drupal.org/node/2216607




*** SA-CONTRIB-2014-030 - SexyBookmarks - Information Disclosure ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2014-030
Project: SexyBookmarks (third-party module)
Version: 6.x
Date: 2014-March-12
Security risk: Moderately critical
Exploitable from: Remote
Vulnerability: Information Disclosure
Description
The SexyBookmarks module is a port of the WordPress SexyBookmarks plug-in. The module adds social bookmarking using the Shareaholic service. The module discloses the private files location when Drupal 6 is configured to use private files. This vulnerability is mitigated by the fact...
---------------------------------------------
https://drupal.org/node/2216269




*** Mitsubishi Electric Automation MC-WorX Suite Unsecure ActiveX Control ***
---------------------------------------------
This advisory is a follow-up to the original alert, titled ICS-ALERT-13-259-01 Mitsubishi MC-WorX Suite Unsecure ActiveX Control, published September 16, 2013, on the NCCIC/ICS‑CERT web site (this was originally incorrectly identified as MC-WorkX; the correct product name is MC-WorX).
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-051-02




*** Cisco Intelligent Automation for Cloud Cryptographic Implementation Issues ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-0694




*** GNUpanel 0.3.5_R4 Cross Site Request Forgery / Cross Site Scripting ***
---------------------------------------------
Topic: GNUpanel 0.3.5_R4 Cross Site Request Forgery / Cross Site Scripting
Risk: Medium
Text: # Exploit Title: GNUpanel 0.3.5_R4 - Multiple Vulnerabilities # Vendor Homepage: http://wp.geeklab.com.ar/gl-en/gnupanel...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030098




*** Proxmox Mail Gateway 3.1 Cross Site Scripting ***
---------------------------------------------
Topic: Proxmox Mail Gateway 3.1 Cross Site Scripting
Risk: Low
Text: I. VULNERABILITY - Multiple XSS in Proxmox Mail Gateway 3.1 II. BACKGROUND - Proxmox Mail G...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030097

