[CERT-daily] Tageszusammenfassung - Mittwoch 9-12-2015

Wed Dec 9 18:10:02 CET 2015

=======================
= End-of-Shift report =
=======================

Timeframe:   Montag 07-12-2015 18:00 − Mittwoch 09-12-2015 18:00
Handler:     Alexander Riepl
Co-Handler:  n/a


*** Email Tracking for Dummies ***
---------------------------------------------
Recently, I was involved in an incident handling mission to find how some confidential emails were being tracked. Let's imagine a first scenario: Alice sends a mail to Bob. Bob reads Alice's email and Alice gets notified. Nothing special, this is a standard feature offered by most commercial messaging ..
---------------------------------------------
https://blog.rootshell.be/2015/12/07/email-tracking-for-dummies/


*** Another Brick in the FrameworkPoS ***
---------------------------------------------
FrameworkPoS is a well-documented family of malware that targets Point of Sale (PoS) systems and has been attributed to at least one high profile retail breach. The malware author(s) have continued to improve upon the original malware, releasing ..
---------------------------------------------
https://www.trustwave.com/Resources/SpiderLabs-Blog/Another-Brick-in-the-FrameworkPoS/


*** EU verschärft Regeln zur Cybersicherheit ***
---------------------------------------------
Internetkonzerne müssen schwere Hackerangriffe künftig den Behörden melden - derstandard.at/2000027140552/EU-verschaerft-Regeln-zur-Cybersicherheit
---------------------------------------------
http://derstandard.at/2000027140552


*** Bitcoin Extortionist Copycats on the Rise, Experts Say ***
---------------------------------------------
Experts believe that the success tied to a recent spate of DDoS for hire groups may be because many are copycat collectives operating with a shorter lifespan.
---------------------------------------------
http://threatpost.com/bitcoin-extortionist-copycats-on-the-rise-experts-say/115582/


*** Citrix NetScaler Service Delivery Appliance Multiple Security Updates ***
---------------------------------------------
http://support.citrix.com/article/CTX202482


*** Day 2: UK research network Janet still being slapped by DDoS attack ***
---------------------------------------------
DNS services appear to be targeted, switching may work Members of UKs academic community from freshers to senior academics are facing more connection issues today as a persistent and continuous DDoS attack against the academic computer network Janet continues to stretch resources.
---------------------------------------------
www.theregister.co.uk/2015/12/08/uk_research_network_janet_ddos/


*** The German Underground: Buying and Selling Goods via Droppers ***
---------------------------------------------
We have frequently talked about how the Deep Web is used as a venue for the illegal trade in weapons and drugs. This part of the cybercrime underground includes a German-speaking community. Our new research examines these sites in some detail.
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/the-german-underground-buying-and-selling-goods-via-droppers/


*** Authentifikation von McAfees Enterprise Security Manager löchrig ***
---------------------------------------------
Angreifer können sich mit einem speziellen Nutzernamen und einem beliebigen Passwort beim Enterprise Security Manager von McAfee anmelden. Gefixte Versionen stehen bereit.
---------------------------------------------
http://heise.de/-3036068


*** Security Updates Available for Adobe Flash Player (APSB15-32) ***
---------------------------------------------
A security bulletin (APSB15-32) has been published regarding security updates for Adobe Flash Player. These updates address critical vulnerabilities that could potentially allow ..
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1302


*** MS15-DEC - Microsoft Security Bulletin Summary for December 2015 - Version: 1.0 ***
---------------------------------------------
https://technet.microsoft.com/en-us/library/security/MS15-DEC


*** Apple Patches Everything, (Tue, Dec 8th) ***
---------------------------------------------
And to not be outdone by Microsoft and Adobe, Apple just released patches for: iOS 9.2  A total of 50 vulnerabilities (CVE IDs) are addressed. About 10 of them affect WebKit and may lead to arbitrary code execution by visiting a malicious ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20465


*** Cisco Wireless Residential Gateway Stored Cross-Site Scripting Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151208-wrg


*** ZDI-15-624: Wireshark PCAPNG if_filter Arbitrary Free Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Wireshark. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-15-624/


*** Adobe, Microsoft Each Plug 70+ Security Holes ***
---------------------------------------------
Adobe and Microsoft today independently issued software updates to plug critical security holes in their software. Adobe released a patch that fixes a whopping 78 security vulnerabilities in its Flash Player software. Microsoft pushed a dozen patch bundles to address at least 71 flaws in various versions of the Windows operating system and associated software.
---------------------------------------------
http://feedproxy.google.com/~r/KrebsOnSecurity/~3/RuUekEfVS0g/


*** XZERES 442SR Wind Turbine Cross-site Scripting Vulnerability ***
---------------------------------------------
This advisory provides mitigations details for a cross-site scripting vulnerability in XZERES's 442SR turbine generator operating system.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-15-342-01


*** LOYTEC Router Information Exposure Vulnerability ***
---------------------------------------------
This advisory provides mitigations details for a password file vulnerability in LOYTEC's LIP-3ECTB routers.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-15-342-02


*** Pacom 1000 CCU GMS System Cryptographic Implementation Vulnerabilities ***
---------------------------------------------
This advisory was originally posted to the US-CERT secure Portal library on December 3, 2015, and is being released to the ICS-CERT web site. This advisory provides mitigation details for crypto implementation flaws in the Pacom GMS system.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-15-337-03


*** Rockwell Automation Micrologix 1100 and 1400 PLC Systems Vulnerabilities (Update A) ***
---------------------------------------------
This updated advisory is a follow-up to the original advisory titled ICSA-15-300-03 Rockwell Automation MicroLogix 1100 and 1400 PLC Systems Vulnerabilities that was published October 27, 2015, on the NCCIC/ICS-CERT web site. This advisory provides mitigation details for vulnerabilities in the Rockwell Automation Allen-Bradley MicroLogix 1100 and 1400 programmable logic controller (PLC) systems.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-15-300-03A


*** Analyzing Bartalex - A Prolific Malware Distributor ***
---------------------------------------------
Bartalex is a name that continues to appear in a cyberthief�s arsenal as one of the most popular mechanisms for distributing banking Trojans, ransomware, RATs, and other malware. The SANS ISC recently published a very interesting technical analysis of Bartalex. With this post, we hope to add a little more color and supplement what you already know about this prolific malware distributor.
---------------------------------------------
https://blog.phishlabs.com/bartalex


*** Blog of News Site 'The Independent' Hacked, Leads to TeslaCrypt Ransomware ***
---------------------------------------------
The blog page of one of the leading media sites in the United Kingdom, 'The Independent' has been compromised, which may put its millions of readers at risk of getting infected with ransomware. We have already informed The Independent about this security incident and are working with them to contain the ..
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/blog-of-news-site-the-independent-hacked-leads-to-teslacrypto-ransomware/


*** Enforcing USB Storage Policy with PowerShell, (Wed, Dec 9th) ***
---------------------------------------------
In a previous diary, I presented the CIRCLean (USB sanitizer) developed by the Luxembourg CERT (circl.lu). This tool is very useful to sanitize suspicious USBsticks but it lacks of control and enforcement. Nevertheless, ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20469


*** Epic failure of Phone House & Dutch telecom providers to protect personal data: How I could access 12+ million records #phonehousegate ***
---------------------------------------------
On September 11, 2015 I visited Media Markt in Utrecht Hoog Catherijne, a well-known electronics shop in The Netherlands. Since summer 2014, the biggest independent Dutch phone retail company Phone House also operates (white labeled) from within Media Markt locations as a store-in-a-store ..
---------------------------------------------
http://sijmen.ruwhof.net/weblog/608-personal-data-of-dutch-telecom-providers-extremely-poorly-protected-how-i-could-access-12-million-records


*** Verschlüsselungstrojaner: Neue TeslaCrypt-Version grassiert ***
---------------------------------------------
Ransomware ist der absolute Renner in der Crimeware-Szene. Seit einigen Tagen gibt es vermehrt Hinweise auf Infektionen durch eine neue Version des Verschlüsselungstrojaners TeslaCrypt, der Dateien verschlüsselt und mit der Endung .vvv versieht. 
---------------------------------------------
http://heise.de/-3037099


*** Audit und Web-Client: Kritik an SSL/TLS-Zertifizierungsstelle Lets Encrypt ***
---------------------------------------------
Die Tätigkeit von Let's Encrypt als Zertifizierungsstelle wurde noch nicht der vorgeschriebenen Sicherheitsprüfung unterzogen. Trotzdem stellt die CA schon Zertifikate aus.
---------------------------------------------
http://heise.de/-3031849


*** POS Security: What You Need To Know ***
---------------------------------------------
October 1, 2015 marked the deadline set by credit card issuers to shift liability for fraudulent activity from card issuers or payment processors to the party that is the least Europay-Mastercard-Visa (EMV) compliant during a fraudulent ..
---------------------------------------------
https://www.alienvault.com/open-threat-exchange/blog/pos-security-what-you-need-to-know


*** Cisco Prime Collaboration Assurance Default Account Credential Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151209-pca