[CERT-daily] Tageszusammenfassung - Mittwoch 7-01-2015

Wed Jan 7 18:42:31 CET 2015

=======================
= End-of-Shift report =
=======================

Timeframe:   Montag 05-01-2015 18:00 − Mittwoch 07-01-2015 18:00
Handler:     Robert Waldner
Co-Handler:  Stephan Richter


*** Debunking Myths Around Industrial Control Systems Cybersecurity ***
---------------------------------------------
General awareness for the need to improve cybersecurity in industrial control systems (ICS) has increased significantly in recent years, but there are still plenty of misconceptions. A recent incident that can be used to highlight...
---------------------------------------------
http://researchcenter.paloaltonetworks.com/2015/01/debunking-myths-around-industrial-control-systems-cybersecurity/


*** Who's Attacking Whom? Realtime Attack Trackers ***
---------------------------------------------
It seems nearly every day were reading about Internet attacks aimed at knocking sites offline and breaking into networks, but its often difficult to visualize this type of activity. In this post, well take a look at multiple services for tracking online attacks and attackers around the globe and in real-time.
---------------------------------------------
http://feedproxy.google.com/~r/KrebsOnSecurity/~3/qZhz3RO9frg/


*** l+f: SSH mit Alu-Hut ***
---------------------------------------------
Wer der NSA das Leben schwer machen will, kann das Fernwartungsprotokoll mit einigen Handgriffen auf der Kommandozeile abhärten.
---------------------------------------------
http://www.heise.de/security/meldung/l-f-SSH-mit-Alu-Hut-2512471.html


*** Inside Cryptowall 2.0 Ransomware ***
---------------------------------------------
An analysis of Cryptowall 2.0 reveals that the ransomware relies on complex encryption routines and sandbox detection capabilities to survive. It also uses Tor for command and control, and can execute on 32- and 64-bit systems.
---------------------------------------------
http://threatpost.com/inside-cryptowall-2-0-ransomware/110228


*** New Variant of Emotet Banking Malware targets German Users ***
---------------------------------------------
A new Spam email campaign making the rounds in Germany are delivering a new variant of a powerful banking malware, a financial threat designed to steal users' online banking credentials, according to security researchers from Microsoft. The malware, identified as Emotet, was first spotted last June by security vendors at Trend Micro. The most standout features of Emotet is its network...
---------------------------------------------
http://thehackernews.com/2015/01/emotet-banking-malware.html


*** Linux DDoS Trojan hiding itself with an embedded rootkit ***
---------------------------------------------
At the end of September 2014, a new threat for the Linux operating system dubbed XOR.DDoS forming a botnet for distributed denial-of-service attacks was reported ... In this blog post, we will describe the installation steps, the rootkit itself, and the communication protocol for getting attack commands.
---------------------------------------------
https://blog.avast.com/2015/01/06/linux-ddos-trojan-hiding-itself-with-an-embedded-rootkit/


*** AOL Advertising Network Abused to Distribute Malware ***
---------------------------------------------
Security researchers have uncovered a malvertising campaign used to distribute malware to visitors of The Huffington Post website, as well as several other sites, through malicious advertisements served over the AOL advertising network. At the end of last year, Cyphort Labs, security firm specialized in detecting malware threats, came across some malicious advertisements that were being
---------------------------------------------
http://thehackernews.com/2015/01/aol-advertising-network-abused-to_6.html


*** SPARTA - Network Infrastructure Penetration Testing Tool ***
---------------------------------------------
SPARTA is a python GUI application which simplifies network infrastructure penetration testing by aiding the penetration tester in the scanning and enumeration phase. It allows the tester to save time by having point-and-click access to his toolkit and by displaying all tool output in a convenient way. If little time is spent setting up commands and tools, more time can be spent focusing on analysing results.
---------------------------------------------
http://hack-tools.blackploit.com/2015/01/sparta-network-infrastructure.html


*** Malformed AndroidManifest.xml in Apps Can Crash Mobile Devices ***
---------------------------------------------
Every Android app comprises of several components, including something called the AndroidManifest.xml file or the manifest file. This manifest file contains essential information for apps, "information the system must have before it can run any of the app's code." We came across a vulnerability related to the manifest file that may cause an affected device...
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/malformed-androidmanifest-xml-in-apps-can-crash-mobile-devices/


*** Interview with NYU-Poly's Professor Justin Cappos: Security Lessons From Retail Breaches ***
---------------------------------------------
In our discussion, Professor Cappos has a lot to say about weaknesses with our current approach to password-based security as well as new technologies that can be applied to credit card transactions. ... Cappos offers some very practical advice on securing systems.
---------------------------------------------
http://blog.varonis.com/conversation-nyu-polys-professor-justin-cappos-data-security-lessons-tips-companies/


*** Is now the time to deploy embedded hypervisors for BYOD security? ***
---------------------------------------------
The operating systems deployed on smartphones and tables, such as Apple IOS or Google Android, are designed as single-user platforms that dont offer much of the security or virtualization technology ... There are a number of approaches that seem viable to address the challenge including the following: ... Making enterprise or personal applications execute in a virtual machine that could either have sharply curtailed access to the device and the data it contains
---------------------------------------------
http://www.zdnet.com/article/is-now-the-time-to-deploy-embedded-hypervisors-for-byod-security/


*** Spam Nation, book review: Inside todays cybercrime ecosystem ***
---------------------------------------------
In Spam Nation, Krebs tells the tale of the Pharma Wars, in which duelling Russian spam kings squabble over territory, hacking each others systems, paying police to investigate each other. The even larger story is the economic conditions that fuel all this. Who clicks on these ads?
---------------------------------------------
http://www.zdnet.com/article/spam-nation-book-review-inside-todays-cybercrime-ecosystem/


*** Twitter AnomalyDetection tool goes open source ***
---------------------------------------------
Twitter has opened up suspicious activity tracker AnomalyDetection to developers. The social media giant said on Tuesday the tool, dubbed AnomalyDetection, is used by the firms team to detect unusual traffic events including traffic spikes and surges, as well as the presence of spam bots.
---------------------------------------------
http://www.zdnet.com/article/twitter-anomalydetection-tool-goes-open-source/


*** CVE-2014-7911 - A Deep Dive Analysis of Android System Service Vulnerability and Exploitation ***
---------------------------------------------
In this post we discuss CVE-2014-7911 and the various techniques that can be used to achieve privilege escalation. We also examine how some of these techniques can be blocked using several security mechanisms.
---------------------------------------------
http://researchcenter.paloaltonetworks.com/2015/01/cve-2014-7911-deep-dive-analysis-android-system-service-vulnerability-exploitation/


*** The Connections Between MiniDuke, CosmicDuke and OnionDuke ***
---------------------------------------------
In September, we blogged about CosmicDuke leveraging timely, political topics to deceive the recipient into opening the malicious document. After a more detailed analysis of the files we made two major discoveries.
---------------------------------------------
https://www.f-secure.com/weblog/archives/00002780.html


*** DNS-Blacklist AHBL stellt Betrieb ein ***
---------------------------------------------
Die DNS-Blacklist Abusive Hosts Blocking List (AHBL) stellt ihre Dienste endgültig ein. Wer sie befragt, erhält grundsätzlich einen Treffer als Antwort. Administratoren von Mailservern müssen jetzt handeln.
---------------------------------------------
http://www.heise.de/newsticker/meldung/DNS-Blacklist-AHBL-stellt-Betrieb-ein-2513094.html


*** US-Cert warnt vor weiteren UEFI-BIOS-Lücken ***
---------------------------------------------
Durch neue Lücken kann man die Schutzmechanismen abermals austricksen. Angreifer könnten so tief im System ein Bootkit verankern, dem kein Virenscanner etwas anhaben kann. Wieder sollen BIOS-Updates helfen.
---------------------------------------------
http://www.heise.de/security/meldung/US-Cert-warnt-vor-weiteren-UEFI-BIOS-Luecken-2512913.html


*** JSA10663 - Out of Cycle Security Bulletin: Multiple vulnerabilities in NTP ***
---------------------------------------------
Product Affected: Junos OS, NSM Series devices, NSMXpress and NSM server software. | Problem: NTP.org has published a security advisory for six vulnerabilities resolved in ntpd (NTP daemon) that have been assigned four CVE IDs. In the worst case, some of these issues may allow remote unauthenticated attackers to execute code with the privileges of ntpd or cause a denial of service condition.
---------------------------------------------
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10663


*** Open-Xchange XHTML File Input Validation Flaw Permits Cross-Site Scripting Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1031488


*** Mantis BugTracker 1.2.17 XSS / DoS / Redirect ***
---------------------------------------------
Topic: Mantis BugTracker 1.2.17 XSS / DoS / Redirect Risk: Medium Text:Mantis BugTracker 1.2.17 multiple security vulnerabilities. ****************************************************************...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2015010024


*** Open-Xchange Server 6 / OX AppSuite 7.6.1 Cross Site Scripting ***
---------------------------------------------
Topic: Open-Xchange Server 6 / OX AppSuite 7.6.1 Cross Site Scripting Risk: Low Text:Product: Open-Xchange Server 6 / OX AppSuite Vendor: Open-Xchange GmbH Internal reference: 35512 (Bug ID) Vulnerability ty...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2015010020


*** DFN-CERT-2015-0005/ - ISC BIND: Eine Schwachstelle ermöglicht einen Denial-of-Service-Angriff ***
---------------------------------------------
Eine Schwachstelle in BIND ermöglicht einem entfernten, nicht authentifizierten Angreifer einen Denial-of-Service-Zustand zu bewirken. Die Schwachstelle wird mit einem Update auf Version 9.9.6P1 für die SUSE Linux Enterprise 11 SP3 Produkte Software Development Kit, Server, Server für VMware und Desktop behoben.
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2015-0005/


*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM QRadar SIEM (CVE-2014-3567, CVE-2014-3568, CVE-2014-3508, CVE-2014-3511) ***
---------------------------------------------
OpenSSL vulnerabilities were disclosed on October 15, 2014 by the OpenSSL Project. OpenSSL is used by IBM QRadar SIEM. IBM QRadar SIEM has addressed the applicable CVEs. CVE(s): CVE-2014-3567 , CVE-2014-3568 , CVE-2014-3511 and CVE-2014-3508 ...
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21691210


*** IBM Security Bulletin: Connect:Enterprise For UNIX and Connect:Enterprise clients are affected by the POODLE and OpenSSL vulnerabilities (CVE-2014-3566, CVE-2014-3567) ***
---------------------------------------------
SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. SSLv3 is enabled in Connect:Enterprise For UNIX, Connect:Enterprise Command Line Client, Connect:Enterprise HTTP Option, and...
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21690537


*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM InfoSphere Master Data Management (CVE-2014-3511, CVE-2014-3507, CVE-2014-3506, CVE-2014-3505 ) ***
---------------------------------------------
OpenSSL vulnerabilities were disclosed on August 6th, 2014 by the OpenSSL Project. OpenSSL is used by IBM InfoSphere Master Data Management. IBM InfoSphere Master Data Management has addressed the applicable CVEs provided by OpenSSL. CVE(s):...
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21691162


*** EMC Documentum Web Development Kit cross-site scripting ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/99632


*** EMC Documentum Web Development Kit weak security ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/99636


*** Apache Traffic Server HttpTransact Boundary Flaw Lets Remote Users Deny Service ***
---------------------------------------------
http://www.securitytracker.com/id/1031499


*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Operational Decision Manager, WebSphere ILOG JRules and WebSphere Business Events (CVE-2014-6506, CVE-2014-6511, CVE-2014-6457, CVE-2014-6558, CVE-2014-3065) ***
---------------------------------------------
There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 6 and 7 that is used by IBM Operational Decision Manager (ODM), IBM ILOG JRules and IBM WebSphere Business Events (WBE). These issues were disclosed as part of the IBM...
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21693686


*** DFN-CERT-2015-0012 - Xen: Eine Schwachstelle ermöglicht einen Denial-of-Service-Angriff ***
---------------------------------------------
Eine Use-after-Free-Schwachstelle in Xen ermöglicht einem lokalen, nicht authentifizierten Angreifer Denial-of-Service-Angriffe durchzuführen.
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2015-0012/


*** DFN-CERT-2015-0013 - Exiv2: Eine Schwachstelle ermöglicht Denial-of-Service-Angriffe ***
---------------------------------------------
Ein entfernter, nicht authentisierter Angreifer kann durch einen langen 'IKEY INFO Tag' Wert in einer AVI-Datei einen Absturz der Anwendung verursachen.
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2015-0013/


*** ZDI-15-006: ManageEngine Desktop Central MSP StatusUpdateServlet fileName File Upload Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of ManageEngine Desktop Central MSP. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-15-006/