[CERT-daily] Tageszusammenfassung - Montag 13-07-2015

Mon Jul 13 18:17:27 CEST 2015

=======================
= End-of-Shift report =
=======================

Timeframe:   Freitag 10-07-2015 18:00 − Montag 13-07-2015 18:00
Handler:     Robert Waldner
Co-Handler:  Stephan Richter


*** Government Grade Malware: a Look at HackingTeam's RAT ***
---------------------------------------------
Security researchers the world over have been digging through the massive HackingTeam dump for the past five days, and what we've found has been surprising. I've heard this situation called many things, and there's one description that I can definitely agree with: it's like Christmas for hackers. "On the fifth day of Christmas Bromium sent to...
---------------------------------------------
http://labs.bromium.com/2015/07/10/government-grade-malware-a-look-at-hackingteams-rat/


*** Pawn Storm Update: Trend Micro Discovers New Java Zero-Day Exploit ***
---------------------------------------------
Analysis and data by Brooks Li (Threats Analyst) and Feike Hacquebord (Senior Threat Researcher) Zero-day exploits continued to be used in targeted attacks because they are effective, given that software vendors have yet to create patches for them. Throughout our on-going investigation and monitoring of a targeted attack campaign, Operation Pawn Storm, we found suspicious URLs that...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/5OzXdZhhVhc/


*** New Zero-Day Vulnerability (CVE-2015-5123) in Adobe Flash Emerges from Hacking Team Leak ***
---------------------------------------------
After two Adobe Flash player zero-days disclosed in a row from the leaked data of Hacking Team, we discovered another Adobe Flash Player zero-day (assigned with CVE number, CVE-2015-5123) that surfaced from the said leak. Adobe has already released a security advisory after we reported the said zero-day. This vulnerability is rated as critical and...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/rV5yri4x48E/


*** Mit Windows 10 kommen Updates automatisch ***
---------------------------------------------
Windows 10-Kunden können sich künftig nur noch sehr begrenzt aussuchen, wann sie ein Update erhalten.
---------------------------------------------
http://futurezone.at/produkte/mit-windows-10-kommen-updates-automatisch/141.103.717


*** Jump List Files Are OLE Files, (Sun, Jul 12th) ***
---------------------------------------------
Jump List files are another type of files that are actually OLE files. They can contain useful data for forensic investigations. There are a couple of tools that can extract information from these files. Here you can see oledump analyzing an automatic Jump List file:  The stream DestList contains the Jump List data:  There are several sites on the Internet explaining the format of this data, like this one. I used this information to code a plugin for Jump List files:  The plugin takes an option...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=19911&rss


*** Identifying the five principal methods of network attacks ***
---------------------------------------------
Companies are underestimating the risk of failing to provide security training to non-technical staff. A new Intel Security study, which surveyed IT decision makers in European-based companies, fo...
---------------------------------------------
http://feedproxy.google.com/~r/HelpNetSecurity/~3/gSbxVIXvO94/secworld.php


*** Mobile SSL failures: More common than they should be ***
---------------------------------------------
Securing your mobile application traffic is apparently more difficult than it should be, as researchers Anthony Trummer and Tushar Dalvi discovered when looking into SSL/TLS usage on the Android opera...
---------------------------------------------
http://feedproxy.google.com/~r/HelpNetSecurity/~3/dY8mHp2RDC4/article.php


*** Identifying and exploiting IBM WebSphere Application Server ***
---------------------------------------------
IBM WebSphere is application server similar to Tomcat, JBoss and WebLogic. Therefore, it should be interesting to any penetration tester doing enterprise scale work where Websphere might be present. It should be also interesting to anyone who is working on securing enterprise environment since Websphere allows deploying own (malicious or not) code to the server. I have written NSE scripts to identify IBM Websphere consoles of application servers and to brute force any usernames and passwords. I...
---------------------------------------------
https://k0st.wordpress.com/2015/07/13/identifying-and-exploiting-ibm-websphere-application-server/


*** Start Secure 2015 - Sicherheits-Start-ups gesucht ***
---------------------------------------------
Der Wettbewerb "Start Secure 2015" wird gemeinsam vom Innenministerium und der futurezone veranstaltet. Als Organisationspartner fungieren SBA Research, das die Sieger-Start-ups auf Wunsch auch als Inkubator bei der Investorensuche berät, sowie das Kuratorium Sicheres Österreich.
---------------------------------------------
http://futurezone.at/thema/start-ups/sicherheits-start-ups-gesucht/139.420.313


*** Common Assessment Tool Cheatsheets ***
---------------------------------------------
I have an unhealthy obsession for time savers when im doing pentest work. Since a lot of my time is spent on the command line I love cheatsheets. I thought id use this thread to post some of the more awesome cheat sheets I find...
---------------------------------------------
https://forum.bugcrowd.com/t/common-assessment-tool-cheatsheets/502


*** Tunneling Data and Commands Over DNS to Bypass Firewalls ***
---------------------------------------------
No matter how tightly you restrict outbound access from your network, you probably allow DNS queries to at least one server. Adversaries can abuse this "hole" in your firewall to exfiltrate data and establish stealthy Command and Control (C2) channels that are very difficult to block. ... I am struggling to come up with a solution to plug this firewall "hole", but I have a few risk mitigation recommendations:...
---------------------------------------------
https://zeltser.com/c2-dns-tunneling/


*** Google Photo App Uploads Your Images To Cloud, Even After Uninstalling ***
---------------------------------------------
Have you ever seen any mobile application working in the background silently even after you have uninstalled it completely? I have seen Google Photos app doing the same. Your Android smartphone continues to upload your phone photos to Google servers without your knowledge, even if you have already uninstalled the Google Photos app from your device.  Nashville Business...
---------------------------------------------
http://feedproxy.google.com/~r/TheHackersNews/~3/yxF2id-ZsHg/google-photo-app-sync.html


*** "Forkmeiamfamous": Seaduke, latest weapon in the Duke armory ***
---------------------------------------------
Low-profile information-stealing Trojan is used only against high-value targets
---------------------------------------------
http://www.symantec.com/connect/blogs/forkmeiamfamous-seaduke-latest-weapon-duke-armory


*** BGP Hijacking - why you need to care! ***
---------------------------------------------
This came across our desk this morning when we were putting together Dragon News Bytes. There is lots of talk about what has been discovered in the recent reporting on the data dump from the Hacking Team incident. A lot of the reporting discusses the ethics of the company's services and whom they have been selling them to. Concentrating for a moment on the technology deployed in this activity, it is suggested that BGP hijacking was involved. This is described the article entitled...
---------------------------------------------
https://blog.team-cymru.org/2015/07/bgp-hijacking-why-do-you-need-to-care/


*** Allerletzter Aufruf: Support fÜr Windows 2003 Server endet ***
---------------------------------------------
Am 14. Juli ist endgÜltig Schluss. FÜr Windows 2003 Server liefert Microsoft keine Updates mehr aus, auch nicht bei Sicherheitsproblemen. Wobei auch hier zu gelten scheint: Ausnahmen bestÄtigen die Regel.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Allerletzter-Aufruf-Support-fuer-Windows-2003-Server-endet-2749074.html?wt_mc=rss.ho.beitrag.rdf


*** Hacking Team 0-day Flash Wave with Exploit Kits ***
---------------------------------------------
https://www.f-secure.com/weblog/archives/00002819.html


*** New PHP Releases Fix BACRONYM MySQL Flaw ***
---------------------------------------------
Several new versions of PHP have been released, all of which contain a number of bug fixes, most notably a patch for the so-called BACKRONYM vulnerability in MySQL. That bug in MySQL is caused by a problem with the way that the database software handles requests for secure connections. Researchers at Duo Security disclosed the...
---------------------------------------------
http://threatpost.com/new-php-releases-fix-bacronym-mysql-flaw/113740


*** The Adobe Flash Conundrum: Old Habits Die Hard ***
---------------------------------------------
Is it time to hop off the endless cycle of Flash vulnerabilities and updates? Last week has not been great for Adobe Flash. The 440GB of leaked Hacking Team emails has become a treasure trove for vulnerability hunters. Over the past 7 days, Flash was hit by three separate vulnerabilities: CVE-2015-5119 CVE-2015-5122 CVE-2015-5123 At this time, only the...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/AmkybOPif7Y/


*** Bugtraq: ESA-2015-115: EMC RecoverPoint for Virtual Machines (VMs) Restriction Bypass Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/535981


*** Cisco Mobility Services Engine Control And Provisioning Information Disclosure Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/viewAlert.x?alertId=39825


*** Juniper Security Advisories ***
---------------------------------------------

*** Juniper Junos IPv6 SEND Processing Flaw Lets Remote Users Deny Service ***
http://www.securitytracker.com/id/1032849

*** Juniper Junos SRX Network Security Daemon Bug Lets Remote Users Deny Service ***
http://www.securitytracker.com/id/1032848

*** Juniper Junos EX4600 and QFX Series Unspecified Flaw Lets Remote Users Deny Service ***
http://www.securitytracker.com/id/1032847

*** Juniper Junos J-Web Bugs Let Remote Users Conduct Cross-Site Scripting and Denial of Service Attacks ***
http://www.securitytracker.com/id/1032846


*** Bugtraq: [security bulletin] HPSBGN03373 rev.1 - HP Release Control running TLS, Remote Disclosure of Information ***
---------------------------------------------
http://www.securityfocus.com/archive/1/535983


*** Cisco WebEx Meeting Center Reflected Cross-Site Scripting Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/viewAlert.x?alertId=39782


*** F5 Security Advisories ***
---------------------------------------------

*** Security Advisory: Boost memory allocator vulnerability CVE-2012-2677 ***
https://support.f5.com:443/kb/en-us/solutions/public/16000/900/sol16946.html?ref=rss

*** Security Advisory: Multiple SQLite vulnerabilities ***
https://support.f5.com:443/kb/en-us/solutions/public/16000/900/sol16950.html?ref=rss

*** Security Advisory: Mailx vulnerabilities CVE-2004-2771 and CVE-2014-7844 ***
https://support.f5.com:443/kb/en-us/solutions/public/16000/900/sol16945.html?ref=rss

*** Security Advisory: Expat vulnerabilities CVE-2012-0876 and CVE-2012-1148 ***
https://support.f5.com:443/kb/en-us/solutions/public/16000/900/sol16949.html?ref=rss


*** Splunk Enterprise and Splunk Light Input Validation Flaw Lets Remote Users Conduct Cross-Site Scripting Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1032859


*** Squid CONNECT Method Peer Response Processing Flaw Lets Remote Users Bypass Security Controls ***
---------------------------------------------
http://www.securitytracker.com/id/1032873


*** PHP 5.x Security Updates, (Sun, Jul 12th) ***
---------------------------------------------
PHP 5.6.11, 5.5.27 and 5.4.43 were updated fixing numerous bugs in the various components of PHP including CVE-2015-3152. PHP recommend testing and upgrading to the current release. The binaries and packages are available here and the release notes here. [1] http://www.php.net/ChangeLog-5.php [2] http://windows.php.net/download/ ----------- Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=19907&rss


*** Joomla J2Store 3.1.6 SQL Injection ***
---------------------------------------------
Topic: Joomla J2Store 3.1.6 SQL Injection Risk: Medium Text:J2Store v3.1.6, a Joomla! extension that adds basic store functionality to a Joomla! instance, suffered from two unauthenticate...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2015070053


*** DFN-CERT-2015-0907 FreeRADIUS: Eine Schwachstelle ermÖglicht das Umgehen von Sicherheitsvorkehrungen ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2015-0907/


*** DFN-CERT-2015-1030 strongSwan: Zwei Schwachstellen ermöglichen das Ausspähen von Informationen und Denial-of-Service-Angriffe ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2015-1030/