[CERT-daily] Tageszusammenfassung - Montag 18-05-2015

Mon May 18 18:17:06 CEST 2015

=======================
= End-of-Shift report =
=======================

Timeframe:   Freitag 15-05-2015 18:00 − Montag 18-05-2015 18:00
Handler:     Stephan Richter
Co-Handler:  n/a


*** Cyberattacks on Oil and Gas Firms Launched with no Malware at all ***
---------------------------------------------
Oil and gas industry targeted by hackers with a genuine looking windows file, not a malware. The attacks are ongoing for about two years. A unique targeted attack being underway for about two consecutive years exploits Windows file functions that look legitimate and a couple of homemade scripts - but not malware - in order...
---------------------------------------------
http://securityaffairs.co/wordpress/36843/cyber-crime/cyberattacks-on-oil-and-gas-firms.html


*** Microsoft Stops Chinese Group from Using TechNet Site for Attacks (May 14, 2015) ***
---------------------------------------------
Microsoft and FireEye have taken steps to prevent a group of Chinese cyber criminals known as APT17 from using the companys TechNet website in its attacks...
---------------------------------------------
http://www.sans.org/newsletters/newsbites/r/17/38/302


*** VENOM - Does it live up to the hype?, (Sat, May 16th) ***
---------------------------------------------
Unless you have been hiding under a rock this week you have heard about VENOM. The first article that I saw was fromZDNet with the headline of Bigger than Heartbleed, Venom security vulnerability threatens most datacenters. Pretty provocative stuff. Is VENOM really worth that much hype?  VENOM stands for Virtualized Environment Neglected Operations Manipulation. The cuteacronym basically means that the exploit takes advantage of a vulnerability in legacy code.In short thevulnerability is...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=19701&rss


*** AEADs: getting better at symmetric cryptography ***
---------------------------------------------
I gave a talk a couple of weeks ago at the Yahoo Unconference. The conference was at the end of a particually hard week for a bunch of reasons and I fear that the talk wasn't that great. (Afterwards I got home about 3pm and pretty much slept until the following morning.) This post is a, hopefully clearer, articulation of its contents.
---------------------------------------------
http://www.imperialviolet.org/2015/05/16/aeads.html


*** About the supposed factoring of a 4096 bit RSA key ***
---------------------------------------------
tl;dr News about a broken 4096 bit RSA key are not true. It is just a faulty copy of a valid key. Earlier today a blog post claiming the factoring of a 4096 bit RSA key was published and quickly made it to the top of Hacker News. The key in question was the PGP key of a well-known Linux kernel developer. I already commented on Hacker News why this is most likely wrong, but I thought Id write up some more details. To understand what is going on I have to explain some background both on RSA and...
---------------------------------------------
https://blog.hboeck.de/archives/872-No,-nobody-has-factored-a-4096-bit-RSA-key.html


*** Google App Engine: Google reagiert träge auf Java-Sicherheitslücken ***
---------------------------------------------
Klammheimlich patcht Google Java-Schwachstellen in seiner Entwicklungsumgebung App Engine und ignoriert den Entdecker der Lücken weitgehend. Einige Sicherheitslücken klaffen immer noch.
---------------------------------------------
http://heise.de/-2652121


*** Angreifer nutzen kritische Lücke in ProFTPD aus ***
---------------------------------------------
Wer den FTP-Server ProFTPD betreibt, muss handeln: Durch eine schwerwiegende Schwachstelle können Online-Ganoven beliebigen Code ausführen. Und das tun sie auch bereits.
---------------------------------------------
http://heise.de/-2652114


*** Screech! Grand Theft Auto V malware mods warning ***
---------------------------------------------
Gamers find themselves in latest Mods & Rockstar punch-up Cybercrooks are cooking up malware disguised as mods for the Grand Theft Auto V video game.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2015/05/18/gta_malware_mods_warning/


*** Rombertiks disk wiping mechanism is aimed at pirates, not researchers ***
---------------------------------------------
Rombertik, the information-stealing malware that was recently analyzed by Cisco researchers and which apparently tries to prevent researchers from doing so by rewriting the computers Master Boot Reco...
---------------------------------------------
http://feedproxy.google.com/~r/HelpNetSecurity/~3/oE0fh7NZ4sg/malware_news.php


*** Oracle Patches VENOM Vulnerability ***
---------------------------------------------
Oracle on Saturday released its patch for the VENOM vulnerability, a guest escape flaw that affects many virtualization platforms.
---------------------------------------------
http://threatpost.com/oracle-patches-venom-vulnerability/112868


*** openssh 6.8p1 heap buffer overflow ***
---------------------------------------------
Topic: openssh 6.8p1 heap buffer overflow Risk: High Text:Quick background story: I started a while ago to develop a solution to use american fuzzy lop with networking input. I did so b...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2015050105


*** Bugtraq: [SE-2014-02] Unconfirmed / unpatched vulnerabilities in Google App Engine ***
---------------------------------------------
http://www.securityfocus.com/archive/1/535548


*** ZDI-15-230: ManageEngine Applications Manager IT360UtilitiesServlet query SQL Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of ManageEngine Applications Manager. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://feedproxy.google.com/~r/ZDI-Published-Advisories/~3/qN5KZVA4xgA/


*** ZDI-15-229: ManageEngine Applications Manager DowntimeSchedulerServlet TASKID SQL Injection Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of ManageEngine Applications Manager. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://feedproxy.google.com/~r/ZDI-Published-Advisories/~3/PLAGhXOxQh0/


*** ZDI-15-231: Dell Sonicwall GMS Virtual Appliance Multiple Remote Code Execution Vulnerabilities ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Dell SonicWALL Global Management System (GMS) virtual appliance. Authentication is required to exploit this vulnerability.
---------------------------------------------
http://feedproxy.google.com/~r/ZDI-Published-Advisories/~3/HtMlLoJoKXI/


*** Cisco Web Security Appliance Web Tracking Report Page Cross-Site Scripting Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/viewAlert.x?alertId=38884


*** DSA-3261 libmodule-signature-perl - security update ***
---------------------------------------------
Multiple vulnerabilities were discovered in libmodule-signature-perl, aPerl module to manipulate CPAN SIGNATURE files. The CommonVulnerabilities and Exposures project identifies the following problems:...
---------------------------------------------
https://www.debian.org/security/2015/dsa-3261


*** SAP Sybase Unwired Platform Online Data Proxy Discloses Password and Username Information to Local Users ***
---------------------------------------------
http://www.securitytracker.com/id/1032310


*** SAP Customer Relationship Management Bugs Let Users Execute Arbitrary Code and Remote Users Inject SQL Commands ***
---------------------------------------------
http://www.securitytracker.com/id/1032309


*** SAP NetWeaver RFC SDK Discloses Potentially Sensitive Information ***
---------------------------------------------
http://www.securitytracker.com/id/1032308