[CERT-daily] Daily summary - Friday 6-11-2015

Daily end-of-shift report team at cert.at
Fri Nov 6 18:07:48 CET 2015


=======================
= End-of-Shift report =
=======================

Timeframe:   Thursday 05-11-2015 18:00 − Friday 06-11-2015 18:00
Handler:     Robert Waldner
Co-Handler:  n/a



*** jQuery.min.php Malware Affects Thousands of Websites ***
---------------------------------------------
Fake jQuery injections have been popular among hackers since jQuery itself went mainstream and became one of the most widely adopted JavaScript libraries. Every now and then we write about such attacks. Almost every week we see new fake jQuery domains and scripts that mimic jQuery.
---------------------------------------------
https://blog.sucuri.net/2015/11/jquery-min-php-malware-affects-thousands-of-websites.html





*** OmniRAT malware scurrying into Android, PC, Mac, Linux systems ***
---------------------------------------------
Leverages Stagefright scare for installs. As police across Europe crack down on the use of the DroidJack malware, a similar software nasty has emerged that can control not just Android, but also Windows, Mac, and Linux systems and is being sold openly at a fraction of the cost.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2015/11/06/omnirat_malware_android_poc_mac_linux/




*** Check Point Discovers Critical vBulletin 0-Day ***
---------------------------------------------
As widely reported, the main vBulletin.org forum was compromised earlier this week and an exploit for a vBulletin 0-day was up for sale in online markets. A patch later released by vBulletin fixes the vulnerability reported, but neither credits any reporting nor mentions the appropriate CVE number. As the vulnerability is now fixed and an exploit exists in the wild with public analyses, we follow with the technical description as submitted to vBulletin.
---------------------------------------------
http://blog.checkpoint.com/2015/11/05/check-point-discovers-critical-vbulletin-0-day/




*** Peter Kieseberg @ 5th KIRAS Fachtagung ***
---------------------------------------------
Today Peter Kieseberg (SBA Research) presented the results of the SCUDO-Project together with Alexander Szönyi (Thales Austria) and Wolfgang Rosenkranz (Repuco) at the 5th 'KIRAS Fachtagung' in the Austria Trend Hotel Savoyen Vienna. This project was focused on the development of a training process for defence simulation trainings in the area of critical infrastructures ...
---------------------------------------------
https://www.sba-research.org/2015/11/05/peter-kieseberg-5th-kiras-fachtagung/




*** Bundestag wants to ban Flash for staff ***
---------------------------------------------
Following the serious hacker attack around six months ago, the German Bundestag wants to improve its IT security with a number of measures. Staff and members of parliament are to be required to use longer passwords and PINs of at least eight characters; in addition, Flash and other browser extensions will be banned from the computers, as Spiegel Online reports, citing an internal document of the Bundestag administration.
---------------------------------------------
http://www.golem.de/news/nach-hackerangriff-bundestag-will-flash-verbieten-1511-117326.html




*** Slides from RUXCON, Oct. 24-25, Melbourne ***
---------------------------------------------
* DNS as a Defense Vector, Paul Vixie
* High Performance Fuzzing, Richard Johnson
* MalwAirDrop: Compromising iDevices via AirDrop, Mark Dowd
* Broadcasting Your Attack: Security Testing DAB Radio In Cars, Andy Davis
* Windows 10: 2 Steps Forward, 1 Step Back, James Forshaw
...
---------------------------------------------
https://ruxcon.org.au/slides/?year=2015




*** Tracking HTTP POST data with ELK, (Fri, Nov 6th) ***
---------------------------------------------
The Apache webserver has a very modular logging system. It is possible to customize what to log and how. But it lacks in logging data submitted to the server via POST HTTP requests. Recently, I had to investigate suspicious HTTP traffic and one of the requirements was to analyze POST data. If you already have a solution which performs full packet capture, you're lucky, but it could quickly become a pain to search for information across gigabytes of PCAP files.
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20345&rss




*** Encryption ransomware threatens Linux users ***
---------------------------------------------
November 6, 2015. Doctor Web warns users about new encryption ransomware targeting Linux operating systems. Judging from the directories in which the Trojan encrypts files, one can conclude that the main target of the cybercriminals is website administrators who have web servers deployed on their machines. Doctor Web security researchers presume that at least tens of users have already fallen victim to this Trojan.
---------------------------------------------
http://news.drweb.com/show/?i=9686&lng=en&c=9




*** Advantech EKI Hard-coded SSH Keys Vulnerability ***
---------------------------------------------
This advisory provides mitigation details for a hard-coded SSH key vulnerability in Advantech's EKI-122X series products.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-15-309-01




*** ICIT Brief: Know Your Enemies - A Primer on Advanced Persistent Threat Groups ***
---------------------------------------------
This primer provides an overview of the threat landscape, attack vectors, size and sophistication of threat actors. Some of the Groups and Platforms include: The Elderwood Platform, Topsec, Axiom, Hidden Lynx, Deep Panda, PLA Unit 61398, Putter Panda, Tarh Andishan, Ajax, Bureau 121, Energetic Bear, Uroburos, APT 28, Hammertoss, CrazyDuke, Sandworm, Syrian Electronic Army, Anonymous and Butterfly Group among others.
---------------------------------------------
http://icitech.org/icit-brief-know-your-enemies-a-primer-on-advanced-persistent-threat-groups/




*** Security Advisory: NTP vulnerability CVE-2015-7704 ***
---------------------------------------------
An off-path attacker can send a crafted Kiss of Death (KoD) packet to the client, which will increase the client's polling interval to a large value and effectively disable synchronization with the server. 
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/17000/500/sol17566.html?ref=rss



*** Security Advisory - DoS Vulnerability in GPU Driver of Huawei Products ***
---------------------------------------------
Some Huawei products have a DoS vulnerability. An attacker may trick a user into installing a malicious application and use it to input invalid parameters into the GPU driver program of the products, which can crash the system of the device. (Vulnerability ID: HWPSIRT-2015-09017)
This vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) ID: CVE-2015-7740.
Huawei has released software updates to fix these vulnerabilities. 
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-460486.htm




*** Security Advisory - DoS Vulnerability in Camera Driver of Huawei Products ***
---------------------------------------------
Some Huawei products have a DoS vulnerability. An attacker who has the system or camera permission can input invalid parameters into the camera driver program to crash the system. (Vulnerability ID: HWPSIRT-2015-09013)
Huawei has released software updates to fix these vulnerabilities. 
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-460489.htm





