[CERT-daily] Tageszusammenfassung - Donnerstag 19-11-2015
Daily end-of-shift report
team at cert.at
Thu Nov 19 18:11:37 CET 2015
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 18-11-2015 18:00 − Donnerstag 19-11-2015 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** GovCERT.ch zu den DDoS-Erpressungen ***
---------------------------------------------
Die Kollegen aus der Schweiz haben ausführlich zu den aktuellen Erpressungsversuchen (DD4BC/Armada Collective) gebloggt und auch eine Zusammenfassung über Mitigations-Massnahmen geschrieben.
---------------------------------------------
http://www.cert.at/services/blog/20151119115219-1633.html
*** BSI veröffentlicht Bericht zur Lage der IT-Sicherheit in Deutschland 2015 ***
---------------------------------------------
Der Bericht zur Lage der IT-Sicherheit in Deutschland beschreibt und analysiert die aktuelle IT-Sicherheitslage, die Ursachen von Cyber-Angriffen sowie die verwendeten Angriffsmittel und -methoden. Daraus abgeleitet thematisiert der Lagebericht Lösungsansätze zur Verbesserung der IT-Sicherheit in Deutschland. Der Lagebericht verdeutlicht, dass die Anzahl der Schwachstellen und Verwundbarkeiten in IT-Systemen weiterhin auf einem hohen Niveau liegt und ...
---------------------------------------------
https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2015/Lage_der_IT-Sicherheit_in_Deutschland_2015_19112015.html
*** ARRIS Cable Modem has a Backdoor in the Backdoor ***
---------------------------------------------
While researching on the subject, I found a previously undisclosed backdoor on ARRIS cable modems, affecting many of their devices including TG862A, TG862G, DG860A. As of this writing, Shodan searches indicate that the backdoor affects over 600.000 externally accessible hosts and the vendor did not state whether its going to fix it yet.
---------------------------------------------
https://w00tsec.blogspot.co.at/2015/11/arris-cable-modem-has-backdoor-in.html
*** BSI veröffentlicht Sicherheitsstudie zu TrueCrypt ***
---------------------------------------------
Im Auftrag des Bundesamtes für Sicherheit in der Informationstechnik (BSI) untersuchte das Fraunhofer-Institut für Sichere Informationstechnologie SIT die Verschlüsselungssoftware TrueCrypt auf Sicherheitslücken.
...
Die Sicherheitsexperten kommen zu dem Ergebnis, dass TrueCrypt weiterhin für die Verschlüsselung von Daten auf Datenträgern geeignet ist.
---------------------------------------------
https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2015/Sicherheitsanalyse_TrueCrypt_19112015.html
*** ZDI-15-570: SQLite fts3_tokenizer Untrusted Pointer Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of SQLite. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://feedproxy.google.com/~r/ZDI-Published-Advisories/~3/U5RlY6kAls0/
*** Encrypt - Moderately Critical - Weak Encryption - SA-CONTRIB-2015-166 ***
---------------------------------------------
This module enables you to encrypt data within Drupal using a user-configurable encryption method and key provider. The module did not sufficiently validate good configurations and api usage resulting in multiple potential weaknesses ...
---------------------------------------------
https://www.drupal.org/node/2618362
*** Actors using exploit kits - How they change tactics, (Thu, Nov 19th) ***
---------------------------------------------
Introduction Exploit kits (EKs) are used by criminals to infect unsuspecting users while they are browsing the web. EKs are hosted on servers specifically dedicated to the EK. How are the users computers directed to an EK? It happens through compromised websites. Threat actors compromise legitimate websites, and pages from these compromised servers have injected script that connects the users computer to an EK server.
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20391&rss
*** NVIDIA Driver Windows Control Panel Unquoted Search Path Lets Local Users Gain Elevated Privileges ***
---------------------------------------------
The NVIDIA Control Panel executable Smart Maximize Helper (nvSmartMaxApp.exe) uses an unquoted path when launching process threads. A local user can place a specially crafted program in certain locations in the search path to cause arbitrary code to be executee with elevated privileges during Windows startup.
---------------------------------------------
http://www.securitytracker.com/id/1034175
*** NVIDIA 3D Driver for Windows Named Pipe Access Control Flaw Lets Remote Authenticated Users Gain Elevated Privileges ***
---------------------------------------------
The 3D Driver's 'Vision service' (nvSCPAPISvr.exe) creates a named pipe without proper access controls. A local user or a remote authenticated user can create a specially crafted run key entry to execute arbitrary command line statements with the privileges of the target user.
In a Windows Domain environment, a remote authenticated user with access to a domain-joined system can exploit this flaw within the joined domain.
---------------------------------------------
http://www.securitytracker.com/id/1034173
*** Microsoft Security Intelligence Report: Strontium ***
---------------------------------------------
The Microsoft Security Intelligence Report (SIR) provides a regular snapshot of the current threat landscape, using data from more than 600 million computers worldwide. The latest report (SIRv19) was released this week and includes a detailed analysis of the actor group STRONTIUM - a group that uses zero-day exploits to collect the sensitive information of high-value targets in government and political organizations.
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2015/11/18/microsoft-security-intelligence-report-strontium.aspx
*** NVIDIA NVAPI and Kernel Mode Driver Bugs Let Local Users Deny Service, Obtain Potentially Sensitive Information, and Gain Elevated Privielges ***
---------------------------------------------
The NVAPI support layer of NVIDIA GPU graphics drivers does not properly validate user-supplied input. In addition, an integer overflow may occur in the kernel mode driver. A local user can exploit these vulnerabilities to potentially sensitive information, deny service, or execute arbitrary code on the target system with elevated privileges.
---------------------------------------------
http://www.securitytracker.com/id/1034176
*** Open-Xchange Guard 2.0 Cross Site Scripting ***
---------------------------------------------
Topic: Open-Xchange Guard 2.0 Cross Site Scripting Risk: Low Text:Product: Open-Xchange Guard Vendor: Open-Xchange GmbH Internal reference: 41466 (Bug ID) Vulnerability type: Cross-Site-Sc...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2015110166
*** Edgy online shoppers face Dyre Christmas as malware mutates ***
---------------------------------------------
Bank-plundering code now hunts Windows 10 and its Edge browser VXers have cooked up Windows 10 and Edge support for the nasty Dyre or Dyreza banking trojan.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2015/11/19/edgy_online_shoppers_face_dyre_christmas/
*** Windows Sandbox Attack Surface Analysis ***
---------------------------------------------
TL;DR; I've released my tools I use internally to test out sandboxed code and determine the likely attack surface exposed to an attacker if a sandboxed process is compromised. You can get the source code from https://github.com/google/sandbox-attacksurface-analysis-tools. This blog post will describe a few common use cases so that you can use them to do your own sandbox analysis.
---------------------------------------------
http://googleprojectzero.blogspot.co.at/2015/11/windows-sandbox-attack-surface-analysis.html
*** Bugtraq: CVE-2015-8131: Kibana CSRF vulnerability ***
---------------------------------------------
Kibana versions prior to 4.1.3 and 4.2.1 are vulnerable to a CSRF attack.
We have been assigned CVE 2015-8131 for this issue.
CVSS Score: 4.0
Remediation: We recommend that all Kibana users upgrade to either 4.1.3, 4.2.1, or a later version.
---------------------------------------------
http://www.securityfocus.com/archive/1/536935
*** Russian financial cybercrime: how it works ***
---------------------------------------------
The Russian-language cybercrime market is known all over the world. Kaspersky Lab experts have been monitoring the Russian hacker underground since its emergence. In this review we analyze how financial cybercrime works.
---------------------------------------------
http://securelist.com/analysis/publications/72782/russian-financial-cybercrime-how-it-works/
*** VMSA-2015-0008 ***
---------------------------------------------
vCenter Server, vCloud Director, Horizon View information disclosure issue
VMware products that use Flex BlazeDS may be affected by a flaw in the processing of XML External Entity (XXE) requests. A specially crafted XML request sent to the server could lead to unintended information be disclosed. ... The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2015-3269 to this issue.
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2015-0008.html
*** Cisco Unified Interaction Manager Cross-Site Scripting Vulnerability ***
---------------------------------------------
A vulnerability in the web chat interface of Cisco Unified Interaction Manager could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the chat on the affected system.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/Cisco-SA-20150818-CVE-2015-6255
*** IBM Security Bulletin: Vulnerability in Apache Commons affects IBM WebSphere Application Server (CVE-2015-7450) ***
---------------------------------------------
An Apache Commons Collections vulnerability for handling Java object deserialization was addressed by WebSphere Application Server and WebSphere Application Server Hypervisor Edition. This vulnerability does not affect the IBM HTTP Server or versions of WebSphere Application Server prior to Version 7.0.
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21970575
More information about the Daily
mailing list