[CERT-daily] Tageszusammenfassung - Montag 25-04-2016

Daily end-of-shift report team at cert.at
Mon Apr 25 18:13:42 CEST 2016


=======================
= End-of-Shift report =
=======================

Timeframe:   Freitag 22-04-2016 18:00 − Montag 25-04-2016 18:00
Handler:     Robert Waldner
Co-Handler:  Stephan Richter




*** Angler Exploit Kit, Bedep, and CryptXXX, (Sat, Apr 23rd) ***
---------------------------------------------
Introduction On Friday 2016-04-15, Proofpoint researchers spotted CryptXXX [1], a new type of ransomware from the actors behind Reveton. CryptXXX is currently spread through Bedep infections sent by the Angler exploit kit (EK). So far, Ive only seen Bedep send CryptXXX after Angler EK traffic caused by the pseudo-Darkleech campaign." /> CryptXXX infections have their own distinct look." /> Bedep recently improved its evasion capabilities [3]. Its being sent by one of the most...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20981&rss




*** Highlights from the 2016 HPE Annual Cyber Threat Report, (Mon, Apr 25th) ***
---------------------------------------------
HP released their annual report for 2016 that covers a broad range of information (96 pages) in various sectors and industries. The report is divided in 7 themes, those that appear the most interesting to me are Theme #5: The industry didnt learn anything about patching in 2015 and Theme #7: The monetization of malware. Theme #5 According to this report, the bug that was the most exploited in 2014 was still the most exploited last year which is now over five years old. CVE-2010-2568 where a...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20985&rss




*** Top 10 web hacking techniques of 2015 ***
---------------------------------------------
Now in its tenth year, the Top 10 List of Web Hacking Techniques takes a step back from the implications of an attack to understand how they happen. The list is chosen by the security research community, coordinated by WhiteHat Security. After receiving 39 submissions detailing hacking techniques discovered in 2015, the following hacks were voted into the top 10 spaces: FREAK (Factoring Attack on RSA-Export Keys) LogJam Web Timing Attacks Made Practical Evading All...
---------------------------------------------
https://www.helpnetsecurity.com/2016/04/25/top-10-web-hacking-techniques-2015/




*** Kritische Lücken: HP Data Protector verzichtet auf Authentifikation ***
---------------------------------------------
Angreifer können den HP Data Protector über verschiedene Schwachstellen in den Mangel nehmen und Code auf Computer schieben. Sicherheits-Updates unterbinden das.
---------------------------------------------
http://heise.de/-3183095




*** Snap: Ubuntus neue Pakete sind auf dem Desktop nicht sicherer ***
---------------------------------------------
Die Ubuntu-Macher Canonical behaupten, mit dem neuen Paketformat Snap werden installierte Apps sicherer. Für Desktop-Anwender stimmt das allerdings nicht.
---------------------------------------------
http://heise.de/-3183128




*** RDP Replay Code Release ***
---------------------------------------------
We took a more in depth look to see what information could be extracted from a PCAP of this [RDP] activity, and this led to a tool being created to replay the RDP session as the attacker would have seen it. We have made this tool available after being asked by a number of our blog readers. This tool requires the private key for decrypting, which can usually be recovered with cooperation from the client.
---------------------------------------------
http://www.contextis.com/resources/blog/rdp-replay-code-release/




*** Apple ID und iCloud: Gezieltes Phishing mit Textnachricht ***
---------------------------------------------
Betrüger versuchen derzeit per SMS, Nutzer auf eine gefälschte Apple-ID-Anmeldeseite zu locken, um persönliche Daten in Erfahrung zu bringen. Die Mitteilung ist persönlich adressiert.
---------------------------------------------
http://heise.de/-3183878




*** A Newer Variant of RawPOS in Depth ***
---------------------------------------------
RawPOS - A History RawPOS (also sometimes referred to as Rdasrv from the original service install name) is a Windows based malware family that targets payment card data. It has been around at least since 2011, if not much earlier. Despite it being very well known and the functions it performs easy to understand, RawPOS continues to prove extremely effective in perpetuating long-term and devastating card breaches to this day. Similar to its cousin, BlackPOS, this malware targets industries...
---------------------------------------------
https://www.alienvault.com/blogs/security-essentials/a-newer-variant-of-rawpos-in-depth




*** Empty DDoS Threats: Meet the Armada Collective ***
---------------------------------------------
[...] Our conclusion was a bit of a surprise: weve been unable to find a single incident where the current incarnation of the Armada Collective has actually launched a DDoS attack. In fact, because the extortion emails reuse Bitcoin addresses, theres no way the Armada Collective can tell who has paid and who has not. In spite of that, the cybercrooks have collected hundreds of thousands of dollars in extortion payments. [...]
---------------------------------------------
https://blog.cloudflare.com/empty-ddos-threats-meet-the-armada-collective/




*** GozNym banking malware spotted now in Europe ***
---------------------------------------------
IBMs X-Force reported today the actors behind the hybrid GozNym banking trojan that stole $4 million from U.S. banks in March have released a new configuration that is targeting European banks.
---------------------------------------------
http://www.scmagazine.com/goznym-banking-malware-spotted-now-in-europe/article/491855/




*** Angriff auf Zentralbank: Billigrouter und Malware führen zu Millionenverlust ***
---------------------------------------------
Man sollte meinen, dass die Zentralbank eines Landes über eine Firewall verfügt. In Bangladesch war das offenbar nicht der Fall. So konnten Angreifer mit spezialisierter Malware fast 1 Milliarde US-Dollar überweisen - und scheiterten dann an einem Fehler.
---------------------------------------------
http://www.golem.de/news/angriff-auf-zentralbank-billigrouter-und-malware-fuehren-zu-millionenverlust-1604-120536-rss.html




*** Manipulierte PNG-Datei schießt iOS- und Mac-Apps ab ***
---------------------------------------------
Das Öffnen einer präparierten Bilddatei bringt Apps in iOS wie OS X zum Absturz, darunter den iOS-Homescreen. Die iMessage-App öffnet sich dadurch unter Umständen nicht mehr.
---------------------------------------------
http://heise.de/-3184062




*** Exploit kit targets Android devices, delivers ransomware ***
---------------------------------------------
Ransomware hitting mobile devices is not nearly as widespread as that which targets computers, but Blue Coat researchers have discovered something even less unusual: mobile ransomware delivered via exploit kit. The ransomware in question calls itself Cyber.Police (the researchers have dubbed it Dogspectus), and does not encrypt users' files, just blocks the infected Android device. It purports to be part of an action by the (nonexistent) "American national security agency"...
---------------------------------------------
https://www.helpnetsecurity.com/2016/04/25/exploit-kit-targets-android-devices/




*** VU#229047: Allround Automations PL/SQL Developer v11 performs updates over HTTP ***
---------------------------------------------
Vulnerability Note VU#229047 Allround Automations PL/SQL Developer v11 performs updates over HTTP Original Release date: 25 Apr 2016 | Last revised: 25 Apr 2016   Overview Allround Automations PL/SQL Developer version 11 checks for updates over HTTP and does not verify updates before executing commands, which may allow an attacker to execute arbitrary code.  Description CWE-345: Insufficient Verification of Data Authenticity - CVE-2016-2346 According to the researcher, Allround Automations...
---------------------------------------------
http://www.kb.cert.org/vuls/id/229047




*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in git affect PowerKVM (CVE-2016-2315, CVE-2016-2324) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023527
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in NetworkManager affect PowerKVM (CVE-2015-0272,CVE-2015-2924) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023498
---------------------------------------------
*** IBM Security Bulletin: A Security Vulnerability was fixed in IBM Security Privileged Identity Manager (CVE-2016-0357) ***
http://www.ibm.com/support/docview.wss?uid=swg21981720
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in libssh2 affects PowerKVM (CVE-2016-0787) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023482
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in ISC Bind affect PowerKVM (CVE-2016-1285, CVE-2016-1286) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023483
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in nss-util affects PowerKVM (CVE-2016-1950) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023484
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in strongSwan affects PowerKVM (CVE-2015-8023) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023447
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in OpenSSL affects Sterling Connect:Enterprise for UNIX (CVE-2016-0800). ***
http://www.ibm.com/support/docview.wss?uid=swg21980890
---------------------------------------------
*** IBM Security Bulletin: Information disclosure through unauthenticated SOAP request message. (CVE-2016-0299) ***
http://www.ibm.com/support/docview.wss?uid=swg21981155
---------------------------------------------
*** IBM Security Bulletin: ClassLoader Manipulation with Apache Struts affecting IBM WebSphere Portal (CVE-2014-0114) ***
http://www.ibm.com/support/docview.wss?uid=swg21680194
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in libssh2 affects SAN Volume Controller and Storwize Family (CVE-2015-1782) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005710
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in IBM Java Runtime affects IBM SAN Volume Controller and Storwize Family (CVE-2016-0475) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005709
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM WebSphere MQ (CVE-2016-0475, CVE-2015-7575, CVE-2016-0448) ***
http://www.ibm.com/support/docview.wss?uid=swg21976896
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Apache ActiveMQ affects IBM Control Center (CVE-2015-5254) ***
http://www.ibm.com/support/docview.wss?uid=swg21981352
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in IBM Java SDK affects IBM WebSphere MQ (CVE-2015-4872) ***
http://www.ibm.com/support/docview.wss?uid=swg21981838
---------------------------------------------
*** IBM Security Bulletin: Security Bulletin: A vulnerability in OpenSSL affects the IBM FlashSystem model V840 (CVE-2015-3194) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005657
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in OpenSSL affects the IBM FlashSystem models 840 and 900 (CVE-2015-3194) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005656
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in OpenSSL affects the IBM FlashSystem model V840 (CVE-2015-3194) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005657
---------------------------------------------


More information about the Daily mailing list