[CERT-daily] Daily summary - Monday 25-07-2016
Daily end-of-shift report
team at cert.at
Mon Jul 25 18:04:08 CEST 2016
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 22-07-2016 18:00 - Monday 25-07-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Free decryption tools take on eleven ransomware Trojans ***
---------------------------------------------
AVG and Trend Micro have updated their free tools, which under certain circumstances allow victims of various crypto-ransomware Trojans to regain access to their data.
---------------------------------------------
http://heise.de/-3277015
*** PowerWare Ransomware Masquerades as Locky to Intimidate Victims ***
---------------------------------------------
PowerWare ransomware spoofs Locky malware family in an attempt to scare victims into paying up.
---------------------------------------------
http://threatpost.com/ransomware-powerware-masquerades-as-locky-to-intimidate-victims/119437/
*** Cross-platform malware Adwind infects Mac ***
---------------------------------------------
We examined a cross-platform malware with a Mac payload and found the hackers behind it really didn't put that much effort into making it work on the Mac.
---------------------------------------------
https://blog.malwarebytes.com/threat-analysis/2016/07/cross-platform-malware-adwind-infects-mac/
*** Kovter becomes almost file-less, creates a new file type, and gets some new certificates ***
---------------------------------------------
Trojan:Win32/Kovter is a well-known click-fraud malware which is challenging to detect and remove because of its file-less persistence on infected PCs. In this blog, we will share some technical details about the latest changes we have seen in Kovter's persistence method and some updates on their latest malvertising campaigns. New persistence method Since June 2016,...
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2016/07/22/kovter-becomes-almost-file-less-creates-a-new-file-type-and-gets-some-new-certificates/
*** It Is Our Policy, (Sat, Jul 23rd) ***
---------------------------------------------
How many times have you heard someone say out loud "our security policy requires..."? Many times we hear and are sometimes even threatened with the security policy. Security policy should set behavioral expectations and be the basis for every technical, administrative and physical control that is implemented. Unfortunately, solid security policies are often elusive for several key reasons. I regularly get the question, "How many security policies should I have?" My response is often found by...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21293&rss
*** Nemucod dot dot..WSF ***
---------------------------------------------
The latest Nemucod campaign shows the malware distributing a spam email attachment with a .wsf extension, specifically ..wsf (with a double dot) extension. It is a variation of what has been observed since last year (2015) - the TrojanDownloader:JS/Nemucod malware downloader using JScript. It still spreads through spam email attachment, typically inside a .zip file,...
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2016/07/23/nemucod/
*** Europol wants to help victims of online extortion ***
---------------------------------------------
With the website nomoreransom.org, Europol wants to help victims of crypto-Trojans regain access to their data.
---------------------------------------------
http://futurezone.at/digital-life/europol-will-opfern-von-internet-erpressung-helfen/211.768.332
*** Stealing Bitcoin With Math - HOPE XI ***
---------------------------------------------
by Filippo Valsorda, published July 23, 2016 in Programming
Explaining Bitcoin and attacks old and new.
WARNING: contains more than 15 math formulas.
---------------------------------------------
https://speakerdeck.com/filosottile/stealing-bitcoin-with-math-hope-xi
*** Bypassing UAC on Windows 10 using Disk Cleanup ***
---------------------------------------------
Matt Graeber (@mattifestation) and I recently dug into Windows 10, and discovered a rather interesting method of bypassing User Account Control [...]. Currently, there are a couple of public UAC bypass techniques, most of which require a privileged file copy using the IFileOperation COM object or WUSA extraction to take advantage of a DLL hijack. [...] The technique covered in this post differs from the other methods and provides a useful alternative as it does not rely on a privileged file...
---------------------------------------------
https://enigma0x3.net/2016/07/22/bypassing-uac-on-windows-10-using-disk-cleanup/
*** Researchers discover 110 snooping Tor nodes ***
---------------------------------------------
In a period spanning 72 days, two researchers from Northeastern University have discovered at least 110 "misbehaving" and potentially malicious hidden services directories (HSDirs) on the Tor anonymity network. What's an HSDir? An HSDir is a Tor node that receives descriptors for hidden services - servers configured to receive inbound connections only through Tor, meaning their IP address and network location remains hidden - and, upon request, directs users to...
---------------------------------------------
https://www.helpnetsecurity.com/2016/07/25/snooping-tor-nodes/
*** DSA-3625 squid3 - security update ***
---------------------------------------------
Several security issues have been discovered in the Squid caching proxy.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3625
*** DSA-3626 openssh - security update ***
---------------------------------------------
Eddie Harari reported that the OpenSSH SSH daemon allows user enumeration through timing differences when trying to authenticate users. When sshd tries to authenticate a non-existing user, it will pick up a fixed fake password structure with a hash based on the Blowfish algorithm. If real users' passwords are hashed using SHA256/SHA512, then a remote attacker can take advantage of this flaw by sending large passwords, receiving shorter response times from the server for non-existing users.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3626
*** DSA-3627 phpmyadmin - security update ***
---------------------------------------------
Several vulnerabilities have been fixed in phpMyAdmin, the web-based MySQL administration interface.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3627
*** [2016-07-25] Multiple vulnerabilities in Micro Focus (Novell) Filr appliance ***
---------------------------------------------
The Micro Focus (Novell) Filr Appliance contains several vulnerabilities that, when combined, allow an unauthenticated attacker to execute arbitrary system commands as the user "root" or allow an authenticated attacker to hijack user and administrator sessions.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20160725-0_Micro_Focus_Filr_Appliance_Multiple_critical_vulnerabilities_v10.txt
*** Filr 2.0 - Security Update 2 ***
---------------------------------------------
Abstract: This patch provides a number of Security Updates for Filr, Search and MySQL 2.0.0 appliances including updated Java applets.
Document ID: 5250090
Security Alert: Yes
Distribution Type: Public
Entitlement Required: No
Files: Filr-2.0.0.465.HP.zip (204.82 MB), preinstall-filr20su2.zip (409 bytes), Search-2.0.0.414.HP.zip (24.96 MB), MySQL-2.0.0.195.HP.zip (24.2 MB)
Products: Filr 2
Superseded Patches: None
---------------------------------------------
https://download.novell.com/Download?buildid=3V-3ArYN85I~
*** Filr 1.2 - Security Update 3 ***
---------------------------------------------
Abstract: This patch provides a number of Security Updates for Filr, Search and MySQL 1.2 appliances including updated Java applets.
Document ID: 5250470
Security Alert: Yes
Distribution Type: Public
Entitlement Required: No
Files: MySQL-1.2.0.416.HP.zip (11 kB), Filr-1.2.0.871.HP.zip (153.52 MB), Search-1.2.0.1008.HP.zip (11.04 kB)
Products: Filr 1.2
Superseded Patches: None
---------------------------------------------
https://download.novell.com/Download?buildid=BOTiHcBFfv0~
*** Bugtraq: CA20160721-01: Security Notice for CA eHealth ***
---------------------------------------------
CA20160721-01: Security Notice for CA eHealth
---------------------------------------------
http://www.securityfocus.com/archive/1/538982
*** Vuln: Objective Systems ASN1C CVE-2016-5080 Heap Based Buffer Overflow Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/91836
*** Vulnerability in Objective Systems ASN1C Compiler Affecting Cisco Products ***
---------------------------------------------
A vulnerability in the ASN1C compiler by Objective Systems affects Cisco ASR 5000 devices running StarOS and Cisco Virtualized Packet Core (VPC) systems. The vulnerability could allow an unauthenticated, remote attacker to create a denial of service (DoS) condition or potentially execute arbitrary code.
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160721-asn1c
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in the Linux kernel affects PowerKVM (CVE-2016-3044) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023969
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in ImageMagick affect PowerKVM ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023934
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in ntp affect PowerKVM ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023885
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in PCRE affect PowerKVM ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023886
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in lcms affects PowerKVM (CVE-2013-7455) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023876
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in InstallAnywhere affects IBM Tivoli Storage Manager Administration Center (CVE-2016-4560) ***
http://www.ibm.com/support/docview.wss?uid=swg21985483
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in InstallAnywhere affects IBM Tivoli Monitoring for Tivoli Storage Manager Server (CVE-2016-4560) ***
http://www.ibm.com/support/docview.wss?uid=swg21984949
---------------------------------------------