[CERT-daily] Tageszusammenfassung - Mittwoch 8-06-2016

Wed Jun 8 18:27:45 CEST 2016

=======================
= End-of-Shift report =
=======================

Timeframe:   Dienstag 07-06-2016 18:00 − Mittwoch 08-06-2016 18:00
Handler:     Stephan Richter
Co-Handler:  n/a


*** Microsoft Bounty Program expansion - .NET Core and ASP.NET RC2 Beta Bounty ***
---------------------------------------------
Today I have another exciting expansion of the Microsoft Bounty Program. Please visit https://aka.ms/BugBounty to find out more. As we approach release for .NET Core and ASP.NET, we would like to get even more feedback from the security research community. We are offering a bounty on the .NET Core and ASP.NET Core RC2 Beta Build which...
---------------------------------------------
https://blogs.technet.microsoft.com/msrc/2016/06/07/microsoft-bounty-program-expansion-net-core-and-asp-net-rc2-beta-bounty/


*** SWIFT May Ban Banks Without Strong Cybersecurity (June 3, 2016) ***
---------------------------------------------
The head of SWIFT says that banks without adequate cybersecurity measures in place could find themselves suspended from using the SWIFT financial transfer communication network...
---------------------------------------------
http://www.sans.org/newsletters/newsbites/r/18/45/202


*** Ransomware Leaves Server Credentials in its Code ***
---------------------------------------------
While SNSLocker isn't a stand-out crypto-ransomware in terms of routine or interface, its coarse and bland facade hid quite a surprise. After looking closer at its code, we discovered that this Ransomware contains the credentials for the access of its own server. We also found out that they used readily-available servers and payment systems. This...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/gADipA92iAA/


*** Phishers Abuse Hosting Temporary URLs ***
---------------------------------------------
Recently we told you how hackers use alternative domain names provided by web hosts to make their URLs look less suspicious. This time we'll show a similar trick used by phishers. Phishing web pages get blacklisted very fast. That's why hackers need to purchase many domains or compromise many websites so that they can point...
---------------------------------------------
https://blog.sucuri.net/2016/06/phishers-abuse-hosting-temporary-urls.html


*** Neutrino EK and CryptXXX, (Wed, Jun 8th) ***
---------------------------------------------
Introduction By Monday 2016-06-06, the pseudo-Darkleech campaign began using Neutrino exploit kit (EK) to send CryptXXX ransomware [1]. Until then, Id only seen Angler EK distribute CryptXXX. However, this is not the first time weve seen campaigns associated with ransomware switch between Angler EK and Neutrino EK [2, 3, 4, 5]. It was documented as early as August 2015 [2]. This can be confusing, especially if youre expecting Angler EK. Campaigns can (and occasionally do) switch EKs. For an...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21141&rss


*** Millions of must be firewalled services are open to the entire internet - research ***
---------------------------------------------
15m telnet nodes, 4.5m printers TCP port 445... Millions of services that ought to be restricted are exposed on the open internet, creating a huge risk of hacker attack against databases and more.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/06/08/services_beyond_the_firewall_research_rapid7/


*** How to Prevent Ransomware in Industrial Control Systems ***
---------------------------------------------
Del Rodillas, our solution lead for SCADA & Industrial Control Systems, recently appeared in Electric Light & Power to discuss ransomware as an emerging threat for Operational Technology environments. With ransomware on everyone's mind these...
---------------------------------------------
http://researchcenter.paloaltonetworks.com/2016/06/how-to-prevent-ransomware-in-industrial-control-systems/


*** Linkedln-Nutzer erhalten unechte Geschäftsrechnung ***
---------------------------------------------
Kriminelle versenden gezielt vermeintlich offene Unternehmensrechnungen an Nutzer/innen des Sozialen Netzwerks Linkedln. Darin führen sie die auf der Plattform veröffentlichten und richtigen Informationen, wie den Namen, die Berufsposition und das Unternehmen, an. Empfänger/innen sollen den beigefügten Dateianhang öffnen. Er verbirgt Schadsoftware.
---------------------------------------------
https://www.watchlist-internet.at/gefaelschte-rechnungen/linkedln-nutzer-erhalten-unechte-geschaeftsrechnung/


*** Google To Deprecate SSLv3, RC4 in Gmail IMAP/POP Clients ***
---------------------------------------------
Google will next week begin a gradual deprecation of unsafe crypto protocol SSLv3 and cipher RC4 in Gmail IMAP/POP clients.
---------------------------------------------
http://threatpost.com/google-to-deprecate-sslv3-rc4-in-gmail-imappop-clients/118533/


*** ENISA zeigt Möglichkeiten der forensischen Analyse bei Cloud-Vorfällen ***
---------------------------------------------
Als Hilfestellung - nicht nur - für Anbieter von Cloud-Diensten hat die europäische Sicherheitsbehörde ENISA ein Papier zum technischen Stand der Analyse von Sicherheitsvorfällen in der Cloud veröffentlicht.
---------------------------------------------
http://heise.de/-3231521


*** But have I really been pwned? Vetting your data ***
---------------------------------------------
The news has been full of leaked passwords for some popular services recently. But these numbers of hacked accounts can be exaggerated for effect, and sometimes blatantly wrong.Categories:  Criminals Threat analysis(Read more...)
---------------------------------------------
https://blog.malwarebytes.org/threat-analysis/2016/06/but-have-i-really-been-pwned-vetting-your-data/


*** Cisco IOS XR Software LPTS Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160519-ios-xr


*** DSA-3597 expat - security update ***
---------------------------------------------
Two related issues have been discovered in Expat, a C library for parsingXML.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3597


*** Symantec Embedded Security: Critical System Protection and Symantec Data Center Security: Server Advanced, Multiple Security Issues ***
---------------------------------------------
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2016&suid=20160607_00


*** DFN-CERT-2016-0918: GnuTLS: Eine Schwachstelle ermöglicht die Manipulation beliebiger Dateien ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0918/


*** Trihedral VTScada Vulnerabilities ***
---------------------------------------------
This advisory contains mitigation details for several vulnerabilities in Trihedral Engineering Ltd.'s Trihedral VTScada.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-159-01


*** KMC Controls Conquest BACnet Router Vulnerabilities ***
---------------------------------------------
This advisory was originally posted to the US-CERT secure Portal library on May 5, 2016, and is being released to the NCCIC/ICS-CERT web site. This advisory contains mitigation details for authentication and cross-site request forgery vulnerabilities in KMC Controls Conquest BACnet routers through its web interface.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-126-01


*** Security Advisory - Several Vulnerabilities in Huawei Honor Routers ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160607-01-honorrouter-en


*** Security Advisory - Memory Leak Vulnerability in Some Huawei Products ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160608-01-mpls-en


*** Security Advisory: SQLite vulnerabilities CVE-2015-3414 and CVE-2015-3415 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/37/sol37236006.html?ref=rss


*** Security Advisory: SQLite vulnerability CVE-2015-3416 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/16000/900/sol16950.html?ref=rss


*** Bugtraq: [security bulletin] HPSBGN03623 rev.1 - HPE Universal CMDB, Remote Disclosure of Sensitive Information ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538623


*** Bugtraq: [security bulletin] HPSBGN03622 rev.1 - HPE UCMDB, Universal Discovery, and UCMDB Configuration Manager using Apache Commons Collection, Remote Code Executon ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538622


*** Bugtraq: [security bulletin] HPSBGN03621 rev.1 - HPE Universal CMDB using OpenSSL, Remote Disclosure of Sensitive Information ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538621


*** IBM Security Bulletin: A vulnerability in the instance runAsUser function was found in IBM InfoSphere Streams (CVE-2016-2867) ***
---------------------------------------------
There is a potential vulnerability in IBM InfoSphere Streams when the instance runAsUser property is set. IBM InfoSphere Streams has addressed this vulnerability. CVE(s): CVE-2016-2867 Affected product(s) and affected version(s): IBM InfoSphere Streams Version 4.0.1.1 and earlier IBM Streams Version 4.1.1.0 and earlier Refer to the following reference URLs for remediation and additional vulnerability details:Source
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21983444


*** IBM Security Bulletin:Multiple security vulnerabilities in Open Source Apache Tomcat affect IBM Cognos Business Viewpoint (CVE-2016-0714 , CVE-2015-5174) ***
---------------------------------------------
There are multiple vulnerabilities in Open Source Apace Tomcat that is used by IBM Cognos Business Viewpoint. These were disclosed in the 02/22/2016 X-Force Reports. IBM Cognos Business Viewpoint has addressed the applicable CVEs. CVE(s): CVE-2016-0714, CVE-2015-5174 Affected product(s) and affected version(s): IBM Cognos Business Viewpoint 10.1 FP1 IBM Cognos Business Viewpoint 10.1.1 FP2 Refer...
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21984197


*** IBM Security Bulletin:InstallAnywhere generates installation executables which are vulnerable to an DLL-planting vulnerability (CVE-2016-4560) ***
---------------------------------------------
InstallAnywhere generates installation executables which are vulnerable to an DLL-planting vulnerability affect IBM Security AppScan Source CVE(s): CVE-2016-4560 Affected product(s) and affected version(s): IBM Security AppScan Source 8.7, 8.8, 9.0, 9.0.1, 9.0.2, 9.0.3 Refer to the following reference URLs for remediation and additional vulnerability details:Source Bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21983037X-Force Database:...
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21983037


*** IBM Security Bulletin: Vulnerabilities in IBM Domino Keyview PDF Filters (CVE-2016-0277, CVE-2016-0278, CVE-2016-0279, CVE-2016-0277) ***
---------------------------------------------
IBM Domino has four vulnerabilities in Keyview PDF filters. CVE(s): CVE-2016-0277, CVE-2016-0278, CVE-2016-0279, CVE-2016-0301 Affected product(s) and affected version(s): IBM Domino 9.0.1 FP5 and earlier releases. IBM Domino 9.0 IF4 and earlier releases. IBM Domino 8.5.3 FP6 IF12 and earlier releases. IBM Domino 8.5.2 FP4 IF3 and earlier releases. IBM Domino 8.5.1 FP5 IF3 and...
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21983292


*** IBM Security Bulletin: Vulnerability in libxml2 affects IBM InfoSphere Streams. (CVE-2016-2073) ***
---------------------------------------------
There is a vulnerability in libxml2 that is used by IBM InfoSphere Streams. IBM InfoSphere Streams has addressed this vulnerability. CVE(s): CVE-2016-2073 Affected product(s) and affected version(s): IBM InfoSphere Streams Version 1.2.1.0 IBM InfoSphere Streams Version 2.0.0.4 and earlier IBM InfoSphere Streams Version 3.0.0.5 and earlier IBM InfoSphere Streams Version 3.1.0.7 and earlier IBM InfoSphere...
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21983372


*** IBM Security Bulletin: Vulnerability in libxml2 affects IBM InfoSphere Streams. (CVE-2015-8710) ***
---------------------------------------------
There is a vulnerability in libxml2 that is used by IBM InfoSphere Streams. IBM InfoSphere Streams has addressed this vulnerability. CVE(s): CVE-2015-8710 Affected product(s) and affected version(s): IBM InfoSphere Streams Version 1.2.1.0 IBM InfoSphere Streams Version 2.0.0.4 and earlier IBM InfoSphere Streams Version 3.0.0.5 and earlier IBM InfoSphere Streams Version 3.1.0.7 and earlier IBM InfoSphere...
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21983371


*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Sterling Connect:Direct for UNIX (CVE-2016-2108, CVE-2016-2107). ***
---------------------------------------------
OpenSSL vulnerabilities were disclosed on May 3, 2016 by the OpenSSL Project. OpenSSL is used by IBM Sterling Connect:Direct for UNIX. IBM Sterling Connect:Direct for UNIX has addressed the applicable CVEs. CVE(s): CVE-2016-2108, CVE-2016-2107 Affected product(s) and affected version(s): IBM Sterling Connect:Direct for Unix 4.1.0 IBM Sterling Connect:Direct for Unix 4.0.0 Refer to the following...
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21983909