[CERT-daily] Tageszusammenfassung - Dienstag 29-03-2016

Tue Mar 29 18:04:22 CEST 2016

=======================
= End-of-Shift report =
=======================

Timeframe:   Freitag 25-03-2016 18:00 − Dienstag 29-03-2016 18:00
Handler:     Robert Waldner
Co-Handler:  Alexander Riepl


*** Deutsche Hoster vermehrt im Fokus von Cyberkriminellen ***
---------------------------------------------
Immer stärker nutzen Cyberkriminelle die technisch hochentwickelten Internet-Infrastrukturen der ersten Welt. Immer beliebter werden bei ihnen deutsche Hoster zum Verteilen ihrer Schadsoftware.
---------------------------------------------
http://heise.de/-3151832


*** Basic Snort Rules Syntax and Usage ***
---------------------------------------------
In this series of lab exercises we will demonstrate various techniques in writing Snort rules, from basic rules syntax to writing rules aimed at detecting specific types of attacks. We will also examine some basic approaches ..
---------------------------------------------
http://resources.infosecinstitute.com/snort-rules-workshop-part-one/


*** TWSL2016-006: Multiple XSS Vulnerabilities reported for Zen Cart ***
---------------------------------------------
Today Trustwave released a vulnerability advisory in conjunction with Zen Cart. Researchers from the SpiderLabs Research team at Trustwave recently found multiple Cross-Site Scripting (XSS) vulnerabilities in the popular online open source shopping ..
---------------------------------------------
https://www.trustwave.com/Resources/SpiderLabs-Blog/TWSL2016-006--Multiple-XSS-Vulnerabilities-reported-for-Zen-Cart/


*** CVE-2016-1010 (??? - Flash up to 20.0.0.306) and Exploit Kits ***
---------------------------------------------
http://malware.dontneedcoffee.com/2016/03/flash-up-to-2000306.html


*** Neue Infektions-Masche: Erpressungs-Trojaner missbraucht Windows PowerShell ***
---------------------------------------------
Die neu entdeckte Ransomware PowerWare bemächtigt sich der Windows PowerShell, um Computer zu infizieren und Daten zu verschlüsseln.
---------------------------------------------
http://heise.de/-3151892


*** Every Tool in the Tool Box ***
---------------------------------------------
When I teach people about reverse engineering, I often hear the following statement: "I got the right answer, but I cheated to get it". They are typically talking about using dynamic analysis to get an answer versus statically analyzing ..
---------------------------------------------
http://trustwave.com/Resources/SpiderLabs-Blog/Every-Tool-in-the-Tool-Box/


*** DSA-3532 quagga - security update ***
---------------------------------------------
Kostya Kortchinsky discovered a stack-based buffer overflowvulnerability in the VPNv4 NLRI parser in bgpd in quagga, a BGP/OSPF/RIProuting daemon. A remote attacker can exploit this flaw to cause adenial of service (daemon crash), or potentially, execution of arbitrarycode, if bgpd is configured with BGP peers enabled for VPNv4.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3532


*** Improving Bash Forensics Capabilities ***
---------------------------------------------
Bash is the default user shell in most Linux distributions. In case of incidents affecting a UNIX server, they are chances that a Bash shell will be ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20887


*** Life After the Isolated Heap ***
---------------------------------------------
Over the past few months, Adobe has introduced a number of changes to the Flash Player heap with the goal of reducing the exploitability of certain types of vulnerabilities in Flash, especially use-after-frees. I wrote an exploit involving two bugs ..
---------------------------------------------
http://googleprojectzero.blogspot.com/2016/03/life-after-isolated-heap.html


*** APPLE-SA-2016-03-28-1 OS X: Flash Player plug-in blocked ***
---------------------------------------------
http://prod.lists.apple.com/archives/security-announce/2016/Mar/msg00007.html


*** DSA-3533 openvswitch - security update ***
---------------------------------------------
Kashyap Thimmaraju and Bhargava Shastry discovered a remotelytriggerable buffer overflow vulnerability in openvswitch, a productionquality, multilayer virtual switch implementation. Specially craftedMPLS packets could overflow ..
---------------------------------------------
https://www.debian.org/security/2016/dsa-3533


*** "Collecting Serial Data for ICS Network Security Monitoring" ***
---------------------------------------------
Below is a postby SANS ICS515 - ICS Active Defense and Incident Response instructor Mark Bristow. Adversaries across the capability spectrum are increasingly targeting Industrial Control System (ICS) environments. Malware such as ..
---------------------------------------------
http://ics.sans.org/blog/2016/03/29/collecting-serial-data-for-ics-network-security-monitoring


*** Why PCI DSS cannot replace common sense and holistic risk assessment ***
---------------------------------------------
Cybersecurity compliance is not designed to eliminate data breaches or stop cybercrime.
---------------------------------------------
https://www.htbridge.com/blog/why-pci-dss-cannot-replace-common-sense-and-holistic-risk-assessment.html


*** Printers all over the US 'hacked' to spew anti-Semitic fliers ***
---------------------------------------------
Andrew 'Weev' Auernheimer, one of the two men who were prosecuted and convicted for harvesting e-mails and authentication IDs of 114,000 early-adopters of Apple's iPad from AT&T's ..
---------------------------------------------
https://www.helpnetsecurity.com/2016/03/29/printers-us-hacked-anti-semitic-fliers/


*** Xen Security Advisory 172 (CVE-2016-3158, CVE-2016-3159) - broken AMD FPU FIP/FDP/FOP leak workaround ***
---------------------------------------------
There is a workaround in Xen to deal with the fact that AMD CPUs dont load the x86 registers FIP (and possibly FCS), FDP (and possibly FDS), and FOP from memory (via XRSTOR or FXRSTOR) when there is no pending unmasked exception. (See XSA-52.) However, this workaround does not cover all possible input cases.
---------------------------------------------
http://lists.xen.org/archives/html/xen-announce/2016-03/msg00001.html


*** Google-Entwickler: NPM-Malware könnte sich als Wurm verbreiten ***
---------------------------------------------
Wegen einiger Design-Prinzipien der Node-Paktverwaltung NPM könne sich ein schadhaftes Modul wie ein Wurm im gesamten System verbreiten, warnt ein Google-Entwickler. Gegen die Sicherheitslücke hilft vorerst nur Handarbeit.
---------------------------------------------
http://www.golem.de/news/google-entwickler-npm-malware-koennte-sich-als-wurm-verbreiten-1603-120011.html


*** Petya: Den Erpressungs-Trojaner stoppen, bevor er die Festplatten verschlüsselt ***
---------------------------------------------
Die Ransomware Petya zielt auf deutschsprachige Opfer und sorgt dafür, dass deren Rechner nicht mehr starten. Der Trojaner verschlüsselt ausserdem die Festplatten, das kann man aber verhindern, wenn man ihn rechtzeitig stoppt.
---------------------------------------------
http://heise.de/-3153388


*** Lücke in populärer Anrufer-ID-App Truecaller legt Nutzerdaten offen ***
---------------------------------------------
http://derstandard.at/2000033814462