[CERT-daily] Tageszusammenfassung - Montag 23-05-2016

Mon May 23 18:21:47 CEST 2016

=======================
= End-of-Shift report =
=======================

Timeframe:   Freitag 20-05-2016 18:00 − Montag 23-05-2016 18:00
Handler:     Stephan Richter
Co-Handler:  n/a


*** Backdoor in Fake Joomla! Core Files ***
---------------------------------------------
We usually write a lot about obfuscation methods on Sucuri Labs and here on the blog. Sometimes we write about free tools to obfuscate your code that aren't that free and we also have an online tool to help decoding the malware you find. But sometimes the malware is not clearly encoded using base64, gzinflate, hex concatenation,... The post Backdoor in Fake Joomla! Core Files appeared first on Sucuri Blog.
---------------------------------------------
https://blog.sucuri.net/2016/05/unexpected-backdoor-fake-core-files.html


*** 60 percent of enterprise Android phones prone to QSEE vulnerability ***
---------------------------------------------
Duo Labs researchers found that 60 percent of enterprise Android phones are affected by a critical QSEE vulnerability.
---------------------------------------------
http://www.scmagazine.com/majority-of-enterprise-android-phones-vulnerable-to-critical-qsee-bug/article/497977/


*** The strange case of WinZip MRU Registry key, (Sun, May 22nd) ***
---------------------------------------------
When we want to know if a document (.doc, .pdf, whatever) has been opened by the user, in a Windows environment our information goldmine place is the Registry and particularly its MRUs keys. However, it seems this is not always the case. During the analysis of the Retefe case I wrote about in my previous diary, I came across a Registry behavior I did not expect, or at least I was not aware of, about how to verify if the file contained within the zip archive had been opened or not. Regarding...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21087&rss


*** ENISA- Europol issue joint statement ***
---------------------------------------------
ENISA and Europol issue joint statement on lawful criminal investigation that respects 21st Century data protection.
---------------------------------------------
https://www.enisa.europa.eu/news/enisa-news/enisa-europol-issue-joint-statement


*** Geldautomaten: Kriminelle erbeuten Millionen in zwei Stunden ***
---------------------------------------------
Kriminelle Kartenfälscher agieren global: Mit Hilfe von Kreditkarteninformationen einer südafrikanischen Bank erbeutete eine Bande in Japan in nur 2,5 Stunden Bargeld im Wert von mehr als 12 Millionen Euro.
---------------------------------------------
http://www.golem.de/news/geldautomaten-kriminelle-erbeuten-millionen-in-zwei-stunden-1605-121044-rss.html


*** National coordinators meet to prepare for ECSM launch ***
---------------------------------------------
National coordinators from across Europe gathered in Brussels earlier this month in preparation for the launch of this year's European Cyber Security Month.
---------------------------------------------
https://www.enisa.europa.eu/news/enisa-news/national-coordinators-meet-to-prepare-fro-ecsm-launch


*** Organizations unprepared for employee-caused security incidents ***
---------------------------------------------
While employee-related security risks are the number-one concern for security professionals, organizations are not taking adequate steps to prevent negligent employee behavior, according to a new Ponemon Institute study. The study, Managing Insider Risk Through Training & Culture, asked more than 600 individuals at companies that currently have a data protection and privacy training program to weigh in on the topic of negligent and malicious employee behaviors, as well as the consequences...
---------------------------------------------
https://www.helpnetsecurity.com/2016/05/23/employee-caused-security-incidents/


*** When Hashing isn't Hashing ***
---------------------------------------------
Anyone working in application security has found themselves saying something like this a thousand times: "always hash passwords with a secure password hashing function." I've said this phrase at nearly all of the developer events I've spoken at, it's become a mantra of sorts for many of us that try to improve the security of applications. We tell developers to hash passwords, then we have to qualify it to explain that it isn't normal hashing.
---------------------------------------------
https://adamcaudill.com/2016/05/23/when-hashing-isnt-hashing/


*** Technical Report about the RUAG espionage case ***
---------------------------------------------
After several months of Incident Response and Analysis in the RUAG cyber espionage case, we got the assignment from the Federal Council to write and publish a report about the findings. The following is a purely technical report, intending to inform the public about Indicators of Compromise (IOCs) and the Modus Operandi of the attacker group behind this case. We strongly believe in...
---------------------------------------------
https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case


*** Hack von Rüstungskonzern: Schweizer Cert gibt Security-Tipps für Unternehmen ***
---------------------------------------------
Daran könnten sich andere Sicherheitsfirmen ein Beispiel nehmen: Das Schweizer Cert hat detailliert die Angriffsmethoden einer APT-Gruppe auf den Technikkonzern Ruag analysiert und gibt Unternehmen Tipps zum Schutz.
---------------------------------------------
http://www.golem.de/news/hack-von-ruestungskonzern-schweizer-cert-gibt-security-tipps-fuer-unternehmen-1605-121048-rss.html


*** After trio of hacks, SWIFT addresses information sharing concerns ***
---------------------------------------------
Following reports of a cyberattack last year in which hackers stole $9 million from an Ecuadorean bank, SWIFT stated it is taking steps to create more information sharing practices.
---------------------------------------------
http://www.scmagazine.com/after-trio-of-hacks-swift-addresses-information-sharing-concerns/article/497988/


*** Student convicted after finding encryption flaws in government network ***
---------------------------------------------
He found that the encrypted network often wasnt... but he lost patience when it looked as though nothing was being done about it.
---------------------------------------------
https://nakedsecurity.sophos.com/2016/05/23/student-convicted-after-finding-encryption-flaws-in-government-network/


*** A recently patched Flash Player exploit is being used in widespread attacks ***
---------------------------------------------
It took hackers less than two weeks to integrate a recently patched Flash Player exploit into widely used Web-based attack tools that are being used to infect computers with malware.The vulnerability, known as CVE-2016-4117, was discovered earlier this month by security researchers FireEye. It was exploited in targeted attacks through malicious Flash content embedded in Microsoft Office documents.When the targeted exploit was discovered, the vulnerability was unpatched, which prompted a...
---------------------------------------------
http://www.cio.com/article/3073558/a-recently-patched-flash-player-exploit-is-being-used-in-widespread-attacks.html#tk.rss_security


*** Security Update Available for Adobe Connect (APSB16-17) ***
---------------------------------------------
A Security Bulletin (APSB16-17) has been published regarding a security update for Adobe Connect. Adobe recommends users update their product installations to the latest version using the instructions referenced in the security bulletin.
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1355


*** TA16-144A: WPAD Name Collision Vulnerability ***
---------------------------------------------
Original release date: May 23, 2016 Systems Affected Windows, OS X, Linux systems, and web browsers with WPAD enabled Overview Web Proxy Auto-Discovery (WPAD) Domain Name System (DNS) queries that are intended for resolution on private or enterprise DNS servers have been observed reaching public DNS servers [1]. In combination with the New generic Top Level Domain (gTLD) program's incorporation of previously undelegated gTLDs for public registration, leaked WPAD queries could result in...
---------------------------------------------
https://www.us-cert.gov/ncas/alerts/TA16-144A


*** Bugzilla 4.4.11 and 5.0.2 Security Advisory ***
---------------------------------------------
A specially crafted bug summary could trigger XSS in dependency graphs.
---------------------------------------------
https://www.bugzilla.org/security/4.4.11/


*** DSA-3585 wireshark - security update ***
---------------------------------------------
Multiple vulnerabilities were discovered in the dissectors/parsers forPKTC, IAX2, GSM CBCH and NCP which could result in denial of service.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3585


*** SECURITY BULLETIN: Trend Micro InterScan Web Security Virtual Appliance (IWSVA) Multiple Remote Code Execution Vulnerabilities ***
---------------------------------------------
Trend Micro has released new builds of the Trend Micro InterScan Web Security Virtual Appliance. These updates resolve vulnerabilities in the product that could potentially allow a remote attacker to execute arbitrary code on vulnerable installations.
---------------------------------------------
https://esupport.trendmicro.com/solution/en-US/1114185.aspx


*** SECURITY BULLETIN: Trend Micro OfficeScan Path Traversal Vulnerability ***
---------------------------------------------
Trend Micro has released an update for OfficeScan (OSCE) 11.0 Service Pack (SP) 1 which resolves a vulnerability in the product that when certain conditions are met could be exploited to access files and directories located outside of the core product web root folder.
---------------------------------------------
https://esupport.trendmicro.com/solution/en-US/1114097.aspx


*** ZDI-16-353: BitTorrent API Cross Site Scripting Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of BitTorrent and uTorrent. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-16-353/


*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM WebSphere affect IBM Control Center (CVE-2016-0283, CVE-2015-7417). ***
http://www.ibm.com/support/docview.wss?uid=swg21981914
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities affect multiple IBM Rational products based on IBM Jazz technology (CVE-2015-7484, CVE-2015-7474, CVE-2015-7485, CVE-2015-7486, CVE-2016-0219) ***
http://www.ibm.com/support/docview.wss?uid=swg21983720
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in SSL affect IBM DataPower Gateways (CVE-2015-3193, CVE-2015-3195, CVE-2015-1794) ***
http://www.ibm.com/support/docview.wss?uid=swg21982608
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Marketing Platform (CVE-2016-0224, CVE-2016-0229, CVE-2016-0233) ***
http://www.ibm.com/support/docview.wss?uid=swg21980989
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in XML processing affect IBM DataPower Gateways ***
http://www.ibm.com/support/docview.wss?uid=swg21982607
---------------------------------------------
*** IBM Security Bulletin: Vulnerability identified in IBM Domino Java Console (CVE-2016-0304) ***
http://www.ibm.com/support/docview.wss?uid=swg21983328
---------------------------------------------
*** IBM Security Bulletin: OpenSSL vulnerabilities in Node.js found on May 03, 2016 affect Rational Software Architect and Rational Software Architect for WebSphere Software (CVE-2016-2107, CVE-2016-2105) ***
http://www.ibm.com/support/docview.wss?uid=swg21983555
---------------------------------------------
*** IBM Security Bulletin: Multiple OpenSSL vulnerabilities in Node.js included in Rational Application Developer for WebSphere Software ***
http://www.ibm.com/support/docview.wss?uid=swg21982949
---------------------------------------------
*** IBM Security Bulletin: One vulnerability in IBM Java SDK affect Application Delivery Intelligence 1.0.0 (CVE-2016-3427) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023804
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Runtime Environment Java Technology Edition, Version 6, affects: WebSphere Dashboard Framework (CVE-2016-3427, CVE-2016-3426, CVE-2016-0264) ***
http://www.ibm.com/support/docview.wss?uid=swg21982528
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Runtime Environment Java Technology Edition, Version 6, affects: Web Experience Factory (CVE-2016-3427, CVE-2016-3426, CVE-2016-0264) ***
http://www.ibm.com/support/docview.wss?uid=swg21982527
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in IBM Java SDK affects IBM Integration Designer and WebSphere Integration Developer (CVE-2016-3427) ***
http://www.ibm.com/support/docview.wss?uid=swg21983002
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM OS Images for Red Hat Linux Systems, IBM OS Images for AIX, and Windows. (CVE-2016-0363, CVE-2016-0376, CVE-2016-3426, and CVE-2016-0264) ***
http://www.ibm.com/support/docview.wss?uid=swg21983647
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Image Construction and Composition Tool. (CVE-2016-0363, CVE-2016-0376, CVE-2016-3426, and CVE-2016-0264) ***
http://www.ibm.com/support/docview.wss?uid=swg21983644
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in OpenSSL affects Tivoli Provisioning Manager for OS Deployment, Tivoli Provisioning Manager for Images (CVE-2016-2842) ***
http://www.ibm.com/support/docview.wss?uid=swg21982159
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM InfoSphere Information Server ***
http://www.ibm.com/support/docview.wss?uid=swg21981545
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in ApacheTomcat affect IBM Security SiteProtector System (CVE-2015-5174, CVE-2015-5345, CVE-2016-0706 and CVE-2016-0714) ***
http://www.ibm.com/support/docview.wss?uid=swg21983242
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in SSL affect IBM DataPower Gateways (CVE-2015-3197 ) ***
http://www.ibm.com/support/docview.wss?uid=swg21982697
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenStack affect IBM Spectrum Scale V4.2 and V4.1.1 (CVE-2015-8466 and CVE-2016-0738) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005833
---------------------------------------------