[CERT-daily] Tageszusammenfassung - Mittwoch 21-09-2016

Wed Sep 21 18:20:17 CEST 2016

=======================
= End-of-Shift report =
=======================

Timeframe:   Dienstag 20-09-2016 18:00 − Mittwoch 21-09-2016 18:00
Handler:     Stephan Richter
Co-Handler:  n/a


*** Spear Phishing: Deutsche Politiker mit Malware-Mails angegriffen ***
---------------------------------------------
Politiker aller Parteien waren im August Ziel von Spear-Phishing-Angriffen. Angebliche Nato-Informationen zum Putsch in der Türkei und zum Erdbeben in Italien sollten zum Klicken auf Malware verleiten.
---------------------------------------------
http://www.golem.de/news/spear-phishing-deutsche-politiker-mit-malware-mails-angegriffen-1609-123355-rss.html


*** Windows Events log for IR/Forensics ,Part 2, (Tue, Sep 20th) ***
---------------------------------------------
In a previous diary[i] I talked about Windows Events and I gave some examples about some of the most useful events for Forensics/IR. In this diary I will talk about how to use Windows PowerShell to search for events Get-WinEvent The Get-WinEvent cmdlet gets events from event logs, including classic logs, such as the System and Application logs, and the event logs that are generated by the Windows Event Log technology introduced in Windows Vista. It also gets events in log files generated by...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21501&rss


*** ISAKMP Scanning and Potential Vulnerabilities ***
---------------------------------------------
Introduction As many of you are aware, we scan the Internet on a daily basis for many different protocols. We have added several new ones over time mostly depending on our own time available to engineer a scan for that protocol. Occasionally, we add one that is more topical and addresses a recent vulnerability or...
---------------------------------------------
http://blog.shadowserver.org/2016/09/20/isakmp-scanning-and-potential-vulnerabilities/


*** Mamba Ransomware Encrypts Hard Drives Rather Than Files ***
---------------------------------------------
A new ransomware strain called Mamba opts to encrypts hard drives rather than individual files and folders stored on the local disk.
---------------------------------------------
http://threatpost.com/mamba-ransomware-encrypts-hard-drives-rather-than-files/120730/


*** Should you trust your security software? ***
---------------------------------------------
The complaint that security is broken isn't new and even industry insiders are joining the chorus. Companies spent an estimated $75 billion last year on security products and yet cyber attacks and data breaches are still a common occurrence. Now, we're finding that security tools themselves have vulnerabilities that are putting organizations at risk. Given that vulnerabilities in software are the root cause of most attacks and security tools are inherently intrusive in order to...
---------------------------------------------
https://www.helpnetsecurity.com/2016/09/21/security-software/


*** macOS Sierra beseitigt fast 70 Sicherheitslücken ***
---------------------------------------------
Mit der neuen Version 10.12 hat Apple 68 Schwachstellen in macOS respektive OS X behoben, darunter kritische. Für ältere OS-X-Versionen liegt derzeit kein Sicherheits-Update vor.
---------------------------------------------
http://heise.de/-3328701


*** Considerations on the Traffic Light Protocol ***
---------------------------------------------
The Traffic Light Protocol (TLP) is a means for someone sharing information to inform their audience about any limitations in further spreading this information. It is used in almost all CSIRT communities and some Information Analysis and Sharing Centres (ISACs). The TLP can be used in all forms of communication, whether written or oral. This Glossary Entry presents the TLP and its possible variants, and proposes some considerations on its use and its limitations.
---------------------------------------------
https://www.enisa.europa.eu/topics/national-csirt-network/glossary/considerations-on-the-traffic-light-protocol


*** Did You Really Lock that Door? ***
---------------------------------------------
One of my favorite books about information security is Ghost in the Wires, by Kevin Mitnick. Kevin, of course is one of the notorious early hackers whose exploits are brilliant and quite entertaining. If you have not already done so, add that book to your reading list. This post however is not a book review. I was reminded of Kevin's book the other evening when my son went dashing to the door in the middle of the night to make sure that he locked it. Normally, like all teenagers, he just...
---------------------------------------------
https://feeds.feedblitz.com/~/200516044/0/alienvault-blogs~Did-You-Really-Lock-that-Door


*** InfoArmor Uncovers Malicious Torrent Distribution Network ***
---------------------------------------------
InfoArmor has identified a special tool used by cybercriminals to distribute malware by packaging it with the most popular torrent files on the Internet. The bad actors have analyzed trends on video, audio, software and other digital content downloads from around the globe and have created seeds on famous torrent trackers using weaponized torrents packaged with malicious code.
---------------------------------------------
https://www.infoarmor.com/infoarmor-uncovers-malicious-torrent-distribution-network/


*** Opportunistic Encryption: Bringing HTTP/2 to the unencrypted web ***
---------------------------------------------
Encrypting the web is not an easy task. Various complexities prevent websites from migrating from HTTP to HTTPS, including mixed content, which can prevent sites from functioning with HTTPS. Opportunistic Encryption provides an additional level of security to websites that have not yet moved to HTTPS and the performance benefits...
---------------------------------------------
https://blog.cloudflare.com/opportunistic-encryption-bringing-http-2-to-the-unencrypted-web/


*** Bugtraq: ESA-2016-093: RSA Adaptive Authentication (On-Premise) Cross-Site Scripting Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539432


*** DSA-3671 wireshark - security update ***
---------------------------------------------
Multiple vulnerabilities were discovered in the dissectors for H.225,Catapult DCT2000, UMTS FP and IPMI, which could result in denial ofservice or the execution of arbitrary code.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3671


*** Filr 2.0 - Hot Patch 3 ***
---------------------------------------------
Abstract: This patch provides a number of general bug fixes and security updates for Novell Filr, Search and MySQL 2.0.0 appliances including an updated Filr 2.0 Desktop client.Document ID: 5255170Security Alert: YesDistribution Type: PublicEntitlement Required: NoFiles:preinstall-Search-20HP3.zip (24.95 MB)preinstall-MySQL-20HP3.zip (24.18 MB)preinstall-Filr-20HP3.zip (34.59 MB)Filr-2.0.0.474.HP.zip (155.89 MB)Search-2.0.0.417.HP.zip (10.67 MB)MySQL-2.0.0.197.HP.zip (1.44 kB)Products:Filr...
---------------------------------------------
https://download.novell.com/Download?buildid=LMP8JAI5Lrc~


*** Security Advisory - DoS Vulnerability in Multiple Huawei Products ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160921-02-firewall-en


*** Security Advisory - DoS Vulnerability in Multiple Huawei Products ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160921-01-firewall-en


*** Security Advisory - DOS Vulnerability in Video Driver of Huawei Smart Phone ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160921-01-smartphone-en


*** Apple Security Updates ***
---------------------------------------------
*** Safari 10 ***
https://support.apple.com/kb/HT207157
---------------------------------------------
*** macOS Sierra 10.12 ***
https://support.apple.com/kb/HT207170
---------------------------------------------
*** tvOS 10 ***
https://support.apple.com/kb/HT207142
---------------------------------------------
*** iTunes 12.5.1 for Windows ***
https://support.apple.com/kb/HT207158
---------------------------------------------
*** macOS Server 5.2 ***
https://support.apple.com/kb/HT207171
---------------------------------------------
*** iCloud for Windows 6.0 ***
https://support.apple.com/kb/HT207147
---------------------------------------------


*** Vuln: OpenStack Nova Denial of Service Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/93068


*** ShoreTel Connect ONSITE Blind SQL Injection Vulnerability ***
---------------------------------------------
Topic: ShoreTel Connect ONSITE Blind SQL Injection Vulnerability Risk: Medium Text:ShoreTel Connect ONSITE Blind SQL Injection Vulnerability == vulnerability type: Unauthenticated Blin...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016090154


*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Rational Software Architect, Rational Software Architect for WebSphere Software and Rational Software Architect RealTime Edition ***
http://www-01.ibm.com/support/docview.wss?uid=swg21990374
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Samba affects IBM Spectrum Scale SMB protocol access method (CVE-2016-2119) ***
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009255
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in XML processing affect IBM DataPower Gateways ***
http://www-01.ibm.com/support/docview.wss?uid=swg21990046
---------------------------------------------
*** IBM Security Bulletin: Multiple security vulnerabilities affect IBM WebSphere Application Server for Bluemix ***
http://www.ibm.com/support/docview.wss?uid=swg21990236
---------------------------------------------
*** IBM Security Bulletin: IBM WebSphere MQ Invalid client protocol flows could cause denial of service (CVE-2016-0379) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21984565
---------------------------------------------
*** IBM Security Bulletin: IBM WebSphere Cast Iron Solution is affected by Apache Tomcat vulnerability CVE-2015-5174 ***
http://www-01.ibm.com/support/docview.wss?uid=swg21988742
---------------------------------------------