[CERT-daily] Daily summary - Monday 30-01-2017
Daily end-of-shift report
team at cert.at
Mon Jan 30 18:13:18 CET 2017
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 27-01-2017 18:00 − Monday 30-01-2017 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
*** Dridex Returns With Windows UAC Bypass Method ***
---------------------------------------------
Dridex banking malware returns with a new bypass technique that allows the malware to execute without triggering a Windows UAC alert to the user.
---------------------------------------------
http://threatpost.com/dridex-returns-with-windows-uac-bypass-method/123420/
*** What Keeps My Honeypot Busy These Days, (Fri, Jan 27th) ***
---------------------------------------------
Sometimes, it isn't the new and sophisticated attacks that keep your honeypots (and with that: you) busy, but things that make you go "that works?". Looking over my honeypot today, I had a couple of experiences like this. First of all, the old TR-064 NTP Server exploit that became big news when the Mirai botnet adopted it. Since then, most of the servers that hosted the follow-up code no longer deliver. But this doesn't prevent thousands of existing bots from persistently attempting the exploit. In...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21995&rss
*** ATM "Shimmers" Target Chip-Based Cards ***
---------------------------------------------
Several readers have called attention to warnings coming out of Canada about a supposed new form of ATM skimming called "shimming." Shimming attacks are not new (KrebsOnSecurity first wrote about them in August 2015), but they are likely to become more common as a greater number of banks in the United States shift to issuing chip-based cards. Here's a brief primer on shimming attacks, and why they succeed.
---------------------------------------------
https://krebsonsecurity.com/2017/01/atm-shimmers-target-chip-based-cards/
*** Request for Packets and Logs - TCP 5358, (Sat, Jan 28th) ***
---------------------------------------------
Starting Sunday (22 Jan 17), there was a huge spike this week against TCP 5358. If anyone has logs or packets (traffic) that might help identify what it is, submitting them via our contact page [1] would be appreciated. This is a snapshot of what was reported so far this week in DShield.
[1] https://isc.sans.edu/contact.html
-----------
Guy Bruneau, IPSS Inc. (http://www.ipss.ca/)
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21997&rss
*** Adblock Plus: Public prosecutor's office searches ad-blocker provider Eyeo ***
---------------------------------------------
The Cologne-based ad-blocker provider Eyeo now also has trouble with the judiciary. The background is likely the dispute over who is responsible for creating the filter rules in the Easylist.
---------------------------------------------
http://www.golem.de/news/adblock-plus-staatsanwaltschaft-durchsucht-werbeblocker-anbieter-eyeo-1701-125866-rss.html
*** XSender: The Source of All the Recent XMPP Spam ***
---------------------------------------------
In recent months, security researchers, hackers, and other dwellers of the cyber-criminal underground have noticed an uptick in XMPP (formerly Jabber) spam. [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/security/xsender-the-source-of-all-the-recent-xmpp-spam/
*** Facebook: Secure login via USB stick ***
---------------------------------------------
Two-factor authentication at Facebook can now also be done via FIDO USB sticks or NFC tags.
---------------------------------------------
https://futurezone.at/digital-life/facebook-sicheres-einloggen-per-usb-stick/243.548.385
*** A Shakeup in Russia's Top Cybercrime Unit ***
---------------------------------------------
A chief criticism I heard from readers of my book, Spam Nation: The Inside Story of Organized Cybercrime, was that it dealt primarily with petty crooks involved in petty crimes, while ignoring more substantive security issues like government surveillance and cyber war. But now it appears that the chief antagonist of Spam Nation is at the dead center of an international scandal involving the hacking of U.S. state electoral boards in Arizona and Illinois, the sacking of Russia's top cybercrime...
---------------------------------------------
https://krebsonsecurity.com/2017/01/a-shakeup-in-russias-top-cybercrime-unit/
*** Surveillance cameras in Washington DC infected with ransomware ***
---------------------------------------------
Only eight days before Trump's inauguration, the surveillance camera network in the US capital was attacked and partially paralyzed.
---------------------------------------------
https://futurezone.at/digital-life/ueberwachungskameras-von-washington-dc-mit-ransomware-infiziert/243.696.394
*** Google on the way to becoming an independent root CA ***
---------------------------------------------
In future, the company intends to issue its own SSL/TLS certificates through the Google Trust Service. These are to be used for Google services and for offerings of Google's parent company Alphabet.
---------------------------------------------
https://heise.de/-3610041
*** Averting ransomware epidemics in corporate networks with Windows Defender ATP ***
---------------------------------------------
Microsoft security researchers continue to observe ransomware campaigns blanketing the market and indiscriminately hitting potential targets. Unsurprisingly, these campaigns also continue to use email and the web as primary delivery mechanisms. Also, it appears that most corporate victims are simply caught by the wide nets cast by ransomware operators. Unlike cyberespionage groups, ransomware operators do...
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/
*** Critical vulnerability in WebEx: Cisco apparently provides final security updates ***
---------------------------------------------
After several supposedly secured versions of WebEx, Cisco has now, according to its own statements, released fully-fledged security updates. Some uncertainties remain, however.
---------------------------------------------
https://heise.de/-3610749
*** [2017-01-30] XSS and CSRF vulnerabilities in multiple Ubiquiti Networks products ***
---------------------------------------------
Many products of Ubiquiti Networks are affected by a cross-site scripting vulnerability. Malicious JavaScript code can be executed in the browser of the user. Furthermore, different actions on the system can be triggered by CSRF attacks.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20170130-0_Ubiquiti_Networks_XSS_CSRF_v10.txt
*** 4010983 - Vulnerability in ASP.NET Core MVC 1.1.0 Could Allow Denial of Service - Version: 1.0 ***
---------------------------------------------
Microsoft is aware of a security vulnerability in the public version of ASP.NET Core MVC 1.1.0 where a malformed HTTP request could lead to a denial of service.
---------------------------------------------
https://technet.microsoft.com/en-us/library/security/4010983
*** Cryptkeeper Sets the same password "p" for everything independently of user input ***
---------------------------------------------
https://www.reddit.com/r/netsec/comments/5r16na/cryptkeeper_sets_the_same_password_p_for/
*** DSA-3775 tcpdump - security update ***
---------------------------------------------
Multiple vulnerabilities have been discovered in tcpdump, a command-line network traffic analyzer. These vulnerabilities might result in denial of service or the execution of arbitrary code.
---------------------------------------------
https://www.debian.org/security/2017/dsa-3775
*** TrueConf Server v4.3.7 Multiple Remote Web Vulnerabilities ***
---------------------------------------------
The administration interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. Input passed via the redirect_url GET parameter is not properly verified before being used to redirect users. This can be exploited to redirect a user to an arbitrary website e.g. when a user clicks a specially crafted...
---------------------------------------------
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5393.php
*** Dell SonicWALL Secure Mobile Access SMA 8.1 XSS And WAF CSRF ***
---------------------------------------------
SonicWALL SMA suffers from an XSS issue due to a failure to properly sanitize user-supplied input to several parameters. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user's browser session. The WAF was bypassed via form-based CSRF.
---------------------------------------------
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5392.php
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in Samba affect IBM Spectrum Scale SMB protocol access method (CVE-2016-2126, 2016-2125) ***
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009714
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in SSL affects IBM DataPower Gateways (CVE-2016-8610) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21997209
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager (CVE-2016-5597) ***
http://www.ibm.com/support/docview.wss?uid=swg21997764
---------------------------------------------