[CERT-daily] Tageszusammenfassung - Donnerstag 6-07-2017
Daily end-of-shift report
team at cert.at
Thu Jul 6 18:23:06 CEST 2017
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 05-07-2017 18:00 − Donnerstag 06-07-2017 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Decryptor Released for the Mole02 CryptoMix Ransomware Variant ***
---------------------------------------------
It is always great to be able to announce a free decryptor for victims who have had their files encrypted by a ransomware. This is the case today, where a decryptor for the Mole02 cryptomix variant was released. [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/security/decryptor-released-for-the-mole02-cryptomix-ransomware-variant/
*** Evolution of Conditional Spam Targeting Drupal Sites ***
---------------------------------------------
Last year we took a look at how attackers were infecting Drupal installations to spread their spam and keep their campaigns going by just including a malicious file in each visitor's session. It's quite common for attackers to evolve their techniques and add new variations of hidden backdoors to make it harder to get rid of the infection. These evasion and reinfection techniques can also make it difficult to modify the malicious code, which is what has exactly happened in this case, [...]
---------------------------------------------
https://blog.sucuri.net/2017/07/drupal-conditional-spam-evolved.html
*** New BTCWare Ransomware Decrypter Released for the Master Variant ***
---------------------------------------------
Security researcher Michael Gillespie has released a new version of the BTCWare ransomware decrypter after the author of the eponymous ransomware has leaked the private key for his latest version. [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-btcware-ransomware-decrypter-released-for-the-master-variant/
*** Sicherheitsupdates: Cisco kämpft gegen statische und unverschlüsselte Zugangsdaten ***
---------------------------------------------
Der Netzwerkausrüster stopft zum Teil kritische Sicherheitslücken in seinem Elastic Services Controller und seinem Ultra Services Framework.
---------------------------------------------
https://heise.de/-3765238
*** M.E.Doc Software Was Backdoored 3 Times, Servers Left Without Updates Since 2013 ***
---------------------------------------------
Servers and infrastructure belonging to Intellect Service, the company behind the M.E.Doc accounting software, were grossly mismanaged, being left without updates since 2013, and getting backdoored on three separate occasions during the past three months. [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/security/m-e-doc-software-was-backdoored-3-times-servers-left-without-updates-since-2013/
*** The MeDoc Connection ***
---------------------------------------------
The Nyetya attack was a destructive ransomware variant that affected many organizations inside of Ukraine and multinational corporations with operations in Ukraine. In cooperation with Cisco Advanced Services Incident Response, Talos identified several key aspects of the attack. The investigation found a supply chain-focused attack at M.E.Doc software that delivered a destructive payload disguised as ransomware. By utilizing stolen credentials, the actor was [...]
---------------------------------------------
http://blog.talosintelligence.com/2017/07/the-medoc-connection.html
*** Fritzbox-Lücke erlaubt delikate Einblicke ins lokale Netz ***
---------------------------------------------
Durch ein Informationsleck können Webseiten offenbar viele Details über das Heimnetz eines Fritzbox-Nutzers erfahren. Zu den abfischbaren Daten zählen die Netzwerknamen aller Clients, IP- und Mac-Adresssen und die eindeutige ID der Fritzbox.
---------------------------------------------
https://heise.de/-3764885
*** FIRST announces release of Guidelines and Practices for Multi-Party Vulnerability Coordination and Disclosure ***
---------------------------------------------
The Forum of Incident Response and Security Teams announces the release of a set of guidelines and norms for vulnerability disclosure that affects multiple parties.
---------------------------------------------
https://www.first.org/newsroom/releases/20170706
*** APWG Global Phishing Survey 2016: Trends and Domain Name Use ***
---------------------------------------------
This report comprehensively examines a large data set of more than 250,000 phishing attacks detected in 2015 and 2016. By quantifying this cybercrime activity and understanding the patterns that lurk therein, we have learned more about what phishers have been doing, and how they have accomplished their schemes.
---------------------------------------------
https://apwg.org/resources/apwg-reports/domain-use-and-trends
https://docs.apwg.org/reports/APWG_Global_Phishing_Report_2015-2016.pdf
*** Gefälschte Anwaltsschreiben verbreiten Schadsoftware ***
---------------------------------------------
In gefälschten Anwaltsschreiben behaupten Kriminelle, dass Adressat/innen Schulden bei einem Unternehmen haben. Weiterführende Informationen zu der offenen Geldforderung sollen sich im Dateianhang der Nachricht finden. In Wahrheit verbirgt er Schadsoftware.
---------------------------------------------
https://www.watchlist-internet.at/gefaelschte-rechnungen/gefaelschte-anwaltsschreiben-verbreiten-schadsoftware/
*** BadGPO - Using Group Policy Objects for Persistence and Lateral Movement ***
---------------------------------------------
[...] Such policies are widely used in enterprise environments to control settings of clients and servers: registry settings, security options, scripts, folders, software installation and maintenance, just to name a few. Settings are contained in so-called Group Policy Objects (GPOs) and can be misused in a sneaky way to distribute malware and gain persistence in an automated manner in a post exploitation scenario of an already compromised domain.
---------------------------------------------
http://www.sicherheitsforschung-magdeburg.de/uploads/journal/MJS_052_Willi_GPO.pdf
*** ZDI-17-452: (0Day) Advantech WebOP Designer Project File Heap Buffer Overflow Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Advantech WebOP Designer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-17-452/
*** Android Security Bulletin July 2017 ***
---------------------------------------------
https://source.android.com/security/bulletin/2017-07-01.html
*** BlackBerry powered by Android Security Bulletin July 2017 ***
---------------------------------------------
http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber=000045142
*** Petya Malware Variant (Update B) ***
---------------------------------------------
This updated alert is a follow-up to the updated alert titled ICS-ALERT-17-181-01A Petya Ransomware Variant that was published July 3, 2017, on the NCCIC/ICS-CERT web site. ICS-CERT is aware of reports of a variant of the Petya malware that is affecting several countries. ICS-CERT is releasing this alert to enhance the awareness of critical infrastructure asset owners/operators about the Petya variant and to identify product vendors that have issued recommendations to mitigate the risk [...]
---------------------------------------------
https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-181-01B
*** rsyslog: remote syslog PRI vulnerability CVE-2014-3634 ***
---------------------------------------------
rsyslog: remote syslog PRI vulnerability CVE-2014-3634. Security Advisory. Security Advisory Description. rsyslog before ...
---------------------------------------------
https://support.f5.com/csp/article/K42903299
*** DFN-CERT-2017-1171: LibTIFF: Mehrere Schwachstellen ermöglichen Denial-of-Service-Angriffe ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1171/
*** Security Advisories for Drupal Third-Party Modules ***
---------------------------------------------
*** SMTP - Moderately Critical - Information Disclosure - SA-CONTRIB-2017-055 ***
https://www.drupal.org/node/2890357
---------------------------------------------
*** DrupalChat - Critical - Multiple vulnerabilities - SA-CONTRIB-2017-057 ***
https://www.drupal.org/node/2892404
---------------------------------------------
*** OAuth - Critical - Access Bypass - SA-CONTRIB-2017-056 ***
https://www.drupal.org/node/2892400
---------------------------------------------
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: A Security vulnerability in IBM Java SDK affects IBM Tivoli System Automation for Multiplatforms (CVE-2017-1289). ***
http://www.ibm.com/support/docview.wss?uid=swg22005058
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms (CVE-2016-5546, CVE-2016-5548, CVE-2016-5549, CVE-2016-5547, CVE-2016-2183) ***
http://www-01.ibm.com/support/docview.wss?uid=swg22002336
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager (CVE-2016-5546, CVE-2016-5548, CVE-2016-5549, CVE-2016-5547, CVE-2016-2183) ***
http://www.ibm.com/support/docview.wss?uid=swg22002335
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Host On-Demand ***
http://www-01.ibm.com/support/docview.wss?uid=swg22000488
---------------------------------------------
*** Siemens Security Advisories ***
---------------------------------------------
*** SSA-804859 (Last Update 2017-07-06): Denial of Service Vulnerability in SIMATIC Logon ***
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-804859.pdf
---------------------------------------------
*** SSA-874235 (Last Update 2017-07-06): Intel Vulnerability in Siemens Industrial Products ***
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-874235.pdf
---------------------------------------------
*** SSA-275839 (Last Update 2017-07-06): Denial-of-Service Vulnerability in Industrial Products ***
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-275839.pdf
---------------------------------------------
*** SSA-931064 (Last Update 2017-07-06): Authentication Bypass in SIMATIC Logon ***
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-931064.pdf
---------------------------------------------
*** Cisco Security Advisories ***
---------------------------------------------
*** Cisco Nexus Series Switches Telnet CLI Command Injection Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170517-nss1
---------------------------------------------
*** Cisco Nexus Series Switches CLI Command Injection Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170517-nss
---------------------------------------------
*** Cisco FireSIGHT System Software Arbitrary Code Execution Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170705-FireSIGHT
---------------------------------------------
*** Cisco Wide Area Application Services Central Manager Information Disclosure Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170705-waas1
---------------------------------------------
*** Cisco Wide Area Application Services Core Dump Denial of Service Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170705-waas
---------------------------------------------
*** Cisco Ultra Services Framework Staging Server Arbitrary Command Execution Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170705-usf3
---------------------------------------------
*** Cisco Ultra Services Framework AutoVNF Log File User Credential Information Disclosure Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170705-usf2
---------------------------------------------
*** Cisco Ultra Services Framework AutoVNF Symbolic Link Handling Information Disclosure Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170705-usf1
---------------------------------------------
*** Cisco Ultra Services Framework UAS Unauthenticated Access Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170705-uas
---------------------------------------------
*** Cisco StarOS Border Gateway Protocol Process Denial of Service Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170705-staros
---------------------------------------------
*** Cisco Prime Network Privilege Escalation Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170705-prime
---------------------------------------------
*** Cisco Identity Services Engine Guest Portal Cross-Site Scripting Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170705-ise2
---------------------------------------------
*** Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170705-ise1
---------------------------------------------
*** Cisco IOS XR Software Multicast Source Discovery Protocol Session Denial of Service Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170705-iosxr
---------------------------------------------
*** Cisco IOS XR Software Incorrect Permissions Privilege Escalation Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170705-ios
---------------------------------------------
*** Cisco Elastic Services Controller Unauthorized Access Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170705-esc2
---------------------------------------------
*** Cisco Elastic Services Controller Arbitrary Command Execution Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170705-esc1
---------------------------------------------
*** Cisco Prime Network Information Disclosure Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170705-cpn
---------------------------------------------
*** Cisco StarOS CLI Command Injection Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170705-asrcmd
---------------------------------------------
More information about the Daily
mailing list