[CERT-daily] Tageszusammenfassung - Donnerstag 1-06-2017

Thu Jun 1 18:17:21 CEST 2017

=======================
= End-of-Shift report =
=======================

Timeframe:   Mittwoch 31-05-2017 18:00 − Donnerstag 01-06-2017 18:00
Handler:     Stephan Richter
Co-Handler:  n/a


*** Aufgepasst: Googles AMP wird zur Tarnung von Phishing-Angriffen missbraucht ***
---------------------------------------------
Russische Hacker benutzen Googles AMP-Dienst, um böse URLs als Google-Dienste zu tarnen. Es ist nur eine Frage der Zeit, bis das Schule macht.
---------------------------------------------
https://heise.de/-3731578


*** Cisco, Netgear Readying Patches for Samba Vulnerability ***
---------------------------------------------
Cisco is prepping fixes for two of its products affected by last weeks Samba vulnerability. Netgear has also pushed out a fix for NAS devices that were affected.
---------------------------------------------
http://threatpost.com/cisco-netgear-readying-patches-for-samba-vulnerability/125974/


*** Sharing Private Data with Webcast Invitations, (Thu, Jun 1st) ***
---------------------------------------------
Last week, at a customer, we received a forwarded emailin a shared mailbox. It was somebody from another department that shared an invitation for a webcast that could be interesting for you, guys!. This time, no phishing attempt, no malware, just a regular email sent from a well-known security vendor. A colleague was interested in the webcast and clicked on the registration link. He was redirected to a page and was surprised to see all the fields already prefilled with the personal details of [...]
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=22478&rss


*** Motorcycle Gang Busted For Hacking and Stealing Over 150 Jeep Wranglers ***
---------------------------------------------
An anonymous reader writes: "The FBI has arrested members of a motorcycle gang accused to have hacked and stolen over 150 Jeep Wranglers from Southern California, which they later crossed the border into Mexico to have stripped down for parts," reports Bleeping Computer. What stands apart is how the gang operated. This involved gang members getting the Jeep Wrangler VIN (Vehicle Identification Number), accessing a proprietary Jeep database, and getting two codes needed to create a [...]
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/xYKBhycly0Q/motorcycle-gang-busted-for-hacking-and-stealing-over-150-jeep-wranglers


*** An Elegant Way to Ruin Your Company's Day - Introduction to Public AWS EBS Snapshots ***
---------------------------------------------
TL;DR Creating public (unencrypted) EBS Snapshots might not be a great idea. Even if you are going to share them "just for a second". A lot can be fished out of these snapshots: ssh keys, tls/ssl certificates, aws credentials, private source code and internal (extremely) valuable HR/Accounting/IT documents.
---------------------------------------------
https://www.nvteh.com/news/problems-with-public-ebs-snapshots


*** Credit Card Breach at Kmart Stores. Again. ***
---------------------------------------------
For the second time in less than three years, Kmart Stores is battling a malware-based security breach of its store credit card processing systems. Last week I began hearing from smaller banks and credit unions who said they strongly suspected another card breach at Kmart. Some of those institutions received alerts from the credit card companies about batches of stolen cards that all had one thing in comment: They were all used at Kmart locations. Ask to respond to rumors about a card breach, [...]
---------------------------------------------
https://krebsonsecurity.com/2017/05/credit-card-breach-at-kmart-stores-again/


*** NCSC releases factsheet Indicators of Compromise ***
---------------------------------------------
In order to observe malicious digital activities within an organisation, Indicators of Compromise (IoCs) are a valuable asset. With IoCs, organisations can gain quick insights at central points in the network into malicious digital activities. When your organisation observes these activities, it is important to know what you can do to trace back which system is infected. Obtain as much contextual information with an IoC as possible, so that you get a clear picture of what is happening and how
---------------------------------------------
https://www.ncsc.nl/english/current-topics/news/ncsc-releases-factsheet-indicators-of-compromise.html


*** WannaCry Development Errors Enable File Recovery ***
---------------------------------------------
Researchers at Kaspersky Lab have found a number of programming errors in the WannaCry ransomware code that put file recovery within reach of sysadmins.
---------------------------------------------
http://threatpost.com/wannacry-development-errors-enable-file-recovery/126002/


*** OneLogin suffers data breach, again ***
---------------------------------------------
OneLogin, a popular single sign-on service that allows users to access thousands of popular cloud-based apps with just one password, has suffered what seems to be a serious data breach. According to a short blog post by the company's Chief Information Security Officer Alvaro Hoyos, they discovered the breach when, on Wednesday, they detected unauthorized access to OneLogin data in their US data region.
---------------------------------------------
https://www.helpnetsecurity.com/2017/06/01/onelogin-data-breach/


*** [webapps] OV3 Online Administration 3.0 - Remote Code Execution ***
---------------------------------------------
OV3 Online Administration 3.0 - Remote Code Execution
---------------------------------------------
https://www.exploit-db.com/exploits/42096/?rss


*** Indicators Associated With WannaCry Ransomware (Update H) ***
---------------------------------------------
This updated alert is a follow-up to the updated alert titled ICS-ALERT-17-135-01G Indicators Associated With WannaCry Ransomware that was published May 30, 2017, on the NCCIC/ICS-CERT web site.
---------------------------------------------
https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-135-01H


*** Security Advisory - Multiple Security Vulnerabilities in HedEx product ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170531-01-hedex-en


*** DFN-CERT-2017-0945: Red Hat CloudForms Management Engine: Zwei Schwachstellen ermöglichen u.a. das Ausspähen von Informationen ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-0945/


*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: IBM Maximo Asset Management could allow a remote attacker to hijack a user's session, caused by the failure to invalidate an existing session identifier (CVE-2016-9977) ***
http://www.ibm.com/support/docview.wss?uid=swg22003981
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in expat, nss, bind , policycoreutils, sudo shipped with SmartCloud Entry Appliance ***
http://www-01.ibm.com/support/docview.wss?uid=isg3T1025119
---------------------------------------------
*** IBM Security Bulletin: Apache Tomcat vulnerability affects IBM Storwize V7000 Unified (CVE-2016-6816, CVE-2016-6817, CVE-2016-8735 ) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1009962
---------------------------------------------
*** IBM Security Bulletin: IBM Spectrum Protect (formerly Tivoli Storage Manager) Windows Client password exposure (CVE-2016-8939) ***
http://www.ibm.com/support/docview.wss?uid=swg22003738
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Spectrum Protect (formerly Tivoli Storage Manager) Client and IBM Spectrum Protect (formerly Tivoli Storage Manager) for Virtual Environments: Data Protection for VMware ***
http://www.ibm.com/support/docview.wss?uid=swg22003673
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos Metrics Manager ***
http://www-01.ibm.com/support/docview.wss?uid=swg22004078
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect Tivoli Storage FlashCopy Manager VMware (CVE-2016-6303, CVE-2016-2182, CVE-2016-2177, CVE-2016-2183, CVE-2016-6309, CVE-2016-7052, CVE-2016-2178, CVE-2016-6306) ***
http://www.ibm.com/support/docview.wss?uid=swg22000589
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in the GSKit library affects IBM Cognos Metrics Manager ***
http://www-01.ibm.com/support/docview.wss?uid=swg22004075
---------------------------------------------
*** IBM Security Bulletin: Multiple Security vulnerabilities in WebSphere Application Server Community Edition ***
http://www-01.ibm.com/support/docview.wss?uid=swg22002267
---------------------------------------------
*** IBM Security Bulletin: Multiple Mozilla Firefox vulnerability issues in IBM SONAS ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1010243
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Cognos Metrics Manager ***
http://www-01.ibm.com/support/docview.wss?uid=swg22004074
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos Metrics Manager ***
http://www-01.ibm.com/support/docview.wss?uid=swg22004077
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect DB2 Recovery Expert for Linux, Unix and Windows ***
http://www-01.ibm.com/support/docview.wss?uid=swg22002135
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in libxml2 and zlib affect IBM RackSwitch Products ***
http://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=migr-5099592
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Asset Analyzer ***
http://www-01.ibm.com/support/docview.wss?uid=swg22003418
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in SSL affect IBM DataPower Gateways (CVE-2017-3731, CVE-2016-7055) ***
http://www.ibm.com/support/docview.wss?uid=swg22003793
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in libX11 affect IBM BladeCenter Advanced Management Module (AMM) ***
https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=MIGR-5099581
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in libxml2 affects IBM BladeCenter Advanced Management Module (AMM) ***
https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=MIGR-5099579
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in cURL/libcurl affect IBM Flex System FC3171 8Gb SAN Switch and SAN Pass-thru, QLogic 8Gb Intelligent Pass-thru Module & SAN Switch Module for BladeCenter and QLogic Virtual Fabric Extension Module for IBM ***
https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=MIGR-5099588
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in OpenSSL affects MegaRAID Storage Manager (CVE-2016-8610) ***
http://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=migr-5099575
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in dosfstools affect IBM Integrated Management Module II (IMM2) for System x, Flex and BladeCenter systems ***
https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=MIGR-5099593
---------------------------------------------
*** IBM Security Bulletin: IBM Development Package for Apache Spark update of IBM SDK Java Technology Edition ***
http://www-01.ibm.com/support/docview.wss?uid=swg22003200
---------------------------------------------
*** IBM Security Bulletin: IBM Cognos Business Intelligence Server 2017Q2 Security Updater : IBM Cognos Business Intelligence Server is affected by multiple vulnerabilities. ***
http://www.ibm.com/support/docview.wss?uid=swg22004036
---------------------------------------------