[CERT-daily] Tageszusammenfassung - Donnerstag 16-03-2017

Thu Mar 16 18:11:50 CET 2017

=======================
= End-of-Shift report =
=======================

Timeframe:   Mittwoch 15-03-2017 18:00 − Donnerstag 16-03-2017 18:00
Handler:     Robert Waldner
Co-Handler:  n/a


*** Attackers target dozens of global banks with new malware ***
---------------------------------------------
Organizations in 31 countries have been targeted in a new wave of attacks which has been underway since at least October 2016. The attackers used compromised websites or 'watering holes' to infect pre-selected targets with previously unknown malware.
---------------------------------------------
https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware


*** SEO Spam Campaign Exploiting WordPress REST API Vulnerability ***
---------------------------------------------
Just over a week ago, WordPress released version 4.7.3 to patch multiple security issues. Despite the automatic update feature provided by many hosting companies, there are still many WordPress websites that have not been updated. In fact, we are seeing quite a few sites that are still using versions 4.7 and 4.7.1, which are vulnerable to the WordPress REST API vulnerability patched in early February (version 4.7.2). This more serious vulnerability allows attackers to create, delete, and modify ..
---------------------------------------------
https://blog.sucuri.net/2017/03/seo-spam-via-wp-rest-api-vulnerability.html


*** Drupal Core - Multiple Vulnerabilities - SA-CORE-2017-001 ***
---------------------------------------------
Drupal 8.2.7, a maintenance release which contains fixes for security vulnerabilities, is now available for download.Download Drupal 8.2.7Upgrading your existing Drupal 8 sites is strongly recommended. There are no new features nor non-security-related bug fixes in this release.
---------------------------------------------
https://www.drupal.org/SA-2017-001


*** Ransomware operators are hiding malware deeper in installer packages ***
---------------------------------------------
We are seeing a wave of new NSIS installers used in ransomware campaigns. These new installers pack significant updates, indicating a collective move by attackers to once again dodge AV detection by changing the way they package malicious code. These changes are observed in installers that drop ransomware like Cerber, Locky, and others.
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2017/03/15/ransomware-operators-are-hiding-malware-deeper-in-installer-packages/


*** DFN-CERT-2017-0429/">Roundcube Webmail: Eine Schwachstelle ermöglicht einen Cross-Site-Scripting-Angriff ***
---------------------------------------------
Ein entfernter, nicht authentifizierter Angreifer kann mit Hilfe einer Email, die ein speziell präpariertes SVG-Element enthält, einen Cross-Site-Scripting (XSS)-Angriff gegen Benutzer von Roundcube Webmail durchführen.
Der Hersteller stellt Roundcube Webmail 1.1.8 und 1.2.4 zur Behebung der Schwachstelle bereit.
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-0429/


*** Using Intels SGX to Attack Itself ***
---------------------------------------------
Researchers have demonstrated using Intels Software Guard Extensions to hide malware and steal cryptographic keys from inside SGXs protected enclave:Malware Guard Extension: Using SGX to Conceal Cache AttacksAbstract:In modern computer systems, user processes are isolated from each other by the operating system and the hardware. Additionally, in a cloud scenario it is crucial that the hypervisor isolates tenants from other tenants that are co-located on the same physical machine.
---------------------------------------------
https://www.schneier.com/blog/archives/2017/03/using_intels_sg.html


*** [2017-03-16] Authenticated Command Injection in multiple Ubiquiti Networks products ***
---------------------------------------------
The firmware of various Ubiquiti Networks devices contains a command injection vulnerability which can be exploited by luring an authenticated user to click on a malicious link or surf to a malicious website. Low privileged users can elevate their rights and use the vulnerability for further attacks.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20170316-0_Ubiquiti_Networks_authenticated_command_injection_v10.txt


*** Moodle 2.7.19 release notes ***
---------------------------------------------
A number of security related issues were resolved. Details of these issues will be released after a period of approximately one week to allow system administrators to safely update to the latest version.
---------------------------------------------
https://docs.moodle.org/dev/Moodle_2.7.19_release_notes


*** NexusLogger: A New Cloud-based Keylogger Enters the Market ***
---------------------------------------------
NexusLogger is a cloud-based keylogger that uses the Microsoft .NET Framework and has a low level of sophistication. NexusLogger collects keystrokes, system information, stored passwords and will take screenshots. It also specifically seeks to harvest game credentials for UPlay, Minecraft, Steam, and Origin. ... All NexusLogger samples require communications with the nexuslogger[.]com domain via HTTPS, which makes it trivial for defenders to block.
---------------------------------------------
http://researchcenter.paloaltonetworks.com/2017/03/unit42-nexuslogger-new-cloud-based-keylogger-enters-market/


*** Penetration Testing Node.Js Applications - Part-2 ***
---------------------------------------------
This article covers the left-over vulnerabilities from Part-1. In this article, we will have an in-depth look at some uncommon flaws and how to find them while doing performing code review of node.js applications. 
---------------------------------------------
http://resources.infosecinstitute.com/penetration-testing-node-js-applications-part-2/


*** Vuln: Palo Alto Networks Terminal Services CVE-2017-6356 Information Disclosure Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/96925


*** Alert (TA17-075A) HTTPS Interception Weakens TLS Security ***
---------------------------------------------
Organizations that have performed a risk assessment and determined that HTTPS inspection is a requirement should ensure their HTTPS inspection products are performing correct transport layer security (TLS) certificate validation. Products that do not properly ensure secure TLS communications and do not convey error messages to the user may further weaken the end-to-end protections that HTTPS aims to provide.
---------------------------------------------
https://www.us-cert.gov/ncas/alerts/TA17-075A


*** Code Review of Node.Js Applications: Uncommon Flaws ***
---------------------------------------------
This article covers the left-over vulnerabilities from Part-1. In this article, we will have an in-depth look at some uncommon flaws and how to find them while doing performing code review of node.js applications.
---------------------------------------------
http://resources.infosecinstitute.com/penetration-testing-node-js-applications-part-2/


*** (Twitter) Keep Calm and Revoke Access ***
---------------------------------------------
For the last 24 hours, the Twitter landscape has seen several official accounts hacked. ... How to protect against this kind of attack? First, do not link your Twitter account to untrusted or suspicious applications. ... Finally, the best advice is to visit the following link at regular interval: https://twitter.com/settings/applications. During your first visit, you could be surprised to find so many applications linked to your account!
---------------------------------------------
https://blog.rootshell.be/2017/03/15/keep-calm-revoke-access/


*** BSI warnt vor gefährdeten Cloud-Servern: über 20.000 deutsche ownCloud- und Nextcloud-Installationen veraltet ***
---------------------------------------------
Das BSI ist auf viele veraltete Installationen von ownCloud und Nextcloud gestoßen. Obwohl die Betroffenen Bescheid wissen, haben bislang die wenigsten reagiert.
---------------------------------------------
https://heise.de/-3656458


*** Microsoft To End Support For Windows Vista In Less Than a Month ***
---------------------------------------------
In less than a months time, Microsoft will put Windows Vista to rest once and for all. If youre one of the few people still using it, you have just a few weeks to find another option before time runs out. (I mean, nobody will uninstall it from your computer, but.) From a report on PCWorld: After April 11, 2017, Microsoft will no longer support Windows Vista: no new security updates, non-security hotfixes, free or paid assisted support options, or online technical content updates...
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/9XgfNI5PoWc/microsoft-to-end-support-for-windows-vista-in-less-than-a-month


*** Warnung vor kaufhaus-guenther.de ***
---------------------------------------------
Kaufhaus Günther ist ein 'Online Kaufhaus'. Es wirbt mit Produkten für Haushalt, Technik und Möbel. Die verlangten Preise sind sehr günstig. Eine Bezahlung der Ware ist nur im Voraus möglich. Wer sie bezahlt, verliert Geld, denn kaufhaus-guenther.de ist ein Fake-Shop. Er liefert trotz Bezahlung keine Ware. Darüber hinaus droht ein Identitätsdiebstahl.
---------------------------------------------
https://www.watchlist-internet.at/fake-shops/warnung-vor-kaufhaus-guentherde/


*** DFN-CERT-2017-0479/">McAfee Advanced Threat Defence (ATD): Eine Schwachstelle ermöglicht das Ausspähen von Informationen ***
---------------------------------------------
Ein einfach authentisierter Angreifer im benachbarten Netzwerk mit erweiterten Privilegien kann die SQL-Abfragelogik der Advanced Threat Defense über speziell präparierte HTTP-Anfragen so manipulieren, dass unautorisierte Aktionen im Kontext der unterliegenden Datenbank möglich sind (SQL-Injection). Intel Security erwähnt die Möglichkeit, auf diese Weise Produktinformationen auszuspähen. Die Ausführung beliebigen SQL-Programmcodes ist ebenfalls denkbar, aber nicht bestätigt.
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-0479/


*** Hackers Take Down Reader, Safari, Edge, Ubuntu Linux at Pwn2Own 2017 ***
---------------------------------------------
On the first day of Pwn2Own 2017 hackers poked holes in Adobe Reader, Apple Safari, Microsoft Edge, and Ubuntu Linux.
---------------------------------------------
http://threatpost.com/hackers-take-down-reader-safari-edge-ubuntu-linux-at-pwn2own-2017/124362/


*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Rational ClearQuest ***
http://www-01.ibm.com/support/docview.wss?uid=swg21994995
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Netezza Host Management (CVE-2016-2183) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21997019
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in Expat component shipped with IBM Rational ClearCase (CVE-2016-0718, CVE-2015-1283, CVE-2016-4472, CVE-2015-2716) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21998042
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in Expat component shipped with IBM Rational ClearQuest (CVE-2016-0718, CVE-2015-1283, CVE-2016-4472, CVE-2015-2716) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21998866
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in Perl component shipped with IBM Rational ClearQuest (CVE-2015-8608, CVE-2015-8853, CVE-2016-2381) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21998868
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in Perl component shipped with IBM Rational ClearCase (CVE-2015-8608, CVE-2015-8853, CVE-2016-2381) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21998046
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects Liberty for Java for IBM Bluemix January 2017 CPU ***
http://www-01.ibm.com/support/docview.wss?uid=swg22000092
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in cURL component shipped with IBM Rational ClearCase (CVE-2016-8624, CVE-2016-8625) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21996857
---------------------------------------------
*** IBM Security Bulletin: Security vulnerabilities in Apache Tomcat affect Rational Insight ***
http://www-01.ibm.com/support/docview.wss?uid=swg22000124
---------------------------------------------
*** IBM Security Bulletin: Security vulnerabilities in Apache Tomcat affect Rational Reporting for Development Intelligence ***
http://www-01.ibm.com/support/docview.wss?uid=swg22000123
---------------------------------------------