[CERT-daily] Daily summary - Friday 19-05-2017
Daily end-of-shift report
team at cert.at
Fri May 19 18:13:24 CEST 2017
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 18-05-2017 18:00 - Friday 19-05-2017 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** How did the WannaCry Ransomworm spread? ***
---------------------------------------------
Security researchers have had a busy week since the WannaCry ransomware outbreak that wreaked havoc on computers worldwide. How did it all happen?
---------------------------------------------
https://blog.malwarebytes.com/cybercrime/2017/05/how-did-wannacry-ransomworm-spread/
*** Who's responsible for fixing SS7 security issues? ***
---------------------------------------------
The WannaCry ransomware onslaught has overshadowed some of the other notable happenings this month, including the spectacular Google-themed phishing/spamming attack, and the news that attackers have managed to exploit vulnerabilities in the SS7 protocol suite to bypass German banks' two-factor authentication and drain their customers' bank accounts. According to the reports, the attackers were able to pull this scheme off by gaining access to the network of a foreign mobile network [...]
---------------------------------------------
https://www.helpnetsecurity.com/2017/05/19/ss7-security-issues/
*** Number of HTTPS phishing sites triples ***
---------------------------------------------
When, in January 2017, Mozilla and Google made Firefox and Chrome flag HTTP login pages as insecure, the intent was to make phishing pages easier to recognize, as well as to push more website owners towards deploying HTTPS. But while the latter aim was achieved, and the number of websites making use of HTTPS has increased noticeably, the move also had one unintended consequence: the number of phishing sites with HTTPS has increased, too.
---------------------------------------------
https://www.helpnetsecurity.com/2017/05/19/number-https-phishing-sites-triples/
*** Background: Chrome now blocks certificates with Common Name only ***
---------------------------------------------
When a long-established in-house service suddenly refuses HTTPS access, the cause is probably a change in the current Chrome version: Google now enforces the use of RFC-compliant "Subject Alt Names", and many admins therefore have to take action now.
---------------------------------------------
https://heise.de/-3717594
*** Bypassing Application Whitelisting with BGInfo ***
---------------------------------------------
TL;DR: BGInfo.exe older than version 4.22 can be used to bypass application whitelisting using VBScript inside a .bgi file. This can run directly from a WebDAV server.
---------------------------------------------
https://msitpros.com/?p=3831
*** "Four Keys to Effective ICS Incident Response" ***
---------------------------------------------
While incident response in Information Technology (IT) and Operational Technology (OT) or Industrial Control Systems (ICS) may appear to be very similar, incident response in an ICS environment has different considerations and priorities. Many organizations leverage their existing IT incident response capabilities in an OT environment which may not be ideal for successful incident response [...]
---------------------------------------------
http://ics.sans.org/blog/2017/05/19/four-keys-to-effective-ics-incident-response
*** ETERNALBLUE vs Internet Security Suites and nextgen protections ***
---------------------------------------------
Due to the recent #wannacry ransomware events, we initiated a quick test in our lab. Most vendors claim to protect against the WannaDecrypt ransomware, and some even claim they protect against the ETERNALBLUE exploit (MS17-010). Unfortunately, our tests show otherwise. Warning: We only tested the exploit and the backdoor, but not the payload (WannaCry)!
---------------------------------------------
https://www.mrg-effitas.com/eternalblue-vs-internet-security-suites-and-nextgen-protections/
*** Forensic tool claims to be able to read deleted notes from iCloud ***
---------------------------------------------
Software vendor Elcomsoft has extended its app "Phone Breaker" with a feature that exploits the fact that Apple apparently retains notes for longer, even ones the user has actually deleted.
---------------------------------------------
https://heise.de/-3718361
*** MS17-010 (Ransomware WannaCry) Impact to Cisco Products ***
---------------------------------------------
The Cisco PSIRT Team is continuing to investigate the impact of this vulnerability on Cisco products that have not reached end of software maintenance support and that do not support automated or manual updates of the Microsoft patch for these vulnerabilities. Investigation is expected to be completed by Friday, May 19th.
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170515
*** HPESBGN03748 rev.1 - HPE Cloud Optimizer, Remote Disclosure of Information ***
---------------------------------------------
A potential security vulnerability has been identified in HPE Cloud Optimizer. The vulnerability could be remotely exploited resulting in disclosure of information.
---------------------------------------------
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbgn03748en_us
*** Bugtraq: Nextcloud/Owncloud - Reflected Cross Site Scripting in error pages ***
---------------------------------------------
http://www.securityfocus.com/archive/1/540569
*** DSA-3855 jbig2dec - security update ***
---------------------------------------------
Multiple security issues have been found in the JBIG2 decoder library, which may lead to denial of service, disclosure of sensitive information from process memory or the execution of arbitrary code if a malformed image file (usually embedded in a PDF document) is opened.
---------------------------------------------
https://www.debian.org/security/2017/dsa-3855
*** Indicators Associated With WannaCry Ransomware (Update C) ***
---------------------------------------------
This updated alert is a follow-up to the updated alert titled ICS-ALERT-17-135-01B Indicators Associated With WannaCry Ransomware that was published May 17, 2017, on the NCCIC/ICS-CERT web site.
---------------------------------------------
https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-135-01C
*** McAfee Network Data Loss Prevention Multiple Bugs Let Remote Users Conduct Session Hijacking and Cross-Site Scripting Attacks and Obtain Potentially Sensitive Information ***
---------------------------------------------
http://www.securitytracker.com/id/1038523
*** VMSA-2017-0009 ***
---------------------------------------------
VMware Workstation update addresses multiple security issues
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2017-0009.html
*** DFN-CERT-2017-0885: Red Hat JBoss Enterprise Application Platform, RESTEasy: A vulnerability allows execution of arbitrary code ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-0885/
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Samba vulnerability issue on IBM Storwize V7000 Unified (CVE-2016-2125, CVE-2016-2126) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1010052
---------------------------------------------
*** IBM Security Bulletin: IBM Cisco Switches and Directors vulnerable to Sweet32 Birthday attacks (CVE-2016-2183 CVE-2016-6329). ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1010239
---------------------------------------------
*** IBM Security Bulletin: IBM Content Navigator Cross Site Scripting Vulnerability ***
http://www-01.ibm.com/support/docview.wss?uid=swg22002356
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in Network Security Services (NSS) component affect SAN Volume Controller, Storwize family and FlashSystem V9000 products. ***
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010118
---------------------------------------------
*** IBM Security Bulletin: Open redirect vulnerability in IBM Business Process Manager (CVE-2017-1159) ***
http://www-01.ibm.com/support/docview.wss?uid=swg22000253
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in OpenSSL affects IBM SONAS (CVE-2017-3731) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1010136
---------------------------------------------