Daily summary - Monday 11-11-2013

End-of-Shift report

Timeframe: Friday 08-11-2013 18:00 - Monday 11-11-2013 18:00 Handler: Matthias Fraidl Co-Handler: n/a

New IE Zero-Day found in Watering Hole Attack

FireEye Labs has identified a new IE zero-day exploit hosted on a breached website based in the U.S. It's a brand new IE zero-day that compromises anyone visiting the malicious website: a classic drive-by download attack. The exploit leverages a new information leakage vulnerability and an IE out-of-bounds memory access vulnerability to achieve code execution.

http://www.fireeye.com/blog/technical/2013/11/new-ie-zero-day-found-in-watering-hole-attack.html

FOLLOW-UP:

Operation Ephemeral Hydra: IE Zero-Day Linked to DeputyDog Uses Diskless Method

Recently, we discovered a new IE zero-day exploit in the wild, which has been used in a strategic Web compromise. Specifically, the attackers inserted this zero-day exploit into a strategically important website, known to draw visitors that are likely interested in national and international security policy.

http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html


No Patch Tuesday update for Microsoft zero-day vulnerability

Microsoft is preparing eight fixes for next week's upcoming Nov. 12 Patch Tuesday, but an update for the recently discovered zero-day vulnerability is not one of them.

http://www.scmagazine.com/no-patch-tuesday-update-for-microsoft-zero-day-vulnerability/article/320227/


Case Study: Analyzing a WordPress Attack - Dissecting the webr00t cgi shell - Part I

November 1st started like any other day on the web. Billions of requests were being shot virtually between servers in safe and not-so-safe attempts to access information. After months of waiting, one of those not-so-safe requests finally hit one of our honeypots.

http://blog.sucuri.net/2013/11/case-study-analyzing-a-wordpress-attack-dissecting-the-webr00t-cgi-shell-part-i.html


CryptoLocker Emergence Connected to Blackhole Exploit Kit Arrest

The past few weeks have seen the ransomware CryptoLocker emerge as a significant threat for many users. Our monitoring of this threat has revealed details on how it spreads, specifically its connection to spam and ZeuS. However, it looks like there is more to the emergence of this threat than initially discovered.

http://blog.trendmicro.com/trendlabs-security-intelligence/cryptolocker-emergence-connected-to-blackhole-exploit-kit-arrest/


October 2013 virus activity overview

November 5, 2013

Mid-autumn 2013 was marked by an upsurge in the number of encryption Trojans: hundreds of users whose systems were compromised by encoders contacted Doctor Web's support service in October. Also discovered were new malicious programs for Android, which has long been targeted by intruders. Statistics collected in October by Dr.Web CureIt! indicate that the downloader Trojan.LoadMoney.1 tops the list of detected threats.

http://news.drweb.com/show/?i=4052&lng=en&c=9


Super-Trojan BadBIOS: Unlikely, but possible

Security researcher Dragos Ruiu claims that a super-Trojan anchored in the BIOS is raging on his machines and communicates even without a network connection. Sceptical voices are growing, but malware like BadBIOS is not technically impossible.

http://www.heise.de/security/meldung/Supertrojaner-BadBIOS-Unwahrscheinlich-aber-moeglich-2043114.html


Background: ENISA recommendations on cryptographic methods

ENISA, the top European security agency, issues recommendations on algorithms and key lengths.

http://www.heise.de/security/artikel/ENISA-Empfehlungen-zu-Krypto-Verfahren-2043356.html


Learn to Pentest SAP with Metasploit As ERP Attacks Go Mainstream

This month, a security researcher disclosed that a version of the old banking Trojan 'Trojan.ibank' has been modified to look for SAP GUI installations, a concerning sign that SAP system hacking has gone into mainstream cybercrime.

https://community.rapid7.com/community/metasploit/blog/2013/11/11/learn-to-pentest-sap-with-metasploit-as-erp-attacks-go-mainstream


Extensions for Google's Chrome web browser only from the official store from now on

Google wants to protect Windows users better against malware. Chrome versions for other platforms are not affected by the measure.

http://www.heise.de/security/meldung/Erweiterungen-fuer-Googles-Webbrowser-Chrome-nur-noch-aus-offiziellem-Store-2043614.html


Horde Groupware Web Mail Edition 5.1.2 - CSRF Vulnerability

http://www.exploit-db.com/exploits/29519


Debian Security Advisory DSA-2793 libav

http://www.debian.org/security/2013/dsa-2793


Redaxo 4.5 CMS Vulnerabilities

http://cxsecurity.com/issue/WLB-2013110070


Bugtraq: Belkin WiFi NetCam video stream backdoor with unchangeable admin/admin credentials

http://www.securityfocus.com/archive/1/529722


D-Link Router 2760N Multiple XSS

http://cxsecurity.com/issue/WLB-2013110075


Security Bulletin: IBM WebSphere Portal vulnerable to URL Manipulation CVE-2013-5454 PM99205

https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm_websphere_portal_vulnerable_to_url_manipulation_cve_2013_5454_pm99205?lang=en_us


Security Bulletin: Multiple vulnerabilities in Security AppScan Enterprise (CVE-2013-5453, CVE-2013-5450)

https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_multiple_vulnerabilities_in_security_appscan_enterprise_cve_2013_5453_cve_2013_5450?lang=en_us