End-of-Shift report
Timeframe: Monday 18-11-2013 18:00 − Tuesday 19-11-2013 18:00
Handler: Stephan Richter
Co-Handler: n/a
Am I Sending Traffic to a "Sinkhole"?, (Mon, Nov 18th)
It has become common practice to set up "Sinkholes" to capture traffic sent by infected hosts to command and control servers. These Sinkholes are usually established after a malicious domain name has been discovered and registrars agreed to redirect the respective NS records to a specific name server configured by the entity operating the Sinkhole. More recently for example Microsoft gained court orders to take over...
http://isc.sans.edu/diary.html?storyid=17048
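The diary's question ("am I sending traffic to a sinkhole?") comes down to checking your own resolver or passive-DNS logs for answers that land on sinkhole infrastructure. The following is an added example, not code from the ISC diary: it parses a few constructed log lines and flags clients whose queries returned a known sinkhole name server (NS record) or an address inside a sinkhole prefix. The indicator lists (`SINKHOLE_NS`, `SINKHOLE_PREFIXES`) and the log format are assumptions for illustration; a real deployment would load the sinkhole operators' published lists and adapt the parser to its resolver's log format.

```python
"""Flag DNS answers that point at known sinkhole infrastructure.

Added example, not code from the ISC diary. The sinkhole name servers and
address prefix below are placeholders (assumptions), not a real sinkhole list.
"""
import ipaddress
import re

# Hypothetical sinkhole indicators; replace with the operators' published lists.
SINKHOLE_NS = {"sinkhole.example.net", "ns1.sinkhole-operator.example"}
SINKHOLE_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]  # TEST-NET-1, placeholder

# Constructed resolver log lines: client, query name, rrtype, answer rdata.
SAMPLE_LOG = """\
10.0.0.5 evil-c2.example.com NS sinkhole.example.net
10.0.0.5 evil-c2.example.com A 192.0.2.44
10.0.0.9 www.example.org A 198.51.100.10
10.0.0.9 www.example.org NS a.iana-servers.net
10.0.0.12 dropper.example.org A 192.0.2.7
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(NS|A|AAAA)\s+(\S+)$")


def parse(log):
    """Yield (client, qname, rrtype, rdata) tuples, skipping malformed lines."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()


def is_sinkhole_answer(rrtype, rdata):
    """True if an NS answer names a sinkhole server or an A/AAAA answer
    falls inside a sinkhole prefix."""
    if rrtype == "NS":
        return rdata.rstrip(".").lower() in SINKHOLE_NS
    try:
        addr = ipaddress.ip_address(rdata)
    except ValueError:
        return False  # not an address (e.g. garbage rdata); ignore
    return any(addr in net for net in SINKHOLE_PREFIXES)


def find_sinkholed_clients(log):
    """Return {client: sorted list of domains} for clients whose queries
    resolved to sinkhole indicators; those hosts are likely infected."""
    hits = {}
    for client, qname, rrtype, rdata in parse(log):
        if is_sinkhole_answer(rrtype, rdata):
            hits.setdefault(client, set()).add(qname.lower())
    return {c: sorted(d) for c, d in hits.items()}


if __name__ == "__main__":
    for client, domains in find_sinkholed_clients(SAMPLE_LOG).items():
        print(f"{client} resolved sinkholed domain(s): {', '.join(domains)}")
```

A hit here is a lead, not proof: the sinkhole captures the callback, so the host is most likely infected, but the malware may have been removed already while a cached domain or scheduled task keeps querying. Matching on NS records as well as A records catches the case the diary describes, where the registrar redirected the zone's name servers rather than a single address.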
Google Completes Upgrade of its SSL Certificates to 2048-Bit RSA
Google announced today it has completed upgrading all of its SSL certificates to 2048-bit RSA or better, up from 1024.
http://threatpost.com/google-completes-upgrade-of-its-ssl-certificates-to-2048-bit-rsa/102959
Facebook URL redirection vulnerability patched
A Facebook URL redirection vulnerability discovered last week was patched just a day after a blog post detailing the bug went live.
http://www.scmagazine.com//facebook-url-redirection-vulnerability-patched/article/321528/
Winpmem - Mild-mannered memory acquisition tool??, (Tue, Nov 19th)
There should be little argument that with today's threats you should always acquire a memory image when dealing with any type of malware. Modern desktops can have 16 gigabytes of RAM or more filled with evidence that is usually crucial to understanding what was happening on that machine. Failure to acquire that memory will make analyzing the other forensic artifacts difficult or in some cases impossible. Chad Tilbury (@chadtilbury) recently told me about a new memory acquisition tool that I want...
http://isc.sans.edu/diary.html?storyid=17054&rss
Old JBoss vuln in the wild, needs patching
Remote code execution, the usual thing. JBoss sysadmins need to get busy hardening their systems, with a rising number of attacks against the system, according to Imperva.
http://go.theregister.com/feed/www.theregister.co.uk/2013/11/19/old_jboss_vuln_in_the_wild_needs_patching/
Cybercriminals spamvertise tens of thousands of fake "Sent from my iPhone" themed emails, expose users to malware
Cybercriminals are currently mass mailing tens of thousands of malicious emails, supposedly including a photo attachment that's been "Sent from an iPhone". The social engineering driven spam campaign is, however, the latest attempt by a cybercriminal/group of cybercriminals that we've been monitoring for a while to trick gullible users into unknowingly joining the botnet operated by the malicious actor(s) behind the campaign. Detection rate for the spamvertised...
http://www.webroot.com/blog/2013/11/19/cybercriminals-spamvertise-tens-thousands-fake-sent-iphone-themed-emails-expose-users-malware/
A .BIT Odd
Like many security researchers, I see a lot of new malicious sites every week, far too many in fact. One thing that sets security researchers apart is that we can see a top-level domain (TLD) like .cc and recall instantly that it belongs to the Cocos Islands in the Indian Ocean, with a tiny population,...
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/rFeNuxSPHUg/
Vuln: Chainfire SuperSU CVE-2013-6775 Arbitrary Command Execution Vulnerability
http://www.securityfocus.com/bid/63715
Vuln: Multiple Android Superuser Packages CVE-2013-6769 Arbitrary Command Execution Vulnerability
http://www.securityfocus.com/bid/63712
Opera Unspecified Vulnerabilities
https://secunia.com/advisories/55720
Network Security Services (NSS) Multiple Vulnerabilities
https://secunia.com/advisories/55557
Vuln: MIT Kerberos 5 CVE-2013-6800 Remote Denial of Service Vulnerability
http://www.securityfocus.com/bid/63770
Elastix Multiple Cross-Site Scripting Vulnerabilities
https://secunia.com/advisories/55739
Splunk Test Scripts Let Remote Authenticated Users Execute Arbitrary Shell Scripts on the Target System
http://www.securitytracker.com/id/1029316