Daily summary - Wednesday 20-11-2013

End-of-Shift report

Timeframe: Tuesday 19-11-2013 18:00 − Wednesday 20-11-2013 18:00 Handler: Matthias Fraidl Co-Handler: n/a

New variant of Android ransomware "Fake Defender" surfaces

Symantec researchers believe the malicious app is a variant of "Fake Defender," malware used in earlier ransomware scams.

http://www.scmagazine.com/new-variant-of-android-ransomware-fake-defender-surfaces/article/311547/


Google Extends Scope of External Bug Bounty

Google has expanded the bounds of its Patch Rewards Program to include open source components of Android, Apache, Sendmail, OpenVPN and other services.

http://threatpost.com/google-extends-scope-of-external-bug-bounty/102962


TrustKeeper Scan Engine Update - November 14, 2013

It's time again for another TrustKeeper Scan Engine update. This release contains over 30 new tests for vulnerabilities in Cisco ASA/IOS, JIRA, jQuery, Microsoft Windows, Oracle Database/MySQL, and more. This release also contains default credential checks for both WordPress and Cisco ASA SSL VPN (aka AnyConnect).

http://blog.spiderlabs.com/2013/11/trustkeeper-scan-engine-update-november-14-2013.html


VU#295276: Adobe ColdFusion is vulnerable to cross-site scripting via the logviewer directory

Adobe ColdFusion 10 update 11 and possibly earlier versions contain a reflected cross-site scripting (XSS) vulnerability. An attacker can inject arbitrary HTML content (including script) via the /logviewer/ directory. Triggering the issue requires using a relative path, although there is no directory traversal vulnerability.

http://www.kb.cert.org/vuls/id/295276


Understanding Google's Blacklist: Cleaning Your Hacked Website and Removing It From the Blacklist

Today we found an interesting case where Google was blacklisting a client's site but not sharing the reason why. The fact that they share very little information should not be news, but what we found as we dug a little deeper should be. The idea is to provide you webmasters with the required insight to

http://blog.sucuri.net/2013/11/understanding-googles-blacklist-cleaning-your-hacked-website-and-removing-from-blacklist.html


Searching live memory on a running machine with winpmem, (Wed, Nov 20th)

Winpmem may appear to be a simple memory acquisition tool, but it is really much more. One of my favorite parts of Winpmem is that it has the ability to analyze live memory on a running computer. Rather than dumping the memory and analyzing it in two separate steps, you can search memory on a running system.

http://isc.sans.edu/diary.html?storyid=17063
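The live-search idea above (scan memory for a byte pattern without a separate dump-then-analyze step) boils down to reading a physical-memory source in chunks and finding every occurrence, including those that straddle a chunk boundary. The following Python is an added illustration written for this summary; it is not winpmem's code and not from the ISC diary. It reads from any binary stream (a saved image file, or, as an assumption noted in the comments, the winpmem `\\.\pmem` device once the driver is loaded) and falls back to a constructed sample buffer so it runs offline.

```python
import io

CHUNK_SIZE = 4 * 1024 * 1024  # 4 MiB per read; large enough to amortise I/O

# Assumption: winpmem exposes physical memory as this device once its driver
# is loaded. Opening it needs administrator rights; this example never does
# so by default and uses the constructed sample buffer from build_sample().
WINPMEM_DEVICE = r"\\.\pmem"


def scan_memory(stream, needle, chunk_size=CHUNK_SIZE):
    """Return absolute offsets of every occurrence of `needle` in `stream`.

    The stream is read sequentially in chunks. The last len(needle)-1 bytes
    of each chunk are carried over into the next round so that a match that
    crosses a chunk boundary is still found, and a match can never be
    reported twice because the carried tail is shorter than the needle.
    """
    if not needle:
        raise ValueError("needle must not be empty")
    if chunk_size < len(needle):
        raise ValueError("chunk_size must be at least len(needle)")

    overlap = len(needle) - 1
    hits = []
    base = 0      # absolute offset of buf[0] within the memory source
    buf = b""     # carried-over tail from the previous chunk
    while True:
        data = stream.read(chunk_size)
        if not data:
            break
        buf += data
        start = 0
        while True:
            idx = buf.find(needle, start)
            if idx == -1:
                break
            hits.append(base + idx)
            start = idx + 1   # allow overlapping occurrences (e.g. "aa" in "aaa")
        # Keep only the tail that could be the prefix of a boundary-crossing match.
        if len(buf) > overlap:
            base += len(buf) - overlap
            buf = buf[len(buf) - overlap:]
    return hits


def scan_bytes(data, needle, chunk_size=CHUNK_SIZE):
    """Convenience wrapper: scan an in-memory byte string as if it were a stream."""
    return scan_memory(io.BytesIO(data), needle, chunk_size)


def context(data, offset, before=8, after=8):
    """Bytes surrounding a hit, clamped to the buffer bounds, for eyeballing."""
    lo = max(0, offset - before)
    hi = min(len(data), offset + after)
    return data[lo:hi]


def build_sample():
    """Constructed 4 KiB 'memory image' with a marker at 0, straddling the
    1024-byte boundary (1020..1031), and at 3000. Not real memory contents."""
    marker = b"CryptoLocker"
    buf = bytearray(4096)
    for off in (0, 1020, 3000):
        buf[off:off + len(marker)] = marker
    return bytes(buf)


if __name__ == "__main__":
    # Offline demo on the constructed buffer; a 1 KiB chunk size forces the
    # boundary-crossing case. For a real image: open(path, "rb") instead.
    sample = build_sample()
    for off in scan_bytes(sample, b"CryptoLocker", chunk_size=1024):
        print(f"hit at 0x{off:08x}: {context(sample, off, 4, 16)!r}")
```

The chunk size is a trade-off between read overhead and memory use; the overlap logic is what makes the result independent of that choice, which is the part most ad hoc "grep the dump" scripts get wrong.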


Netflixers Beware: Angler Exploit Kit Targets Silverlight Vulnerability

Developers behind the Angler Exploit Kit have added a new exploit over the last week that leverages a vulnerability in Microsoft's Silverlight framework.

http://threatpost.com/netflixers-beware-angler-exploit-kit-targets-silverlight-vulnerability/102968


Mobile threats in October 2013

In 2013, Russian anti-virus company Doctor Web started using a new system to collect statistics, so that it could promptly obtain information about the malicious applications that are threatening Google Android. An analysis of the data collected in October showed that the Dr.Web resident monitor under Android detected malware about 11 million times, and over 4 million threats to Android were detected by the scanner. These figures correspond to data obtained in September 2013.

http://news.drweb.com/show/?i=4061&lng=en&c=9


Repeated attacks hijack huge chunks of Internet traffic, researchers warn

Man-in-the-middle attacks divert data on scale never before seen in the wild.

http://arstechnica.com/security/2013/11/repeated-attacks-hijack-huge-chunks-of-internet-traffic-researchers-warn/


US police department pays $750 Cryptolocker Trojan ransom demand

A US police department was so determined to get back important files that had been encrypted by the rampaging Cryptolocker Trojan it decided to pay the sizable ransom being demanded by the criminals.

http://news.techworld.com/security/3489937/us-police-department-pays-750-cryptolocker-trojans-ransom-demand/


Backup the best defense against (Cri)locked files

Crilock, also known as CryptoLocker, is a notorious ransomware family that has been making the rounds since early September. Its primary payload targets and encrypts your files, such as your pictures and Office documents. All of the file types that can be encrypted are listed in our Trojan:Win32/Crilock.A and Trojan:Win32/Crilock.B descriptions.

http://blogs.technet.com/b/mmpc/archive/2013/11/19/backup-the-best-defense-against-cri-locked-files.aspx


JBoss Attacks Up Since Exploit Code Disclosure

Researchers at Imperva have detected a surge in attacks against webservers running JBoss Application Server since the public disclosure of exploit code last month.

http://threatpost.com/jboss-attacks-up-since-exploit-code-disclosure/102971


[webapps] - Ruckus Wireless Zoneflex 2942 Wireless Access Point - Authentication Bypass

http://www.exploit-db.com/exploits/29709


nginx URI Parsing Flaw Lets Remote Users Bypass Security Restrictions

http://www.securitytracker.com/id/1029363


PayPal Billsafe Cross Site Scripting

http://cxsecurity.com/issue/WLB-2013110142


EMC Document Sciences xPression XSS / CSRF / Redirect / SQL Injection

http://cxsecurity.com/issue/WLB-2013110139