End-of-Shift report
Timeframe: Montag 25-11-2013 18:00 − Dienstag 26-11-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
Rätselhafte Entführungen im Internet
Geheimdienste müssen gar nicht direkt am Kabel lauschen. Der Netzwerkdienstleister Renesys berichtet von einer deutlichen Zunahme von seltsamen Routing-Vorfällen, bei denen Netzwerkverkehr über andere Länder, manchmal sogar Kontinente umgeleitet wird.
http://www.heise.de/security/meldung/Raetselhafte-Entfuehrungen-im-Internet-2053503.html
The Need for Incident Response
On an average day in the UK more than 100 .co.uk domain websites are hacked according to the statistics in the Zone-h.org online database. Website hacks are increasing the volume of targeted attacks today.
http://www.fireeye.com/blog/corporate/2013/11/the-need-for-incident-response.html
Fake tech support scam is trouble for legitimate remote help company
Fraud victims mistake legitimate tech company for fraudsters.
http://arstechnica.com/information-technology/2013/11/fake-tech-support-scam-is-trouble-for-legitimate-remote-help-company/
VBScript Malware SOYSOS Deletes CAD Files
Cybercriminals can do just as much damage deleting users´ data as stealing it because file deletion can result in both data or monetary loss. One example would be CryptoLocker, which became notorious for combining the two - demanding money with the threat of data destruction. We recently came across a malware, detected as VBS_SOYSOS, that deletes important image files including .DWG files.
http://blog.trendmicro.com/trendlabs-security-intelligence/vbscript-malware-soysos-deletes-cad-files/
Surge in "BlackShades" infections exposes machines worldwide to RAT
Over the last two months, attackers have opted to spread the malware via the Neutrino exploit kit, researchers found.
http://www.scmagazine.com/surge-in-blackshades-infections-exposes-machines-worldwide-to-rat/article/322617/
A Look At A Silverlight Exploit
Recently, independent security researchers found that the Angler Exploit Kit had added Silverlight to their list of targeted software, using CVE-2013-0074. When we analyzed the available exploit, we found that in addition to CVE-2013-0074, a second vulnerability, CVE-2013-3896, in order to bypass ASLR.
http://blog.trendmicro.com/trendlabs-security-intelligence/a-look-at-a-silverlight-exploit/
[Honeypot Alert] More PHP-CGI Scanning (apache-magika.c)
In the past 24 hours, one of the WASC Distributed Web Honeypot participant's sensors picked up continued scanning for CVE-2012-1823 which is a vulnerability within PHP-CGI.
http://blog.spiderlabs.com/2013/11/honeypot-alert-more-php-cgi-scanning-apache-magikac.html
New Exploit Kit Atrax Boasts Tor Connectivity, Bitcoin Extraction
Yet another commercial crimekit has been spotted making the rounds on the underground malware forums that uses the anonymity network Tor to stealthily communicate with its command and control servers.
http://threatpost.com/new-exploit-kit-atrax-boasts-tor-connectivity-bitcoin-extraction
The internet mystery that has the world baffled
For the past two years, a mysterious online organisation has been setting the worlds finest code-breakers a series of seemingly unsolveable problems. But to what end? Welcome to the world of Cicada 3301.
http://www.telegraph.co.uk/technology/internet/10468112/The-internet-mystery-that-has-the-world-baffled.html
Das Stuxnet-Duo: Bösartige Geschwister
Der deutsche Experte Ralph Langner hat nach drei Jahren Analyse ein abschließendes Papier zu Stuxnet vorgelegt. Demnach besteht die Cyber-Waffe aus zwei Schädlingen, von denen nur die zweite richtig bekannt wurde - zu Unrecht, meint Langner.
http://www.heise.de/security/meldung/Das-Stuxnet-Duo-Boesartige-Geschwister-2053847.html
Analysis: Online banking faces a new threat
Neverquest supports just about every possible trick on online bank attacks. In light of Neverquest´s self-replication capabilities, the number of users attacked could increase over a short period of time.
http://www.securelist.com/en/analysis/204792315/Online_banking_faces_a_new_threat
Nachholbedarf bei IT-Sicherheit: EU-Parlamentarier tappten in Hotspot-Falle
Alle EU-Parlamentarier sollen jetzt dringend ihre Passwörter ändern, fordert eine Mail der IT-Abteilung. Sie bestätigt, dass durch Angriffe im ungesicherten Parlaments-WLAN Zugangspasswörter ausspioniert wurden.
http://www.heise.de/security/meldung/Nachholbedarf-bei-IT-Sicherheit-EU-Parlamentarier-tappten-in-Hotspot-Falle-2054051.html
How To Combat Online Surveillance
Governments have transformed the internet into a surveillance platform, but they are not omnipotent. They´re limited by material resources as much as the rest of us. We might not all be able to prevent the NSA and GCHQ from spying on us, but we can at least create more obstacles and make surveilling us more expensive. The more infrastructure you run, the safer the communication will be.
http://theoccupiedtimes.org/?p=12362
Why Crimekit Atrax will attract attention
CSIS researchers have observed an introduction of a new commercial crimekit being sold on several underground web forums. The kit is dubbed 'Atrax' and is both a cheap kit - costs less than $250 for the main platform - as well as it utilizes the TOR protocol for stealthy communication with C&Cs from where it is intended to get instructions, updates and new modules.
https://www.csis.dk/en/csis/blog/4103
Blackhole and Cool Exploit Kits Nearly Extinct
When authorities in Russia arrested Paunch, the alleged creator of the Blackhole exploit kit, last month, security researchers and watchers of the malware underground predicted that taking him off the board would put a dent in the use of Blackhole and force its customers onto other platforms. Six weeks later, it now appears that Blackhole is almost gone and the Cool exploit kit, another alleged creation of Paunch, has essentially disappeared, as well.
http://threatpost.com/blackhole-and-cool-exploit-kits-nearly-extinct/103034
IBM WebSphere Application Server Java Multiple Vulnerabilities
https://secunia.com/advisories/55870
WordPress Contact Form 7 3.5.2 Shell Upload
http://cxsecurity.com/issue/WLB-2013110177
WordPress Pinboard Shell Upload
http://cxsecurity.com/issue/WLB-2013110175
TPLINK WR740N / WR740ND Cross Site Request Forgery
http://cxsecurity.com/issue/WLB-2013110181
NETGEAR ReadyNAS Perl Code Evaluation
http://cxsecurity.com/issue/WLB-2013110179
Vuln: HP LoadRunner Virtual User Generator CVE-2013-4837 Remote Code Execution Vulnerability
http://www.securityfocus.com/bid/63475
Bugtraq: Open-Xchange Security Advisory 2013-11-25
http://www.securityfocus.com/archive/1/530008