Daily summary - Tuesday 26-11-2013

End-of-Shift report

Timeframe: Monday 25-11-2013 18:00 - Tuesday 26-11-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a

Mysterious hijackings on the Internet

Intelligence agencies do not even need to tap the cable directly. The network service provider Renesys reports a marked increase in strange routing incidents in which network traffic is rerouted via other countries, sometimes even other continents.

http://www.heise.de/security/meldung/Raetselhafte-Entfuehrungen-im-Internet-2053503.html


The Need for Incident Response

On an average day in the UK more than 100 .co.uk domain websites are hacked according to the statistics in the Zone-h.org online database. Website hacks are increasing the volume of targeted attacks today.

http://www.fireeye.com/blog/corporate/2013/11/the-need-for-incident-response.html


Fake tech support scam is trouble for legitimate remote help company

Fraud victims mistake legitimate tech company for fraudsters.

http://arstechnica.com/information-technology/2013/11/fake-tech-support-scam-is-trouble-for-legitimate-remote-help-company/


VBScript Malware SOYSOS Deletes CAD Files

Cybercriminals can do just as much damage deleting users' data as stealing it, because file deletion can result in both data and monetary loss. One example would be CryptoLocker, which became notorious for combining the two - demanding money with the threat of data destruction. We recently came across a malware, detected as VBS_SOYSOS, that deletes important image files including .DWG files.

http://blog.trendmicro.com/trendlabs-security-intelligence/vbscript-malware-soysos-deletes-cad-files/


Surge in "BlackShades" infections exposes machines worldwide to RAT

Over the last two months, attackers have opted to spread the malware via the Neutrino exploit kit, researchers found.

http://www.scmagazine.com/surge-in-blackshades-infections-exposes-machines-worldwide-to-rat/article/322617/


A Look At A Silverlight Exploit

Recently, independent security researchers found that the Angler Exploit Kit had added Silverlight to its list of targeted software, using CVE-2013-0074. When we analyzed the available exploit, we found that in addition to CVE-2013-0074, a second vulnerability, CVE-2013-3896, is used in order to bypass ASLR.

http://blog.trendmicro.com/trendlabs-security-intelligence/a-look-at-a-silverlight-exploit/


[Honeypot Alert] More PHP-CGI Scanning (apache-magika.c)

In the past 24 hours, one of the WASC Distributed Web Honeypot participant's sensors picked up continued scanning for CVE-2012-1823 which is a vulnerability within PHP-CGI.

http://blog.spiderlabs.com/2013/11/honeypot-alert-more-php-cgi-scanning-apache-magikac.html


New Exploit Kit Atrax Boasts Tor Connectivity, Bitcoin Extraction

Yet another commercial crimekit has been spotted making the rounds on the underground malware forums that uses the anonymity network Tor to stealthily communicate with its command and control servers.

http://threatpost.com/new-exploit-kit-atrax-boasts-tor-connectivity-bitcoin-extraction


The internet mystery that has the world baffled

For the past two years, a mysterious online organisation has been setting the world's finest code-breakers a series of seemingly unsolvable problems. But to what end? Welcome to the world of Cicada 3301.

http://www.telegraph.co.uk/technology/internet/10468112/The-internet-mystery-that-has-the-world-baffled.html


The Stuxnet duo: malicious siblings

After three years of analysis, the German expert Ralph Langner has presented a final paper on Stuxnet. According to it, the cyber weapon consists of two pieces of malware, of which only the second became really well known - wrongly so, says Langner.

http://www.heise.de/security/meldung/Das-Stuxnet-Duo-Boesartige-Geschwister-2053847.html


Analysis: Online banking faces a new threat

Neverquest supports just about every possible trick used in attacks on online banking. In light of Neverquest's self-replication capabilities, the number of users attacked could increase over a short period of time.

http://www.securelist.com/en/analysis/204792315/Online_banking_faces_a_new_threat


IT security catching up to do: EU parliamentarians fell into a hotspot trap

All EU parliamentarians should now urgently change their passwords, an e-mail from the IT department demands. It confirms that access passwords were spied out through attacks on the unsecured parliament Wi-Fi.

http://www.heise.de/security/meldung/Nachholbedarf-bei-IT-Sicherheit-EU-Parlamentarier-tappten-in-Hotspot-Falle-2054051.html


How To Combat Online Surveillance

Governments have transformed the internet into a surveillance platform, but they are not omnipotent. They're limited by material resources as much as the rest of us. We might not all be able to prevent the NSA and GCHQ from spying on us, but we can at least create more obstacles and make surveilling us more expensive. The more infrastructure you run, the safer the communication will be.

http://theoccupiedtimes.org/?p=12362


Why Crimekit Atrax will attract attention

CSIS researchers have observed the introduction of a new commercial crimekit being sold on several underground web forums. The kit is dubbed 'Atrax' and is both a cheap kit - it costs less than $250 for the main platform - and one that utilizes the TOR protocol for stealthy communication with C&Cs, from which it is intended to get instructions, updates and new modules.

https://www.csis.dk/en/csis/blog/4103


Blackhole and Cool Exploit Kits Nearly Extinct

When authorities in Russia arrested Paunch, the alleged creator of the Blackhole exploit kit, last month, security researchers and watchers of the malware underground predicted that taking him off the board would put a dent in the use of Blackhole and force its customers onto other platforms. Six weeks later, it now appears that Blackhole is almost gone and the Cool exploit kit, another alleged creation of Paunch, has essentially disappeared, as well.

http://threatpost.com/blackhole-and-cool-exploit-kits-nearly-extinct/103034


IBM WebSphere Application Server Java Multiple Vulnerabilities

https://secunia.com/advisories/55870


WordPress Contact Form 7 3.5.2 Shell Upload

http://cxsecurity.com/issue/WLB-2013110177


WordPress Pinboard Shell Upload

http://cxsecurity.com/issue/WLB-2013110175


TPLINK WR740N / WR740ND Cross Site Request Forgery

http://cxsecurity.com/issue/WLB-2013110181


NETGEAR ReadyNAS Perl Code Evaluation

http://cxsecurity.com/issue/WLB-2013110179


Vuln: HP LoadRunner Virtual User Generator CVE-2013-4837 Remote Code Execution Vulnerability

http://www.securityfocus.com/bid/63475


Bugtraq: Open-Xchange Security Advisory 2013-11-25

http://www.securityfocus.com/archive/1/530008