End-of-Shift report
Timeframe: Wednesday 27-11-2013 18:00 - Thursday 28-11-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
Fake 'October's Billing Address Code' (BAC) form themed spam campaign leads to malware
Have you received a casual-sounding email enticing you into signing a Billing Address Code (BAC) form for October, in order for the Payroll Manager to proceed with the transaction? Based on our statistics, tens of thousands of users received these malicious spam emails over the last 24 hours, with the cybercriminal(s) behind them clearly interested in expanding the size of their botnet through good old-fashioned 'casual social engineering' campaigns.
http://www.webroot.com/blog/2013/11/27/fake-octobers-billing-address-code-bac-form-themed-spam-campaign-leads-malware/
Sharik Back for More After Php.Net Compromise
Sharik is a Trojan which injects itself into legitimate processes and adds registry entries for an added level of persistence. The infection also sends information about the victim's PC to a remote server. The threat can also receive commands from a known CnC server to download further malicious files.
http://research.zscaler.com/2013/11/sharik-back-for-more-after-phpnet.html
ATM Traffic + TCPDump + Video = Good or Evil?, (Wed, Nov 27th)
I was working with a client recently, working through the move of a Credit Union branch. In passing, he mentioned that they were looking at a new security camera setup, and the vendor had mentioned that it would need a SPAN or MIRROR port on the switch set up. At that point my antennae came online - SPAN or MIRROR ports set up a session where all packets from one switch port are "mirrored" to another switch port.
http://isc.sans.edu/diary.html?storyid=17111
Microsoft Security Advisory (2914486): Vulnerability in Microsoft Windows Kernel Could Allow Elevation of Privilege - Version: 1.0
Microsoft is investigating new reports of a vulnerability in a kernel component of Windows XP and Windows Server 2003. We are aware of limited, targeted attacks that attempt to exploit this vulnerability.
http://technet.microsoft.com/en-ca/security/advisory/2914486
THOUSANDS of Ruby on Rails sites leave logins lying around
A security researcher has warned that a Ruby on Rails vulnerability first outlined in September is continuing to linger on the Web, courtesy of admins who don't realise a vulnerability exists in its default CookieStore session storage mechanism.
http://www.theregister.co.uk/2013/11/28/thousands_of_ror_sites_leave_logins_lying_around/
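The weakness behind the Rails item above is that a CookieStore session lives entirely in a signed cookie on the client; the server keeps no record of it, so "logging out" only asks the browser to drop the cookie and a copy taken earlier keeps verifying. The following is an added example written for this report, not Rails code: it models the integrity check CookieStore performs (Base64 payload plus HMAC-SHA1 under the application secret; Rails serializes with Marshal, JSON is used here for readability), shows that a captured cookie is still accepted after logout, and then shows a hardened variant with a per-session id, an expiry, and a server-side revocation list. The secret, the REVOKED hash and all cookie values are constructed for the demo.

```ruby
require 'openssl'
require 'base64'
require 'json'
require 'securerandom'

# Constructed demo secret; stands in for the application's secret_token.
SECRET = 'constructed-demo-secret-not-a-real-secret_token'

# Minimal model of CookieStore: serialize the session hash, Base64-encode it,
# append an HMAC-SHA1 over the payload. Integrity only, no confidentiality.
def sign_session(data, secret = SECRET)
  payload = Base64.strict_encode64(JSON.generate(data))
  digest  = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), secret, payload)
  "#{payload}--#{digest}"
end

# Constant-time comparison so the digest check does not leak via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the session hash if the cookie is authentic, nil otherwise.
# Authenticity is the only thing a purely client-side session can check.
def verify_session(cookie, secret = SECRET)
  payload, digest = cookie.to_s.split('--', 2)
  return nil unless payload && digest
  expected = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), secret, payload)
  return nil unless secure_compare(expected, digest)
  JSON.parse(Base64.strict_decode64(payload))
rescue ArgumentError, JSON::ParserError
  nil
end

# Stateless logout: the server only sends a Set-Cookie that clears the
# browser's copy. Nothing records that this token is dead.
def stateless_logout(_cookie)
  true
end

# Hardened variant (added here, not a Rails feature): each session carries a
# random id and an expiry, and logout records the id server-side.
# REVOKED is an in-memory Hash for the demo; a deployment would use a shared
# store (database, Redis) and purge ids once their session has expired.
REVOKED = {}

def issue_session(user_id, now = Time.now.to_i, ttl = 3600)
  sign_session('user_id' => user_id, 'sid' => SecureRandom.hex(16),
               'iat' => now, 'exp' => now + ttl)
end

def revoke_session(cookie)
  data = verify_session(cookie)
  return false unless data && data['sid']
  REVOKED[data['sid']] = true
  true
end

def load_session_hardened(cookie, now = Time.now.to_i)
  data = verify_session(cookie)
  return nil unless data && data['sid'] && data['exp']
  return nil if now >= data['exp']      # expired
  return nil if REVOKED[data['sid']]    # logged out server-side
  data
end

if __FILE__ == $PROGRAM_NAME
  captured = sign_session('user_id' => 42)
  stateless_logout(captured)
  puts "stateless cookie replayed after logout: #{verify_session(captured).inspect}"
  hardened = issue_session(42, 1000, 60)
  revoke_session(hardened)
  puts "hardened cookie after logout: #{load_session_hardened(hardened, 1010).inspect}"
end
```

The stateless path is still what an unmodified CookieStore gives you: rotating the secret invalidates every session at once, but nothing short of that invalidates one user's cookie. Short expiries plus a revocation check on logout (or a server-side session store) is the practical fix; encrypting the cookie, as later Rails versions do, hides its contents but does not by itself solve the replay problem.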
FakeAV + Ransomware = Windows Expert Console
Over the last few months we have been talking mainly about police virus infections, and more recently about CryptoLocker, the new major ransomware family. However, that doesn't mean that our good 'old friends' known as FakeAV aren't around.
http://pandalabs.pandasecurity.com/fakeav-ransomware-windows-expert-console/
Linux Worm Targeting Hidden Devices
Symantec has discovered a new Linux worm that appears to be engineered to target the 'Internet of things'. The worm is capable of attacking a range of small, Internet-enabled devices in addition to traditional computers. Variants exist for chip architectures usually found in devices such as home routers, set-top boxes and security cameras.
http://www.symantec.com/connect/blogs/linux-worm-targeting-hidden-devices
You have a Skype voicemail. PSYCHE! It's just some fiendish Trojan-flinging spam
A spam run of fake Skype voicemail alert emails actually comes packed with malware, a UK police agency warns.
Action Fraud said the zip file attachments come contaminated with a variant of the notorious ZeuS banking Trojan.
http://www.theregister.co.uk/2013/11/28/skype_voicemail_alert_spam_flings_zeus_trojan/
Microsoft Cybersecurity Report: Top 10 Most Wanted Enterprise Threats
The latest report found that in the enterprise environment, on average about 11% of systems worldwide encountered malware between the third quarter of 2012 (3Q12) and the second quarter of 2013 (2Q13). The "encounter rate" is defined as the percentage of computers running Microsoft real-time security software that report detecting malware - typically resulting in a blocked installation of malware.
http://blogs.technet.com/b/security/archive/2013/11/25/microsoft-cybersecurity-report-top-10-most-wanted-enterprise-threats.aspx?Redirected=true
Quassel IRC Backlog Access Bypass Vulnerabilities
https://secunia.com/advisories/55640
DSA-2804 drupal7
http://www.debian.org/security/2013/dsa-2804
DSA-2803 quagga
http://www.debian.org/security/2013/dsa-2803
HP Service Manager and ServiceCenter Unspecified Flaw Lets Remote Users Execute Arbitrary Code
http://www.securitytracker.com/id/1029400
Subversion mod_dontdothat Path Validation Flaw Lets Remote Users Bypass Security Restrictions
http://www.securitytracker.com/id/1029402
Yahoo Open Redirect Vulnerability or "Designing vulnerabilities"
http://cxsecurity.com/issue/WLB-2013110200
ownCloud Unspecified Security Bypass Vulnerability
https://secunia.com/advisories/55792