End-of-Shift report
Timeframe: Monday 23-12-2013 18:00 − Friday 27-12-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a
Background: Successful attack on Linux encryption
Linux Unified Key Setup (LUKS) is the standard method for full-disk encryption on Linux; many systems, including Ubuntu 12.04 LTS, use LUKS in CBC mode. Jakob Lell demonstrates that this combination is vulnerable to the injection of a backdoor.
http://www.heise.de/security/artikel/Erfolgreicher-Angriff-auf-Linux-Verschluesselung-2072199.html
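The property behind the LUKS/CBC item is CBC malleability: because the decryption of block i is D(C[i]) XOR C[i-1], an attacker who knows the plaintext of a block can flip chosen bits in it by XOR-ing the same bits into the preceding ciphertext block, without the key, at the cost of turning that preceding block into garbage. The following is an added example written for this report, not code from the article or from Jakob Lell. To keep it standard-library only, AES is stood in for by a small keyed Feistel network (the weakness lives in the mode, not in the cipher), and the IV is passed separately to mimic a per-sector IV that is not under the attacker's control; key, IV and the "init script" plaintext are constructed.

```python
"""CBC malleability against a 'disk sector' (constructed example)."""
import hashlib
import hmac

BLOCK = 16    # 128-bit blocks, as with AES
ROUNDS = 8


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    # Keyed Feistel round function: HMAC truncated to one half-block.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _f(key, right, rnd))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _f(key, left, rnd)), left
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    if len(plaintext) % BLOCK:
        raise ValueError("plaintext must be a whole number of blocks")
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        cur = ciphertext[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, cur), prev))
        prev = cur
    return b"".join(out)


def flip_block(ciphertext: bytes, index: int, known: bytes, desired: bytes) -> bytes:
    """Without the key, turn plaintext block `index` from `known` into `desired`.

    P[i] = D(C[i]) XOR C[i-1], so XOR-ing (known XOR desired) into C[i-1]
    flips exactly those bits in P[i]. Block i-1 itself then decrypts to
    pseudo-random garbage, so a real attack aims at a spot where that is
    tolerated.
    """
    if index < 1:
        raise ValueError("block 0 chains to the IV, which is not in the ciphertext here")
    delta = _xor(known, desired)
    start = (index - 1) * BLOCK
    prev = ciphertext[start:start + BLOCK]
    return ciphertext[:start] + _xor(prev, delta) + ciphertext[start + BLOCK:]


# Constructed sample: three 16-byte blocks of an 'init script' the attacker
# can predict, plus the replacement for the third block.
ORIGINAL = (b"#!/bin/sh       "
            b"mount /dev/root "
            b"exec /sbin/init\n")
DESIRED = b"exec /tmp/evil \n"
KEY = hashlib.sha256(b"constructed demo key").digest()[:BLOCK]  # assumption
IV = bytes(BLOCK)   # stands in for a per-sector IV the attacker cannot touch


def tamper_demo() -> bytes:
    """Encrypt, tamper with the ciphertext only, decrypt with the real key."""
    ciphertext = cbc_encrypt(KEY, IV, ORIGINAL)
    tampered = flip_block(ciphertext, 2, ORIGINAL[32:48], DESIRED)
    return cbc_decrypt(KEY, IV, tampered)


if __name__ == "__main__":
    for n, blk in enumerate(range(0, 48, BLOCK)):
        print(n, tamper_demo()[blk:blk + BLOCK])
```

Running it shows block 0 intact, block 1 replaced by garbage, and block 2 reading exactly the attacker's `exec /tmp/evil`, which is why a mode with integrity protection (or an authenticated boot chain) is needed against an attacker with write access to the encrypted volume.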
Protection metrics - November results
In our October results, we talked about a trio of families related to Win32/Sefnit. Our November results showed progress against Sefnit and the installers and downloaders of Sefnit (Win32/Rotbrow and Win32/Brantall). In comparison to September, active Sefnit infections have been reduced by 82 percent. As with prior months, our rate of incorrect detections also remained low and performance stayed consistent.
http://blogs.technet.com/b/mmpc/archive/2013/12/23/protection-metrics-november-results.aspx
Turkey: Understanding high malware encounter rates in SIRv15
In our most recent version of the Security Intelligence Report, we compared the encounter rates of malware categories for the top 10 countries with computers reporting the most detections in 2Q13. Amongst these countries, Turkey stood out with considerably high encounter rates in multiple categories. Encounter rate is the percentage of computers in a country that reported at least one detection of malware.
http://blogs.technet.com/b/mmpc/archive/2013/12/23/turkey-understanding-high-malware-encounter-rates-in-sirv15.aspx
Popular Registrar Namecheap Fixes DNS Hijack Bug
The domain registrar and Web-hosting company Namecheap has fixed a cross site request forgery vulnerability in its DNS setup page.
http://threatpost.com/popular-registrar-namecheap-fixes-dns-hijack-bug/103281
What a successful exploit of a Linux server looks like
Like most mainstream operating systems these days, fully patched installations of Linux provide a level of security that requires a fair amount of malicious hacking to overcome. Those assurances can be completely undone by a single unpatched application, as André DiMino has demonstrated when he documented an Ubuntu machine in his lab being converted into a Bitcoin-mining, denial-of-service-spewing, vulnerability-exploiting hostage under the control of attackers.
http://arstechnica.com/security/2013/12/anatomy-of-a-hack-what-a-successful-exploit-of-a-linux-server-looks-like/
Turkey Tops World in Per Capita Malware Encounters
Microsoft claims that Turkish machines encounter more malware than computers in any other country in the world.
http://threatpost.com/turkey-tops-world-in-per-capita-malware-encounters/103290
New Trojan.Mods mines bitcoins
Russian anti-virus company Doctor Web is warning users about a new Trojan.Mods modification that has been dubbed Trojan.Mods.10. This Trojan's authors followed the major trend of December 2013 and added a bitcoin miner to the set of Trojan.Mods.10's features. You may recall that Trojan.Mods programs were found in large numbers in the wild in spring 2013 and were primarily designed to intercept browsers' DNS queries and redirect users to malicious sites.
http://news.drweb.com/show/?i=4176&lng=en&c=9
New CryptoLocker Spreads Via Removable Drives
We recently came across a CryptoLocker variant that had one notable feature - it has propagation routines.
Analysis of the malware, detected as WORM_CRILOCK.A, shows that this malware can spread via removable drives. This update is considered significant because this routine was unheard of in other CRILOCK variants.
http://blog.trendmicro.com/trendlabs-security-intelligence/new-cryptolocker-spreads-via-removable-drives/
OpenSSL with a broken backdoor
The random number generator Dual EC, designed by the NSA as a backdoor, is also found in the open-source crypto library OpenSSL. There, however, it was non-functional, without anyone having noticed.
http://www.heise.de/security/meldung/OpenSSL-mit-kaputter-Hintertuer-2072370.html
Big Data and security analytics collide
Big Data will become "The next big thing" - a critical re-evaluation and re-tooling of our analytical abilities. This is not about being able to query more data, but being able to query all data.
http://www.scmagazine.com/big-data-and-security-analytics-collide/article/326869/
Infection found on "feedburner.com"
Recently we have seen the websites of MySQL and PHP.net being compromised. We have also blogged about Google Code being used as a drop site for holding malicious code. These instances clearly suggest that attackers are targeting popular websites and using them in their attacks, as they are less likely to be blocked by URL filters. This time we found that the Google-acquired "FeedBurner", which provides custom RSS feeds and management tools to users, is hosting an infected page.
http://research.zscaler.com/2013/12/infection-found-on-feedburnercom.html
Hackers who breached php.net exposed visitors to highly unusual malware
Eight weeks after hackers compromised the official PHP website and laced it with attack code, outside security researchers have uncovered evidence that some visitors were exposed to malware that's highly unusual, if not unique.
http://arstechnica.com/security/2013/12/hackers-who-breached-php-net-exposed-users-to-highly-unusual-malware/
Python Multiple Vulnerabilities
https://secunia.com/advisories/56234
Puppet Enterprise Multiple Vulnerabilities
https://secunia.com/advisories/56251
Novell Client Bug Lets Local Users Crash the System
http://www.securitytracker.com/id/1029533
Cisco IOS XE VTY Authentication security bypass
http://xforce.iss.net/xforce/xfdb/89901
cPanel WHM XML and JSON APIs Arbitrary File Disclosure Vulnerability
https://secunia.com/advisories/56207
VMware Patches Privilege Vulnerability in ESX, ESXi
http://threatpost.com/vmware-patches-privilege-vulnerability-in-esx-esxi/103286
Zimbra 8.0.2 and 7.2.2 Collaboration Server LFI Exploit
http://cxsecurity.com/issue/WLB-2013120155
Synology DiskStation Manager SLICEUPLOAD Remote Command Execution
http://cxsecurity.com/issue/WLB-2013120156
RT: Request Tracker 4.0.10 SQL Injection
http://cxsecurity.com/issue/WLB-2013040083
Bugtraq: Song Exporter v2.1.1 RS iOS - File Include Vulnerabilities
http://www.securityfocus.com/archive/1/530489