Daily summary - Tuesday 9-07-2013

End-of-Shift report

Timeframe: Monday 08-07-2013 18:00 - Tuesday 09-07-2013 18:00
Handler: Matthias Fraidl
Co-Handler: n/a

Root SSH Key Shipping with Emergency Alert System Devices Exposed

Firmware images for devices at the core of the Emergency Alert System are shipping with a compromised root SSH key, researchers at IOActive said.

http://threatpost.com/root-ssh-key-shipping-with-emergency-alert-system-devices-exposed/


Novel ransomware tactic locks users' PCs, demands that they participate in a survey to get the unlock code

From managed ransomware-as-a-service 'solutions' to DIY ransomware-generating tools, this malicious market segment is as hot as ever, with cybercriminals continuing to push new variants and, sometimes, literally introducing novel approaches to monetize locked PCs.

http://blog.webroot.com/2013/07/08/novel-ransomware-tactic-locks-users-pcs-demands-that-they-participate-in-a-survey-to-get-the-unlock-code/

RSA Authentication Manager Lets Local Users View the Administrative Account Password

When the RSA Authentication Manager Software Development Kit (SDK) is used to develop a custom application that connects to RSA Authentication Manager and trace logging is set to verbose, the administrative account password used by the custom application is written in clear text to the trace log file.

http://www.securitytracker.com/id/1028742


WordPress Search N Save XSS & Path Disclosure

These are cross-site scripting and full path disclosure vulnerabilities. The XSS holes are in ZeroClipboard.swf, which is used by the plugin.

http://cxsecurity.com/issue/WLB-2013070060


Oracle Java Applet Preloader Click-2-Play Warning Bypass

The vulnerability is caused by a design error in the Java click-2-play security warning when the preloader is used, which can be exploited by remote attackers to load a malicious applet (e.g. one taking advantage of a Java memory corruption vulnerability) without any user interaction.

http://cxsecurity.com/issue/WLB-2013070067


Doctor Web: June virus activity review

Despite summer being a holiday season, threats to IT security persisted in June. At the very beginning of the month, Doctor Web's virus analysts discovered a new version of a dangerous Trojan targeting Linux servers, while in the middle of June another wave of Trojan encoders swept across desktops. Also found was a host of new threats to mobile devices.

http://news.drweb.com/show/?i=3708&lng=en&c=9


Spamvertised 'Export License/Invoice Copy' themed emails lead to malware

We've just intercepted a currently circulating malicious spam campaign consisting of tens of thousands of fake 'Export License/Invoice Copy' themed emails, enticing users into executing the malicious attachment. Once the socially engineered users do so, their PCs automatically become part of the botnet operated by the cybercriminals behind the campaign.

http://blog.webroot.com/2013/07/09/spamvertised-export-licenseinvoice-copy-themed-emails-lead-to-malware/


Exploit Code Released For Android Security Hole

Pau Oliva Fora, a security researcher for the firm Via Forensics, published a small, proof of concept module that exploits the flaw in the way Android verifies the authenticity of signed mobile applications. The flaw was first disclosed last week by Jeff Forristal, the Chief Technology Officer at Bluebox Security, ahead of a presentation at the Black Hat Briefings in August.

https://securityledger.com/2013/07/exploit-code-released-for-android-security-hole/


[2013-07-09] Denial of service vulnerability in Apache CXF

It is possible to execute denial-of-service attacks on Apache CXF by exploiting the fact that the streaming XML parser does not put limits on things like the number of elements, the number of attributes, the nesting depth of the received document, etc. The effects of these attacks can vary from high CPU usage to the JVM running out of memory.

https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130709-0_Apache_CXF_Denial_of_Service_v10.txt


HP storage: more possible backdoors

LeftHand, StoreVirtual remote reset suggests factory account

Technion, the blogger who recently turned up an undocumented back door in HP's StoreOnce, has turned up similar issues in other HP products - publicised on support forums by the company, but unnoticed at the time.

http://www.theregister.co.uk/2013/07/09/hp_storage_more_possible_backdoors/


Hard drive-wiping malware that hit South Korea tied to military espionage

The hackers responsible for a malware attack in March that simultaneously wiped data from tens of thousands of South Korean computers belong to the same espionage group that has targeted South Korean and US military secrets for four years, researchers said.

http://arstechnica.com/security/2013/07/hard-drive-wiping-malware-that-hit-s-korea-tied-to-military-espionage/


Vuln: MongoDB Remote Privilege Escalation Vulnerability

MongoDB is prone to a remote privilege-escalation vulnerability. An attacker can exploit this issue to gain elevated privileges within the application and obtain unauthorized access to sensitive information. MongoDB 2.4.0 through 2.4.4 and 2.5.0 are vulnerable; other versions may also be affected.

http://www.securityfocus.com/bid/61007


US agency destroys its own hardware out of fear of viruses

PCs, monitors, cameras, mice and keyboards - a US agency wanted to scrap its entire IT equipment because it feared a massive virus infection. In fact, apparently only six computers were affected.

http://www.heise.de/security/meldung/US-Behoerde-zerstoert-eigene-Hardware-aus-Angst-vor-Viren-1913796.html


Email addresses at T-Online can be hijacked

If an attacker manages to lure a prospective victim onto a specially crafted web page, the attacker can permanently take over that victim's T-Online email address.

http://www.heise.de/security/meldung/Mail-Adressen-bei-T-Online-lassen-sich-kapern-1914004.html


OTRS / OTRS ITSM Unspecified Script Insertion and SQL Injection Vulnerabilities

Some vulnerabilities have been reported in OTRS and OTRS ITSM, which can be exploited by malicious users to conduct script insertion and SQL injection attacks.

https://secunia.com/advisories/52623