End-of-Shift report
Timeframe: Tuesday 16-12-2014 18:00 − Wednesday 17-12-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
Malware exploits months-old WordPress vulnerability
The malware known as SoakSoak has infected hundreds of thousands of websites through the Slider Revolution plug-in and spies on the servers. In some cases visitors are also infected via drive-by download.
http://www.heise.de/security/meldung/Schadcode-nutzt-Monate-alte-WordPress-Luecke-aus-2498327.html
Firefox, IE11 zero-day bugs possibly targeted in SoakSoak WordPress malware attacks
Attackers exploiting a bug in the Slider Revolution plugin to compromise WordPress websites with malware may also be targeting zero-day vulnerabilities in Firefox and Internet Explorer 11.
http://www.scmagazine.com/firefox-ie11-zero-day-bugs-possibly-targeted-in-soaksoak-wordpress-malware-attacks/article/388681/
Some Memory Forensic with Forensic Suite (Volatility plugins), (Tue, Dec 16th)
In previous diaries we have talked about memory forensics and how important it is. In this diary I will talk about a new set of Volatility plugins called Forensic Suite, written by Dave Lasalle. The suite has 14 plugins and they cover different areas of memory forensics. The Forensic Suite can be obtained from:
http://downloads.volatilityfoundation.org/contest/2014/DaveLasalle_ForensicSuite.zip . In this diary I will talk about some of the plugins. Firefox history: To test this plugin first I browsed the...
https://isc.sans.edu/diary.html?storyid=19071&rss
URL flaw discovered for airline mobile boarding passes
A URL flaw that impacts mobile boarding passes for airlines, such as Southwest and Delta, was discovered on Tuesday.
http://www.scmagazine.com/url-flaw-discovered-for-airline-mobile-boarding-passes/article/388666/
Impact of Linux bug grinch spans servers, workstations, Android devices and more
Alert Logic discovered the bug, which is susceptible to exploitation due to the default installation process used by Linux.
http://www.scmagazine.com/impact-of-linux-bug-grinch-spans-servers-workstations-android-devices-and-more/article/388689/
Comparing OpenBSD with FreeBSD - securitywise
OpenBSD and FreeBSD are both great OSes that I admire and use. OpenBSD is considered more secure since that is its main goal, but FreeBSD can be tweaked to be pretty well hardened as well. Depending on the forums or whom we ask, we will get different opinions. But what are the facts? Which OS is more secure and why?
http://networkfilter.blogspot.co.at/2014/12/security-openbsd-vs-freebsd.html
SSL Labs end of year 2014 updates
From the SSL/TLS perspective, 2014 was quite an eventful year. The best way to describe what we at SSL Labs did is we kept running to stay in the same place. What I mean by this is that we spent a lot of time reacting to high profile vulnerabilities: Heartbleed, the ChangeCipherSpec protocol issue in OpenSSL, POODLE (against SSL 3 in October and against TLS in December), and others. Ultimately, this has been a very successful year for us, with millions of assessments carried out.
http://blog.ivanristic.com/2014/12/ssl-labs-end-of-year-updates.html
Top 5 malware attacks: 35 reused components
CyActive identified the top five malware that returned the highest ROI for hackers with the least effort per dollar - achieved by recycling code and using the same methods from previous malware attack...
http://www.net-security.org/malware_news.php?id=2932
Protecting the underground electronic communications infrastructure
ENISA has released a new report on the Protection of Underground Electronic Communications Infrastructure. This report - targeted at Member States (MS), public institutions, owners of underground comm...
http://www.net-security.org/secworld.php?id=17763
The Abandoned Side of the Internet: Hijacking Internet Resources When Domain Names Expire
In this paper, we discuss an attacker model that accounts for the hijacking of network ownership information stored in Regional Internet Registry (RIR) databases. We show that such threats emerge from abandoned Internet resources (e.g., IP address blocks, AS numbers). When DNS names expire, attackers gain the opportunity to take resource ownership by re-registering domain names that are referenced by corresponding RIR database objects.
http://arxiv.org/abs/1412.5052
How the FBI Unmasked Tor Users
Kevin Poulson has a good article up on Wired about how the FBI used a Metasploit variant to identify Tor users....
https://www.schneier.com/blog/archives/2014/12/how_the_fbi_unm.html
Fast Flux Networks Working and Detection, Part 1
Introduction: In this series of articles, we will learn about a not-so-new type of attack, but one of the most difficult attacks to control. Yes, we will learn about the demon Fast Flux!! In this article, we will learn about what exactly Fast Flux is, types of Fast Flux, and [...] The post Fast Flux Networks Working and Detection, Part 1 appeared first on InfoSec Institute.
http://resources.infosecinstitute.com/fast-flux-networks-working-detection-part-1/
What's New in Exploit Kits in 2014
Around this time in 2013, the most commonly used exploit kit - the Blackhole Exploit Kit - was shut down after its creator, Paunch, was arrested by law enforcement. Since then, a variety of exploit kits have emerged and have been used by cybercriminals. The emergence of so many replacements has also meant that there...
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/N44vwrIcGrM/
Researchers warn of new OphionLocker ransomware
OphionLocker doesn't diverge much from previous ransomware schemes, although it does generate a unique hardware ID based on the first hard drive's serial number, the motherboard's serial number and other information.
http://www.scmagazine.com/ophionlocker-discovered-in-the-wild-update-provided-on-torrentlocker/article/388699/
Certified pre-pw0ned Android Smartphones: Coolpad Firmware Backdoor, (Wed, Dec 17th)
Researchers at Palo Alto found that many ROM images used for Android smart phones manufactured by Coolpad contain a backdoor, giving an attacker full control of the device. Palo Alto named the backdoor Coolreaper. With Android, it is very common for manufacturers to install additional applications. But these applications are installed on top of the Android operating system. In this case, Coolpad integrated additional functionality into the firmware of the device. This backdoor was then used by
https://isc.sans.edu/diary.html?storyid=19075&rss
BSI security report: successful cyber attack on a German steel mill
In a previously unknown attack, the attackers severely damaged a blast furnace. Besides targeted attacks on industrial facilities, the BSI also reports a growing threat to end users.
http://www.heise.de/security/meldung/BSI-Sicherheitsbericht-Erfolgreiche-Cyber-Attacke-auf-deutsches-Stahlwerk-2498990.html
Meet FlashFlood, the lightweight script that causes websites to falter
Bringing big database-driven sites to their knees just got a little easier.
http://feeds.arstechnica.com/~r/arstechnica/security/~3/ir5Zy4m-thY/
iCloud data: forensics software promises extensive access
The forensics software "Phone Breaker", presumably also used in the iCloud celebrity hack, extends the ability to read out user data stored on Apple's cloud service. Support for third-party access to iCloud Drive is expected to follow.
http://www.heise.de/security/meldung/iCloud-Daten-Forensik-Software-verspricht-umfangreichen-Zugriff-2499262.html
Cisco ISB8320-E High-Definition IP-Only DVR Remote Unauthenticated Access Vulnerability
CVE-2014-8006
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-8006
Symantec Web Gateway OS Authenticated Command Injection
Revisions: None. Severity (CVSS2 base score, impact, exploitability, CVSS2 vector): Symantec Web Gateway Operating System Command Injection - Low...
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2014&suid=20141216_00
IBM Business Process Manager cross-site scripting
http://xforce.iss.net/xforce/xfdb/98418
IBM WebSphere Process Server, IBM WebSphere Enterprise Service Bus, IBM Business Process Manager information disclosure
http://xforce.iss.net/xforce/xfdb/98488
IBM Business Process Manager security bypass
http://xforce.iss.net/xforce/xfdb/95724
HP Security Bulletins
[security bulletin] HPSBMU03221 rev.1 - HP Connect-IT running SSLv3, Remote Disclosure of Information
http://www.securityfocus.com/archive/1/534259
[security bulletin] HPSBMU03217 rev.1 - HP Vertica Analytics Platform running Bash Shell, Remote Code Execution
http://www.securityfocus.com/archive/1/534262
[security bulletin] HPSBOV03226 rev.1 - HP TCP/IP Services for OpenVMS, BIND 9 Resolver, Multiple Remote Vulnerabilities
http://www.securityfocus.com/archive/1/534261
[security bulletin] HPSBOV03225 rev.1 - HP OpenVMS running POP, Remote Denial of Service (DoS)
http://www.securityfocus.com/archive/1/534260
Patches for Novell Products
https://download.novell.com/Download?buildid=3dJODsdcDKE~
https://download.novell.com/Download?buildid=STisn28FRWs~
https://download.novell.com/Download?buildid=q4S96klvwhE~
https://download.novell.com/Download?buildid=Mh8CRo1Ljh8~
https://download.novell.com/Download?buildid=nlOmW2y333Q~
https://download.novell.com/Download?buildid=anuuh6CDWX8~
DSA-3105 heirloom-mailx - security update
Two security vulnerabilities were discovered in Heirloom mailx, an implementation of the mail command:
https://www.debian.org/security/2014/dsa-3105
DSA-3104 bsd-mailx - security update
It was discovered that bsd-mailx, an implementation of the mail command, had an undocumented feature which treats syntactically valid email addresses as shell commands to execute.
https://www.debian.org/security/2014/dsa-3104
SSA-134508 (Last Update 2014-12-16): Vulnerabilities in SIMATIC WinCC, PCS 7 and WinCC in TIA Portal
https://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_security_advisory_ssa-134508.pdf
iWifi For Chat 1.1 Denial Of Service
Topic: iWifi For Chat 1.1 Denial Of Service. Risk: Medium. Text: Document Title: iWifi for Chat v1.1 iOS - Denial of Service Vulnerability. References (Source): == http://w...
http://cxsecurity.com/issue/WLB-2014120110
iUSB 1.2 Arbitrary Code Execution
Topic: iUSB 1.2 Arbitrary Code Execution. Risk: High. Text: Document Title: iUSB v1.2 iOS - Arbitrary Code Execution Vulnerability. References (Source): == http://www....
http://cxsecurity.com/issue/WLB-2014120109
Bugtraq: [REVIVE-SA-2014-002] Revive Adserver 3.0.6 and 3.1.0 fix multiple vulnerabilities
http://www.securityfocus.com/archive/1/534264
Security Advisory-Multiple Vulnerabilities in Huawei eSpace Desktop Product
Dec 17, 2014 16:09
http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-406589.htm
Schneider Electric ProClima Command Injection Vulnerabilities
This advisory provides mitigation details for command injection vulnerabilities in Schneider Electric's ProClima software package.
https://ics-cert.us-cert.gov//advisories/ICSA-14-350-01
Bird Feeder <= 1.2.3 CSRF & XSS
https://wpvulndb.com/vulnerabilities/7727
DB Backup <= 4.5 - Path Traversal File Access
https://wpvulndb.com/vulnerabilities/7726