Daily Summary - Friday 28-02-2014

End-of-Shift report

Timeframe: Thursday 27-02-2014 18:00 - Friday 28-02-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a

Are Automated Update Services the Next Surveillance Frontier?

Automated update services that provide users with security patches and feature enhancements are also a potential hunting ground for intelligence agencies and law enforcement surveillance activity.

http://threatpost.com/are-automated-update-services-the-next-surveillance-frontier/104558


DDoS and BCP 38, (Thu, Feb 27th)

Quite often on many lists we will hear the term Best Current Practice (BCP) 38 bandied about and further recommendations to implement [1] [2] [3] [4] (see the NANOG mailing list archive). Some will say "it will aid in DDoS mitigation" and others will even state "All Internet Service Providers (ISP) should implement this." Now before the philosophical discussions ensue in the comments, it might be a good idea to discuss, technically, what it is, and perhaps what it can do.

http://isc.sans.edu/diary.html?storyid=17735&rss


Oversharing, (Fri, Feb 28th)

When ISC reader Michael contacted us about "odd UDP traffic from all over" that he was suddenly seeing in his firewall log, we at first assumed that his Internet connection had "inherited" a dynamic IP address that had before been used by a rampant file sharing user, and that Michael was now seeing the "after glow". We still asked for a PCAP (tcpdump) file though, and when we looked at what Michael sent back, we saw to our surprise...

http://isc.sans.edu/diary.html?storyid=17737&rss


Highly Effective Joomla Backdoor with Small Profile

It feels like every day we're finding gems, or what appear to be gems to us. We try to balance the use of the term, but I can't lie, these are truly gems. The things they are doing, and by they I mean the attackers, are in some instance ingenious. I think you'll agree that...

http://blog.sucuri.net/2014/02/highly-effective-joomla-backdoor-with-small-profile.html


Tilon/SpyEye2 intelligence report

Tilon, son of Silon, or... SpyEye2 evolution of SpyEye? The malware family commonly known as Tilon has been around for several years now. While several public analysis reports have described the malware; no one has thus far linked it with the well-known SpyEye malware family. In light of the recent news of the guilty plea...

http://blog.fox-it.com/2014/02/25/tilonspyeye2-intelligence-report/


Malicious Proxy Auto-Config redirection

Internet banking credentials are a desired target for cybercriminals. They can be targeted with man-in-the-middle attacks or through password-stealing trojans such as Fareit, Zbot or Banker. A less-known method to gain unauthorized access to a user's banking credentials, commonly found in South America and to a lesser extent in Russia, is through malicious Proxy Auto-Config (PAC) files. Normally, PAC files offer similar functionality to the hosts file, allowing IP/website redirection,...

http://blogs.technet.com/b/mmpc/archive/2014/02/28/malicious-proxy-auto-config-redirection.aspx


Notorious "Gameover" malware gets itself a kernel-mode rootkit...

Zeus, also known as Zbot, is a malware family that we have written about many times on Naked Security...

http://nakedsecurity.sophos.com/2014/02/27/notorious-gameover-malware-gets-itself-a-kernel-mode-rootkit/


[2014-02-28] Authentication bypass (SSRF) and local file disclosure in Plex Media Server

The Plex Media Server proxy functionality fails to properly validate pre-authentication user requests. This allows unauthenticated attackers to make the Plex Media Server execute arbitrary HTTP requests and hence bypass all authentication and execute commands with administrative privileges. Furthermore, because of insufficient input validation, arbitrary local files can be disclosed without prior authentication including passwords and other sensitive information.

https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20140228-1_Plex_Media_Server_Authentication_bypass_local_file_disclosure_v10.txt


[2014-02-28] Privilege escalation vulnerability in MICROSENS Profi Line Modular Industrial Switch Web Manager

Attackers are able to elevate privileges during login from read-only user rights to full read/write or debug access rights by simply changing result values of the affected CGI script. This allows attackers to reconfigure the device.

https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20140228-0_MICROSENS_profi_line_modular_privilege_escalation_v10.txt


VU#534284: Synology DiskStation Manager VPN module hard-coded password vulnerability

Synology DiskStation Manager 4.3-3810 update 1 and possibly earlier versions contain a VPN server module which contains a hard-coded password which cannot be changed. According to the original forum post...

http://www.kb.cert.org/vuls/id/534284


Moodle 2.6.1 Cross Site Scripting

Topic: Moodle 2.6.1 Cross Site Scripting
Risk: Low
Title: Moodle 2.6.1
Version: (Feb 27 2014) moodle-latest-26.zip
Date: 27.02.2014...

http://cxsecurity.com/issue/WLB-2014020247


Cisco IPS MainApp SNMP Denial of Service Vulnerability

A vulnerability in the SNMP code of Cisco Intrusion Prevention System (IPS) Software could allow an unauthenticated, remote attacker to cause the MainApp process to become unresponsive. This creates a denial of service (DoS) condition because the Cisco IPS sensor is not able to execute several critical tasks including alert notification, event store management, and sensor authentication. The Cisco IPS web server will also be unavailable while the MainApp process is unresponsive. Additionally, due to this general system failure, other processes such as the Analysis Engine may not function properly.

http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-2103


Cisco Unified Communications Domain Manager Cross-Site Scripting Vulnerability

A vulnerability in the web framework of Cisco Unified Communications Domain Manager could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface on the affected system.

http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-2104


Schneider Electric Floating License Manager Vulnerability

Schneider Electric had become aware of an "unquoted service path" vulnerability in the Schneider Electric Floating License Manager, produced a patch that mitigates this vulnerability, and notified NCCIC/ICS-CERT.

http://ics-cert.us-cert.gov/advisories/ICSA-14-058-01


Schneider Electric OFS Buffer Overflow Vulnerability

Schneider Electric has reported to NCCIC/ICS-CERT a stack buffer overflow vulnerability in a component supplied with the Schneider Electric OPC Factory Server (OFS).

http://ics-cert.us-cert.gov/advisories/ICSA-14-058-02