End-of-Shift report
Timeframe: Wednesday 12-03-2014 18:00 - Thursday 13-03-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
Decoding Domain Generation Algorithms (DGAs) Part III - ZeusBot DGA Reproduction
At this point you can close the two parent processes, since their functionality is not what we are after; we simply want to find the DGA. What we want to discover is how this traffic is generated, so let's find out where it originates. Earlier, using API Monitor, we saw that explorer was using several functions within WinINet.dll:...
http://vrt-blog.snort.org/2014/03/decoding-domain-generation-algorithms.html
F-Secure interview: "We detect government trojans and do not intend to change that"
Malware written by governments need not always be as poor as 0zapftis, the Bavarian state trojan. For F-Secure's virus researcher Mikko Hypponen the decisive point is that anti-malware companies can continue to work without restriction in the future, as he told Golem.de in an interview.
http://www.golem.de/news/f-secure-im-interview-wir-erkennen-staatstrojaner-und-wollen-das-nicht-aendern-1403-105133-rss.html
WordPress XML-RPC PingBack Vulnerability Analysis
There were news stories this week outlining how attackers are abusing the XML-RPC "pingback" feature of WordPress blog sites to launch DDoS attacks on other sites. This blog post provides some analysis of this attack and additional information for websites to protect themselves. Not A New Vulnerability: The vulnerability in WordPress's XML-RPC API is not new. Here is data from the WordPress bug tracker from 7 years ago. While the vulnerability itself is not new,...
http://feedproxy.google.com/~r/SpiderlabsAnterior/~3/MklfK5l9jYY/wordpress-xml-rpc-pingback-vulnerability-analysis.html
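Added example, not code from the SpiderLabs post or from WordPress: a reflector-side triage of pingback.ping calls. The attack works because a pingback server fetches sourceURI to verify that it links to targetURI, so every abused blog issues an HTTP request against whatever host the attacker names in sourceURI. The script parses the Pingback 1.0 XML-RPC call, applies the policy checks a reflector would want before fetching (own-site target, no self-pingback, no non-public address), and counts sourceURI hosts across a batch to spot the victim. It goes slightly beyond the post by adding the address-range check. OWN_HOST, the threshold and all request bodies are constructed assumptions.

```python
"""Reflector-side triage for WordPress pingback.ping abuse.

Added example; not code from the SpiderLabs post or from WordPress itself.
Assumptions: OWN_HOST is the blog being abused as a reflector, the per-source
threshold is illustrative, and every request body below is constructed.
"""
import ipaddress
import xml.etree.ElementTree as ET
from collections import Counter
from urllib.parse import urlparse

OWN_HOST = "blog.example"   # assumed hostname of the WordPress site receiving the calls


def parse_pingback(body):
    """Return (sourceURI, targetURI) for a pingback.ping call, None for other methods.

    Pingback 1.0 over XML-RPC: pingback.ping(sourceURI, targetURI). The server
    fetches sourceURI to confirm it links to targetURI; an attacker therefore
    puts the victim into sourceURI and lets hundreds of blogs fetch it.
    """
    root = ET.fromstring(body)          # use defusedxml in production to blunt XML bombs
    if root.tag != "methodCall":
        raise ValueError("not an XML-RPC methodCall")
    if root.findtext("methodName") != "pingback.ping":
        return None
    params = [p.findtext("value/string") for p in root.findall("params/param")]
    if len(params) != 2 or not all(params):
        raise ValueError("pingback.ping requires two string parameters")
    return params[0], params[1]


def reject_reason(source, target, own_host=OWN_HOST):
    """Policy a reflector applies before fetching sourceURI; None means allow."""
    s, t = urlparse(source), urlparse(target)
    if s.scheme not in ("http", "https") or not s.hostname:
        return "sourceURI not an http(s) URL"
    if t.hostname != own_host:
        return "targetURI is not on this site"
    if s.hostname == own_host:
        return "self-pingback"
    try:
        if not ipaddress.ip_address(s.hostname).is_global:
            return "sourceURI points at a non-public address"
    except ValueError:
        pass  # a hostname rather than a literal IP; DNS resolution check omitted here
    return None


def flag_sources(bodies, threshold=5):
    """Count sourceURI hosts over a batch; hosts above threshold are being DDoSed through us."""
    counts = Counter()
    for body in bodies:
        parsed = parse_pingback(body)
        if parsed is None:
            continue
        source, target = parsed
        if reject_reason(source, target) is None:
            counts[urlparse(source).hostname] += 1
    return {host: n for host, n in counts.items() if n > threshold}


def _call(source, target):
    """Build a constructed pingback.ping request body."""
    return (
        "<?xml version=\"1.0\"?><methodCall><methodName>pingback.ping</methodName>"
        "<params><param><value><string>%s</string></value></param>"
        "<param><value><string>%s</string></value></param></params></methodCall>"
        % (source, target)
    )


# Constructed batch: one plausible pingback plus 20 calls that all name the same
# victim host with varying query strings (attackers vary them to defeat caching).
SAMPLE_BODIES = [_call("http://friend.example/post/1", "http://blog.example/?p=7")] + [
    _call("http://victim.example/?%d=%d" % (i, i * 7), "http://blog.example/?p=7")
    for i in range(20)
]

if __name__ == "__main__":
    print(flag_sources(SAMPLE_BODIES))   # {'victim.example': 20}
```

Wired into a WordPress site this logic would sit in front of xmlrpc.php (a WAF rule or a plugin hooking the XML-RPC server); the simplest mitigation of all remains disabling the pingback.ping method if the site does not need inbound pingbacks.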
A Detailed Examination of the Siesta Campaign
Executive Summary FireEye recently looked deeper into the activity discussed in TrendMicro's blog and dubbed the "Siesta" campaign. The tools, modus operandi, and infrastructure used in the campaign present two possibilities: either the Chinese cyber-espionage unit APT1 is perpetrating this...
http://www.fireeye.com/blog/technical/targeted-attack/2014/03/a-detailed-examination-of-the-siesta-campaign.html
LightsOut EK Targets Energy Sector
Late last year, the story broke that threat actors were targeting the energy sector with remote access tools and intelligence-gathering malware. It would seem that the attackers responsible for this threat are back for more. This particular APT struck in late February, between 2/24 and 2/26. The attack began as a compromise of a third-party law firm which includes an energy law practice known as
http://feedproxy.google.com/~r/zscaler/research/~3/S2HhvPupa_0/lightsout-ek-targets-energy-sector.html
Trojan.Skimer.19 threatens banks
March 4, 2014 Malware infecting the electronic innards of ATMs is not exactly a common phenomenon, so whenever such new kinds of programs emerge, they inevitably draw the attention of security specialists. Doctor Web's virus analysts got hold of a sample of Trojan.Skimer.19, which can infect ATMs. According to Doctor Web, banking system attacks involving Trojan.Skimer.19 persist to this day. Similar to its predecessors, the Trojan has its main payload incorporated into a dynamic link library...
http://news.drweb.com/show/?i=4267&lng=en&c=9
Trojan.Rbrute hacks Wi-Fi routers
March 5, 2014 Doctor Web's security researchers examined the Trojan.Rbrute malware, which is designed to crack Wi-Fi router access passwords by brute force and change the DNS server addresses specified in the configuration of these devices. Criminals use this malicious program to spread the file infector known as Win32.Sector. When launched on a Windows computer, Trojan.Rbrute establishes a connection with the remote server and stands by for instructions. One of them provides the Trojan with a...
http://news.drweb.com/show/?i=4271&lng=en&c=9
Anatomy of a Control Panel Malware Attack, Part 1
Recently we've discussed how Control Panel (CPL) malware has been spreading in Latin America. In the past, we've analyzed in some detail how CPL malware works, as well as the overall picture of how this threat spreads. In this post, we examine in detail how the samples spread and how they relate to other malicious sites.
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/v3D2zLGXolU/
Ethical hacker backer hacked, warns of email ransack
Switches registrars, tightens security after upsetting incident. The IT security certification body that runs the Certified Ethical Hacker programme has itself been hacked.
http://go.theregister.com/feed/www.theregister.co.uk/2014/03/13/ethical_hacker_cert_org_pwned/
Samsung: Galaxy devices have a backdoor in the modem processor
A backdoor has been discovered in the modem processor of several smartphones and tablets from Samsung's Galaxy line. Attackers could use it to access the data on the smartphone or tablet, or to modify data in order to spread malware.
http://www.golem.de/news/samsung-galaxy-geraete-haben-eine-backdoor-im-modem-prozessor-1403-105124-rss.html
Google hacks Mac OS X for a good cause
The search giant's security team has demonstrated a serious attack on Mac OS X: visiting a web page with Safari resulted in code being executed as root. The demonstration took place in a new category of the Pwn2Own contest.
http://www.heise.de/security/meldung/Google-hackt-Mac-OS-X-fuer-den-guten-Zweck-2141483.html
Metasploit Weekly Update: There's a Bug In Your Brain
The most fun module this week, in my humble opinion, is from Rapid7's own Javascript Dementer, Joe Vennix. Joe wrote up this crafty implementation of a Safari User-Assisted Download and Run Attack, which is not technically a vulnerability or a bug or anything -- it's a feature that ends up being a kind of a huge risk. Here's how it goes:...
https://community.rapid7.com/community/metasploit/blog/2014/03/13/metasploit-weekly-update
TCIPG Seminar: Dynamic Data Attacks on Real-Time Power System Operations
With increasing dependence on modern information and communication technology, a future smart grid is potentially more vulnerable to coordinated cyber attacks launched by an adversary. In this talk, we consider several possible attack mechanisms aimed at disrupting real-time operations of a power grid. In particular, we are interested in dynamic attack strategies on the power system state estimation that lead to infeasible real-time dispatch and disrupt the real-time market operation.
http://tcipg.org/news/TCIPG-Seminar-2014-Mar-7-Tong
Security update available for Adobe Shockwave Player
Adobe has released a security update for Adobe Shockwave Player 12.0.9.149 and earlier versions on the Windows and Macintosh operating systems. This update addresses a critical vulnerability that could potentially allow an attacker to remotely take control of the affected system.
http://helpx.adobe.com/security/products/shockwave/apsb14-10.html
Security Bulletin: Multiple security vulnerabilities exist in IBM InfoSphere Information Server (CVE-2013-4057, CVE-2013-4058 and CVE-2013-4059)
Security vulnerabilities exist in various versions of IBM InfoSphere Information Server or constituent products. See the individual descriptions for details. CVE(s): CVE-2013-4057, CVE-2013-4058, and CVE-2013-4059 Affected product(s) and affected version(s): IBM InfoSphere Information Server Versions 8.0, 8.1, 8.5, 8.7, and 9.1 running on all platforms
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_multiple_security_vulnerabilities_exist_in_ibm_infosphere_information_server_cve_2013_4057_cve_2013_4058_and_cve_2013_4059?lang=en_us
Bugtraq: PowerArchiver: Uses insecure legacy PKZIP encryption when AES is selected (CVE-2014-2319)
http://www.securityfocus.com/archive/1/531440
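Added example, not code from the Bugtraq post or from PowerArchiver: the check a practitioner would want after reading this advisory, namely whether an archive's entries are really AES-encrypted or only ZipCrypto-encrypted. It walks the local file headers and classifies each entry by the general-purpose encryption bit, the compression method field and, for the WinZip AE-x convention (method 99 plus a 0x9901 extra field), the key strength. It assumes the archiver writes AES in that convention, reads local headers only, and does not handle entries that use data descriptors (bit 3); the three archives it inspects are constructed in the script.

```python
"""Check which encryption an archive's entries really use.

Added example; not code from the Bugtraq post or from PowerArchiver.
Assumptions: AES means the WinZip AE-x layout (method 99 + 0x9901 extra field),
entries using data descriptors (bit 3) are not handled, and the three archives
below are constructed byte-for-byte here (local file headers only, which is
all this check reads).
"""
import struct

LOCAL_HEADER_SIG = 0x04034B50
FLAG_ENCRYPTED = 0x0001          # general purpose bit 0
METHOD_AES = 99                  # WinZip AE-x marker in the compression method field
AES_EXTRA_ID = 0x9901            # extra field carrying the real method and key strength
AES_STRENGTH = {1: "aes-128", 2: "aes-192", 3: "aes-256"}


def encryption_schemes(blob):
    """Walk local file headers; return {name: 'none' | 'zipcrypto' | 'aes-128/192/256'}."""
    result = {}
    pos = 0
    while pos + 30 <= len(blob):
        (sig, _ver, flags, method, _t, _d, _crc, csize, _usize,
         name_len, extra_len) = struct.unpack_from("<IHHHHHIIIHH", blob, pos)
        if sig != LOCAL_HEADER_SIG:
            break                                    # central directory (or junk) reached
        name = blob[pos + 30: pos + 30 + name_len].decode("utf-8", "replace")
        extra = blob[pos + 30 + name_len: pos + 30 + name_len + extra_len]
        if not flags & FLAG_ENCRYPTED:
            scheme = "none"
        elif method == METHOD_AES:
            scheme = _aes_strength(extra)
        else:
            scheme = "zipcrypto"                     # legacy PKZIP stream cipher, known-plaintext weak
        result[name] = scheme
        pos += 30 + name_len + extra_len + csize     # data descriptors (bit 3) not handled here
    return result


def _aes_strength(extra):
    """Parse the 0x9901 extra field: version(2) 'AE'(2) strength(1) real method(2)."""
    off = 0
    while off + 4 <= len(extra):
        hid, size = struct.unpack_from("<HH", extra, off)
        body = extra[off + 4: off + 4 + size]
        if hid == AES_EXTRA_ID and len(body) >= 7 and body[2:4] == b"AE":
            return AES_STRENGTH.get(body[4], "aes-unknown")
        off += 4 + size
    return "aes-malformed"


def _entry(name, flags, method, extra=b"", data=b""):
    """Build one constructed local file header plus its (fake) compressed data."""
    hdr = struct.pack("<IHHHHHIIIHH", LOCAL_HEADER_SIG, 20, flags, method,
                      0, 0x21, 0, len(data), len(data), len(name), len(extra))
    return hdr + name + extra + data


# Constructed samples: a genuine AES entry, one that only claims encryption via
# the legacy bit with method 8 (deflate), and an unencrypted entry.
AES_EXTRA = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 8)   # AE-2, AES-256, deflate inside
ARCHIVE_AES = _entry(b"secret.txt", FLAG_ENCRYPTED, METHOD_AES, AES_EXTRA, b"\x00" * 40)
ARCHIVE_ZIPCRYPTO = _entry(b"secret.txt", FLAG_ENCRYPTED, 8, b"", b"\x00" * 40)
ARCHIVE_PLAIN = _entry(b"readme.txt", 0, 0, b"", b"hello")


def verify_aes(blob):
    """True only if every entry is AES-encrypted, which is what a user who picked 'AES' expects."""
    schemes = encryption_schemes(blob)
    return bool(schemes) and all(s.startswith("aes-") for s in schemes.values())


if __name__ == "__main__":
    for label, blob in (("aes", ARCHIVE_AES), ("zipcrypto", ARCHIVE_ZIPCRYPTO), ("plain", ARCHIVE_PLAIN)):
        print(label, encryption_schemes(blob), verify_aes(blob))
```

Run against a real archive with `encryption_schemes(open(path, "rb").read())`; an archiver that silently falls back to ZipCrypto shows up as "zipcrypto" entries even though the UI said AES.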
SA-CONTRIB-2014-031 - Webform Template - Access Bypass
Advisory ID: DRUPAL-SA-CONTRIB-2014-031; Project: Webform Template (third-party module); Version: 7.x; Date: 2014-March-12; Security risk: Less critical; Exploitable from: Remote; Vulnerability: Access Bypass. Description: This module enables you to copy webform config from one node to another. The module doesn't respect node access when providing possible nodes to copy from. As a result, the titles of nodes a user has no view access to may be disclosed to that user, who may then be able to copy the webform...
https://drupal.org/node/2216607
SA-CONTRIB-2014-030 - SexyBookmarks - Information Disclosure
Advisory ID: DRUPAL-SA-CONTRIB-2014-030; Project: SexyBookmarks (third-party module); Version: 6.x; Date: 2014-March-12; Security risk: Moderately critical; Exploitable from: Remote; Vulnerability: Information Disclosure. Description: The SexyBookmarks module is a port of the WordPress SexyBookmarks plug-in. The module adds social bookmarking using the Shareaholic service. The module discloses the private files location when Drupal 6 is configured to use private files. This vulnerability is mitigated by the fact...
https://drupal.org/node/2216269
Mitsubishi Electric Automation MC-WorX Suite Unsecure ActiveX Control
This advisory is a follow-up to the original alert, titled ICS-ALERT-13-259-01 Mitsubishi MC-WorX Suite Unsecure ActiveX Control, published September 16, 2013, on the NCCIC/ICS-CERT web site (the product was originally incorrectly identified as MC-WorkX; the correct product name is MC-WorX).
http://ics-cert.us-cert.gov/advisories/ICSA-14-051-02
Cisco Intelligent Automation for Cloud Cryptographic Implementation Issues
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-0694
GNUpanel 0.3.5_R4 Cross Site Request Forgery / Cross Site Scripting
Topic: GNUpanel 0.3.5_R4 Cross Site Request Forgery / Cross Site Scripting. Risk: Medium. Text: # Exploit Title: GNUpanel 0.3.5_R4 - Multiple Vulnerabilities # Vendor Homepage: http://wp.geeklab.com.ar/gl-en/gnupanel...
http://cxsecurity.com/issue/WLB-2014030098
Proxmox Mail Gateway 3.1 Cross Site Scripting
Topic: Proxmox Mail Gateway 3.1 Cross Site Scripting. Risk: Low. Text: I. VULNERABILITY - Multiple XSS in Proxmox Mail Gateway 3.1 II. BACKGROUND - Proxmox Mail G...
http://cxsecurity.com/issue/WLB-2014030097