End-of-Shift report
Timeframe: Monday 21-07-2014 18:00 to Tuesday 22-07-2014 18:00
Handler: Stephan Richter
Co-Handler: n/a
Retefe banking trojan
Most [...] banking trojans are, technically speaking, built from fairly complex software components: encrypted configurations, man-in-the-browser functionality, persistence and update mechanisms, to name a few. In the last six months an entirely new variant has established itself, one that only received a name in February 2014: Retefe.
http://securityblog.switch.ch/2014/07/22/retefe-bankentrojaner/
IBM Fixes Code Execution, Cookie-Stealing Vulnerabilities in Switches
IBM recently patched a handful of vulnerabilities in some of its KVM switches that, if exploited, could have given an attacker free rein over any system attached to them.
http://threatpost.com/ibm-fixes-code-execution-cookie-stealing-vulnerabilities-in-switches/107339
Mobile App Wall of Shame: CNN App for iPhone
The CNN App for iPhone is one of the most popular news applications available for the iPhone. At present, it is sitting at #2 in the iTunes free News app category and #165 among all free apps. Along with providing news stories, alerts and live video, it also includes iReport functionality, allowing...
http://research.zscaler.com/2014/07/cnn-app-for-iphone.html
OWASP Zed Attack Proxy, (Mon, Jul 21st)
Affectionately known as ZAP, the OWASP Zed Attack Proxy is an excellent web application testing tool. It finds its way into the hands of experienced penetration testers, newer security administrators, vulnerability assessors, as well as auditors and the curious. One of the reasons for its popularity is the ease of use and the extensive, granular capability to examine transactions. While some may know ZAP as a fork or successor to the old Paros proxy, it is so much more. Roughly 20% of the code base...
https://isc.sans.edu/diary.html?storyid=18421&rss
Old and Persistent Malware
User error is the most likely explanation for why Excel spreadsheets infected with the Laroux macro virus have been published on the China Securities Regulatory Commission website (csrc.gov.cn). The commission regulates China's financial markets and provides an online law library on its website where visitors can download various files and texts. Two of the files available in the library contain the MSEXcel.Laroux virus.
https://blogs.cisco.com/security/old-and-persistent-malware/
FakeNet Malware Analysis
FakeNet is a tool that aids in the dynamic analysis of malicious software. The tool simulates a network so that malware interacting with a remote host continues to run allowing the analyst to observe the malware's network activity from within a safe environment.
http://www.ehacking.net/2014/07/fakenet-malware-analysis.html
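To make the FakeNet idea concrete, here is an added example (written for this report, not FakeNet's own code) of the core trick such a tool plays: a fake DNS resolver that answers every A query with one sink-hole address, so a sample that wants to reach its C2 host resolves it to a machine the analyst controls and keeps running instead of failing on NXDOMAIN. The sink-hole address 127.0.0.1, the listening port 5353 and the query name in the usage call are assumptions for illustration; the packet parsing and crafting follow the standard DNS wire format.

```python
import socket
import struct

# Assumption for this example: the analysis box answers on loopback.
SINKHOLE_IP = "127.0.0.1"


def parse_qname(packet, offset=12):
    """Return (name, offset_after_name) for the name starting at `offset`.
    Only uncompressed labels are handled, which is what a query carries."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def build_dns_query(name, txid=0x1234, qtype=1):
    """Build a standard recursive query for `name` (used to construct
    test traffic offline; a real sample would send this itself)."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + qname + struct.pack("!HH", qtype, 1)


def build_dns_response(query, answer_ip=SINKHOLE_IP, ttl=60):
    """Answer the single question in `query`. A/IN questions get one
    A record pointing at `answer_ip`; anything else gets an empty
    NOERROR answer so the client does not hang on a timeout.
    Returns (qname, response_bytes)."""
    txid, flags = struct.unpack("!HH", query[:4])
    qname, end = parse_qname(query)
    qtype, qclass = struct.unpack("!HH", query[end:end + 4])
    question = query[12:end + 4]  # echoed back verbatim

    is_a = (qtype == 1 and qclass == 1)
    # QR=1, opcode and RD copied from the query, RA=1, RCODE=0
    resp_flags = 0x8000 | (flags & 0x7800) | (flags & 0x0100) | 0x0080
    header = struct.pack("!HHHHHH", txid, resp_flags, 1, 1 if is_a else 0, 0, 0)
    answer = b""
    if is_a:
        # 0xC00C is a compression pointer to the name at offset 12 (the question)
        answer = (struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4)
                  + socket.inet_aton(answer_ip))
    return qname, header + question + answer


def answered_ip(response):
    """Extract the IPv4 address from the first A answer, or None if the
    response carries no answer records (helps verify what we hand out)."""
    ancount = struct.unpack("!H", response[6:8])[0]
    if ancount == 0:
        return None
    _, end = parse_qname(response)
    rr = end + 4                      # skip qtype/qclass of the question
    rdlength = struct.unpack("!H", response[rr + 10:rr + 12])[0]
    return socket.inet_ntoa(response[rr + 12:rr + 12 + rdlength])


def serve(bind=("127.0.0.1", 5353)):
    """Answer UDP queries until interrupted. Point the sample's resolver
    (or the sandbox VM's DNS setting) at this address to sink-hole it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(bind)
        while True:
            data, peer = sock.recvfrom(512)
            qname, resp = build_dns_response(data)
            print(f"{peer[0]} asked for {qname} -> {SINKHOLE_IP}")
            sock.sendto(resp, peer)


if __name__ == "__main__":
    # Offline self-check with a constructed query, then start listening.
    _, demo = build_dns_response(build_dns_query("c2.example.invalid"))
    print("demo answer:", answered_ip(demo))
    serve()
```

The name the sample asks for is the interesting artefact: logging it (as `serve` does) gives the analyst the C2 hostname without ever letting the malware reach the real host, and pairing this resolver with a catch-all HTTP listener on the sink-hole address is what lets the sample proceed to its next stage.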
Cisco router hole: the mysterious advance patch
The critical security hole that leaves nine Cisco routers and cable modems open to attack from the network was closed at German providers years ago with an update. It remains unclear, however, why Cisco only made the fix public now.
http://www.heise.de/security/meldung/Cisco-Routerluecke-Der-mysterioese-Vorab-Patch-2264271.html
App "telemetry", (Tue, Jul 22nd)
ISC reader James had just installed "Foxit Reader" on his iPhone, and had answered "NO" to the "In order to help us improve Foxit Mobile PDF, we would like to collect anonymous usage data..." question, when he noticed his phone talking to China anyway. The site it connected to was alog.umeng.com (211.151.151.7). Umeng is an "application telemetry" and online advertising company. Below is what was sent (some of the ids are masked or have been obfuscated).
https://isc.sans.edu/diary.html?storyid=18425&rss
Massive Malware Infection Breaking WordPress Sites
The last few days have brought a massive influx of broken WordPress websites. What makes it so unique is that the malicious payload is being blindly injected, which is causing websites to break. While we're still researching, we do want to share some observations: This infection is aimed at websites built on the...
http://blog.sucuri.net/2014/07/malware-infection-breaking-wordpress-sites.html
Privacy Badger Extension Blocks Tracking Through Social Icons
Online tracking has been a thorny problem for years, and as Web security companies, browser vendors and users have become more aware of the problem and smarter about how to defend themselves, ad companies and trackers have responded in kind. The advent of social networks has made it far easier for tracking companies to monitor user behavior across...
http://threatpost.com/privacy-badger-extension-blocks-tracking-through-social-icons/107348
[webapps] - MTS MBlaze Ultra Wi-Fi / ZTE AC3633 - Multiple Vulnerabilities
http://www.exploit-db.com/exploits/34128
Apache Multiple Flaws Let Remote Users Deny Service or Execute Arbitrary Code
http://www.securitytracker.com/id/1030615
Tenable Nessus Access Control Flaw in Web UI Lets Remote Users Obtain Potentially Sensitive Information
http://www.securitytracker.com/id/1030614
Apache Scoreboard / Status Race Condition
Topic: Apache Scoreboard / Status Race Condition. Risk: Medium. Summary: race condition between updating ...
http://cxsecurity.com/issue/WLB-2014070114
HPSBMU03071 rev.1 - HP Autonomy IDOL, Running OpenSSL, Remote Unauthorized Access, Disclosure of Information
A potential security vulnerability has been identified with HP Autonomy IDOL. The vulnerability could be exploited to allow remote unauthorized access and disclosure of information.
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04370307
Moodle rubric/advanced grading cross-site scripting
http://xforce.iss.net/xforce/xfdb/94724
OleumTech WIO Family Vulnerabilities
Security researchers Lucas Apa and Carlos Mario Penagos Hollman of IOActive have identified multiple vulnerabilities in OleumTech's WIO family including the sensors and the DH2 data collector. The researchers have coordinated the vulnerability details with NCCIC/ICS-CERT and OleumTech in hopes the vendor would develop security patches to resolve these vulnerabilities. While ICS-CERT has had many discussions with both OleumTech and IOActive this past year, there has not been consensus...
http://ics-cert.us-cert.gov/advisories/ICSA-14-202-01
Bugtraq: Web Login Bruteforce in Symantec Endpoint Protection Manager 12.1.4023.4080
http://www.securityfocus.com/archive/1/532857