End-of-Shift report
Timeframe: Thursday 14-08-2014 18:00 − Monday 18-08-2014 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
Microsoft withdraws updates
There are apparently problems with a total of four of the Windows updates released on the last Patch Tuesday. Microsoft has now reacted and is warning against installing them.
http://www.heise.de/security/meldung/Microsoft-zieht-Updates-zurueck-2294179.html
Suspicious Login Message Faked, Distributes Backdoor
Legitimate services are often used by cybercriminals to try and make their attacks more convincing. Recently, I spotted attacks that used services and platforms like Google Drive and Dropbox in order to look less suspicious to unwary users. I received a spammed message like the one shown right below that supposedly came from Gmail itself. It warned me that someone logged...
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/hhVGnlO7Tzs/
ZDI-14-295: AlienVault OSSIM av-centerd Util.pm remote_task Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of AlienVault OSSIM. Authentication is not required to exploit this vulnerability.
http://www.zerodayinitiative.com/advisories/ZDI-14-295/
ZDI-14-294: AlienVault OSSIM av-centerd Util.pm get_license Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of AlienVault OSSIM. Authentication is not required to exploit this vulnerability.
http://www.zerodayinitiative.com/advisories/ZDI-14-294/
Siemens OpenSSL Vulnerabilities (Update B)
This updated advisory is a follow-up to the updated advisory titled ICSA-14-198-03A Siemens OpenSSL Vulnerabilities that was published July 23, 2014, on the NCCIC/ICS-CERT web site. This updated advisory provides mitigation details for vulnerabilities in the Siemens OpenSSL cryptographic software library affecting several Siemens industrial products.
https://ics-cert.us-cert.gov//advisories/ICSA-14-198-03B
Siemens SIMATIC S7-1500 CPU Denial of Service
Siemens produced a new firmware version that mitigates a denial of service vulnerability in SIMATIC S7-1500 CPU.
https://ics-cert.us-cert.gov//advisories/ICSA-14-226-01
7 Places to Check for Signs of a Targeted Attack in Your Network
Targeted attacks are designed to circumvent existing policies and solutions within the target network, thus making their detection a big challenge. As we've stressed in our previous entry about common misconceptions about targeted attacks, there is no one-size-fits-all solution against it; enterprises need to arm themselves with protection that can provide sensors where needed, as well as IT...
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/NhRVtViIRDU/
Security: Vulnerabilities in update servers put millions of routers at risk
Through several vulnerabilities in providers' Auto Configuration Servers, attackers could distribute manipulated firmware to millions of routers. There are also flaws in the associated communication protocol.
http://www.golem.de/news/security-luecken-in-update-servern-gefaehrden-millionen-router-1408-108607-rss.html
Internet Explorer: Outdated ActiveX controls will be blocked later
Microsoft is postponing the blocking of outdated versions of Java and co. until September. The reason is complaints from some admins.
http://www.heise.de/security/meldung/Internet-Explorer-Veraltete-ActiveX-Steuerelemente-werden-spaeter-blockiert-2293115.html
No mail delivery: Spamhaus lists Web.de, GMX and 1&1
Spamhaus today accidentally listed the mail servers of United Internet. Sending mail was not possible for several hours. (Spam, E-Mail)
http://www.golem.de/news/mailserver-spamhaus-listet-web-de-gmx-und-1-1-1408-108616-rss.html
VB2014 preview: Optimized mal-ops. Hack the ad network like a boss
Researchers Vadim Kotov and Rahul Kashyap to discuss how advertisements are the new exploit kits. In the weeks running up to VB2014 (the 24th Virus Bulletin International Conference), we will look at some of the research that will be presented at the event. In the second of this series, we look at the paper Optimized mal-ops. Hack the ad network like a boss, from Vadim Kotov and Rahul Kashyap, two researchers from Bromium. "We conclude that ad networks could be leveraged to aid, or even be
http://www.virusbtn.com/blog/2014/08_15.xml?rss
Ebola fear used as bait, leads to malware infection
Summary: Ebola news is bait for attackers to steal login credentials and install Trojan.Zbot, W32.Spyrat, and Backdoor.Breut malware.
http://www.symantec.com/connect/blogs/ebola-fear-used-bait-leads-malware-infection
FinFisher & Co. turn harmless cat videos into a weapon for cyber attacks
A researcher has described in detail how attackers with access to the network infrastructure of an Internet provider can inject trojans into users' traffic without the victims noticing anything.
http://www.heise.de/security/meldung/FinFisher-Co-machen-harmlose-Katzenvideos-zur-Waffe-fuer-Cyber-Attacken-2293549.html
Part 1: Is your home network unwittingly contributing to NTP DDOS attacks?, (Sun, Aug 17th)
For the last year or so, I have been investigating UDP DDOS attacks. In this diary I would like to spotlight a somewhat surprising scenario where a manufacturer's misconfiguration on a popular consumer device combined with a design decision in a home gateway router may make you an unwitting accomplice in amplified NTP reflection DDOS attacks. This is part 1 of the story. I will publish the conclusion Tuesday August 19th. Background: Today almost every house has consumer broadband services.
https://isc.sans.edu/diary.html?storyid=18547&rss
Web Server Attack Investigation - Installing a Bot and Reverse Shell via a PHP Vulnerability, (Sat, Aug 16th)
With Windows malware getting so much attention nowadays, it's easy to forget that attackers also target other OS platforms. Let's take a look at a recent attempt to install an IRC bot written in Perl by exploiting a vulnerability in PHP. The Initial Probe: The web server received the initial probe from 46.41.128.231, an IP address that at the time was not flagged as malicious on various blacklists: "HEAD / HTTP/1.0". The connection lacked the headers typically present in an HTTP request, which is why...
https://isc.sans.edu/diary.html?storyid=18543&rss
ZeroLocker won't come to your rescue
In recent times we've been seeing a lot of file-encrypting ransomware activity. One of the new ones we've seen pop up in the last couple of weeks is called ZeroLocker. There's indication the C&C configuration contains some errors which would prevent...
https://securelist.com/blog/incidents/66135/zerolocker-wont-come-to-your-rescue/