End-of-Shift report
Timeframe: Wednesday 03-09-2014 18:00 − Thursday 04-09-2014 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
Paper: Prosecting the Citadel botnet - revealing the dominance of the Zeus descendent: part one
Aditya K. Sood and Rohit Bansal dissect a botnet primarily used for financial fraud. It is unlikely that anyone still thinks that cybercrime is performed by 16-year-old kids who write short pieces of code that wreak havoc all over the world, but if you do still hold that belief, it won't hurt to take a look behind the scenes of a modern botnet operation. Today's botnets show how cybercrime has become a professional industry in which many tactics seen in the legitimate e-commerce and IT service ..
http://www.virusbtn.com/blog/2014/09_03.xml
[webapps] - vBulletin 4.0.x - 4.1.2 (search.php, cat param) - SQL Injection Exploit
http://www.exploit-db.com/exploits/34526
WordPress Plugins Bogged Down with CSRF, XSS Vulnerabilities
A handful of bugs, mostly XSS and CSRF vulnerabilities, have been plaguing at least eight different WordPress plugins as of late.
http://threatpost.com/wordpress-plugins-bogged-down-with-csrf-xss-vulnerabilities/108058
CERT/CC Enumerates Android App SSL Validation Failures
The CERT Coordination Center at Carnegie Mellon today released a list of Android applications hosted on Google Play and Amazon that it says fail to validate SSL certificates over HTTPS.
http://threatpost.com/certcc-enumerates-android-app-ssl-validation-failures/108067
Splunk Enterprise 6.0.6 addresses two vulnerabilities
Splunk Enterprise version 6.0.6 addresses the following vulnerabilities: an OpenSSL TLS protocol downgrade attack (SPL-88587, CVE-2014-3511) and a reflected cross-site scripting (XSS) vulnerability via the Referer header (SPL-85360). At the time of this announcement, Splunk is not aware of any cases where these vulnerabilities have been actively exploited. Previous Product Security Announcements can be found on our Splunk ..
http://www.splunk.com/view/SP-CAAANE2
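The second Splunk issue is a classic reflected XSS: a page echoes the Referer request header into its HTML, and since the attacker controls the page the victim arrives from, the attacker controls that header. The following is an added illustration of that bug class beside its fix, not Splunk's code and not taken from the advisory; the request environments are constructed, and the page layout is hypothetical.

```python
import html
from urllib.parse import urlsplit

# Constructed WSGI-style request environments (not captured traffic).
# A browser normally sends a harmless Referer; an attacker who lures the
# victim from a page under their control chooses the value freely.
BENIGN = {"HTTP_REFERER": "https://www.example.org/dashboard"}
XSS_PAYLOAD = {"HTTP_REFERER": '"><script>alert(document.cookie)</script>'}
JS_SCHEME = {"HTTP_REFERER": "javascript:alert(1)"}


def render_vulnerable(environ):
    """Reflects the Referer header into the HTML unchanged: reflected XSS."""
    ref = environ.get("HTTP_REFERER", "")
    return '<p>Back to <a href="%s">%s</a></p>' % (ref, ref)


def safe_link_target(ref):
    """Accept only absolute http(s) URLs as link targets.

    Escaping alone does not stop href="javascript:..." from executing when
    clicked, so the scheme is whitelisted separately from the escaping.
    """
    parts = urlsplit(ref)
    if parts.scheme.lower() in ("http", "https") and parts.netloc:
        return ref
    return None


def render_hardened(environ):
    """HTML-escape before reflecting, and restrict the href to http(s) URLs."""
    ref = environ.get("HTTP_REFERER", "")
    text = html.escape(ref, quote=True)   # neutralises < > & " '
    target = safe_link_target(ref)
    if target is None:
        # Untrusted or non-http scheme: show the text, but emit no link.
        return "<p>Back to %s</p>" % text
    return '<p>Back to <a href="%s">%s</a></p>' % (
        html.escape(target, quote=True), text)


if __name__ == "__main__":
    for env in (BENIGN, XSS_PAYLOAD, JS_SCHEME):
        print("vulnerable:", render_vulnerable(env))
        print("hardened:  ", render_hardened(env))
```

The hardened version applies two independent controls: output encoding for the reflected text, and a scheme whitelist for the attribute that is interpreted as a URL. Dropping either one leaves a path to script execution.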
Identifying Firewalls from the Outside-In. Or, "There's Gold in them thar UDP ports!", (Thu, Sep 4th)
In a penetration test, often the key to bypassing a security control is as simple as identifying the platform it's implemented on. In other words, it's a lot easier to get past something if you know what it is. For instance, quite often you'll be probing a set of perimeter addresses, and if there are no vulnerable hosts NAT-ed out for you, you might start ..
https://isc.sans.edu/diary.html?storyid=18617
Mozilla Firefox <v32 Secret Leak PoC
Depending on a variety of factors, problems like that may leak secrets across web origins, or more prosaically, may help attackers bypass security measures such as ASLR. This code is a proof of concept for versions prior to 32.
http://cxsecurity.com/issue/WLB-2014090017
heap overflow in procmail's formail utility
procmail's formail utility is vulnerable to a heap-based buffer overflow, caused by improper bounds checking when parsing addresses with unbalanced quotes. By sending an overly long argument, a remote attacker could overflow a buffer ..
http://xforce.iss.net/xforce/xfdb/95688
Free G Data tool protects against BadUSB attacks
The G Data USB Keyboard Guard checks keyboards newly connected to the PC. The user can then decide whether they actually want to use the device or, suspecting an attack, would rather lock it out.
http://www.heise.de/newsticker/meldung/Kostenloses-G-Data-Tool-schuetzt-vor-BadUSB-Angriffen-2329545.html/from/rss09?wt_mc=rss.ho.beitrag.rdf
Akamai warns of Linux server botnet
In a security advisory rated "risk factor: high", network specialist Akamai warns of a botnet made up of Linux servers that carries out distributed DoS attacks to bring other servers to their knees.
http://www.heise.de/security/meldung/Akamai-warnt-vor-Linux-Server-Botnet-2344811.html
zAnti - Android Penetration Testing Toolkit (Free!)
zANTI is a comprehensive network diagnostics toolkit that enables complex audits and penetration tests at the push of a button. It provides cloud-based reporting that walks you through simple guidelines to ensure network safety. zANTI offers a comprehensive range of fully customizable scans to reveal everything from authentication, backdoor and brute-force attempts to database, DNS and protocol-specific attacks - including rogue access points.
http://hack-tools.blackploit.com/2014/09/zanti-android-penetration-testing.html
New file-encrypting ransomware called CryptoGraphic Locker
A new file-encrypting ransomware was discovered today by BartBlaze called CryptoGraphic Locker. Just like other encrypting ransomware, this infection will scan your data files and encrypt them so that they are unusable. The infection will then display a ransom note that requires you to purchase ..
http://www.bleepingcomputer.com/forums/t/546749/new-file-encrypting-ransomware-called-cryptographic-locker/
Apple OS X: Security Through Obscurity is becoming an Absurdity
Today's blog on a new Mac malware is a reminder that attackers go where the money is. Apple usage within the enterprise is growing rapidly, with 52 percent of newly issued computers being Macs according to Forrester. Forrester also ..
http://www.fireeye.com/blog/corporate/2014/09/apple-os-x-security-through-obscurity-is-becoming-an-absurdity.html
Forced to Adapt: XSLCmd Backdoor Now on OS X
FireEye Labs recently discovered a previously unknown variant of the APT backdoor XSLCmd - OSX.XSLCmd - which is designed to compromise Apple OS X systems. This ..
http://www.fireeye.com/blog/technical/malware-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html
VU#855836: Arris Touchstone cable modem information leakage vulnerability
The Arris Touchstone DG950A cable modem enables SNMP public access by default. CWE-200 (Information Exposure): the Arris Touchstone DG950A cable modem running software version 7.10.131 was found to expose sensitive ..
http://www.kb.cert.org/vuls/id/855836
Semalt botnet hijacked nearly 300k computers
The "Semalt" botnet is quickly spreading across the Internet, Incapsula researchers warn. The botnet is named after a Ukrainian startup that poses as a legitimate online SEO service, and it currently numbers around 290,000 malware infected machines that continually spam millions of websites in a large-scale, referrer spam campaign.
http://www.net-security.org/malware_news.php?id=2857
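Referrer spam of the kind described above shows up in web server access logs as requests whose Referer header points at the spammer's domain, often from many source addresses at once. The following is an added example, not code from the Incapsula report or the article: it parses constructed Apache combined-format log lines, flags referrers on a small deny list (semalt.com is the domain of the company named above; the second entry is a hypothetical placeholder), and emits matching Apache 2.4 rules to drop such requests. Everything in the sample log is made up.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [04/Sep/2014:10:01:12 +0200] "GET / HTTP/1.1" 200 5120 "http://semalt.com/" "Mozilla/5.0 (Windows NT 6.1)"
203.0.113.11 - - [04/Sep/2014:10:01:13 +0200] "GET / HTTP/1.1" 200 5120 "http://semalt.semalt.com/crawler.php?u=http://example.org/" "Mozilla/5.0 (Windows NT 6.1)"
198.51.100.7 - - [04/Sep/2014:10:02:40 +0200] "GET /blog/ HTTP/1.1" 200 8830 "https://www.google.com/" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.8 - - [04/Sep/2014:10:03:05 +0200] "GET /about HTTP/1.1" 200 2210 "-" "curl/7.37.0"
203.0.113.12 - - [04/Sep/2014:10:03:09 +0200] "GET / HTTP/1.1" 200 5120 "http://www.semalt.com/?ref=example.org" "Mozilla/5.0 (Windows NT 6.1)"
"""

# Referrer domains treated as spam. "referrer-spam.example" is a hypothetical
# placeholder showing that the list is meant to grow as campaigns appear.
SPAM_REFERRER_DOMAINS = {"semalt.com", "referrer-spam.example"}

COMBINED_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Split one combined-format line into its fields, or None if malformed."""
    m = COMBINED_LOG_RE.match(line)
    return m.groupdict() if m else None


def referrer_host(referer):
    """Lowercase hostname of a Referer value; None for '-' or unparsable junk."""
    if not referer or referer == "-":
        return None
    host = urlsplit(referer).hostname
    return host.lower() if host else None


def is_spam_referrer(host, spam_domains=SPAM_REFERRER_DOMAINS):
    """True for a listed domain or any subdomain of it (not a substring match,
    so notsemalt.com is not caught by semalt.com)."""
    if host is None:
        return False
    return any(host == d or host.endswith("." + d) for d in spam_domains)


def analyse(log_text):
    """Return (spam_hits, per-host referrer counts) for a block of log text."""
    spam_hits = []
    hosts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        host = referrer_host(rec["referer"])
        if host:
            hosts[host] += 1
        if is_spam_referrer(host):
            spam_hits.append((rec["ip"], host, rec["request"]))
    return spam_hits, hosts


def apache_deny_config(spam_domains=SPAM_REFERRER_DOMAINS):
    """Apache 2.4 snippet: tag requests by spam referrer, then refuse them.
    Assumes mod_setenvif and mod_authz_core are loaded."""
    lines = []
    for d in sorted(spam_domains):
        lines.append('SetEnvIfNoCase Referer "(^|\\.)%s" spam_ref' % re.escape(d))
    lines += ["<RequireAll>", "    Require all granted",
              "    Require not env spam_ref", "</RequireAll>"]
    return "\n".join(lines)


if __name__ == "__main__":
    hits, hosts = analyse(SAMPLE_LOG)
    for ip, host, request in hits:
        print("spam referrer %-22s from %-13s %s" % (host, ip, request))
    print("\ntop referrer hosts:", hosts.most_common(3))
    print("\n" + apache_deny_config())
```

Blocking on the referrer only stops the noise in analytics and logs; the infected machines themselves are unaffected, and since the campaign spams millions of sites from nearly 300k hosts, IP-based blocking is impractical. Matching on the domain suffix rather than a substring avoids catching unrelated hosts whose names merely contain the string.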