End-of-Shift report
Timeframe: Monday 05-01-2015 18:00 - Wednesday 07-01-2015 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
Debunking Myths Around Industrial Control Systems Cybersecurity
General awareness for the need to improve cybersecurity in industrial control systems (ICS) has increased significantly in recent years, but there are still plenty of misconceptions. A recent incident that can be used to highlight...
http://researchcenter.paloaltonetworks.com/2015/01/debunking-myths-around-industrial-control-systems-cybersecurity/
Who's Attacking Whom? Realtime Attack Trackers
It seems nearly every day we're reading about Internet attacks aimed at knocking sites offline and breaking into networks, but it's often difficult to visualize this type of activity. In this post, we'll take a look at multiple services for tracking online attacks and attackers around the globe in real time.
http://feedproxy.google.com/~r/KrebsOnSecurity/~3/qZhz3RO9frg/
l+f: SSH with a tinfoil hat
Anyone who wants to make life hard for the NSA can harden the remote-administration protocol with a few steps on the command line.
http://www.heise.de/security/meldung/l-f-SSH-mit-Alu-Hut-2512471.html
Inside Cryptowall 2.0 Ransomware
An analysis of Cryptowall 2.0 reveals that the ransomware relies on complex encryption routines and sandbox detection capabilities to survive. It also uses Tor for command and control, and can execute on 32- and 64-bit systems.
http://threatpost.com/inside-cryptowall-2-0-ransomware/110228
New Variant of Emotet Banking Malware targets German Users
A new spam email campaign making the rounds in Germany is delivering a new variant of a powerful banking malware, a financial threat designed to steal users' online banking credentials, according to security researchers from Microsoft. The malware, identified as Emotet, was first spotted last June by security vendors at Trend Micro. The most standout feature of Emotet is its network...
http://thehackernews.com/2015/01/emotet-banking-malware.html
Linux DDoS Trojan hiding itself with an embedded rootkit
At the end of September 2014, a new threat for the Linux operating system dubbed XOR.DDoS forming a botnet for distributed denial-of-service attacks was reported ... In this blog post, we will describe the installation steps, the rootkit itself, and the communication protocol for getting attack commands.
https://blog.avast.com/2015/01/06/linux-ddos-trojan-hiding-itself-with-an-embedded-rootkit/
AOL Advertising Network Abused to Distribute Malware
Security researchers have uncovered a malvertising campaign used to distribute malware to visitors of The Huffington Post website, as well as several other sites, through malicious advertisements served over the AOL advertising network. At the end of last year, Cyphort Labs, a security firm specialized in detecting malware threats, came across some malicious advertisements that were being
http://thehackernews.com/2015/01/aol-advertising-network-abused-to_6.html
SPARTA - Network Infrastructure Penetration Testing Tool
SPARTA is a Python GUI application which simplifies network infrastructure penetration testing by aiding the penetration tester in the scanning and enumeration phase. It allows the tester to save time by having point-and-click access to their toolkit and by displaying all tool output in a convenient way. If little time is spent setting up commands and tools, more time can be spent focusing on analysing results.
http://hack-tools.blackploit.com/2015/01/sparta-network-infrastructure.html
Malformed AndroidManifest.xml in Apps Can Crash Mobile Devices
Every Android app comprises several components, including something called the AndroidManifest.xml file, or the manifest file. This manifest file contains essential information for apps, "information the system must have before it can run any of the app's code." We came across a vulnerability related to the manifest file that may cause an affected device...
http://blog.trendmicro.com/trendlabs-security-intelligence/malformed-androidmanifest-xml-in-apps-can-crash-mobile-devices/
Interview with NYU-Poly's Professor Justin Cappos: Security Lessons From Retail Breaches
In our discussion, Professor Cappos has a lot to say about weaknesses with our current approach to password-based security as well as new technologies that can be applied to credit card transactions. ... Cappos offers some very practical advice on securing systems.
http://blog.varonis.com/conversation-nyu-polys-professor-justin-cappos-data-security-lessons-tips-companies/
Is now the time to deploy embedded hypervisors for BYOD security?
The operating systems deployed on smartphones and tablets, such as Apple iOS or Google Android, are designed as single-user platforms that don't offer much of the security or virtualization technology ... There are a number of approaches that seem viable to address the challenge, including the following: ... Making enterprise or personal applications execute in a virtual machine that could either have sharply curtailed access to the device and the data it contains
http://www.zdnet.com/article/is-now-the-time-to-deploy-embedded-hypervisors-for-byod-security/
Spam Nation, book review: Inside today's cybercrime ecosystem
In Spam Nation, Krebs tells the tale of the Pharma Wars, in which duelling Russian spam kings squabble over territory, hacking each other's systems and paying police to investigate each other. The even larger story is the economic conditions that fuel all this. Who clicks on these ads?
http://www.zdnet.com/article/spam-nation-book-review-inside-todays-cybercrime-ecosystem/
Twitter AnomalyDetection tool goes open source
Twitter has opened up its suspicious activity tracker AnomalyDetection to developers. The social media giant said on Tuesday that the tool, dubbed AnomalyDetection, is used by the firm's team to detect unusual traffic events including traffic spikes and surges, as well as the presence of spam bots.
http://www.zdnet.com/article/twitter-anomalydetection-tool-goes-open-source/
CVE-2014-7911 - A Deep Dive Analysis of Android System Service Vulnerability and Exploitation
In this post we discuss CVE-2014-7911 and the various techniques that can be used to achieve privilege escalation. We also examine how some of these techniques can be blocked using several security mechanisms.
http://researchcenter.paloaltonetworks.com/2015/01/cve-2014-7911-deep-dive-analysis-android-system-service-vulnerability-exploitation/
The Connections Between MiniDuke, CosmicDuke and OnionDuke
In September, we blogged about CosmicDuke leveraging timely, political topics to deceive the recipient into opening the malicious document. After a more detailed analysis of the files we made two major discoveries.
https://www.f-secure.com/weblog/archives/00002780.html
DNS blacklist AHBL ceases operation
The DNS blacklist Abusive Hosts Blocking List (AHBL) is shutting down its services for good. Anyone who queries it now always receives a hit as the answer. Mail server administrators need to act now.
http://www.heise.de/newsticker/meldung/DNS-Blacklist-AHBL-stellt-Betrieb-ein-2513094.html
US-CERT warns of further UEFI BIOS vulnerabilities
New vulnerabilities once again allow the protection mechanisms to be bypassed. Attackers could thereby anchor a bootkit so deep in the system that no virus scanner can touch it. Once again, BIOS updates are supposed to help.
http://www.heise.de/security/meldung/US-Cert-warnt-vor-weiteren-UEFI-BIOS-Luecken-2512913.html
JSA10663 - Out of Cycle Security Bulletin: Multiple vulnerabilities in NTP
Product Affected: Junos OS, NSM Series devices, NSMXpress and NSM server software. | Problem: NTP.org has published a security advisory for six vulnerabilities resolved in ntpd (NTP daemon) that have been assigned four CVE IDs. In the worst case, some of these issues may allow remote unauthenticated attackers to execute code with the privileges of ntpd or cause a denial of service condition.
http://kb.juniper.net/InfoCenter/index/content&id=JSA10663
Open-Xchange XHTML File Input Validation Flaw Permits Cross-Site Scripting Attacks
http://www.securitytracker.com/id/1031488
Mantis BugTracker 1.2.17 XSS / DoS / Redirect
Topic: Mantis BugTracker 1.2.17 XSS / DoS / Redirect. Risk: Medium. Text: Mantis BugTracker 1.2.17 multiple security vulnerabilities...
http://cxsecurity.com/issue/WLB-2015010024
Open-Xchange Server 6 / OX AppSuite 7.6.1 Cross Site Scripting
Topic: Open-Xchange Server 6 / OX AppSuite 7.6.1 Cross Site Scripting. Risk: Low. Text: Product: Open-Xchange Server 6 / OX AppSuite. Vendor: Open-Xchange GmbH. Internal reference: 35512 (Bug ID). Vulnerability ty...
http://cxsecurity.com/issue/WLB-2015010020
DFN-CERT-2015-0005 - ISC BIND: A vulnerability allows a denial-of-service attack
A vulnerability in BIND allows a remote, unauthenticated attacker to cause a denial-of-service condition. The vulnerability is fixed by an update to version 9.9.6P1 for the SUSE Linux Enterprise 11 SP3 products Software Development Kit, Server, Server for VMware and Desktop.
https://portal.cert.dfn.de/adv/DFN-CERT-2015-0005/
IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM QRadar SIEM (CVE-2014-3567, CVE-2014-3568, CVE-2014-3508, CVE-2014-3511)
OpenSSL vulnerabilities were disclosed on October 15, 2014 by the OpenSSL Project. OpenSSL is used by IBM QRadar SIEM. IBM QRadar SIEM has addressed the applicable CVEs. CVE(s): CVE-2014-3567 , CVE-2014-3568 , CVE-2014-3511 and CVE-2014-3508 ...
http://www-01.ibm.com/support/docview.wss?uid=swg21691210
IBM Security Bulletin: Connect:Enterprise For UNIX and Connect:Enterprise clients are affected by the POODLE and OpenSSL vulnerabilities (CVE-2014-3566, CVE-2014-3567)
SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. SSLv3 is enabled in Connect:Enterprise For UNIX, Connect:Enterprise Command Line Client, Connect:Enterprise HTTP Option, and...
http://www.ibm.com/support/docview.wss?uid=swg21690537
IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM InfoSphere Master Data Management (CVE-2014-3511, CVE-2014-3507, CVE-2014-3506, CVE-2014-3505 )
OpenSSL vulnerabilities were disclosed on August 6th, 2014 by the OpenSSL Project. OpenSSL is used by IBM InfoSphere Master Data Management. IBM InfoSphere Master Data Management has addressed the applicable CVEs provided by OpenSSL. CVE(s):...
http://www-01.ibm.com/support/docview.wss?uid=swg21691162
EMC Documentum Web Development Kit cross-site scripting
http://xforce.iss.net/xforce/xfdb/99632
EMC Documentum Web Development Kit weak security
http://xforce.iss.net/xforce/xfdb/99636
Apache Traffic Server HttpTransact Boundary Flaw Lets Remote Users Deny Service
http://www.securitytracker.com/id/1031499
IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Operational Decision Manager, WebSphere ILOG JRules and WebSphere Business Events (CVE-2014-6506, CVE-2014-6511, CVE-2014-6457, CVE-2014-6558, CVE-2014-3065)
There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Versions 6 and 7, that are used by IBM Operational Decision Manager (ODM), IBM ILOG JRules and IBM WebSphere Business Events (WBE). These issues were disclosed as part of the IBM...
http://www-01.ibm.com/support/docview.wss?uid=swg21693686
DFN-CERT-2015-0012 - Xen: A vulnerability allows a denial-of-service attack
A use-after-free vulnerability in Xen allows a local, unauthenticated attacker to carry out denial-of-service attacks.
https://portal.cert.dfn.de/adv/DFN-CERT-2015-0012/
DFN-CERT-2015-0013 - Exiv2: A vulnerability allows denial-of-service attacks
A remote, unauthenticated attacker can crash the application via an overly long 'IKEY INFO Tag' value in an AVI file.
https://portal.cert.dfn.de/adv/DFN-CERT-2015-0013/
ZDI-15-006: ManageEngine Desktop Central MSP StatusUpdateServlet fileName File Upload Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of ManageEngine Desktop Central MSP. Authentication is not required to exploit this vulnerability.
http://www.zerodayinitiative.com/advisories/ZDI-15-006/