Daily Summary - Wednesday 4-11-2015

End-of-Shift report

Timeframe: Tuesday 03-11-2015 18:00 - Wednesday 04-11-2015 18:00 Handler: Stephan Richter Co-Handler: n/a

Return of the EXIF PHP Joomla Backdoor

Our Remediation and Research teams are in constant communication and collaboration. It's how we stay ahead of the latest threats, but it also presents an opportunity to identify interesting threats that aren't new but may be recurring, such as today's post, in which we explore a case we shared close to two years ago where...

http://feedproxy.google.com/~r/sucuri/blog/~3/VZAI0vVYGjI/exif-php-joomla-backdoor.html
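As an added example (not code from the Sucuri post, from Joomla, or from the backdoor itself), the following scanner walks a JPEG's marker segments and flags PHP-looking strings inside APPn and COM metadata, which is where this kind of backdoor keeps its payload. It assumes the shape reported in the linked write-ups: a small PHP loader calls exif_read_data() on an image and passes the Make and Model tags to preg_replace() with the /e modifier, so Make holds a pattern ending in /e and Model holds the code that gets eval()ed. The sample image is constructed inline with that layout; it is not real sample data, and the pattern list is an assumption about what a practitioner would look for.

```python
import re
import struct

# Strings that have no business inside image metadata. preg_replace() with the
# /e modifier eval()s its replacement, which is how the reported loader ran
# code stored in EXIF fields (assumption based on the linked Sucuri write-ups).
PHP_PATTERNS = [
    rb"<\?php",
    rb"\bpreg_replace\s*\(",
    rb"\beval\s*\(",
    rb"\bbase64_decode\s*\(",
    rb"\b(?:assert|system|passthru|shell_exec)\s*\(",
    rb"/[imsxuADSUX]*e[imsxuADSUX]*\x00",   # NUL-terminated PCRE pattern ending in /e
]


def iter_jpeg_segments(data):
    """Yield (marker, payload) for every JPEG marker segment before start-of-scan."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):            # EOI, or SOS: entropy-coded data follows
            return
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # TEM/RSTn carry no length field
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header at offset %d" % pos)
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError("bad segment length at offset %d" % pos)
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def scan_metadata(data):
    """Return (segment, pattern, context) for every PHP-like string in APPn/COM segments."""
    findings = []
    for marker, payload in iter_jpeg_segments(data):
        if 0xE0 <= marker <= 0xEF:
            name = "APP%d" % (marker - 0xE0)
        elif marker == 0xFE:
            name = "COM"
        else:
            continue                          # frame headers, quantisation tables, etc.
        for pat in PHP_PATTERNS:
            for m in re.finditer(pat, payload):
                context = payload[max(0, m.start() - 8):m.end() + 40]
                findings.append((name, pat.decode(), context))
    return findings


def build_exif_jpeg(make, model):
    """Constructed sample: minimal JPEG whose EXIF Make/Model tags hold the given strings.

    Only SOI + APP1 + EOI, no image data. The TIFF/IFD structure is real, so an
    EXIF reader sees the same two fields a loader would get from exif_read_data()."""
    make_b, model_b = make.encode() + b"\x00", model.encode() + b"\x00"
    ifd_offset, n_entries = 8, 2
    data_start = ifd_offset + 2 + 12 * n_entries + 4   # tag values follow the IFD
    entries = struct.pack("<HHII", 0x010F, 2, len(make_b), data_start)                    # Make, ASCII
    entries += struct.pack("<HHII", 0x0110, 2, len(model_b), data_start + len(make_b))   # Model, ASCII
    tiff = b"II*\x00" + struct.pack("<I", ifd_offset)
    tiff += struct.pack("<H", n_entries) + entries + struct.pack("<I", 0) + make_b + model_b
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


if __name__ == "__main__":
    # Constructed payload in the reported shape: Make is the pattern with /e,
    # Model is the code that preg_replace() will eval().
    bad = build_exif_jpeg("/.*/e", "eval(base64_decode('ZWNobyAnaGknOw=='))")
    for seg, pat, ctx in scan_metadata(bad):
        print("%s: %s -> %r" % (seg, pat, ctx))
    print("clean image findings:", scan_metadata(build_exif_jpeg("Canon", "EOS 5D")))
```

Run it over every image under the web root. A hit is not proof of compromise on its own (a comment segment can legitimately contain almost anything), but Make or Model fields holding eval( or base64_decode( justify grepping every PHP file on the host for exif_read_data() and preg_replace() with /e, because the image is inert without that loader.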


Researchers map out hard-to-kill, multi-layered spam botnet

A dropper component sent to the Akamai researchers led them to the discovery of a spamming botnet that consists of at least 83,000 compromised systems. The botnet is multi-layered, decentralized, a...

http://feedproxy.google.com/~r/HelpNetSecurity/~3/B72jnhO-1Ds/secworld.php


After Hack of the Support Forum: Mysterious vBulletin Patch Released

Following an attack on the official support forum of the forum software vBulletin, a security update has been released. Whether it closes the hole that was exploited in the attack is not entirely clear.

http://heise.de/-2869989


Internet Wide Scanners Wanted, (Wed, Nov 4th)

In our data, we often find researchers performing internet wide scans. To better identify these scans, we would like to add a label to these IPs identifying them as part of a research project. If you are part of such a project, or if you know of a project, please let me know. You can submit any information as a comment or via our contact form. If the IP addresses change often, then a URL with a parseable list would be appreciated to facilitate automatic updates. Johannes B. Ullrich, Ph.D.

https://isc.sans.edu/diary.html?storyid=20337&rss


GovRAT, the malware-signing-as-a-service platform in the underground

Security Experts at InfoArmor discovered GovRAT, a malware-signing-as-a-service platform that is offered to APT groups in the underground. In the past, I have explained why digital certificates are so attractive for crooks and intelligence agencies, one of the most interesting uses is the signature of malware code in order to fool antivirus. Naturally, digital certificates...

http://securityaffairs.co/wordpress/41714/cyber-crime/govrat-platform.html


Confusing Convenience for Security: SSH Keys

Secure Shell (SSH) keys are a common part of accessing Unix systems, and you need to put some focus specifically on your organization's use of SSH keys.

http://blog.beyondtrust.com/confusing-convenience-for-security-ssh-keys
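An added example of what that focus looks like in practice (this is not code from the linked BeyondTrust post): a Python audit of authorized_keys entries that parses the options field, decodes the key blob in RFC 4251 wire format to measure the RSA modulus, and flags DSA keys, RSA keys under 2048 bits, and keys with no from= or command= restriction. The two entries in the sample file are constructed with fake moduli and are not real key material; the 2048-bit threshold and the choice of option checks are assumptions.

```python
import base64
import re
import struct

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def _read_string(blob, pos):
    """Read one RFC 4251 'string' (4-byte big-endian length, then bytes)."""
    (n,) = struct.unpack(">I", blob[pos:pos + 4])
    return blob[pos + 4:pos + 4 + n], pos + 4 + n


def parse_authorized_key(line):
    """Split an authorized_keys entry into (options, keytype, key blob, comment)."""
    line = line.strip()
    options = ""
    if not line.startswith(KEY_TYPES):
        # The options field ends at the first unquoted space, so command="a b" survives.
        m = re.match(r'((?:[^\s"]|"[^"]*")+)\s+(.*)$', line)
        if m is None:
            raise ValueError("unparseable entry: %r" % line)
        options, line = m.group(1), m.group(2)
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("unparseable entry: %r" % line)
    comment = parts[2] if len(parts) == 3 else ""
    return options, parts[0], base64.b64decode(parts[1]), comment


def audit_key(line, min_rsa_bits=2048):
    """Return (comment, list of findings) for one authorized_keys entry."""
    options, keytype, blob, comment = parse_authorized_key(line)
    findings = []
    wire_type, pos = _read_string(blob, 0)
    if wire_type != keytype.encode():
        findings.append("type field %s does not match key blob %r" % (keytype, wire_type))
    if keytype == "ssh-dss":
        findings.append("DSA key: 1024-bit only, replace")
    elif keytype == "ssh-rsa":
        _, pos = _read_string(blob, pos)      # public exponent e (mpint)
        n, _ = _read_string(blob, pos)        # modulus n (mpint)
        bits = int.from_bytes(n, "big").bit_length()
        if bits < min_rsa_bits:
            findings.append("RSA modulus is %d bits, below %d" % (bits, min_rsa_bits))
    opts = options.lower()
    if "from=" not in opts:
        findings.append("no from= restriction: usable from any source address")
    if "command=" not in opts:
        findings.append("no command= restriction: grants a full shell")
    return comment, findings


def audit_authorized_keys(text, min_rsa_bits=2048):
    """Audit every entry of an authorized_keys file; returns [(lineno, comment, findings)]."""
    report = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        comment, findings = audit_key(raw, min_rsa_bits)
        report.append((lineno, comment, findings))
    return report


# --- constructed sample entries (fake moduli, not real key material) ----------
def _string(b):
    return struct.pack(">I", len(b)) + b


def _mpint(x):
    # (bit_length + 8) // 8 keeps a leading 0x00 when the top bit is set, as RFC 4251 requires
    return _string(x.to_bytes((x.bit_length() + 8) // 8, "big"))


def constructed_rsa_line(bits, options="", comment="user@host"):
    """An ssh-rsa entry whose modulus has exactly `bits` bits (2^(bits-1) | 1, not a real key)."""
    blob = _string(b"ssh-rsa") + _mpint(65537) + _mpint((1 << (bits - 1)) | 1)
    entry = "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)
    return "%s %s" % (options, entry) if options else entry


SAMPLE_FILE = "\n".join([
    "# constructed authorized_keys for the audit",
    constructed_rsa_line(1024, comment="legacy-deploy@build01"),
    constructed_rsa_line(4096, options='from="10.0.0.0/8",command="/usr/bin/rrsync /srv/backup"',
                         comment="backup@nas"),
])

if __name__ == "__main__":
    for lineno, comment, findings in audit_authorized_keys(SAMPLE_FILE):
        print("line %d (%s): %s" % (lineno, comment, "; ".join(findings) or "ok"))
```

Point audit_authorized_keys() at the contents of every ~/.ssh/authorized_keys on a host (and at any AuthorizedKeysFile override in sshd_config) and collect the comments: the comment is usually the only link back to a person or system, so an entry with no comment and no restrictions is the first one to chase down.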


Security Fixes in Firefox 42

https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox42


VU#391604: ZTE ZXHN H108N R1A routers contain multiple vulnerabilities

Vulnerability Note VU#391604: ZTE ZXHN H108N R1A routers contain multiple vulnerabilities. Original release date: 03 Nov 2015 | Last revised: 03 Nov 2015
Overview: ZTE ZXHN H108N R1A router, version ZTE.bhs.ZXHNH108NR1A.h_PE, and ZXV10 W300 router, version W300V1.0.0f_ER1_PE, contain multiple vulnerabilities.
Description: CWE-200: Information Exposure - CVE-2015-7248. Multiple information exposure vulnerabilities enable an attacker to obtain credentials and other sensitive details about the ZXHN...

http://www.kb.cert.org/vuls/id/391604


Alcatel-Lucent Home Device Manager Spoofing

Topic: Alcatel-Lucent Home Device Manager Spoofing | Risk: Low | Text: SWISSCOM CSIRT ADVISORY - https://www.swisscom.ch/en/about/sustainability/digital-switze...

https://cxsecurity.com/issue/WLB-2015110029


DSA-3391 php-horde - security update

It was discovered that the web-based administration interface in the Horde Application Framework did not guard against Cross-Site Request Forgery (CSRF) attacks. As a result, other, malicious web pages could cause Horde applications to perform actions as the Horde user.

https://www.debian.org/security/2015/dsa-3391
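To make the mechanism in the advisory concrete, here is an added example in Python (not Horde's code and unrelated to the Debian fix) of a state-changing admin action. The vulnerable handler acts on any POST that carries the session cookie, so a page on another origin can auto-submit a hidden form and the browser attaches the cookie for it. The hardened handler requires a per-session synchroniser token that the foreign page cannot read, compared in constant time, and additionally rejects requests whose Origin or Referer is not the site's own. The site name, the in-memory session store and the request dictionaries are assumptions constructed inline.

```python
import hmac
import secrets
from urllib.parse import urlsplit

SITE = "https://horde.example"   # assumed origin of the Horde install
SESSIONS = {}                    # session id -> dict; stand-in for the server-side session store


def new_session(user="admin"):
    """Log a user in: issue a session id and a per-session CSRF token."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(32)}
    return sid


def vulnerable_delete_user(request):
    """Vulnerable: trusts any POST that carries a valid session cookie.

    The browser attaches the cookie to a form that an attacker's page
    auto-submits, so that page performs this action as the logged-in admin."""
    sess = SESSIONS.get(request["cookies"].get("sid"))
    if sess is None:
        return 401, "login required"
    return 200, "%s deleted user %s" % (sess["user"], request["form"]["user"])


def hardened_delete_user(request):
    """Hardened: synchroniser token plus an Origin/Referer check."""
    sess = SESSIONS.get(request["cookies"].get("sid"))
    if sess is None:
        return 401, "login required"
    # The token is embedded in the genuine form. The same-origin policy stops the
    # attacker's page from reading it, so a forged request cannot supply it.
    token = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), sess["csrf"].encode()):
        return 403, "missing or invalid CSRF token"
    # Defence in depth: state-changing requests must come from our own origin.
    # A request with neither header is rejected rather than trusted.
    source = request["headers"].get("Origin") or request["headers"].get("Referer", "")
    if urlsplit(source)[:2] != urlsplit(SITE)[:2]:
        return 403, "cross-site request rejected"
    return 200, "%s deleted user %s" % (sess["user"], request["form"]["user"])


def forged_request(sid):
    """Constructed request as the browser sends it from an attacker-controlled page."""
    return {"cookies": {"sid": sid},
            "headers": {"Origin": "https://evil.example"},
            "form": {"user": "alice"}}


def genuine_request(sid):
    """Constructed request from the real admin form, token included."""
    return {"cookies": {"sid": sid},
            "headers": {"Origin": SITE},
            "form": {"user": "alice", "csrf_token": SESSIONS[sid]["csrf"]}}


if __name__ == "__main__":
    sid = new_session()
    print("vulnerable, forged :", vulnerable_delete_user(forged_request(sid)))
    print("hardened,  forged  :", hardened_delete_user(forged_request(sid)))
    print("hardened,  genuine :", hardened_delete_user(genuine_request(sid)))
```

The token check is the actual fix; the Origin check only narrows the window for clients that strip the header. Either way the action must be a POST: a GET that changes state can be triggered by an image tag and no token helps.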


DSA-3392 freeimage - security update

Pengsu Cheng discovered that FreeImage, a library for graphic image formats, contained multiple integer underflows that could lead to a denial of service: remote attackers were able to trigger a crash by supplying a specially crafted image.

https://www.debian.org/security/2015/dsa-3392


Bugtraq: [security bulletin] HPSBGN03425 rev.1 - HP ArcSight SmartConnectors, Remote Disclosure of Information, Local Escalation of Privilege

http://www.securityfocus.com/archive/1/536827


Bugtraq: [security bulletin] HPSBGN03386 rev.2 - HP Central View Fraud Risk Management, Revenue Leakage Control, Dealer Performance Audit, Credit Risk Control, Roaming Fraud Control, Subscription Fraud Prevention, Remote Disclosure of Information,

http://www.securityfocus.com/archive/1/536824


Security Advisory - Heap Overflow Vulnerability in the HIFI Driver of Huawei Smart Phone

http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-460347.htm


Security Notice - Statement on Venustech Revealing Heap Overflow Vulnerability in Huawei Smart Phone

http://www.huawei.com/en/security/psirt/security-bulletins/security-notices/hw-460363.htm


Bugtraq: FreeBSD Security Advisory FreeBSD-SA-15:25.ntp [REVISED]

http://www.securityfocus.com/archive/1/536833


Cisco Security Advisories

Cisco SocialMiner WeChat Page Cross-Site Scripting Vulnerability

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151103-csm

Cisco Web Security Appliance Cache Reply Denial of Service Vulnerability

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151104-wsa1

Cisco Mobility Services Engine Static Credential Vulnerability

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151104-mse-cred

Cisco AsyncOS TCP Flood Denial of Service Vulnerability

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151104-aos

Cisco Web Security Appliance Range Request Denial of Service Vulnerability

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151104-wsa2

Cisco Mobility Services Engine Privilege Escalation Vulnerability

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151104-privmse

Cisco Web Security Appliance Certificate Generation Command Injection Vulnerability

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151104-wsa

Cisco Email Security Appliance Email Scanner Denial of Service Vulnerability

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151104-esa2