End-of-Shift report
Timeframe: Wednesday 04-11-2015 18:00 - Thursday 05-11-2015 18:00
Handler: Stephan Richter
Co-Handler: n/a
A Technical Look At Dyreza
Inside the core of Dyreza: a look at its malicious functions and their implementation.
https://blog.malwarebytes.org/intelligence/2015/11/a-technical-look-at-dyreza/
Malicious spam with links to CryptoWall 3.0 - Subject: Domain [name] Suspension Notice, (Thu, Nov 5th)
Introduction: Since Monday 2015-10-26, we've noticed a particular campaign sending malicious spam (malspam) with links to download CryptoWall 3.0 ransomware. This campaign has been impersonating domain registrars. Conrad Longmore blogged about it last week [1], and Techhelplist.com has a good write-up on the campaign [2]. Several other sources have also discussed this wave of malspam [3, 4, 5, 6, 7, 8, to name a few]. For this diary, we'll take a closer look at the emails and associated CryptoWall...
https://isc.sans.edu/diary.html?storyid=20333&rss
CryptoWall 4.0 Released with a New Look and Several New Features
The fourth member of the CryptoWall family of ransomware, CryptoWall 4.0, has just been released, complete with new features and a brand new look. We recently reported that CryptoWall 3.0 has allegedly caused over $325 million in annual damages. CryptoWall first emerged in April 2014. Its first major upgrade was dubbed CryptoWall 2.0, and first emerged in October...
http://securityaffairs.co/wordpress/41718/cyber-crime/cryptowall-4-0-released.html
SSL certificates: Microsoft wants to part with SHA-1 as early as next year
In light of the new quality of attacks on the hash algorithm, the company is considering putting it on the banned list as early as mid-2016. Google and Mozilla are taking similar paths.
http://heise.de/-2880134
Mabouia: The first ransomware in the world targeting Mac OS X
Rafael Salema Marques, a Brazilian researcher, published a proof of concept (PoC) for Mabouia, the first ransomware that targets Mac OS X. Imagine this scenario: you receive a ransom warning on your computer stating that all your personal files have been locked. In order to unlock the files, you would have to pay $500.
http://securityaffairs.co/wordpress/41755/cyber-crime/mabouia-ransomware-mac-os-x.html
Meet the Android rooting adware that cannot be removed
Researchers have identified a new strain of malicious adware that is impossible for affected Android device owners to uninstall.
http://feedproxy.google.com/~r/SCMagazineHome/~3/Prm6r3X3tzk/
No C&C server needed: Russia menaced by offline ransomware
Harder to take down, nyet? Miscreants have cooked up a new strain of ransomware that works offline and so might be more resistant to law enforcement takedown efforts as a result.
http://go.theregister.com/feed/www.theregister.co.uk/2015/11/05/offline_ransomware_menaces_russia/
Thousands of legitimate iOS apps discovered containing ad library backdoors
More than 2,000 iOS apps stocked in Apple's legitimate App Store reportedly contained backdoored versions of an ad library, which could have allowed for surveillance without users' knowledge.
http://feedproxy.google.com/~r/SCMagazineHome/~3/nxOb5Ac0sYo/
The Omnipresence of Ubiquiti Networks Devices on the Public Web
There are ongoing in-the-wild attacks against Ubiquiti Networks devices. Attackers are using default credentials to gain access to the affected devices via SSH. The devices are infected by a botnet client that is able to infect other devices. Further information about these attacks is available at:
Krebs on Security: http://krebsonsecurity.com/2015/06/crooks-use-hacked-routers-to-aid-cyberheists/
Imperva/Incapsula Research: https://www.incapsula.com/blog/ddos-botnet-soho-router.html
CARISIRT
http://blog.sec-consult.com/2015/11/the-omnipresence-of-ubiquiti-networks.html
vBulletin Exploits in the Wild
The vBulletin team patched a serious object injection vulnerability yesterday that can lead to full command execution on any site running an out-of-date vBulletin version. The patch covers the latest versions, 5.1.4 to 5.1.9. The vulnerability is serious and easy to exploit; it was used to hack and deface the main vBulletin.com website. As a...
http://feedproxy.google.com/~r/sucuri/blog/~3/NNlPrHaDARs/vbulletin-exploits-in-the-wild.html
TalkTalk, Script Kids & The Quest for "OG"
So you've got two-step authentication set up to harden the security of your email account (you do, right?). But when was the last time you took a good look at the security of your inbox's recovery email address? That may well be the weakest link in your email security chain, as evidenced by the following tale of an IT professional who saw two of his linked email accounts recently hijacked in a bid to steal his Twitter identity. Earlier this week, I heard from Chris Blake, a longtime KrebsOnSecurity...
http://feedproxy.google.com/~r/KrebsOnSecurity/~3/im8m6Imwfsk/
Connecting the Dots in Cyber Threat Campaigns, Part 2: Passive DNS
This is the second part of our series on "connecting the dots", where we investigate ways to link attacks together to gain a better understanding of how they are related. In Part 1, we looked...
http://feedproxy.google.com/~r/PaloAltoNetworks/~3/7x_ynKHJKns/
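The pivot this series describes, as an added example that is not Palo Alto Networks' code: a passive DNS walk over a constructed record set (the names under .example and the addresses from the RFC 5737 documentation ranges are made up). Starting from a seed domain it follows domain -> IP -> domain edges, accepts an edge only when the two resolution windows overlap (optionally within a slack of some days, since infrastructure is reused over time), and refuses to pivot through an IP that hosts more domains than a fan-out threshold, because a shared hosting or CDN address links everything to everything.

```python
from collections import defaultdict, deque
from datetime import date, timedelta

# Constructed passive DNS records: (rrname, rdata, first_seen, last_seen).
# Names under .example and addresses from the RFC 5737 documentation ranges are made up.
SAMPLE_PDNS = [
    ("update-check.example", "198.51.100.7", date(2015, 10, 20), date(2015, 11, 5)),
    ("update-check.example", "192.0.2.1", date(2015, 10, 1), date(2015, 11, 5)),
    ("billing-portal.example", "198.51.100.7", date(2015, 10, 28), date(2015, 11, 4)),
    ("billing-portal.example", "203.0.113.9", date(2015, 11, 1), date(2015, 11, 5)),
    ("login-verify.example", "203.0.113.9", date(2015, 11, 2), date(2015, 11, 5)),
    ("old-site.example", "198.51.100.7", date(2013, 1, 1), date(2013, 6, 1)),  # same IP, years earlier
] + [  # 192.0.2.1 is a busy shared host: eleven unrelated tenants beside the seed
    (f"site{i}.example", "192.0.2.1", date(2015, 1, 1), date(2015, 11, 5)) for i in range(11)
]


def build_index(records):
    """Two adjacency lists over the domain <-> IP graph, each edge carrying its time window."""
    by_domain, by_ip = defaultdict(list), defaultdict(list)
    for name, ip, first, last in records:
        by_domain[name].append((ip, first, last))
        by_ip[ip].append((name, first, last))
    return by_domain, by_ip


def _overlaps(a_first, a_last, b_first, b_last, slack_days):
    """True if the two windows overlap, allowing up to slack_days between them."""
    slack = timedelta(days=slack_days)
    return a_first <= b_last + slack and b_first <= a_last + slack


def pivot(records, seed, max_fanout=10, max_depth=2, slack_days=0):
    """Breadth-first pivot from seed: domain -> IP it resolved to -> other domains on that IP.
    Returns (depth, via): depth[domain] = number of IP hops from the seed,
    via[domain] = (ip, domain it was reached from). An edge is followed only when the
    resolution windows overlap and the IP hosts at most max_fanout distinct domains."""
    by_domain, by_ip = build_index(records)
    depth, via, queue = {seed: 0}, {}, deque([seed])
    while queue:
        current = queue.popleft()
        if depth[current] >= max_depth:
            continue
        for ip, first, last in by_domain[current]:
            tenants = by_ip[ip]
            if len({name for name, _, _ in tenants}) > max_fanout:
                continue  # shared hosting or CDN address: co-location is not evidence
            for other, o_first, o_last in tenants:
                if other in depth or not _overlaps(first, last, o_first, o_last, slack_days):
                    continue
                depth[other] = depth[current] + 1
                via[other] = (ip, current)
                queue.append(other)
    return depth, via


if __name__ == "__main__":
    depth, via = pivot(SAMPLE_PDNS, "update-check.example")
    for name in sorted(depth, key=depth.get):
        link = via.get(name)
        print(f"{depth[name]}  {name}" + (f"  via {link[0]} from {link[1]}" if link else ""))
```

With the defaults the seed links to billing-portal.example through 198.51.100.7 and, one hop further, to login-verify.example through 203.0.113.9; old-site.example is dropped because its window on the same IP is two years earlier, and the eleven site*.example tenants are dropped because 192.0.2.1 exceeds the fan-out threshold. Raising slack_days or max_fanout pulls those back in, which is exactly the kind of weak link a pivot should make you decide on deliberately rather than silently.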
Xen Project 4.5.2 Maintenance Release Available
I am pleased to announce the release of Xen 4.5.2. Xen Project Maintenance releases are released roughly every 4 months, in line with our Maintenance Release Policy. We recommend that all users of the 4.5 stable series update to this point release.
https://blog.xenproject.org/2015/11/05/xen-project-4-5-2-maintenance-release-available/
Open-Xchange Input Validation Flaw in Printing Dialogs Lets Remote Users Conduct Cross-Site Scripting Attacks
http://www.securitytracker.com/id/1034018
Bugtraq: [KIS-2015-10] Piwik <= 2.14.3 (DisplayTopKeywords) PHP Object Injection Vulnerability
http://www.securityfocus.com/archive/1/536839
Bugtraq: [KIS-2015-09] Piwik <= 2.14.3 (viewDataTable) Autoloaded File Inclusion Vulnerability
http://www.securityfocus.com/archive/1/536838
MIT Kerberos Multiple Bugs Let Remote Users Cause the Target Service to Crash
http://www.securitytracker.com/id/1034084
[2015-11-05] Insecure default configuration in Ubiquiti Networks products
Ubiquiti Networks products have remote administration enabled by default (WAN port). Additionally these products use the same certificates and private keys for administration via HTTPS.
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20151105-0_Ubiquiti_Networks_Insecure_Default_Configuration_v10.txt
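A check that follows from this advisory and from the SHA-1 item above, as an added example rather than code from SEC Consult, Ubiquiti or Microsoft: fetch the certificate each management interface presents, SHA-256 fingerprint it to find one certificate served by several devices (two devices can only complete a TLS handshake with the same certificate if they hold the same private key, so a key extracted from one device impersonates all of them), and read the signatureAlgorithm OID directly out of the DER to spot SHA-1 signatures. Only the standard library is used. The certificates at the bottom are constructed minimal DER structures shaped like a Certificate so the parser can be exercised offline; they are not real certificates, and the hostnames are made up.

```python
import hashlib
import ssl

# Signature-algorithm OIDs built on SHA-1 (RFC 3279 / RFC 5758).
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsaWithSHA1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, contents, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Turn the contents of a DER OBJECT IDENTIFIER into dotted notation."""
    parts, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends a base-128 arc
            parts.append(acc)
            acc = 0
    return ".".join(str(p) for p in parts)


def signature_algorithm_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(body, 0)  # skip tbsCertificate
    _, alg_id, _ = _read_tlv(body, pos)  # AlgorithmIdentifier ::= SEQUENCE { OID, parameters }
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in AlgorithmIdentifier")
    return _decode_oid(oid)


def fingerprint(der):
    """SHA-256 over the DER bytes, the value `openssl x509 -fingerprint -sha256` prints."""
    return hashlib.sha256(der).hexdigest()


def fetch_leaf_cert(host, port=443):
    """Fetch the certificate a device presents, as DER. get_server_certificate() does not
    validate the chain, which is what an inventory of self-signed device certs needs."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))


def audit(certs_by_host):
    """certs_by_host: {host: der_bytes}. Returns ({fingerprint: [hosts]} for certificates
    seen on more than one host, [hosts whose certificate is SHA-1 signed])."""
    hosts_by_fp = {}
    for host, der in certs_by_host.items():
        hosts_by_fp.setdefault(fingerprint(der), []).append(host)
    shared = {fp: sorted(h) for fp, h in hosts_by_fp.items() if len(h) > 1}
    sha1_signed = sorted(h for h, der in certs_by_host.items()
                         if signature_algorithm_oid(der) in SHA1_SIGNATURE_OIDS)
    return shared, sha1_signed


# --- constructed fixtures: minimal DER shaped like a Certificate, NOT real certificates ---
def _der(tag, contents):
    if len(contents) < 0x80:
        return bytes([tag, len(contents)]) + contents
    lb = len(contents).to_bytes((len(contents).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + contents


def _fake_cert(sig_oid, marker):
    tbs = _der(0x30, _der(0x04, marker))  # stand-in tbsCertificate (the parser skips it)
    alg = _der(0x30, _der(0x06, sig_oid) + _der(0x05, b""))  # AlgorithmIdentifier with NULL params
    sig = _der(0x03, b"\x00" + b"\xAB" * 200)  # BIT STRING, long enough to force long-form lengths
    return _der(0x30, tbs + alg + sig)


SHA1_RSA = bytes.fromhex("2a864886f70d010105")    # 1.2.840.113549.1.1.5
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11
SAMPLE_CERTS = {  # hostnames are made up
    "ap-floor1.lan": _fake_cert(SHA256_RSA, b"vendor-default"),
    "ap-floor2.lan": _fake_cert(SHA256_RSA, b"vendor-default"),  # identical bytes: shared cert and key
    "gw-edge.lan": _fake_cert(SHA1_RSA, b"per-device"),
}

if __name__ == "__main__":
    shared, sha1_signed = audit(SAMPLE_CERTS)
    for fp, hosts in shared.items():
        print(f"shared certificate {fp[:16]}... on {', '.join(hosts)}")
    print("SHA-1 signed:", sha1_signed)
```

Against real devices, build the input as {host: fetch_leaf_cert(host) for host in hosts} over the management addresses you own and run audit() on it. A fingerprint match across devices is a finding whatever the vendor's intent. For the SHA-1 column, the signature on a self-signed root is not something browsers check, so hits on leaf and intermediate certificates are the ones that matter for the sunset dates in the SHA-1 item.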
Citrix XenServer Multiple Security Updates
A number of security vulnerabilities have been identified in Citrix XenServer that may allow a malicious administrator of a guest VM to compromise ...
http://support.citrix.com/article/CTX202404
IBM Security Bulletins
IBM Security Bulletin: IBM WebSphere MQ is affected by multiple vulnerabilities in IBM Runtime Environments Java Technology Edition, Versions 5, 6 & 7
http://www.ibm.com/support/docview.wss?uid=swg21968485
IBM Security Bulletin: Apache Tomcat as used in IBM QRadar SIEM is vulnerable to Denial of Service Attack. (CVE-2014-0230)
http://www.ibm.com/support/docview.wss?uid=swg21970036
IBM Security Bulletin: Openstack Nova vulnerability affects IBM Cloud Manager with OpenStack (CVE-2015-2687)
http://www.ibm.com/support/docview.wss?uid=isg3T1022691
IBM Security Bulletin: Vulnerability in OpenSSL affects IBM DB2 LUW (CVE-2015-0204)
http://www.ibm.com/support/docview.wss?uid=swg21968869
IBM Security Bulletin: Multiple vulnerabilities identified in IBM Java SDK affect WebSphere Service Registry and Repository Studio (CVE-2015-2613 CVE-2015-2601 CVE-2015-2625 CVE-2015-1931)
http://www.ibm.com/support/docview.wss?uid=swg21969911
PowerHA SystemMirror privilege escalation vulnerability (CVE-2015-5005)
http://www.ibm.com/support/
IBM Security Bulletin: IBM Maximo Asset Management could allow an authenticated user to change work orders that the user should not have access to change (CVE-2015-7395)
http://www.ibm.com/support/docview.wss?uid=swg21969072
IBM Security Bulletin: Vulnerabilities in the Linux Kernel affect PowerKVM
http://www.ibm.com/support/docview.wss?uid=isg3T1022785
IBM Security Bulletin: Vulnerabilities in Python affect PowerKVM (CVE-2013-5123, CVE-2014-8991)
http://www.ibm.com/support/docview.wss?uid=isg3T1022786
IBM Security Bulletin: Vulnerability in OpenSLP affects PowerKVM (CVE-2015-5177)
http://www.ibm.com/support/docview.wss?uid=isg3T1022876
IBM Security Bulletin: Vulnerability in Python-httplib2 affects PowerKVM (CVE-2013-2037)
http://www.ibm.com/support/docview.wss?uid=isg3T1022877
IBM Security Bulletin: Vulnerability in lcms affects PowerKVM (CVE-2015-4276)
http://www.ibm.com/support/docview.wss?uid=isg3T1022834
IBM Security Bulletin: Vulnerability in Libcrypt++ affects PowerKVM (CVE-2015-2141)
http://www.ibm.com/support/docview.wss?uid=isg3T1022879
IBM Security Bulletin: Vulnerability in lighttpd affects PowerKVM (CVE-2015-3200)
http://www.ibm.com/support/docview.wss?uid=isg3T1022837
IBM Security Bulletin: Vulnerabilities in wpa_supplicant may affect PowerKVM (CVE-2015-1863 and CVE-2015-4142)
http://www.ibm.com/support/docview.wss?uid=isg3T1022832
IBM Security Bulletin: Vulnerabilities in libXfont affect PowerKVM (CVE-2015-1802, CVE-2015-1803, CVE-2015-1804)
http://www.ibm.com/support/docview.wss?uid=isg3T1022787
IBM Security Bulletin: Vulnerability in Mozilla NSS affects PowerKVM (CVE-2015-2730)
http://www.ibm.com/support/docview.wss?uid=isg3T1022790
IBM Security Bulletin: Information disclosure vulnerability could expose user personal data in IBM WebSphere Commerce (CVE-2015-5015)
http://www.ibm.com/support/docview.wss?uid=swg21969174
IBM Security Bulletin: IBM Flex System Manager is affected by a vulnerability from FSM's use of strongswan: (CVE-2015-4171)
http://www.ibm.com/support/docview.wss?uid=isg3T1022817
IBM Security Bulletin: IBM Netezza Host Management is vulnerable to a BIND 9 utility issue (CVE-2015-5722)
http://www.ibm.com/support/docview.wss?uid=swg21966952