Daily summary - Thursday 19-11-2015

End-of-Shift report

Timeframe: Wednesday 18-11-2015 18:00 - Thursday 19-11-2015 18:00
Handler: Robert Waldner
Co-Handler: n/a

GovCERT.ch on the DDoS extortion attempts

Our colleagues in Switzerland have blogged in detail about the current extortion attempts (DD4BC/Armada Collective) and have also written a summary of mitigation measures.

http://www.cert.at/services/blog/20151119115219-1633.html


BSI publishes report on the state of IT security in Germany 2015

The report on the state of IT security in Germany describes and analyses the current IT security situation, the causes of cyber attacks, and the attack tools and methods in use. Building on this, the report discusses approaches to improving IT security in Germany. The report makes clear that the number of weaknesses and vulnerabilities in IT systems remains at a high level and ...

https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2015/Lage_der_IT-Sicherheit_in_Deutschland_2015_19112015.html


ARRIS Cable Modem has a Backdoor in the Backdoor

While researching the subject, I found a previously undisclosed backdoor on ARRIS cable modems, affecting many of their devices including TG862A, TG862G, DG860A. As of this writing, Shodan searches indicate that the backdoor affects over 600.000 externally accessible hosts and the vendor did not state whether it's going to fix it yet.

https://w00tsec.blogspot.co.at/2015/11/arris-cable-modem-has-backdoor-in.html


BSI publishes security study on TrueCrypt

On behalf of the German Federal Office for Information Security (BSI), the Fraunhofer Institute for Secure Information Technology SIT examined the encryption software TrueCrypt for security vulnerabilities. ... The security experts conclude that TrueCrypt remains suitable for encrypting data on storage media.

https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2015/Sicherheitsanalyse_TrueCrypt_19112015.html


ZDI-15-570: SQLite fts3_tokenizer Untrusted Pointer Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of SQLite. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

http://feedproxy.google.com/~r/ZDI-Published-Advisories/~3/U5RlY6kAls0/


Encrypt - Moderately Critical - Weak Encryption - SA-CONTRIB-2015-166

This module enables you to encrypt data within Drupal using a user-configurable encryption method and key provider. The module did not sufficiently validate good configurations and API usage, resulting in multiple potential weaknesses ...

https://www.drupal.org/node/2618362


Actors using exploit kits - How they change tactics, (Thu, Nov 19th)

Introduction

Exploit kits (EKs) are used by criminals to infect unsuspecting users while they are browsing the web. EKs are hosted on servers specifically dedicated to the EK. How are users' computers directed to an EK? It happens through compromised websites. Threat actors compromise legitimate websites, and pages from these compromised servers have injected script that connects the user's computer to an EK server.

https://isc.sans.edu/diary.html?storyid=20391&rss


NVIDIA Driver Windows Control Panel Unquoted Search Path Lets Local Users Gain Elevated Privileges

The NVIDIA Control Panel executable Smart Maximize Helper (nvSmartMaxApp.exe) uses an unquoted path when launching process threads. A local user can place a specially crafted program in certain locations in the search path to cause arbitrary code to be executed with elevated privileges during Windows startup.

http://www.securitytracker.com/id/1034175


NVIDIA 3D Driver for Windows Named Pipe Access Control Flaw Lets Remote Authenticated Users Gain Elevated Privileges

The 3D Driver's 'Vision service' (nvSCPAPISvr.exe) creates a named pipe without proper access controls. A local user or a remote authenticated user can create a specially crafted run key entry to execute arbitrary command line statements with the privileges of the target user. In a Windows Domain environment, a remote authenticated user with access to a domain-joined system can exploit this flaw within the joined domain.

http://www.securitytracker.com/id/1034173


Microsoft Security Intelligence Report: Strontium

The Microsoft Security Intelligence Report (SIR) provides a regular snapshot of the current threat landscape, using data from more than 600 million computers worldwide. The latest report (SIRv19) was released this week and includes a detailed analysis of the actor group STRONTIUM - a group that uses zero-day exploits to collect the sensitive information of high-value targets in government and political organizations.

http://blogs.technet.com/b/mmpc/archive/2015/11/18/microsoft-security-intelligence-report-strontium.aspx


NVIDIA NVAPI and Kernel Mode Driver Bugs Let Local Users Deny Service, Obtain Potentially Sensitive Information, and Gain Elevated Privileges

The NVAPI support layer of NVIDIA GPU graphics drivers does not properly validate user-supplied input. In addition, an integer overflow may occur in the kernel mode driver. A local user can exploit these vulnerabilities to obtain potentially sensitive information, deny service, or execute arbitrary code on the target system with elevated privileges.

http://www.securitytracker.com/id/1034176


Open-Xchange Guard 2.0 Cross Site Scripting

Topic: Open-Xchange Guard 2.0 Cross Site Scripting
Risk: Low
Text:
Product: Open-Xchange Guard
Vendor: Open-Xchange GmbH
Internal reference: 41466 (Bug ID)
Vulnerability type: Cross-Site-Sc...

https://cxsecurity.com/issue/WLB-2015110166


Edgy online shoppers face Dyre Christmas as malware mutates

Bank-plundering code now hunts Windows 10 and its Edge browser

VXers have cooked up Windows 10 and Edge support for the nasty Dyre or Dyreza banking trojan.

http://go.theregister.com/feed/www.theregister.co.uk/2015/11/19/edgy_online_shoppers_face_dyre_christmas/


Windows Sandbox Attack Surface Analysis

TL;DR: I've released the tools I use internally to test out sandboxed code and determine the likely attack surface exposed to an attacker if a sandboxed process is compromised. You can get the source code from https://github.com/google/sandbox-attacksurface-analysis-tools. This blog post will describe a few common use cases so that you can use them to do your own sandbox analysis.

http://googleprojectzero.blogspot.co.at/2015/11/windows-sandbox-attack-surface-analysis.html


Bugtraq: CVE-2015-8131: Kibana CSRF vulnerability

Kibana versions prior to 4.1.3 and 4.2.1 are vulnerable to a CSRF attack. We have been assigned CVE-2015-8131 for this issue.
CVSS Score: 4.0
Remediation: We recommend that all Kibana users upgrade to either 4.1.3, 4.2.1, or a later version.

http://www.securityfocus.com/archive/1/536935


Russian financial cybercrime: how it works

The Russian-language cybercrime market is known all over the world. Kaspersky Lab experts have been monitoring the Russian hacker underground since its emergence. In this review we analyze how financial cybercrime works.

http://securelist.com/analysis/publications/72782/russian-financial-cybercrime-how-it-works/


VMSA-2015-0008

vCenter Server, vCloud Director, Horizon View information disclosure issue

VMware products that use Flex BlazeDS may be affected by a flaw in the processing of XML External Entity (XXE) requests. A specially crafted XML request sent to the server could lead to unintended information being disclosed. ... The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2015-3269 to this issue.

http://www.vmware.com/security/advisories/VMSA-2015-0008.html


Cisco Unified Interaction Manager Cross-Site Scripting Vulnerability

A vulnerability in the web chat interface of Cisco Unified Interaction Manager could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the chat on the affected system.

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/Cisco-SA-20150818-CVE-2015-6255


IBM Security Bulletin: Vulnerability in Apache Commons affects IBM WebSphere Application Server (CVE-2015-7450)

An Apache Commons Collections vulnerability for handling Java object deserialization was addressed by WebSphere Application Server and WebSphere Application Server Hypervisor Edition. This vulnerability does not affect the IBM HTTP Server or versions of WebSphere Application Server prior to Version 7.0.

http://www.ibm.com/support/docview.wss?uid=swg21970575