Daily summary - Friday 20-11-2015

End-of-Shift report

Timeframe: Thursday 19-11-2015 18:00 − Friday 20-11-2015 18:00 Handler: Robert Waldner Co-Handler: n/a

Trojanized adware family abuses accessibility service to install whatever apps it wants

Shedun does not exploit a vulnerability in the service, instead it takes advantage of the service's legitimate features. By gaining the permission to use the accessibility service, Shedun is able to read the text that appears on screen, determine if an application installation prompt is shown, scroll through the permission list, and finally, press the install button without any physical interaction from the user.

https://blog.lookout.com/blog/2015/11/19/shedun-trojanized-adware/


Tibbo AggreGate Platform Vulnerabilities

This advisory provides mitigation details for vulnerabilities in the Tibbo AggreGate SCADA/HMI package.

https://ics-cert.us-cert.gov/advisories/ICSA-15-323-01


When Hunting BeEF, Yara rules.

BeEF, The Browser Exploitation Framework, is a penetration-testing tool focusing on web browsers. You can think of it as the Metasploit of web browser security testing. In fact, it offers several modules that may allow the attacker to, for example, steal web login credentials, switch on the microphone and camera, etc.

https://isc.sans.edu/diary/When+Hunting+BeEF%2C+Yara+rules./20395


HTTP Evasions Explained - Part 8 - Borderline Robustness

This is part eight in a series which explains the evasions done by HTTP Evader. This part looks into the excessive and inconsistent robustness attempts done by the browser vendors and how this can be used to evade firewalls.

http://noxxi.de/research/http-evader-explained-8-borderline-robustness.html


Nmap 7 Released!

I encounter many folks at security conferences who haven't heard about all the modern Nmap capabilities and still just use it as a simple port scanner. Folks who don't use (or at least know about) NSE, Ncat, Nping, Zenmap, Ndiff, version detection and IPv6 scanning are really missing out!

http://seclists.org/nmap-announce/2015/6


contrast-rO0

A lightweight Java agent for preventing attacks against object deserialization like those discussed by @breenmachine and the original researchers @frohoff and @gebl, affecting WebLogic, JBoss, Jenkins and more.

https://github.com/Contrast-Security-OSS/contrast-rO0


Metasploit module: Chkrootkit Local Privilege Escalation

Chkrootkit before 0.50 will run any executable file named /tmp/update as root, allowing a trivial privesc. CVE: CVE-2014-0476

https://cxsecurity.com/issue/WLB-2015110179


ArcSight Management Center and ArcSight Logger vulnerable to cross-site scripting

ArcSight Management Center and ArcSight Logger contain a cross-site scripting vulnerability.

http://jvn.jp/en/jp/JVN51046809/


IBM Security Bulletin: IBM i Access for Windows affected by vulnerabilities CVE-2015-2023 and CVE-2015-7422

IBM i Access for Windows is affected by vulnerabilities CVE-2015-2023 and CVE-2015-7422. These vulnerabilities affect the Windows system running the IBM i Access for Windows product.

http://www.ibm.com/support/docview.wss?uid=nas8N1020996


IBM Security Bulletin: Multiple vulnerabilities in current releases of IBM WebSphere Real Time

Java SE issues disclosed in the Oracle October 2015 Critical Patch Update, plus CVE-2015-5006.

http://www.ibm.com/support/docview.wss?uid=swg21970978