End-of-Shift report
Timeframe: Monday 07-12-2015 18:00 − Wednesday 09-12-2015 18:00
Handler: Alexander Riepl
Co-Handler: n/a
Email Tracking for Dummies
Recently, I was involved in an incident handling mission to find how some confidential emails were being tracked. Let's imagine a first scenario: Alice sends a mail to Bob. Bob reads Alice's email and Alice gets notified. Nothing special, this is a standard feature offered by most commercial messaging ..
https://blog.rootshell.be/2015/12/07/email-tracking-for-dummies/
Another Brick in the FrameworkPoS
FrameworkPoS is a well-documented family of malware that targets Point of Sale (PoS) systems and has been attributed to at least one high profile retail breach. The malware author(s) have continued to improve upon the original malware, releasing ..
https://www.trustwave.com/Resources/SpiderLabs-Blog/Another-Brick-in-the-FrameworkPoS/
EU tightens rules on cybersecurity
Internet companies will in future have to report serious hacker attacks to the authorities - derstandard.at/2000027140552/EU-verschaerft-Regeln-zur-Cybersicherheit
http://derstandard.at/2000027140552
Bitcoin Extortionist Copycats on the Rise, Experts Say
Experts believe that the success tied to a recent spate of DDoS for hire groups may be because many are copycat collectives operating with a shorter lifespan.
http://threatpost.com/bitcoin-extortionist-copycats-on-the-rise-experts-say/115582/
Citrix NetScaler Service Delivery Appliance Multiple Security Updates
http://support.citrix.com/article/CTX202482
Day 2: UK research network Janet still being slapped by DDoS attack
DNS services appear to be targeted, switching may work. Members of the UK's academic community, from freshers to senior academics, are facing more connection issues today as a persistent and continuous DDoS attack against the academic computer network Janet continues to stretch resources.
www.theregister.co.uk/2015/12/08/uk_research_network_janet_ddos/
The German Underground: Buying and Selling Goods via Droppers
We have frequently talked about how the Deep Web is used as a venue for the illegal trade in weapons and drugs. This part of the cybercrime underground includes a German-speaking community. Our new research examines these sites in some detail.
http://blog.trendmicro.com/trendlabs-security-intelligence/the-german-underground-buying-and-selling-goods-via-droppers/
Authentication in McAfee's Enterprise Security Manager full of holes
Attackers can log in to McAfee's Enterprise Security Manager with a special username and an arbitrary password. Fixed versions are available.
http://heise.de/-3036068
Security Updates Available for Adobe Flash Player (APSB15-32)
A security bulletin (APSB15-32) has been published regarding security updates for Adobe Flash Player. These updates address critical vulnerabilities that could potentially allow ..
https://blogs.adobe.com/psirt/?p=1302
MS15-DEC - Microsoft Security Bulletin Summary for December 2015 - Version: 1.0
https://technet.microsoft.com/en-us/library/security/MS15-DEC
Apple Patches Everything, (Tue, Dec 8th)
And to not be outdone by Microsoft and Adobe, Apple just released patches for: iOS 9.2 A total of 50 vulnerabilities (CVE IDs) are addressed. About 10 of them affect WebKit and may lead to arbitrary code execution by visiting a malicious ..
https://isc.sans.edu/diary.html?storyid=20465
Cisco Wireless Residential Gateway Stored Cross-Site Scripting Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151208-wrg
ZDI-15-624: Wireshark PCAPNG if_filter Arbitrary Free Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Wireshark. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
http://www.zerodayinitiative.com/advisories/ZDI-15-624/
Adobe, Microsoft Each Plug 70+ Security Holes
Adobe and Microsoft today independently issued software updates to plug critical security holes in their software. Adobe released a patch that fixes a whopping 78 security vulnerabilities in its Flash Player software. Microsoft pushed a dozen patch bundles to address at least 71 flaws in various versions of the Windows operating system and associated software.
http://feedproxy.google.com/~r/KrebsOnSecurity/~3/RuUekEfVS0g/
XZERES 442SR Wind Turbine Cross-site Scripting Vulnerability
This advisory provides mitigation details for a cross-site scripting vulnerability in XZERES's 442SR turbine generator operating system.
https://ics-cert.us-cert.gov/advisories/ICSA-15-342-01
LOYTEC Router Information Exposure Vulnerability
This advisory provides mitigation details for a password file vulnerability in LOYTEC's LIP-3ECTB routers.
https://ics-cert.us-cert.gov/advisories/ICSA-15-342-02
Pacom 1000 CCU GMS System Cryptographic Implementation Vulnerabilities
This advisory was originally posted to the US-CERT secure Portal library on December 3, 2015, and is being released to the ICS-CERT web site. This advisory provides mitigation details for crypto implementation flaws in the Pacom GMS system.
https://ics-cert.us-cert.gov/advisories/ICSA-15-337-03
Rockwell Automation Micrologix 1100 and 1400 PLC Systems Vulnerabilities (Update A)
This updated advisory is a follow-up to the original advisory titled ICSA-15-300-03 Rockwell Automation MicroLogix 1100 and 1400 PLC Systems Vulnerabilities that was published October 27, 2015, on the NCCIC/ICS-CERT web site. This advisory provides mitigation details for vulnerabilities in the Rockwell Automation Allen-Bradley MicroLogix 1100 and 1400 programmable logic controller (PLC) systems.
https://ics-cert.us-cert.gov/advisories/ICSA-15-300-03A
Analyzing Bartalex - A Prolific Malware Distributor
Bartalex is a name that continues to appear in a cyberthief's arsenal as one of the most popular mechanisms for distributing banking Trojans, ransomware, RATs, and other malware. The SANS ISC recently published a very interesting technical analysis of Bartalex. With this post, we hope to add a little more color and supplement what you already know about this prolific malware distributor.
https://blog.phishlabs.com/bartalex
Blog of News Site 'The Independent' Hacked, Leads to TeslaCrypt Ransomware
The blog page of one of the leading media sites in the United Kingdom, 'The Independent' has been compromised, which may put its millions of readers at risk of getting infected with ransomware. We have already informed The Independent about this security incident and are working with them to contain the ..
http://blog.trendmicro.com/trendlabs-security-intelligence/blog-of-news-site-the-independent-hacked-leads-to-teslacrypto-ransomware/
Enforcing USB Storage Policy with PowerShell, (Wed, Dec 9th)
In a previous diary, I presented the CIRCLean (USB sanitizer) developed by the Luxembourg CERT (circl.lu). This tool is very useful to sanitize suspicious USB sticks but it lacks control and enforcement. Nevertheless, ..
https://isc.sans.edu/diary.html?storyid=20469
Epic failure of Phone House & Dutch telecom providers to protect personal data: How I could access 12+ million records #phonehousegate
On September 11, 2015 I visited Media Markt in Utrecht Hoog Catherijne, a well-known electronics shop in The Netherlands. Since summer 2014, the biggest independent Dutch phone retail company Phone House also operates (white labeled) from within Media Markt locations as a store-in-a-store ..
http://sijmen.ruwhof.net/weblog/608-personal-data-of-dutch-telecom-providers-extremely-poorly-protected-how-i-could-access-12-million-records
Encryption Trojan: new TeslaCrypt version spreading
Ransomware is the absolute hit in the crimeware scene. For some days there have been increasing reports of infections by a new version of the encryption Trojan TeslaCrypt, which encrypts files and gives them the extension .vvv.
http://heise.de/-3037099
Audit and web client: criticism of SSL/TLS certificate authority Let's Encrypt
Let's Encrypt's operation as a certificate authority has not yet undergone the required security audit. Nevertheless, the CA is already issuing certificates.
http://heise.de/-3031849
POS Security: What You Need To Know
October 1, 2015 marked the deadline set by credit card issuers to shift liability for fraudulent activity from card issuers or payment processors to the party that is the least Europay-Mastercard-Visa (EMV) compliant during a fraudulent ..
https://www.alienvault.com/open-threat-exchange/blog/pos-security-what-you-need-to-know
Cisco Prime Collaboration Assurance Default Account Credential Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151209-pca