End-of-Shift report
Timeframe: Friday 06-03-2015 18:00 − Monday 09-03-2015 18:00
Handler: Stephan Richter
Co-Handler: Alexander Riepl
Attackers concealing malicious macros in XML files
XML files are harmless text files, right? Wrong! The group behind the malicious Microsoft Office document campaigns has started to utilize Microsoft Office XML formats to hide malicious macros. This week, our spam traps were flooded with spam with XML...
https://www.trustwave.com/Resources/SpiderLabs-Blog/Attackers-concealing-malicious-macros-in-XML-files/
Samba Remote Code Execution Vulnerability - CVE-2015-0240
The Samba team reported CVE-2015-0240 last February 23, 2015. This vulnerability is very difficult to exploit and we are not aware of successful exploitation. However, it is quite interesting from the point of view of detection. There are two important facts: The vulnerability resides in the Netlogon Remote Protocol implementation of Samba which is a...
http://blog.trendmicro.com/trendlabs-security-intelligence/samba-remote-code-execution-vulnerability-cve-2015-0240/
How Malware Generates Mutex Names to Evade Detection, (Mon, Mar 9th)
Malicious software sometimes uses mutex objects to avoid infecting the system more than once, as well as to coordinate communications among its multiple components on the host. Incident responders can look for known mutex names to spot the presence of malware on the system. To evade detection, some malware avoids using a hardcoded name for its mutex, as is the case with the specimen discussed in this note. Static Mutex Names as Indicators of Compromise For background details about mutex...
https://isc.sans.edu/diary.html?storyid=19429&rss
New crypto ransomware in town : CryptoFortress
This post has been heavily edited to fix my mistake.
http://malware.dontneedcoffee.com/2015/03/cryptofortress-teeraca-aka.html
Seagate Confirms NAS Zero Day, Won't Patch Until May
Seagate confirmed a publicly disclosed vulnerability in one of its network attached storage products, but said it won't have a patch available until May.
http://threatpost.com/seagate-confirms-nas-zero-day-wont-patch-until-may/111513
OpenSSL Audit
Introduction: The reputation built by NCC Group, including iSEC Partners, Matasano Security, Intrepidus Group and NGS Secure, has led compani ...
https://www.nccgroup.com/en/blog/2015/03/openssl-audit/
l+f: Networked weather station transmitted Wi-Fi password to the manufacturer
The Netatmo weather stations sent not only their measurements to the internet, but also the user's SSID and Wi-Fi password.
http://heise.de/-2571218
Update - Notes on FREAK
In recent days there has once again been a lot of media attention for a vulnerability in OpenSSL and other crypto libraries. The entry for the associated CVE ID CVE-2015-0204 has existed since November of last year; updated versions of OpenSSL were released this January. | Update 2015-03-09 | Addendum: Lists of affected libraries/vendors can be found at...
http://www.cert.at/services/blog/20150306175713-1442.html
Mono TLS vulnerabilities
Topic: Mono TLS vulnerabilities Risk: Medium Text: Hi, A TLS impersonation attack was discovered in Mono's TLS stack by researchers at Inria. During checks on our TLS stack, w...
http://cxsecurity.com/issue/WLB-2015030042
IBM Security Bulletin: Multiple Vulnerabilities in the IBM Java SDK affect IBM Notes and Domino (Oracle January 2015 Critical Patch Update)
2015-03-09T11:05:28-04:00
http://www.ibm.com/support/docview.wss?uid=swg21698222
IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Worklight and IBM MobileFirst Platform Foundation (CVE-2014-3570, CVE-2014-3572, CVE-2015-0204)
2015-03-09T11:04:47-04:00
http://www.ibm.com/support/docview.wss?uid=swg21698574
IBM Security Bulletin: Vulnerability in SSLv3 Affects Power Hardware Management Console (CVE-2014-3513, CVE-2014-3566, CVE-2014-3567, CVE-2014-3568)
2015-03-09T11:01:43-04:00
http://www.ibm.com/support/docview.wss?uid=nas8N1020593
IBM Security Bulletin: Vulnerability in SSLv3 enabled in IBM Host On-Demand affects Rational Functional Tester (CVE-2014-3566)
2015-03-09T11:01:10-04:00
http://www.ibm.com/support/docview.wss?uid=swg21697348
IBM Security Bulletin: Fixes available for Security Vulnerabilities in IBM WebSphere Portal (CVE-2014-6214; CVE-2015-0139; CVE-2015-0177)
2015-03-09T11:10:19-04:00
http://www.ibm.com/support/docview.wss?uid=swg21697213
HPSBUX03235 SSRT101750 rev.3 - HP-UX Running BIND, Remote Denial of Service (DoS)
A potential security vulnerability has been identified with HP-UX running BIND. This vulnerability could be exploited remotely to create a Denial of Service (DoS).
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04550240
Vulnerabilities in WordPress Plugins
https://wpvulndb.com/vulnerabilities/7826
https://wpvulndb.com/vulnerabilities/7827
https://wpvulndb.com/vulnerabilities/7828
https://wpvulndb.com/vulnerabilities/7829
https://wpvulndb.com/vulnerabilities/7830
https://wpvulndb.com/vulnerabilities/7831
https://wpvulndb.com/vulnerabilities/7832
https://wpvulndb.com/vulnerabilities/7833
https://wpvulndb.com/vulnerabilities/7834
https://wpvulndb.com/vulnerabilities/7835
https://wpvulndb.com/vulnerabilities/7836
https://wpvulndb.com/vulnerabilities/7837