Daily summary - Monday 18-05-2015

End-of-Shift report

Timeframe: Friday 15-05-2015 18:00 − Monday 18-05-2015 18:00 Handler: Stephan Richter Co-Handler: n/a

Cyberattacks on Oil and Gas Firms Launched with no Malware at all

The oil and gas industry is being targeted by hackers using a genuine-looking Windows file, not malware. The attacks have been ongoing for about two years. A unique targeted attack, underway for about two consecutive years, exploits Windows file functions that look legitimate and a couple of homemade scripts - but not malware - in order...

http://securityaffairs.co/wordpress/36843/cyber-crime/cyberattacks-on-oil-and-gas-firms.html


Microsoft Stops Chinese Group from Using TechNet Site for Attacks (May 14, 2015)

Microsoft and FireEye have taken steps to prevent a group of Chinese cyber criminals known as APT17 from using the company's TechNet website in its attacks...

http://www.sans.org/newsletters/newsbites/r/17/38/302


VENOM - Does it live up to the hype?, (Sat, May 16th)

Unless you have been hiding under a rock this week you have heard about VENOM. The first article that I saw was from ZDNet with the headline "Bigger than Heartbleed, Venom security vulnerability threatens most datacenters". Pretty provocative stuff. Is VENOM really worth that much hype? VENOM stands for Virtualized Environment Neglected Operations Manipulation. The cute acronym basically means that the exploit takes advantage of a vulnerability in legacy code. In short, the vulnerability is...

https://isc.sans.edu/diary.html?storyid=19701&rss


AEADs: getting better at symmetric cryptography

I gave a talk a couple of weeks ago at the Yahoo Unconference. The conference was at the end of a particularly hard week for a bunch of reasons and I fear that the talk wasn't that great. (Afterwards I got home about 3pm and pretty much slept until the following morning.) This post is a, hopefully clearer, articulation of its contents.

http://www.imperialviolet.org/2015/05/16/aeads.html


About the supposed factoring of a 4096 bit RSA key

tl;dr News about a broken 4096 bit RSA key is not true. It is just a faulty copy of a valid key. Earlier today a blog post claiming the factoring of a 4096 bit RSA key was published and quickly made it to the top of Hacker News. The key in question was the PGP key of a well-known Linux kernel developer. I already commented on Hacker News why this is most likely wrong, but I thought I'd write up some more details. To understand what is going on I have to explain some background both on RSA and...

https://blog.hboeck.de/archives/872-No,-nobody-has-factored-a-4096-bit-RSA-key.html


Google App Engine: Google reacts sluggishly to Java security holes

Google is quietly patching Java vulnerabilities in its App Engine development environment while largely ignoring the researcher who discovered the holes. Some security holes are still open.

http://heise.de/-2652121


Attackers exploit critical hole in ProFTPD

Anyone running the FTP server ProFTPD must act: a serious vulnerability allows online crooks to execute arbitrary code. And they are already doing so.

http://heise.de/-2652114


Screech! Grand Theft Auto V malware mods warning

Gamers find themselves in the latest mods & Rockstar punch-up. Cybercrooks are cooking up malware disguised as mods for the Grand Theft Auto V video game.

http://go.theregister.com/feed/www.theregister.co.uk/2015/05/18/gta_malware_mods_warning/


Rombertik's disk wiping mechanism is aimed at pirates, not researchers

Rombertik, the information-stealing malware that was recently analyzed by Cisco researchers and which apparently tries to prevent researchers from doing so by rewriting the computer's Master Boot Reco...

http://feedproxy.google.com/~r/HelpNetSecurity/~3/oE0fh7NZ4sg/malware_news.php


Oracle Patches VENOM Vulnerability

Oracle on Saturday released its patch for the VENOM vulnerability, a guest escape flaw that affects many virtualization platforms.

http://threatpost.com/oracle-patches-venom-vulnerability/112868


openssh 6.8p1 heap buffer overflow

Topic: openssh 6.8p1 heap buffer overflow Risk: High Text: Quick background story: I started a while ago to develop a solution to use american fuzzy lop with networking input. I did so b...

http://cxsecurity.com/issue/WLB-2015050105


Bugtraq: [SE-2014-02] Unconfirmed / unpatched vulnerabilities in Google App Engine

http://www.securityfocus.com/archive/1/535548


ZDI-15-230: ManageEngine Applications Manager IT360UtilitiesServlet query SQL Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of ManageEngine Applications Manager. Authentication is not required to exploit this vulnerability.

http://feedproxy.google.com/~r/ZDI-Published-Advisories/~3/qN5KZVA4xgA/


ZDI-15-229: ManageEngine Applications Manager DowntimeSchedulerServlet TASKID SQL Injection Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of ManageEngine Applications Manager. Authentication is not required to exploit this vulnerability.

http://feedproxy.google.com/~r/ZDI-Published-Advisories/~3/PLAGhXOxQh0/


ZDI-15-231: Dell Sonicwall GMS Virtual Appliance Multiple Remote Code Execution Vulnerabilities

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Dell SonicWALL Global Management System (GMS) virtual appliance. Authentication is required to exploit this vulnerability.

http://feedproxy.google.com/~r/ZDI-Published-Advisories/~3/HtMlLoJoKXI/


Cisco Web Security Appliance Web Tracking Report Page Cross-Site Scripting Vulnerability

http://tools.cisco.com/security/center/viewAlert.x?alertId=38884


DSA-3261 libmodule-signature-perl - security update

Multiple vulnerabilities were discovered in libmodule-signature-perl, a Perl module to manipulate CPAN SIGNATURE files. The Common Vulnerabilities and Exposures project identifies the following problems:...

https://www.debian.org/security/2015/dsa-3261


SAP Sybase Unwired Platform Online Data Proxy Discloses Password and Username Information to Local Users

http://www.securitytracker.com/id/1032310


SAP Customer Relationship Management Bugs Let Users Execute Arbitrary Code and Remote Users Inject SQL Commands

http://www.securitytracker.com/id/1032309


SAP NetWeaver RFC SDK Discloses Potentially Sensitive Information

http://www.securitytracker.com/id/1032308