Daily summary - Thursday 9-07-2015

End-of-Shift report

Timeframe: Wednesday 08-07-2015 18:00 − Thursday 09-07-2015 18:00 Handler: Alexander Riepl Co-Handler: Stephan Richter

Hacking Team Flash Zero-Day Tied To Attacks In Korea and Japan... on July 1

Earlier this week several vulnerabilities were disclosed as part of the leak of information from the Italian company Hacking Team. We've noted that this exploit is now in use by various exploit kits. However, feedback provided by the Smart Protection Network also indicates that this exploit was also used in limited attacks in Korea and Japan....

http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/Ys8noghmsHc/


Ding! Your RAT has been delivered

Talos is constantly observing malicious spam campaigns delivering various different types of payloads. Common payloads include things like Dridex, Upatre, and various versions of Ransomware. One less common payload that Talos analyzes periodically is Remote Access Trojans, or RATs. A recently observed spam campaign was using the freeware remote access trojan DarkKomet (a.k.a. DarkComet). This isn't a novel approach since threat actors have been leveraging tools like DarkKomet or Hawkeye...

http://blogs.cisco.com/security/talos/darkkomet-rat-spam


Finland: 17-year-old botnet operator sentenced

Hijacked more than 50,000 computers for a botnet, ran DDoS attacks and stole credit card data: a 17-year-old Finn, allegedly a member of the hacker group Lizard Squad, is sentenced to two years' probation.

http://heise.de/-2745646


Detecting Random - Finding Algorithmically chosen DNS names (DGA), (Thu, Jul 9th)

Most normal user traffic communicates via a hostname and not an IP address. So looking at traffic communicating directly by IP with no associated DNS request is a good thing to do. Some attackers use DNS names for their communications. There is also malware such as Skybot and the Styx exploit kit that use algorithmically chosen host names rather than IP addresses for their command and control channels. This malware uses what has been called DGA, or Domain Generation Algorithms, to create random...

https://isc.sans.edu/diary.html?storyid=19893&rss
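As an added illustration of the detection idea in the diary above (this is example code, not the ISC author's script): a small scorer that reads constructed DNS query log lines and flags second-level labels that look machine-generated. The log format, the thresholds and the four heuristics (length, Shannon entropy, vowel ratio, digits) are assumptions chosen for this example; real deployments need an allow-list for CDN and content-hash hostnames that score high legitimately.

```python
import math
import re
from collections import Counter

# Constructed sample DNS query log lines (timestamp, client, qtype, qname); not real traffic.
SAMPLE_DNS_LOG = """\
2015-07-09T12:00:01 10.0.0.5 A www.example.com
2015-07-09T12:00:02 10.0.0.5 A mail.google.com
2015-07-09T12:00:03 10.0.0.7 A xkq4zt8wvbn2pl.info
2015-07-09T12:00:04 10.0.0.7 A 9dhfgqwrtlzpvkx.net
2015-07-09T12:00:05 10.0.0.9 A isc.sans.edu
"""

# Assumed log layout: "<timestamp> <client> <qtype> <qname>".
LINE_RE = re.compile(r"^\S+\s+(?P<client>\S+)\s+\S+\s+(?P<qname>\S+)$")


def sld_label(qname):
    """Label left of the TLD (naive: second-to-last label; no public-suffix list)."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s):
    """Bits per character; a 14-char label of unique characters scores log2(14) ~ 3.81."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def vowel_ratio(s):
    """Share of vowels among letters; human-chosen names are rarely vowel-free."""
    letters = [ch for ch in s if ch.isalpha()]
    return sum(ch in "aeiou" for ch in letters) / len(letters) if letters else 0.0


def dga_score(label):
    """0..4: one point per heuristic hit (thresholds are this example's assumptions)."""
    return sum([len(label) >= 12,
                shannon_entropy(label) > 3.5,
                vowel_ratio(label) < 0.25,
                any(ch.isdigit() for ch in label)])


def flag_suspicious(log_text, threshold=3):
    """Return (client, qname, score) for queries whose label scores at or above threshold."""
    flagged = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the pass
        score = dga_score(sld_label(m.group("qname")))
        if score >= threshold:
            flagged.append((m.group("client"), m.group("qname"), score))
    return flagged
```

Clients that resolve several flagged names in a short window are the ones worth a closer look; a single hit is weak evidence on its own.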


Happy Video Game Day 2015

Gamers are being targeted more and more by malware, trojans, and keyloggers, especially those that participate in pay-to-play games and MMORPGs (Massively Multiplayer Online Role-Playing Game). Your accounts, personal identity, banking information and even credit card numbers can be stolen if you are playing without a cyber-security solution. The PC gaming market is increasing rapidly and is expected to reach $30.9 Billion in 2016, and with that, the targets are getting bigger and more...

http://www.webroot.com/blog/2015/07/08/happy-video-game-day-2015


Cisco PSIRT reporting Customers affected by ASA VPN DoS attacks, (Thu, Jul 9th)

Patch your firewalls! 2015-July-08 UPDATE: Cisco PSIRT is aware of disruption to some Cisco customers with Cisco ASA devices affected by CVE-2014-3383, the Cisco ASA VPN Denial of Service Vulnerability that was disclosed in this Security Advisory. Traffic causing the disruption was isolated to a specific source IPv4 address. Cisco has engaged the provider and owner of that device and determined that the traffic was sent with no malicious intent. Cisco strongly recommends that customers...

https://isc.sans.edu/diary.html?storyid=19895&rss


Security vulnerability: OpenSSL accepts wrong certificates

An OpenSSL update fixes a critical security vulnerability. Using a few tricks, an attacker can use it to turn an ordinary certificate into a certificate authority. Clients are primarily affected.

http://www.golem.de/news/sicherheitsluecke-openssl-akzeptiert-falsche-zertifikate-1507-115143-rss.html


OpenSSL CVE-2015-1793: Man-in-the-Middle Attack

As announced at the beginning of this week, OpenSSL has released the fix for CVE-2015-1793.

https://ma.ttias.be/openssl-cve-2015-1793-man-middle-attack/


OpenSSL Security Advisory [9 Jul 2015]

An error in the implementation of the alternative certificate chain logic could allow an attacker to cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and "issue" an invalid certificate. (original advisory). Reported by Adam Langley and David Benjamin (Google/BoringSSL).

https://openssl.org/news/secadv_20150709.txt


Administration Views - Critical - Information Disclosure - SA-CONTRIB-2015-132

Advisory ID: DRUPAL-SA-CONTRIB-2015-132
Project: Administration Views (third-party module)
Version: 7.x
Date: 2015-July-08
Security risk: 15/25 (Critical) AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:All
Vulnerability: Information Disclosure

Description: Administration Views module replaces overview/listing pages with actual views for superior usability. The module does not check access properly under certain circumstances. Anonymous users could get access to read information they should not have

https://www.drupal.org/node/2529378