Daily summary - Monday 13-07-2015

End-of-Shift report

Timeframe: Friday 10-07-2015 18:00 − Monday 13-07-2015 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter

Government Grade Malware: a Look at HackingTeam's RAT

Security researchers the world over have been digging through the massive HackingTeam dump for the past five days, and what we've found has been surprising. I've heard this situation called many things, and there's one description that I can definitely agree with: it's like Christmas for hackers. "On the fifth day of Christmas Bromium sent to...

http://labs.bromium.com/2015/07/10/government-grade-malware-a-look-at-hackingteams-rat/


Pawn Storm Update: Trend Micro Discovers New Java Zero-Day Exploit

Analysis and data by Brooks Li (Threats Analyst) and Feike Hacquebord (Senior Threat Researcher) Zero-day exploits continue to be used in targeted attacks because they are effective, given that software vendors have yet to create patches for them. Throughout our ongoing investigation and monitoring of a targeted attack campaign, Operation Pawn Storm, we found suspicious URLs that...

http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/5OzXdZhhVhc/


New Zero-Day Vulnerability (CVE-2015-5123) in Adobe Flash Emerges from Hacking Team Leak

After two Adobe Flash player zero-days disclosed in a row from the leaked data of Hacking Team, we discovered another Adobe Flash Player zero-day (assigned with CVE number, CVE-2015-5123) that surfaced from the said leak. Adobe has already released a security advisory after we reported the said zero-day. This vulnerability is rated as critical and...

http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/rV5yri4x48E/


With Windows 10, updates arrive automatically

Windows 10 customers will in future have only very limited choice about when they receive an update.

http://futurezone.at/produkte/mit-windows-10-kommen-updates-automatisch/141.103.717


Jump List Files Are OLE Files, (Sun, Jul 12th)

Jump List files are another type of file that is actually an OLE file. They can contain useful data for forensic investigations. There are a couple of tools that can extract information from these files. Here you can see oledump analyzing an automatic Jump List file: The stream DestList contains the Jump List data: There are several sites on the Internet explaining the format of this data, like this one. I used this information to code a plugin for Jump List files: The plugin takes an option...

https://isc.sans.edu/diary.html?storyid=19911&rss


Identifying the five principal methods of network attacks

Companies are underestimating the risk of failing to provide security training to non-technical staff. A new Intel Security study, which surveyed IT decision makers in European-based companies, fo...

http://feedproxy.google.com/~r/HelpNetSecurity/~3/gSbxVIXvO94/secworld.php


Mobile SSL failures: More common than they should be

Securing your mobile application traffic is apparently more difficult than it should be, as researchers Anthony Trummer and Tushar Dalvi discovered when looking into SSL/TLS usage on the Android opera...

http://feedproxy.google.com/~r/HelpNetSecurity/~3/dY8mHp2RDC4/article.php


Identifying and exploiting IBM WebSphere Application Server

IBM WebSphere is an application server similar to Tomcat, JBoss and WebLogic. Therefore, it should be interesting to any penetration tester doing enterprise-scale work where WebSphere might be present. It should also be interesting to anyone who is working on securing enterprise environments, since WebSphere allows deploying one's own (malicious or not) code to the server. I have written NSE scripts to identify IBM WebSphere consoles of application servers and to brute force any usernames and passwords. I...

https://k0st.wordpress.com/2015/07/13/identifying-and-exploiting-ibm-websphere-application-server/


Start Secure 2015 - security start-ups wanted

The "Start Secure 2015" competition is organised jointly by the Ministry of the Interior and futurezone. The organisational partners are SBA Research, which on request also advises the winning start-ups as an incubator in their search for investors, and the Kuratorium Sicheres Österreich.

http://futurezone.at/thema/start-ups/sicherheits-start-ups-gesucht/139.420.313


Common Assessment Tool Cheatsheets

I have an unhealthy obsession for time savers when I'm doing pentest work. Since a lot of my time is spent on the command line I love cheatsheets. I thought I'd use this thread to post some of the more awesome cheat sheets I find...

https://forum.bugcrowd.com/t/common-assessment-tool-cheatsheets/502


Tunneling Data and Commands Over DNS to Bypass Firewalls

No matter how tightly you restrict outbound access from your network, you probably allow DNS queries to at least one server. Adversaries can abuse this "hole" in your firewall to exfiltrate data and establish stealthy Command and Control (C2) channels that are very difficult to block. ... I am struggling to come up with a solution to plug this firewall "hole", but I have a few risk mitigation recommendations:...

https://zeltser.com/c2-dns-tunneling/


Google Photo App Uploads Your Images To Cloud, Even After Uninstalling

Have you ever seen any mobile application working in the background silently even after you have uninstalled it completely? I have seen Google Photos app doing the same. Your Android smartphone continues to upload your phone photos to Google servers without your knowledge, even if you have already uninstalled the Google Photos app from your device. Nashville Business...

http://feedproxy.google.com/~r/TheHackersNews/~3/yxF2id-ZsHg/google-photo-app-sync.html


"Forkmeiamfamous": Seaduke, latest weapon in the Duke armory

Low-profile information-stealing Trojan is used only against high-value targets

http://www.symantec.com/connect/blogs/forkmeiamfamous-seaduke-latest-weapon-duke-armory


BGP Hijacking - why you need to care!

This came across our desk this morning when we were putting together Dragon News Bytes. There is lots of talk about what has been discovered in the recent reporting on the data dump from the Hacking Team incident. A lot of the reporting discusses the ethics of the company's services and whom they have been selling them to. Concentrating for a moment on the technology deployed in this activity, it is suggested that BGP hijacking was involved. This is described in the article entitled...

https://blog.team-cymru.org/2015/07/bgp-hijacking-why-do-you-need-to-care/


Very last call: support for Windows Server 2003 ends

On 14 July it is finally over. Microsoft will no longer ship updates for Windows Server 2003, not even for security problems. Although here too it seems that exceptions prove the rule.

http://www.heise.de/newsticker/meldung/Allerletzter-Aufruf-Support-fuer-Windows-2003-Server-endet-2749074.html?wt_mc=rss.ho.beitrag.rdf


Hacking Team 0-day Flash Wave with Exploit Kits

https://www.f-secure.com/weblog/archives/00002819.html


New PHP Releases Fix BACRONYM MySQL Flaw

Several new versions of PHP have been released, all of which contain a number of bug fixes, most notably a patch for the so-called BACKRONYM vulnerability in MySQL. That bug in MySQL is caused by a problem with the way that the database software handles requests for secure connections. Researchers at Duo Security disclosed the...

http://threatpost.com/new-php-releases-fix-bacronym-mysql-flaw/113740


The Adobe Flash Conundrum: Old Habits Die Hard

Is it time to hop off the endless cycle of Flash vulnerabilities and updates? Last week has not been great for Adobe Flash. The 440GB of leaked Hacking Team emails has become a treasure trove for vulnerability hunters. Over the past 7 days, Flash was hit by three separate vulnerabilities: CVE-2015-5119, CVE-2015-5122 and CVE-2015-5123. At this time, only the...

http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/AmkybOPif7Y/


Bugtraq: ESA-2015-115: EMC RecoverPoint for Virtual Machines (VMs) Restriction Bypass Vulnerability

http://www.securityfocus.com/archive/1/535981


Cisco Mobility Services Engine Control And Provisioning Information Disclosure Vulnerability

http://tools.cisco.com/security/center/viewAlert.x?alertId=39825


Juniper Security Advisories

Juniper Junos IPv6 SEND Processing Flaw Lets Remote Users Deny Service

http://www.securitytracker.com/id/1032849

Juniper Junos SRX Network Security Daemon Bug Lets Remote Users Deny Service

http://www.securitytracker.com/id/1032848

Juniper Junos EX4600 and QFX Series Unspecified Flaw Lets Remote Users Deny Service

http://www.securitytracker.com/id/1032847

Juniper Junos J-Web Bugs Let Remote Users Conduct Cross-Site Scripting and Denial of Service Attacks

http://www.securitytracker.com/id/1032846

Bugtraq: [security bulletin] HPSBGN03373 rev.1 - HP Release Control running TLS, Remote Disclosure of Information

http://www.securityfocus.com/archive/1/535983


Cisco WebEx Meeting Center Reflected Cross-Site Scripting Vulnerability

http://tools.cisco.com/security/center/viewAlert.x?alertId=39782


F5 Security Advisories

Security Advisory: Boost memory allocator vulnerability CVE-2012-2677

https://support.f5.com:443/kb/en-us/solutions/public/16000/900/sol16946.html?ref=rss

Security Advisory: Multiple SQLite vulnerabilities

https://support.f5.com:443/kb/en-us/solutions/public/16000/900/sol16950.html?ref=rss

Security Advisory: Mailx vulnerabilities CVE-2004-2771 and CVE-2014-7844

https://support.f5.com:443/kb/en-us/solutions/public/16000/900/sol16945.html?ref=rss

Security Advisory: Expat vulnerabilities CVE-2012-0876 and CVE-2012-1148

https://support.f5.com:443/kb/en-us/solutions/public/16000/900/sol16949.html?ref=rss

Splunk Enterprise and Splunk Light Input Validation Flaw Lets Remote Users Conduct Cross-Site Scripting Attacks

http://www.securitytracker.com/id/1032859


Squid CONNECT Method Peer Response Processing Flaw Lets Remote Users Bypass Security Controls

http://www.securitytracker.com/id/1032873


PHP 5.x Security Updates, (Sun, Jul 12th)

PHP 5.6.11, 5.5.27 and 5.4.43 have been released, fixing numerous bugs in the various components of PHP including CVE-2015-3152. PHP recommends testing and upgrading to the current release. The binaries and packages are available here and the release notes here. [1] http://www.php.net/ChangeLog-5.php [2] http://windows.php.net/download/

https://isc.sans.edu/diary.html?storyid=19907&rss


Joomla J2Store 3.1.6 SQL Injection

Topic: Joomla J2Store 3.1.6 SQL Injection. Risk: Medium. Text: J2Store v3.1.6, a Joomla! extension that adds basic store functionality to a Joomla! instance, suffered from two unauthenticate...

http://cxsecurity.com/issue/WLB-2015070053


DFN-CERT-2015-0907 FreeRADIUS: A vulnerability allows bypassing security measures

https://portal.cert.dfn.de/adv/DFN-CERT-2015-0907/


DFN-CERT-2015-1030 strongSwan: Two vulnerabilities allow information disclosure and denial-of-service attacks

https://portal.cert.dfn.de/adv/DFN-CERT-2015-1030/