End-of-Shift report
Timeframe: Thursday 16-07-2015 18:00 - Friday 17-07-2015 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
MSRT July 2015: Crowti
In our ongoing effort to provide malware protection, we are adding the following detections to the Microsoft Malicious Software Removal Tool (MSRT) this month: Win32/Crowti and Win32/Reveton. Crowti, a file encryption threat, is one of the most prevalent ransomware families. We have recently seen it sent as a spam email attachment with formats similar to those shown in the post (Figure 1: email spam samples delivering Crowti as an attachment). As well as using spam emails as the entry point or infection...
http://blogs.technet.com/b/mmpc/archive/2015/07/14/msrt-july-2015-crowti.aspx
Running SAP? Checked for patches lately? Now's a good time
New round of fixes includes one for a security bypass flaw. SAP has released its July pack of security fixes, including critical patches that one researcher says demand your urgent attention.
http://go.theregister.com/feed/www.theregister.co.uk/2015/07/17/running_sap_kit_have_you_checked_for_patches_lately_nows_a_good_time/
Ad networks beware; Google raises Red Screen of malware Death
Chrome to take shine off dodgy ad networks. Watch out, dodgy ad slingers and news sites: Google is expanding its last-line-of-defence Chrome feature to brand all security-slacker ad networks as unsafe.
http://go.theregister.com/feed/www.theregister.co.uk/2015/07/17/google_safe_browsing/
Fake News App in Hacking Team Dump Designed to Bypass Google Play
Looking into the app's routines, we believe the app can circumvent Google Play restrictions by using dynamic loading technology. Initially, it only asks for three permissions and can be deemed safe by Google's security standards, as there is no exploit code to be found in the app. However, dynamic loading technology allows the app to download and execute a portion of code from the Internet. It will not load the code while Google is verifying the app but will later push the code once...
http://blog.trendmicro.com/trendlabs-security-intelligence/fake-news-app-in-hacking-team-dump-designed-to-bypass-google-play/
Significant Flash exploit mitigations are live in v18.0.0.209
Whilst Project Zero has gained a reputation for vulnerability and exploitation research, that's not all that we do. One of the main reasons we perform this research is to provide data to defenders; and one of the things that defenders can do with this data is to devise exploit mitigations. Sometimes, we'll take on exploit mitigations ourselves. Recently, we've been working with Adobe on Flash mitigations, and this post describes some significant mitigations that have landed over the past couple of...
http://googleprojectzero.blogspot.co.at/2015/07/significant-flash-exploit-mitigations_16.html
Save the Date: 2 November NCSRA-Symposium 2015
For the second time the NCSC will be co-organizing the NCSRA Symposium, which will be held on 2 November during Alert Online (the Dutch national cyber security awareness campaign). This symposium offers possibilities for knowledge sharing and community building in cybersecurity research and innovation.
https://www.ncsc.nl/english/current-topics/news/save-the-date-2-november-ncsra-symposium-2015.html
Process Explorer and VirusTotal, (Fri, Jul 17th)
About a year ago, Rob had a diary entry about checking a file from Process Explorer with VirusTotal. Did you know you can have the EXEs of all running processes scanned with VirusTotal? In Process Explorer, add the VirusTotal column, enable VirusTotal checks and accept the VirusTotal terms; the VirusTotal scores then appear in that column. Process Explorer is not the only Sysinternals tool that comes with VirusTotal support. I'll showcase more tools in upcoming diary entries. Sysinternals:...
https://isc.sans.edu/diary.html?storyid=19931&rss
SANS: Free webcast: 5 years after Stuxnet: what has changed, what hasn't, and what lies ahead
Wednesday, July 29, 2015 at 17:00 CEST Thomas Brandstetter | In the industrial world, the discovery of the Stuxnet malware was the most striking event of recent years. Many presentations on industrial security have since opened with the sentence "Since Stuxnet, everything is different". On the fifth anniversary of Stuxnet's discovery it is worth asking: is that true? What impact did Stuxnet actually have on the industrial world? Thomas Brandstetter was in...
https://www.sans.org/webcasts/5-years-stuxnet-changed-didnt-lies-100617
Flash updates for Linux and once more for the Extended Support version
Linux users who are not using Chrome now also get the latest Flash update. In addition, Extended Support users have to patch once again.
http://heise.de/-2752440
Commentary: Get rid of Flash!
With Adobe's plug-in, the balance between benefit and risk no longer holds. It is time to switch off this relic, says Herbert Braun
http://heise.de/-2751583
TotoLink Routers Plagued By XSS, CSRF, RCE Bugs
A slew of routers manufactured in China are fraught with vulnerabilities, some which have existed in products for as long as six years.
http://threatpost.com/totolink-routers-plagued-by-xss-csrf-rce-bugs/113816
Bugtraq: Novell GroupWise 2014 WebAccess vulnerable to XSS attacks
http://www.securityfocus.com/archive/1/536023
Elasticsearch 1.6.0 Remote Code Execution
Topic: Elasticsearch 1.6.0 Remote Code Execution. Risk: High. Summary: Elasticsearch versions prior to 1.6.1 are vulnerable to an engineered attack on its transport protocol that enables r...
http://cxsecurity.com/issue/WLB-2015070089
Elasticsearch 1.6.0 Directory Traversal
Topic: Elasticsearch 1.6.0 Directory Traversal. Risk: Medium. Summary: Elasticsearch versions from 1.0.0 to 1.6.0 are vulnerable to a directory traversal attack that allows an attacker to ...
http://cxsecurity.com/issue/WLB-2015070090
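The two Elasticsearch advisories above give only version ranges, so the first thing a practitioner wants is a check that maps a node's reported version onto those ranges without tripping over string comparison ("1.10.0" sorts before "1.6.1" lexically). The following is an added example written for this report; it is not code from cxsecurity or from the Elasticsearch project. It parses the JSON an Elasticsearch node returns on GET / (port 9200) and flags the node against the ranges the advisories state: prior to 1.6.1 for the transport protocol RCE, and 1.0.0 through 1.6.0 for the directory traversal. The two node responses embedded below are constructed samples; the version boundaries are the only facts taken from the advisories.

```python
"""Added example (not from the advisories or from Elasticsearch): classify an
Elasticsearch node's version against the two affected ranges stated above.

  transport protocol RCE : versions prior to 1.6.1
  directory traversal    : versions 1.0.0 through 1.6.0
"""
import json
import re

# major.minor.patch with an optional pre-release tag, e.g. "1.6.0",
# "1.0.0.RC1" or "1.6.0-SNAPSHOT" (both separators occur in the wild).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-.]([0-9A-Za-z.]+))?$")


def parse_version(text):
    """Return a sortable tuple (major, minor, patch, final).

    `final` is 0 for a pre-release and 1 for the release itself, so
    1.6.1-rc1 sorts before 1.6.1 and is therefore still "prior to 1.6.1".
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised Elasticsearch version: %r" % text)
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1)


RCE_FIXED_IN = parse_version("1.6.1")      # advisory: "prior to 1.6.1"
TRAVERSAL_FIRST = parse_version("1.0.0")   # advisory: "from 1.0.0 ..."
TRAVERSAL_LAST = parse_version("1.6.0")    # advisory: "... to 1.6.0"


def assess_version(version):
    """Map one version string onto the two advisories' affected ranges."""
    v = parse_version(version)
    return {
        "version": version,
        "transport_rce": v < RCE_FIXED_IN,
        "directory_traversal": TRAVERSAL_FIRST <= v <= TRAVERSAL_LAST,
    }


def assess_root_response(body):
    """`body` is the JSON text a node serves on GET / (port 9200)."""
    doc = json.loads(body)
    return assess_version(doc["version"]["number"])


# Constructed sample responses shaped like a 1.x node's GET / reply.
SAMPLE_VULNERABLE = json.dumps({
    "status": 200,
    "name": "node-1",
    "version": {"number": "1.6.0", "build_snapshot": False},
    "tagline": "You Know, for Search",
})
SAMPLE_FIXED = json.dumps({
    "status": 200,
    "name": "node-2",
    "version": {"number": "1.6.1", "build_snapshot": False},
    "tagline": "You Know, for Search",
})

if __name__ == "__main__":
    for sample in (SAMPLE_VULNERABLE, SAMPLE_FIXED):
        print(assess_root_response(sample))
```

Against a live cluster, feed the output of a plain HTTP GET on port 9200 of each node to assess_root_response; every node has to be checked, since a mixed-version cluster is only as patched as its oldest member.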
WP Backitup <= 1.9.1 - Backup File Disclosure
https://wpvulndb.com/vulnerabilities/8105
Cisco Prime Collaboration Assurance Web Interface Denial of Service Vulnerability
http://tools.cisco.com/security/center/viewAlert.x?alertId=40003
EMC Documentum WebTop Lets Remote Users Redirect the Target User to an Arbitrary Site
http://www.securitytracker.com/id/1032965
EMC Documentum CenterStage Input Validation Flaw Lets Remote Users Conduct Cross-Site Scripting Attacks
http://www.securitytracker.com/id/1032966
Eaton's Cooper Power Series Form 6 Control and Idea/IdeaPlus Relays with Ethernet Vulnerability
This advisory was originally posted to the US-CERT secure Portal library on January 6, 2015, and is now being released to the ICS-CERT web site. This advisory provides mitigation details for a predictable TCP sequence vulnerability in Eaton's Cooper Power Systems Form 6 and Idea/IdeaPLUS relays with Ethernet application.
https://ics-cert.us-cert.gov/advisories/ICSA-15-006-01
SSA-732541 (Last Update 2015-07-17): Denial-of-Service Vulnerability in SIPROTEC 4
https://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_security_advisory_ssa-732541.pdf
IBM Security Bulletins
IBM Vulnerability in Apache Tomcat may affect IBM WebSphere Application Server Community Edition (CVE-2014-0230)
IBM Security Bulletin: Open Source Apache Tomcat vulnerability and vulnerability in Diffie-Hellman ciphers affects IBM Tivoli Application Dependency Discovery Manager (TADDM) (CVE-2014-0230, CVE-2014-7810, CVE-2015-4000)
IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Sterling Secure Proxy and Sterling External Authentication Server (CVE-2015-0488, CVE-2015-1916, CVE-2015-2808, CVE-2015-0478, CVE-2015-0204)
IBM Security Bulletin: Vulnerabilities in OpenSSL including Logjam affect Rational Application Developer for WebSphere Software (CVE-2015-4000, CVE-2015-1793)
IBM Security Bulletin: Vulnerability in OpenSSL affects IBM SDK for Node.js (CVE-2015-1793)
IBM Security Bulletin: Vulnerability in the Dojo Toolkit affects IBM Business Process Manager, which is shipped with IBM SmartCloud Orchestrator and IBM SmartCloud Orchestrator Enterprise (CVE-2014-8917)
IBM Security Bulletin: Tivoli Workload Scheduler Distributed Potential Security vulnerabilities with IBM WebSphere Application Server (CVE-2015-1920)
https://www-304.ibm.com/connections/blogs/PSIRT/?lang=en_us