Daily summary - Wednesday 9-11-2016

End-of-Shift report

Timeframe: Tuesday 08-11-2016 18:00 − Wednesday 09-11-2016 18:00 Handler: Robert Waldner Co-Handler: n/a

Admins, take note: SHA1 certificates face their final end

From January 2017 it gets serious: the major browsers will then display real error messages when they encounter certificates that carry a SHA1 signature. Such certificates are still in use, though, as a quick test by heise Security shows.

https://heise.de/-3460868


AdSense: Google removes banking trojan from ad network

Once again malware has been distributed via an advertising network. A Google AdSense campaign had tried to foist a banking trojan on Android users. The ads in question have since been disabled. (Malware, Virus)

http://www.golem.de/news/adsense-google-entfernt-bankentrojaner-aus-werbenetzwerk-1611-124363-rss.html


MS16-NOV - Microsoft Security Bulletin Summary for November 2016 - Version: 1.0

https://technet.microsoft.com/en-us/library/security/MS16-NOV


App vulnerability: attackers can trigger iPhone calls

A bug in popular iOS apps makes it possible to make the iPhone automatically dial a given phone number while at the same time preventing the user from immediately ending the call.

https://heise.de/-3460552


November 2016 security update release

Today we released security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to apply security updates as soon as they are released. More information about this month's security updates and advisories can be found in the Security TechNet Library.

https://blogs.technet.microsoft.com/msrc/2016/11/08/november-2016-security-update-release/


Thoughts on the recent 'NtSetWindowLongPtr' vulnerability

On October 31, the Google security team announced it had discovered a vulnerability, actively exploited in the wild, in (unspecified) versions of Microsoft Windows. The vulnerability is a local privilege escalation, allowing an unprivileged user to gain kernel privileges.

https://labs.bromium.com/2016/11/08/thoughts-on-the-recent-ntsetwindowlongptr-vulnerability/


New XM1RPC SEO Spam and Backdoor Campaign

We have been monitoring a new campaign specifically targeting WordPress sites, using hundreds of them for SEO spam distribution. We call it the XM1RPC campaign due to the common backdoor used across all of the compromised sites. The file is named in such a way as to confuse WordPress administrators who are familiar with XML-RPC. This malware usually infects all sites that share the same FTP account, which means cleaning just one website won't help...

https://blog.sucuri.net/2016/11/xm1rpc-spam-backdoor.html


Phoenix Contact ILC PLC Authentication Vulnerabilities

This advisory contains mitigation details for authentication vulnerabilities in Phoenix Contact's ILC PLCs.

https://ics-cert.us-cert.gov/advisories/ICSA-313-01


Siemens Industrial Products Local Privilege Escalation Vulnerability

This advisory contains mitigation details for a privilege escalation vulnerability that affects several Siemens industrial products.

https://ics-cert.us-cert.gov/advisories/ICSA-16-313-02


OSIsoft PI System Incomplete Model of Endpoint Features Vulnerability

This advisory contains mitigation details for an incomplete model of endpoint features vulnerability in OSIsoft's PI System software.

https://ics-cert.us-cert.gov/advisories/ICS-VU-313-03


TrickBot Banking Trojan Adds New Browser Manipulation Tools

The banking Trojan TrickBot is evolving fast, according to researchers, and within weeks will expand its victim list and attack scope.

http://threatpost.com/trickbot-banking-trojan-adds-new-browser-manipulation-tools/121859/


DSA-3709 libxslt - security update

Nick Wellnhofer discovered that the xsltFormatNumberConversion function in libxslt, an XSLT processing runtime library, does not properly check for a zero byte terminating the pattern string. This flaw can be exploited to leak a couple of bytes after the buffer that holds the pattern string.

https://www.debian.org/security/2016/dsa-3709


Security Advisory - Input Validation Vulnerability in Wi-Fi Driver of Huawei Smart Phones

http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161109-01-smartphone-en


Pawn Storm Ramps Up Spear-phishing Before Zero-Days Get Patched

The effectiveness of a zero-day quickly deteriorates as an attack tool after it gets discovered and patched by the affected software vendors. Within the time between the discovery of the vulnerability and the release of the fix, a bad actor might try to get the most out of his previously valuable attack assets.

http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/QdtwFJ1RHyQ/


Vuln: SAP NetWeaver Java AS Webdynpro Component Information Disclosure Vulnerability

http://www.securityfocus.com/bid/94174


New BEC scams seek to build trust first, request wire transfer later

Business email compromise scammers have gradually changed their tactics to improve their scam success rate.

https://www.symantec.com/connect/blogs/new-bec-scams-seek-build-trust-first-request-wire-transfer-later


IBM Security Bulletins

IBM Security Bulletin: Multiple OpenSSL vulnerabilities affect IBM Aspera Shares 1.9.4 or earlier and IBM Aspera Console 3.0.6 or earlier

https://support.asperasoft.com/hc/en-us/articles/229505687-Security-Bulletin-Multiple-OpenSSL-vulnerabilities-affect-IBM-Aspera-Shares-1-9-2-or-earlier- -IBM-Aspera-Console-3-0-6-or-earlier

IBM Security Bulletin: The BigFix Platform has a vulnerability involving missing the HTTP Strict-Transport-Security Header (CVE-2016-0297)

http://www.ibm.com/support/docview.wss?uid=swg21993214

IBM Security Bulletin: BigFix Platform has a vulnerability where information is exposed through Log Files (CVE-2016-0296)

http://www.ibm.com/support/docview.wss?uid=swg21993213

IBM Security Bulletin: Lotus Protector for Mail Security Affected By Multiple Open Source CURL Vulnerabilities (CVE-2016-7167)

http://www.ibm.com/support/docview.wss?uid=swg21993246

IBM Security Bulletin: IBM Connections Mobile Server Security Refresh for Apache Struts (CVE-2016-0785, CVE-2016-0785, CVE-2016-3093, CVE-2016-4003)

http://www.ibm.com/support/docview.wss?uid=swg21984206

IBM Security Bulletin: IBM Connections Security Refresh for Apache Struts CVE-IDs: CVE-2016-0785 CVE-2016-2162

http://www.ibm.com/support/docview.wss?uid=swg21985424