Daily Summary - Wednesday 7-12-2016

End-of-Shift report

Timeframe: Tuesday 06-12-2016 18:00 − Wednesday 07-12-2016 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter

Online advertising: Researchers stop months-long malvertising campaign

A malvertising campaign has been distributing malicious code over the past months. The creators of the Stegano exploit kit hid invisible pixels in advertisements and used exploits in Flash and Internet Explorer.

http://www.golem.de/news/onlinewerbung-forscher-stoppen-monatelange-malvertising-kampagne-1612-124928-rss.html


Petya variant: Goldeneye ransomware sends convincing job applications

Shortly before the end of the year there is another major ransomware campaign in Germany. With Goldeneye, criminals send professional-looking job applications to HR departments, and possibly use information from the employment agency (Arbeitsamt).

http://www.golem.de/news/petya-variante-goldeneye-ransomware-verschickt-ueberzeugende-bewerbungen-1612-124940-rss.html


Criminals could guess Visa credit card data comparatively easily

In a study, security researchers show how they guess CVV numbers and other credit card data within a few seconds and then use them to transfer money.

https://heise.de/-3564898


Flash Exploit Found in Seven Exploit Kits

An Adobe Flash Player vulnerability used by the Sofacy APT gang was also found in seven of the top exploit kits, according to an analysis by Recorded Future.

http://threatpost.com/flash-exploit-found-in-seven-exploit-kits/122284/


Explained: Domain Generating Algorithm

Domain Generating Algorithms are in use by cyber criminals to prevent their servers from being blacklisted or taken down. The algorithm produces random-looking domain names. The idea is that two machines using the same algorithm will contact the same domain at a given time.

https://blog.malwarebytes.com/security-world/2016/12/explained-domain-generating-algorithm/


Attacking NoSQL applications, (Tue, Dec 6th)

In the last couple of years, the MEAN stack (MongoDB, Express.js, Angular.js and Node.js) has become the stack of choice for many web application developers. The main reason for this popularity is that the stack supports both client- and server-side programs written in JavaScript, allowing easy development. The core database used by the MEAN stack, MongoDB, is a NoSQL database program that uses JSON-like documents with dynamic schemas, allowing huge flexibility. Although NoSQL databases are not...

https://isc.sans.edu/diary.html?storyid=21787&rss


MSRT December 2016 addresses Clodaconas, which serves unsolicited ads through DNS hijacking

In this month's Microsoft Malicious Software Removal Tool (MSRT) release, we continue taking down unwanted software, the pesky threats that force onto our computers things that we neither want nor need. BrowserModifier:Win32/Clodaconas, for instance, displays ads when you're browsing the internet. It modifies search results pages so that you see unsolicited ads related to your...

https://blogs.technet.microsoft.com/mmpc/2016/12/06/msrt-december-2016-addresses-clodaconas-which-serves-unsolicited-ads-through-dns-hijacking/


Unrestricted Backend Login Method Seen in OpenCart

From the attacker's perspective, creating ways to maintain access to a compromised website is desirable. This allows them to further distribute malware and perform different kinds of malicious activities. One of the ways attackers try to secure their access is by adding admin users or pieces of malicious code throughout the site. This allows them to regain access easily if needed. However, we recently found a unique way to achieve this kind of breach.

https://blog.sucuri.net/2016/12/unrestricted-backend-login.html


Crims using anti-virus exclusion lists to send malware to where it can do most damage

When vendors tell you what to whitelist, crims are reading too

Advanced malware writers are using anti-virus exclusion lists to better target victims, researchers say.

http://go.theregister.com/feed/www.theregister.co.uk/2016/12/07/clever_crims_using_av_exclusion_lists_as_malware_safe_harbour/


Deep Analysis of the Online Banking Botnet TrickBot

TrickBot aims at stealing online banking information from browsers when victims are visiting online banks. The targeted banks are from Australia, New Zealand, Germany, United Kingdom, Canada, United States, Israel, and Ireland, to name a few.

http://blog.fortinet.com/2016/12/06/deep-analysis-of-the-online-banking-botnet-trickbot


Debugging war story: the mystery of NXDOMAIN

The following blog post describes a debugging adventure on Cloudflare's Mesos-based cluster. This internal cluster is primarily used to process log file information so that Cloudflare customers have analytics, and for our systems that detect and respond to attacks. The problem encountered didn't have any effect on our customers,

https://blog.cloudflare.com/debugging-war-story-the-mystery-of-nxdomain/


Popular smart toys violate children's privacy rights?

My Friend Cayla and i-Que, two extremely popular "smart" toys manufactured by Los Angeles-based Genesis Toys, do not safeguard basic consumer (and children's) rights to security and privacy, researchers have found. The toys come with companion apps, and the latter use services by Nuance Communications, a company headquartered in Massachusetts that specializes in voice and speech recognition services for a variety of industries.

https://www.helpnetsecurity.com/2016/12/07/smart-toys-privacy-rights/


Bugtraq: [ESNC-2041217] Critical Security Vulnerability in PwC ACE Software for SAP Security

http://www.securityfocus.com/archive/1/539883


Security Advisory - Privilege Escalation Vulnerability in Some Huawei Storage Products

http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161207-01-storage-en


Security Advisory - Dirty COW Vulnerability in Huawei Products

http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161207-01-dirtycow-en


Security Advisory - FRP Bypass Vulnerability in Huawei Smart Phones

http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161207-01-smartphone-en


Tesla Gateway ECU Vulnerability

This advisory contains mitigation details for a Gateway ECU vulnerability in Tesla's Model S automobile.

https://ics-cert.us-cert.gov/advisories/ICSA-16-341-01


Locus Energy LGate Command Injection Vulnerability

This advisory contains mitigation details for a command injection vulnerability in Locus Energy's LGate application.

https://ics-cert.us-cert.gov/advisories/ICSA-16-231-01-0


F5 Security Advisories

Security Advisory: Python urllib and urllib2 library vulnerability CVE-2016-5699

https://support.f5.com:443/kb/en-us/solutions/public/k/10/sol10420455.html?ref=rss

Security Advisory: libxml2 vulnerability CVE-2016-1839

https://support.f5.com:443/kb/en-us/solutions/public/k/26/sol26422113.html?ref=rss

Security Advisory: libxml2 vulnerability CVE-2016-1840

https://support.f5.com:443/kb/en-us/solutions/public/k/14/sol14614344.html?ref=rss

Security Advisory: PHP vulnerability CVE-2016-7127

https://support.f5.com:443/kb/en-us/solutions/public/k/89/sol89002224.html?ref=rss

Security Advisory: PHP vulnerabilities CVE-2016-6288 and CVE-2016-6289

https://support.f5.com:443/kb/en-us/solutions/public/k/34/sol34985231.html?ref=rss

Security Advisory: libxml2 vulnerability CVE-2016-1838

https://support.f5.com:443/kb/en-us/solutions/public/k/71/sol71926235.html?ref=rss

Cisco Security Advisories

Cisco AnyConnect Secure Mobility Client Local Privilege Escalation Vulnerability

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161207-anyconnect1

Cisco Web Security Appliance Drop Decrypt Policy Bypass Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161207-wsa1

Cisco Web Security Appliance HTTP URL Denial of Service Vulnerability

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161207-wsa

Cisco Firepower Management Center Information Disclosure Vulnerability

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161207-vdc

Cisco Unified Communications Manager IM and Presence Service Information Disclosure Vulnerability

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161207-ucm

Cisco Prime Collaboration Assurance Cross-Site Scripting Vulnerability

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161207-pca

Cisco Identity Services Engine Cross-Site Scripting Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161207-ise1

Cisco Identity Services Engine Active Directory Integration Component Denial of Service Vulnerability

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161207-ise

Cisco IOS XR Software Default Credentials Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161207-iosxr

Cisco IOS and Cisco IOS XE Software Zone-Based Firewall Feature Bypass Vulnerability

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161207-ios-zbf

Cisco IOS XR Software HTTP 2.0 Request Handling Event Service Daemon Denial of Service Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161207-ios-xr

Cisco IOS and IOS XE Software SSH X.509 Authentication Bypass Vulnerability

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161207-ios-xe-x509

Cisco IOS Frame Forwarding Denial of Service Vulnerability

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161207-ios

Cisco Intercloud Fabric Director Static Credentials Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161207-icf

Cisco Hybrid Media Service Privilege Escalation Vulnerability

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161207-hms

Cisco FirePOWER Malware Protection Bypass Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161207-fpwr

Cisco Firepower Management Center and Cisco FireSIGHT System Software Malicious Software Detection Bypass Vulnerability

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161207-firepower

Cisco FireAMP Connector Endpoint Software Denial of Service Vulnerability

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161207-fireamp

Cisco Expressway Series Software Security Bypass Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161207-expressway

Cisco Email Security Appliance SMTP Cross-Site Scripting Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161207-esa1

Cisco Email Security Appliance and Web Security Appliance Content Filter Bypass Vulnerability

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161207-esa

Cisco Unified Communications Manager Unified Reporting Upload Tool Directory Traversal Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161207-cur

Cisco Unified Communications Manager Administration Page Cross-Site Scripting Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161207-cucm

Cisco ONS 15454 Series Multiservice Provisioning Platforms TCP Port Management Denial of Service Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161207-cons

Cisco Emergency Responder Directory Traversal Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161207-cer1

Cisco Emergency Responder Cross-Site Request Forgery Vulnerability

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161207-cer

Cisco IOx Application-Hosting Framework Directory Traversal Vulnerability

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161207-caf

Cisco Security Appliances AsyncOS Software Update Server Certificate Validation Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161207-asyncos

Cisco ASR 5000 Series IKEv2 Denial of Service Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161207-asr1

Cisco ASR 5000 Series IPv6 Packet Processing Denial of Service Vulnerability

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161207-asr

Next End-of-Shift report: 2016-12-09