Daily Summary - Monday 12-12-2016

End-of-Shift report

Timeframe: Friday 09-12-2016 18:00 − Monday 12-12-2016 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter

Windows 10: protection, detection, and response against recent Depriz malware attacks

A few weeks ago, multiple organizations in the Middle East fell victim to targeted and destructive attacks that wiped data from computers and in many cases rendered them unstable and unbootable. Destructive attacks like these have been observed repeatedly over the years, and the Windows Defender and Windows Defender Advanced Threat Protection Threat Intelligence teams...

https://blogs.technet.microsoft.com/mmpc/2016/12/09/windows-10-protection-detection-and-response-against-recent-attacks/


Microsoft Edge's malware alerts can be faked, researcher says

Fiddle with a URL and you can pop up and tell users to do anything. Technical support scammers have new bait with the discovery that Microsoft's Edge browser can be abused to display native and legitimate-looking warning messages.

http://go.theregister.com/feed/www.theregister.co.uk/2016/12/12/microsoft_edges_malware_alerts_can_be_faked/


New Ransomware Offers The Decryption Keys If You Infect Your Friends

MalwareHunterTeam has discovered "Popcorn Time," a new in-development ransomware with a twist. Gumbercules!! writes: "With Popcorn Time, not only can a victim pay a ransom to get their files back, but they can also try to infect two other people and have them pay the ransom in order to get a free key," writes Bleeping Computer. Infected victims are given a "referral code" and, if two people are infected by that code and pay up -- the original victim is given their...

http://rss.slashdot.org/~r/Slashdot/slashdot/~3/BAJPIfARkR0/new-ransomware-offers-the-decryption-keys-if-you-infect-your-friends


Escaping a restricted shell

The help command outputs this list of available commands we can use. It's almost basically the web interface disguised as a shell session; well, not really, but I'm sure you guys got the point. So let's begin with the command substitution (a.k.a. command injection) technique:...

https://humblesec.wordpress.com/2016/12/08/escaping-a-restricted-shell/


Zcash, or the return of malicious miners

Despite this dramatic drop from the initial values (which was anticipated), Zcash mining remains among the most profitable compared to other cryptocurrencies. This has led to the revival of a particular type of cybercriminal activity - the creation of botnets for mining. A few years ago, botnets were created for bitcoin mining, but the business all but died out after it became only marginally profitable.

https://securelist.com/blog/research/76862/zcash-or-the-return-of-malicious-miners/


5 Questions to Ask your IoT Vendors; But Do Not Expect an Answer.

1 - For how long, after I purchase a device, should I expect security updates?
2 - How will I learn about security updates?
3 - Can you share a pentest report for your device?
4 - How can I report vulnerabilities?
5 - If you use encryption, then disclose what algorithms you use and how it is implemented.

https://isc.sans.edu/diary/5+Questions+to+Ask+your+IoT+Vendors%3B+But+Do+Not+Expect+an+Answer./21807


VB2016 paper: Modern attacks on Russian financial institutions

Today, we publish the VB2016 paper and presentation (recording) by ESET researchers Jean-Ian Boutin and Anton Cherepanov, in which they look at sophisticated attacks against Russian financial institutions.

https://www.virusbulletin.com/blog/2016/december/vb2016-paper-modern-attacks-russian-financial-institutions/


Pentesting ICS Systems

Security of ICS systems is one of the most critical issues of this last year. In this article, we will give a brief introduction to ICS systems and their risks, and finally the methodology and tools to pentest ICS-based systems. Introduction: Industrial control system (ICS) is a term that includes many types of control systems and instrumentation...

http://resources.infosecinstitute.com/pentesting-ics-systems/


Ongoing Windows update bug woes affecting all ISPs

Virgin also advising customers knocked offline. An ongoing software update bug on Windows 8 and 10 appears to be affecting users of several UK ISPs, with Virgin Media the latest provider to admit the problem is knocking a number of its customers offline.

http://go.theregister.com/feed/www.theregister.co.uk/2016/12/12/ongoing_windows_8_10_dhcp_problems_affecting_all_isps/


Netgear routers trivially attackable, no patch in sight yet

The web interface of some Netgear routers apparently contains a critical security vulnerability that attackers can easily exploit to execute code with root privileges. So far the only protection on offer is an unorthodox one: users are supposed to exploit the vulnerability themselves.

https://heise.de/-3568679


DDoS tool encourages users to compete against each other for points

Sledgehammer tool encourages hackers to launch DDoS attacks - but there's a sting in the tail

https://nakedsecurity.sophos.com/2016/12/12/ddos-tool-encourages-users-to-compete-against-each-other-for-points/


VU#582384: Multiple Netgear routers are vulnerable to arbitrary command injection

Vulnerability Note VU#582384: Multiple Netgear routers are vulnerable to arbitrary command injection
Original Release date: 09 Dec 2016 | Last revised: 09 Dec 2016
Overview: Netgear R7000 and R6400 routers and possibly other models are vulnerable to arbitrary command injection.
Description: CWE-77: Improper Neutralization of Special Elements used in a Command (Command Injection). Netgear R7000, firmware version 1.0.7.2_1.1.93 and possibly earlier, and R6400, firmware version 1.0.1.6_1.0.4 and...

http://www.kb.cert.org/vuls/id/582384


DSA-3730 icedove - security update

Multiple security issues have been found in Icedove, Debian's version of the Mozilla Thunderbird mail client: multiple memory safety errors, same-origin policy bypass issues, integer overflows, buffer overflows and use-after-frees may lead to the execution of arbitrary code or denial of service.

https://www.debian.org/security/2016/dsa-3730


Vuln: McAfee VirusScan Enterprise Multiple Security Vulnerabilities

http://www.securityfocus.com/bid/94823


IBM Security Bulletins

IBM Security Bulletin: One vulnerability in IBM Java SDK affects IBM Application Delivery Intelligence v1.0.1 and v1.0.1.1 (CVE-2016-5597)

http://www-01.ibm.com/support/docview.wss?uid=swg21995653

IBM Security Bulletin: Multiple vulnerabilities may affect IBM SDK for Node.js

http://www.ibm.com/support/docview.wss?uid=swg21993007

IBM Security Bulletin: Open Source Apache Tomcat Commons FileUpload Vulnerabilities affects Atlas Policy Suite (CVE-2016-3092)

http://www-01.ibm.com/support/docview.wss?uid=swg21995382

IBM Security Bulletin: Potential Information Disclosure vulnerability in IBM MessageSight (CVE-2016-5986)

http://www-01.ibm.com/support/docview.wss?uid=swg21995246

IBM Security Bulletin: IBM Security Access Manager appliances are affected by vulnerabilities in OpenSSH (CVE-2015-5352, CVE-2015-6563, CVE-2015-6564)

http://www.ibm.com/support/docview.wss?uid=swg21992610

IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Tivoli Access Manager for e-business and IBM Security Access Manager for Web version 7 software (CVE-2016-3550, CVE-2016-3485)

http://www.ibm.com/support/docview.wss?uid=swg21993132

IBM Security Bulletin: Open Redirect vulnerability in IBM MessageSight (CVE-2016-3040)

http://www-01.ibm.com/support/docview.wss?uid=swg21995247

IBM Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - Apr 2016 - Includes Oracle Apr 2016 CPU affect for IBM Connections (CVE-2016-0264 )

https://www-01.ibm.com/support/docview.wss?uid=swg21988365

IBM Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - Apr 2016 - Includes Oracle Apr 2016 CPU affect Content Collector for Email (CVE-2016-0264)

https://www-01.ibm.com/support/docview.wss?uid=swg21988357

IBM Security Bulletin: Information Disclosure in IBM MessageSight (CVE-2016-0378)

http://www-01.ibm.com/support/docview.wss?uid=swg21995238