End-of-Shift report
Timeframe: Tuesday 09-02-2016 18:00 to Wednesday 10-02-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
Fast Flux Bot Nets and Fluxer - Part 1
This time we'll start a two-parter on fast-flux botnets, including the concept of domain generation algorithms.
http://www.scmagazine.com/fast-flux-bot-nets-and-fluxer--part-1/article/473047/
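The article is a teaser, so here, as an added example that is not part of the SC Magazine piece, is a Python sketch of both concepts it promises to cover: a constructed date-seeded DGA of the kind a bot uses to agree on rendezvous domains with its operator, a lexical heuristic for DGA-looking names, and a fast-flux score computed from successive A-record answers. The DGA, the seed, the thresholds and the DNS observations are all assumptions made for illustration, and distinct /16 prefixes stand in for a real ASN lookup.

```python
import hashlib
import ipaddress
import math
from collections import Counter
from datetime import date
from statistics import median

# Added example, not code from the article or from any real botnet: the DGA
# below is a constructed toy and the DNS observations are made up.

TLDS = ("com", "net", "org", "info")


def toy_dga(day: str, seed: bytes, count: int = 5, length: int = 12) -> list:
    """Toy date-seeded domain generation algorithm (`day` is YYYY-MM-DD).

    Bot and operator share `seed`; both derive the same candidate domains from
    the calendar date, so no rendezvous point is hard-coded in the binary and
    the operator only has to register one of today's names.
    """
    domains = []
    for i in range(count):
        material = seed + day.encode() + i.to_bytes(2, "big")
        digest = hashlib.sha256(material).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:length])
        domains.append(f"{label}.{TLDS[digest[length] % len(TLDS)]}")
    return domains


def shannon_entropy(text: str) -> float:
    counts, n = Counter(text), len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_dga(domain: str) -> bool:
    """Cheap lexical heuristic: a long consonant run, or high entropy with few
    vowels. Thresholds are illustrative; tune them on your own resolver logs."""
    label = domain.lower().split(".")[0]
    if len(label) < 8:
        return False
    vowels = set("aeiou")
    run = longest = 0
    for ch in label:
        run = 0 if ch in vowels else run + 1
        longest = max(longest, run)
    vowel_ratio = sum(ch in vowels for ch in label) / len(label)
    return longest >= 5 or (shannon_entropy(label) >= 3.4 and vowel_ratio < 0.25)


def fast_flux_score(answers: list) -> dict:
    """Summarise (ip, ttl) pairs seen in successive A lookups of one name.

    Fast-flux names rotate many hosts across unrelated networks with very
    short TTLs. Distinct /16 prefixes stand in for an ASN lookup here.
    """
    ips = {ipaddress.ip_address(ip) for ip, _ in answers}
    nets = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in ips}
    ttl = median(ttl for _, ttl in answers) if answers else 0
    return {
        "distinct_ips": len(ips),
        "distinct_slash16": len(nets),
        "median_ttl": ttl,
        "fast_flux": len(ips) >= 5 and len(nets) >= 3 and ttl <= 300,
    }


# Constructed observations. The flux-like name hands out hosts scattered over
# five networks; the CDN-like name also has a 60 s TTL but stays in one /16.
FLUX_ANSWERS = [
    ("198.51.100.23", 60), ("203.0.113.77", 60), ("192.0.2.14", 60),
    ("198.51.100.201", 60), ("203.0.113.9", 60), ("192.0.2.250", 60),
    ("198.18.4.19", 60), ("198.19.200.3", 60),
]
CDN_ANSWERS = [(f"192.0.2.{n}", 60) for n in range(10, 15)]

if __name__ == "__main__":
    for d in toy_dga(date.today().isoformat(), b"constructed-seed"):
        print(d, "dga-like" if looks_dga(d) else "looks benign")
    print("flux", fast_flux_score(FLUX_ANSWERS))
    print("cdn ", fast_flux_score(CDN_ANSWERS))
```

Run it and the flux-like name scores as fast flux while the CDN-like one does not, which is the point to keep in mind: short TTLs alone are not evidence, since CDNs use them too; the signal is many hosts across unrelated networks combined with short TTLs. The lexical check is a triage filter, not a verdict; confirm with NXDOMAIN bursts in resolver logs and registration data.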
DMA Locker Strikes Back
A few days ago we published a post about a new ransomware - DMA Locker (read more here). At that time, it was using a pretty simple way of storing keys. Having the original sample was enough to recover files. Unfortunately, the latest version (discovered February 8th) comes with several improvements and an RSA key. Let's...
https://blog.malwarebytes.org/news/2016/02/dma-locker-strikes-back/
Linode SSH key blunder left virtual servers open to man-in-the-middle fiddles for months
Regen your keys ASAP. Web hosting biz Linode broke the security of its customers' virtual machines, allowing attackers to eavesdrop on SSH connections and hijack them.
http://go.theregister.com/feed/www.theregister.co.uk/2016/02/09/linode_ssh_security/
Skimmers Hijack ATM Network Cables
If you have ever walked up to an ATM to withdraw cash only to decide against it after noticing a telephone or Ethernet cord snaking from behind the machine to a jack in the wall, your paranoia may not have been misplaced: ATM maker NCR is warning about skimming attacks that involve keypad overlays, hidden cameras and skimming devices plugged into the ATM network cables to intercept customer card data.
http://krebsonsecurity.com/2016/02/skimmers-hijack-atm-network-cables/
Patch day: Microsoft closes 6 critical holes, leaves old Internet Explorer versions out in the cold
Once again it is time for Microsoft users to update. Anyone still running older versions of Internet Explorer must act quickly now.
http://heise.de/-3098499
The history of Cryptowall: a large scale cryptographic ransomware threat
This tracker focuses on the development changes in the CryptoWall ransomware; it does not attempt to track every single CryptoWall sample that exists. It exists to follow the family at a higher level, with a few samples listed next to specific versions for reference rather than as a bulk collection. The timeline below shows the development track of CryptoWall, i.e. when new versions were first seen. Below the timeline you will find an overview.
https://www.cryptowalltracker.org/
Sparkle installer: Gatekeeper protection on Macs can be bypassed
Many Mac app developers use the Sparkle framework for convenient auto-updates, and in doing so make numerous Mac programs vulnerable. Affected are not only VLC and uTorrent.
http://www.golem.de/news/man-in-the-middle-angriff-sparkle-installer-macht-viele-mac-apps-angreifbar-1602-119038-rss.html
Cracking Damn Insecure and Vulnerable App (DIVA) - part 5
In the first four articles, we discussed solutions for the first eleven challenges in DIVA. In this last article of the series, we will discuss the remaining two challenges, which are related to native code. In case you missed the previous articles in this series, here are the links.
http://resources.infosecinstitute.com/cracking-damn-insecure-and-vulnerable-apps-diva-part-1/
http://resources.infosecinstitute.com/cracking-damn-insecure-and-vulnerable-app-diva-part-2/
http://resources.infosecinstitute.com/cracking-damn-insecure-and-vulnerable-app-diva-part-5/
Hijacking forgotten & misconfigured subdomains
It's been a while since my last blog post, so I decided to release a new tool. I think that we need more articles about "DNS hacking"; I hope that you will learn something new here.
http://www.xexexe.cz/2016/02/hijacking-forgotten-misconfigured.html
Network forensic analysis tool NetworkMiner 2.0 released
NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. ...
http://www.net-security.org/secworld.php?id=19421
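As an added example, not NetworkMiner's own code, here is a minimal passive analyser in Python that does the same kinds of inference on hand-constructed packet summaries: an OS guess from the IP TTL, open ports from observed SYN/SYN-ACK pairs, sessions from completed handshakes, and hostnames from parsed DNS answers. The packet records, addresses and DNS message are constructed for the example; the TTL-to-OS mapping is a coarse heuristic and nothing is read from a capture file or sent on the wire.

```python
import struct
from collections import defaultdict
from dataclasses import dataclass

# Added example in the spirit of the tool above, not its code: packet
# summaries below are constructed by hand and no traffic is generated.


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str                 # "tcp" or "udp"
    flags: str = ""            # TCP flags as letters: "S", "SA", "PA", ...
    ttl: int = 64
    payload: bytes = b""


def guess_os(ttl: int) -> str:
    """Coarse guess: senders start at TTL 64, 128 or 255 and lose one per hop."""
    initial = next((t for t in (64, 128, 255) if ttl <= t), None)
    return {64: "unix-like", 128: "windows", 255: "other"}.get(initial, "unknown")


def _read_name(data: bytes, off: int):
    """Decode a DNS name at `off`, following RFC 1035 compression pointers."""
    labels, end = [], None
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:          # pointer: jump, remember where we were
            end = off + 2 if end is None else end
            off = ((length & 0x3F) << 8) | data[off + 1]
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def dns_a_answers(data: bytes):
    """Yield (name, ipv4) for each A record in a DNS response message."""
    qdcount, ancount = struct.unpack("!HH", data[4:8])
    off = 12
    for _ in range(qdcount):               # skip the question section
        _, off = _read_name(data, off)
        off += 4                           # QTYPE + QCLASS
    for _ in range(ancount):
        name, off = _read_name(data, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            yield name, ".".join(str(b) for b in data[off:off + 4])
        off += rdlen


class PassiveAnalyzer:
    def __init__(self):
        self.hosts = {}                    # ip -> OS guess
        self.open_ports = set()            # (ip, port) that answered SYN with SYN-ACK
        self.sessions = set()              # (client, cport, server, sport)
        self.hostnames = defaultdict(set)  # ip -> names learned from DNS answers
        self._syn_seen = set()

    def feed(self, p: Packet):
        self.hosts.setdefault(p.src, guess_os(p.ttl))
        if p.proto == "tcp":
            flow = (p.src, p.sport, p.dst, p.dport)
            if p.flags == "S":
                self._syn_seen.add(flow)
            elif p.flags == "SA" and flow[2:] + flow[:2] in self._syn_seen:
                self.open_ports.add((p.src, p.sport))   # server completed a handshake
                self.sessions.add(flow[2:] + flow[:2])
        elif p.proto == "udp" and p.sport == 53:
            for name, ip in dns_a_answers(p.payload):
                self.hostnames[ip].add(name)


def analyse(packets) -> PassiveAnalyzer:
    analyzer = PassiveAnalyzer()
    for p in packets:
        analyzer.feed(p)
    return analyzer


# Constructed traffic: a DNS answer, a handshake with the web server, an unanswered SYN.
DNS_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"       # 1 question, 1 answer
    b"\x03www\x07example\x03com\x00\x00\x01\x00\x01"           # www.example.com A IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xc0\x00\x02\x0a"  # A 192.0.2.10
)
SAMPLE = [
    Packet("192.0.2.53", 53, "10.0.0.5", 40001, "udp", ttl=63, payload=DNS_RESPONSE),
    Packet("10.0.0.5", 51000, "192.0.2.10", 80, "tcp", flags="S", ttl=128),
    Packet("192.0.2.10", 80, "10.0.0.5", 51000, "tcp", flags="SA", ttl=60),
    Packet("10.0.0.5", 51001, "192.0.2.10", 443, "tcp", flags="S", ttl=128),
]

if __name__ == "__main__":
    a = analyse(SAMPLE)
    print("hosts", a.hosts, "open", sorted(a.open_ports), "names", dict(a.hostnames))
```

Only a SYN answered by a SYN-ACK counts as an open port; the unanswered SYN to 443 is recorded nowhere, which is the difference between passive inference and a scan. The TTL mapping is the usual rough cut and will misclassify hosts behind tunnels or with a non-default initial TTL.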
MSRT February 2016
The February release of the Microsoft Malicious Software Removal Tool (MSRT) includes updated detections for the following malware families: Bladabindi, Gamarue, Sality, Kelihos and Diplugem. The updates include detections for the latest variants from these malware families. There were no new malware families added to the MSRT this month. The MSRT works in tandem with real-time...
https://blogs.technet.microsoft.com/mmpc/2016/02/09/msrt-february-2016/
MS16-FEB - Microsoft Security Bulletin Summary for February 2016 - Version: 1.0
https://technet.microsoft.com/en-us/library/security/MS16-FEB
Deception: Shine Bright Like a Diamond
German summary: Project plans, designs, customer data: the crown jewels of every company must be hidden from cybercriminals at all costs - or must they? Cast out the bait, because now it is the good guys who deceive! Deception is the new cyber-security approach which, according to estimates by the well-known market research firm Gartner, will be in use at around 10% of all companies by 2018. Virtual traps...
http://blog.sec-consult.com/2016/02/deception-shine-bright-like-diamond.html
Tollgrade SmartGrid Sensor Management System Software Vulnerabilities
This advisory contains mitigation details for vulnerabilities in Tollgrade Communications, Inc.'s SmartGrid LightHouse Sensor Management System (SMS) Software EMS.
https://ics-cert.us-cert.gov/advisories/ICSA-16-040-01
Bugtraq: Safebreach advisory: Node.js HTTP Response Splitting (CVE-2016-2216)
http://www.securityfocus.com/archive/1/537490
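The advisory title names a bug class rather than its details, so as an added example, not code from the advisory or from Node.js, the Python below shows what HTTP response splitting is: a serializer that writes a header value verbatim, a client-style parser that shows the stream breaking into two responses, and the header-value check that closes it. The attacker payload and the low-byte encoder are constructed for illustration; the encoder models stacks that emit one byte per UTF-16 code unit, which is why the check also rejects code points above U+00FF rather than only CR and LF.

```python
# Added example, not code from the advisory or from Node.js: a deliberately
# naive HTTP response serializer, a client-side parser that shows the split,
# and the header-value check that closes the hole.


def low_byte_encode(text: str) -> bytes:
    """Models encoders that emit one byte per UTF-16 code unit, keeping only
    the low byte: U+010D becomes 0x0D (CR) and U+010A becomes 0x0A (LF), so
    searching the string for '\\r' and '\\n' alone is not enough."""
    return bytes(ord(ch) & 0xFF for ch in text)


def serialize_unsafe(status: int, headers: list, body: bytes) -> bytes:
    """Vulnerable: header values are written verbatim."""
    lines = [f"HTTP/1.1 {status}"] + [f"{k}: {v}" for k, v in headers]
    lines.append(f"Content-Length: {len(body)}")
    return low_byte_encode("\r\n".join(lines) + "\r\n\r\n") + body


def is_valid_header_value(value: str) -> bool:
    """Allow TAB, printable ASCII and 0x80-0xFF; reject CR, LF, other control
    characters and every code point above U+00FF."""
    return all(ch == "\t" or 0x20 <= ord(ch) <= 0x7E or 0x80 <= ord(ch) <= 0xFF
               for ch in value)


def serialize_safe(status: int, headers: list, body: bytes) -> bytes:
    """Hardened: refuse the response rather than emit a smuggled one.
    (Header names deserve the same treatment; omitted for brevity.)"""
    for name, value in headers:
        if not is_valid_header_value(value):
            raise ValueError(f"unsafe character in header {name!r}")
    return serialize_unsafe(status, headers, body)


def split_responses(raw: bytes) -> list:
    """Parse a byte stream the way a client or cache does: one response per
    status line, bodies sized by Content-Length. Two results from a single
    serializer call means the response was split."""
    responses = []
    while raw.startswith(b"HTTP/1.1 "):
        head, _, rest = raw.partition(b"\r\n\r\n")
        status, *header_lines = head.split(b"\r\n")
        headers = {}
        for line in header_lines:
            name, _, value = line.partition(b":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get(b"content-length", b"0"))
        responses.append((status.decode("latin-1"), headers, rest[:length]))
        raw = rest[length:]
    return responses


def rejected(status: int, headers: list, body: bytes = b"") -> bool:
    """True if the hardened serializer refuses these headers."""
    try:
        serialize_safe(status, headers, body)
    except ValueError:
        return True
    return False


# Constructed attacker input for a redirect whose target is taken from the
# request: it closes the real response and appends a forged second one.
CRLF_PAYLOAD = ("/home\r\nContent-Length: 0\r\n\r\n"
                "HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\npwned")
# Same attack with CR/LF smuggled as U+010D / U+010A, which a filter that only
# looks for '\r' and '\n' in the string lets through.
UNICODE_PAYLOAD = CRLF_PAYLOAD.replace("\r", "\u010d").replace("\n", "\u010a")

if __name__ == "__main__":
    for label, value in (("crlf", CRLF_PAYLOAD), ("unicode", UNICODE_PAYLOAD)):
        parts = split_responses(serialize_unsafe(302, [("Location", value)], b""))
        print(label, "responses seen by client:", len(parts),
              "rejected by check:", rejected(302, [("Location", value)]))
```

The check belongs in the serializer, not in the application: an application-layer filter that searches the string for '\r' and '\n' passes UNICODE_PAYLOAD unchanged, yet the bytes on the wire still carry a CRLF and the client sees a second, attacker-authored response.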
Bugtraq: ESA-2016-010 EMC Documentum xCP Security Update for Multiple Vulnerabilities
http://www.securityfocus.com/archive/1/537489
Bugtraq: dotDefender Firewall CSRF
http://www.securityfocus.com/archive/1/537491
[2016-02-10] Yeager CMS multiple vulnerabilities
Yeager CMS suffers from multiple critical security issues, including several SQL injections, arbitrary file upload, server-side request forgery and reflected (non-persistent) cross-site scripting vulnerabilities. Unauthenticated attackers are able to compromise Yeager CMS at both the application and the database level.
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20160210-0_Yeager_CMS_Multiple_Vulnerabilities_v10.txt
DFN-CERT-2016-0237: Horde Application Framework: two vulnerabilities enable a cross-site scripting attack
09.02.2016
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0237/
Cisco Security Advisories
Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike
Cisco Prime Collaboration Provisioning Local Privilege Escalation Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160209-pcp
Cisco Application Policy Infrastructure Controller Enterprise Module Web Framework Cross-Site Scripting Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160208-apic
Cisco Video Communications Server Information Disclosure Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160208-vcs
Cisco Unified Products Information Disclosure Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160208-ucm
Cisco Unified Communications Manager Information Disclosure Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-201600208-ucm
IBM Security Bulletins
IBM Security Bulletin: Multiple vulnerabilities in IBM SDK Java Technology Edition affect Liberty for Java for IBM Bluemix January 2016 CPU (CVE-2016-0475, CVE-2016-0466, CVE-2015-7575, CVE-2016-0448)
http://www.ibm.com/support/docview.wss?uid=swg21976217
IBM Security Bulletin: A vulnerability in IBM Java Runtime affects IBM Security SiteProtector System (CVE-2015-7575)
http://www.ibm.com/support/docview.wss?uid=swg21976042
IBM Security Bulletin: Vulnerabilities in OpenSSH affect IBM Flex System Manager (FSM) (CVE-2016-0777, CVE-2016-0778)
http://www.ibm.com/support/docview.wss?uid=isg3T1023319
IBM Security Bulletin: IBM Pure Power Integrated Manager (PPIM) is affected by vulnerabilities in ntp (CVE-2014-9750, CVE-2014-9751)
http://www.ibm.com/support/docview.wss?uid=isg3T1023291
IBM Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects IBM Pure Power Integrated Manager (PPIM) (CVE-2015-7575)
http://www.ibm.com/support/docview.wss?uid=isg3T1023292
IBM Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects Watson Explorer (CVE-2015-7575)
http://www.ibm.com/support/docview.wss?uid=swg21974808
IBM Security Bulletin: IBM Netezza SQL Extensions is vulnerable to an OpenSource PCRE Vulnerability (CVE-2015-8380, CVE-2015-8382, CVE-2015-8391)
http://www.ibm.com/support/docview.wss?uid=swg21976124
IBM Security Bulletin: Multiple vulnerabilities identified in IBM Java SDK affect WebSphere Service Registry and Repository Studio (CVE-2015-4872, CVE-2015-4911, CVE-2015-4893, CVE-2015-4803)
http://www.ibm.com/support/docview.wss?uid=swg21971058
IBM Security Bulletin: A libxml vulnerability affects IBM Security Access Manager for Mobile (CVE-2015-1819)
http://www.ibm.com/support/docview.wss?uid=swg21976393
IBM Security Bulletin: GNU C library (glibc) vulnerability affects IBM Security Access Manager for Mobile (CVE-2014-8121)
http://www.ibm.com/support/docview.wss?uid=swg21976290
IBM Security Bulletin: A vulnerability in nss-softokn affects IBM Security Access Manager for Mobile (CVE-2015-2730)
http://www.ibm.com/support/docview.wss?uid=swg21976295
IBM Security Bulletin: IBM Security Access Manager for Mobile is affected by an OpenSSH vulnerability (CVE-2008-5161)
http://www.ibm.com/support/docview.wss?uid=swg21976082
IBM Security Bulletin: IBM Security Access Manager for Mobile is affected by multiple NTP vulnerabilities
http://www.ibm.com/support/docview.wss?uid=swg21975967
IBM Security Bulletin: Vulnerability in OpenSSL affects IBM MQ Light (CVE-2015-3197)
http://www.ibm.com/support/docview.wss?uid=swg21976345
IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos Command Center (CVE-2015-7575)
http://www.ibm.com/support/docview.wss?uid=swg21975832
IBM Security Bulletin: A Security Vulnerability has been identified in Apache Solr shipped with IBM Operations Analytics - Log Analysis
http://www.ibm.com/support/docview.wss?uid=swg21975544
IBM Security Bulletin: Vulnerabilities in cURL and libcURL affect IBM Security Access Manager (CVE-2014-3613, CVE-2014-8150)
http://www.ibm.com/support/docview.wss?uid=swg21974736
IBM Security Bulletin: Vulnerability in IBM Java Runtime affects IBM MQ Light (CVE-2015-7575)
http://www.ibm.com/support/docview.wss?uid=swg21976341