End-of-Shift report
Timeframe: Wednesday 10-02-2016 18:00 − Thursday 11-02-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
Critical bug found in Cisco ASA products, attackers are scanning for affected devices
Several Cisco Adaptive Security Appliance (ASA) products - appliances, firewalls, switches, routers, and security modules - have been found sporting a flaw that can ultimately lead to remote code exec...
http://www.net-security.org/secworld.php?id=19427
Some notes on VirusTotal.
Many of you are probably familiar with VirusTotal, a service that allows you to scan a file or URL using multiple antivirus and URL scanners. VirusTotal results are often used in write-ups about...
http://www.webroot.com/blog/2016/02/09/some-notes-on-virustotal/
Seo-moz.com SEO Spam Campaign
Here at Sucuri we handle countless cases of SEO spam. This malware involves a website being compromised in order to spread (mostly pharmaceutical) advertisements by linking visitors to unwanted websites and stuffing spam keywords into the site. These links and keywords help the spam websites to rank higher in search engines like Google, sending even...
https://blog.sucuri.net/2016/02/seo-moz-com-seo-spam-campaign.html
Malvertising Via Skype Delivers Angler
A recent malvertising campaign shows that platforms that display ads, even when they are not necessarily the browser, are not immune to the attack. An example of a popular non-browser application that shows ads is Skype. These images would be familiar to avid Skype users. This did not really bother us much until last night, when we...
https://labsblog.f-secure.com/2016/02/10/malvertising-via-skype-delivers-angler/
Tomcat IR with XOR.DDoS, (Thu, Feb 11th)
Apache Tomcat is a Java-based web service that is used for different applications. While you may have it running in your environment, you may not be familiar with its workings to provide adequate incident response.
0 S root 31847 1 0 80 0 - 1124641 futex_ 2015 ? 02:36:33 /usr/bin/java -classpath /usr/share/apache-tomcat-7.0.65/bin/bootstrap.jar
Here you can see that it is running from /usr/share/apache-tomcat-7.0.65.
The Tomcat configurations
https://isc.sans.edu/diary.html?storyid=20721&rss
Building automation systems are so bad IBM hacked one for free
Remote sites owned as router, controller and server all fall to pen-test team
An IBM-led penetration testing team has thoroughly owned an enterprise building management network in a free assessment designed to publicise the horrid state of embedded device security.
http://go.theregister.com/feed/www.theregister.co.uk/2016/02/11/building_automation_systems_so_bad_ibm_hacked_one_for_free/
How Malware Detects Virtualized Environment, and its Countermeasures - An Overview
Virtual machines are usually considered a good way to analyze malware, as they provide an isolated environment in which the malware can trigger while its actions are controlled and intercepted. However, modern-age malware detects the environment in which it is running, and if it detects that it is running in a VM, it sustains its...
http://resources.infosecinstitute.com/how-malware-detects-virtualized-environment-and-its-countermeasures-an-overview/
DFN-CERT-2016-0252: Cisco Adaptive Security Appliance Software: A vulnerability allows taking control of the system
A vulnerability in the Cisco Adaptive Security Appliances Software allows a remote, unauthenticated attacker to execute arbitrary code and thereby take control of an affected system; carrying out a denial-of-service attack is also possible.
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0252/
ZDI-16-163: Dell SonicWALL GMS Virtual Appliance Deserialization of Untrusted Data Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Dell SonicWALL GMS Virtual Appliance. Authentication is not required to exploit this vulnerability.
http://www.zerodayinitiative.com/advisories/ZDI-16-163/
ZDI-16-164: Dell SonicWALL GMS Virtual Appliance Multiple Remote Code Execution Vulnerabilities
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Dell SonicWALL GMS Virtual Appliance. Authentication is required to exploit this vulnerability.
http://www.zerodayinitiative.com/advisories/ZDI-16-164/
Cisco Spark Representational State Transfer Interface Information Disclosure Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-sp2
Cisco Spark Representational State Transfer Interface Unauthorized Access Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-sp1
Cisco Spark Representational State Transfer Interface Denial of Service Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-sp3
Cisco Advanced Malware Protection and Email Security Appliance Proxy Engine Security Bypass Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160211-esaamp
Citrix NetScaler Application Delivery Controller and NetScaler Gateway Multiple Security Updates
A number of vulnerabilities have been identified in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway that could allow a malicious, unprivileged user to perform privileged operations or execute commands.
https://support.citrix.com/article/CTX206001
IBM Security Bulletins
IBM Security Bulletin: Vulnerability in libssh2 affects PowerKVM (CVE-2015-1782)
http://www.ibm.com/support/docview.wss?uid=isg3T1023318
IBM Security Bulletin: Multiple vulnerabilities in curl affect PowerKVM
http://www.ibm.com/support/docview.wss?uid=isg3T1023307
IBM Security Bulletin: Vulnerability in IBM Java Runtime affects Tivoli Storage Manager Operations Center and Tivoli Storage Manager Client Management Service (CVE-2015-7575)
http://www.ibm.com/support/docview.wss?uid=swg21976362
IBM Security Bulletin: Vulnerability in IBM Java Runtime affects AppScan Source (CVE-2015-7575)
http://www.ibm.com/support/docview.wss?uid=swg21976569
IBM Security Bulletin: Vulnerability in cpio affects PowerKVM (CVE-2014-9112)
http://www.ibm.com/support/docview.wss?uid=isg3T1023298
IBM Security Bulletin: Vulnerability in Linux Kernel affects PowerKVM (CVE-2016-0728)
http://www.ibm.com/support/docview.wss?uid=isg3T1023279
IBM Security Bulletin: A vulnerability in OpenSSL affects IBM Netezza Platform Software clients (CVE-2015-3194)
http://www.ibm.com/support/docview.wss?uid=swg21976419
IBM Security Bulletin: IBM Sterling Order Management is affected by Apache Commons Collections security vulnerabilities (CVE-2015-7450)
http://www.ibm.com/support/docview.wss?uid=swg21975793
IBM Security Bulletin: Cross-site scripting vulnerability in Liberty for Java for IBM Bluemix (CVE-2015-7417)
http://www.ibm.com/support/docview.wss?uid=swg21976218
IBM Security Bulletin: Multiple vulnerabilities in IBM JAVA Runtime affect AppScan Source (CVE-2015-4872)
http://www.ibm.com/support/docview.wss?uid=swg21976159