End-of-Shift report
Timeframe: Tuesday 01-03-2016 18:00 − Wednesday 02-03-2016 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
Threat Actors Behind "Shrouded Crossbow" Create BIFROSE for UNIX
We recently came across a variant of the BIFROSE malware that has been rewritten for UNIX and UNIX-like systems. This is the latest tool developed by attackers behind operation Shrouded Crossbow, which have produced other BIFROSE variants such as KIVARS and KIVARS x64. UNIX-based operating systems are widely used in servers, workstations, and even mobile devices. With a lot of highly confidential data found in these servers and devices, a UNIX version of BIFROSE can certainly be classified as a...
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/m3eM40z3oI8/
Cachebleed attack: CPU cache can leak private keys
Researchers have succeeded in eavesdropping on OpenSSL's RSA operations by means of a cache-timing attack and thereby recovering the private key. The Cachebleed attack exploits access conflicts in the cache memory.
http://www.golem.de/news/cachebleed-angriff-cpu-cache-kann-private-schluessel-verraten-1603-119497-rss.html
Let's ride with TeslaCrypt
TeslaCrypt is a ransomware spread by e-mails or exploit kits. It encrypts your files and asks you to pay in order to retrieve the decryption key. The current version is 3.0. Many analyses are already available on the Internet. In this article we are focusing on two aspects of TeslaCrypt: the attack vector and the web callback...
http://thisissecurity.net/2016/03/02/lets-ride-with-teslacrypt/
Security: Purported Locky warning from the BKA is a trojan
The fear of Locky is now apparently being exploited by criminals. An e-mail purportedly sent by the Bundeskriminalamt (German Federal Criminal Police Office) warns about the crypto-trojan and offers a removal tool, which itself contains malware.
http://www.golem.de/news/security-angebliche-locky-warnung-vom-bka-ist-ein-trojaner-1603-119525-rss.html
$17 smartwatch sends something to random Chinese IP address
Samsung Gear 2 also has some problems, researcher says. RSA BSides: A cheap smart watch often peddled on eBay uses a pairing app for Android or iOS that contains a backdoor that quietly connects to an unknown Chinese IP address.
http://go.theregister.com/feed/www.theregister.co.uk/2016/03/02/chinese_backdoor_found_in_ebays_popular_cheap_smart_watch/
iPhone fingerprint sensor can be fooled with modelling clay
A manufacturer of fingerprint sensors demonstrates how easily Apple's Touch ID can be bypassed with forged fingerprints.
http://futurezone.at/produkte/iphone-fingerabdruck-laesst-sich-mit-plastilin-austricksen/184.429.253
The DROWN attack on SSL/TLS
Here we go again: there is a media frenzy around a newly discovered vulnerability in SSL/TLS. It has a name (DROWN = Decrypting RSA with Obsolete and Weakened eNcryption) and a fancy logo. All the details can be read at: [...] We have looked at it and decided not to publish an official warning about it. The problem is not as urgent and dramatic as some...
http://www.cert.at/services/blog/20160302151126-1688.html
Django Bugs Let Remote Users Conduct Redirect and Cross-Site Scripting Attacks and Determine Valid Usernames
http://www.securitytracker.com/id/1035152
DFN-CERT-2016-0366: Perl: Multiple vulnerabilities allow, among other things, the execution of arbitrary code with user privileges
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0366/
Intel Security - Security Bulletin: Protected resource access bypass vulnerability resolved in multiple McAfee endpoint products for Microsoft Windows
Multiple McAfee endpoint products include a private mechanism to access settings and files protected by self-protection rules. This mechanism is not sufficiently secure and may be misused to access registry keys and files that should be protected from tampering.
https://kc.mcafee.com/corporate/index/content&id=SB10151
Schneider Electric Building Operation Application Server Vulnerability
This advisory contains mitigation details for a vulnerability in servers programmed with Schneider Electric's StruxureWare Building Operation software.
https://ics-cert.us-cert.gov/advisories/ICSA-16-061-01
Rockwell Automation Allen-Bradley CompactLogix Reflective Cross-Site Scripting
This advisory is a follow-up to the alert titled ICS-ALERT-15-225-01A Rockwell Automation 1766-L32 Series Vulnerability that was published August 13, 2015, on the NCCIC/ICS-CERT web site. This advisory contains mitigation details for a cross-site scripting vulnerability in Rockwell Automation's CompactLogix application.
https://ics-cert.us-cert.gov/advisories/ICSA-16-061-02
Cisco Security Advisories
Cisco NX-OS Software TCP Netstack Denial of Service Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160302-netstack
Cisco Nexus 3000 Series and 3500 Platform Switches Insecure Default Credentials Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160302-n3k
Cisco Web Security Appliance HTTPS Packet Processing Denial of Service Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160302-wsa
Cisco NX-OS Software SNMP Packet Denial of Service Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160302-n5ksnmp
Cisco FireSIGHT System Software Covert Timing Channel Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160302-FireSIGHT1
Cisco FireSIGHT System Software Device Management UI Cross-Site Scripting Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160302-FireSIGHT
IBM Security Bulletins
IBM Security Bulletin: GNU C library (glibc) vulnerability affects IBM Security Privileged Identity Manager Virtual Appliance (CVE-2015-7547)
http://www.ibm.com/support/docview.wss?uid=swg21978009
IBM Security Bulletin: Lotus Protector for Mail affected by glibc, getaddrinfo stack-based buffer overflow (CVE-2015-7547)
http://www.ibm.com/support/docview.wss?uid=swg21977368
IBM Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects IBM Marketing Platform, IBM Campaign, IBM Predictive Insight, IBM Contact Optimization, IBM Marketing Operations (CVE-2015-7575)
http://www.ibm.com/support/docview.wss?uid=swg21976886
IBM Security Bulletin: A vulnerability in the GSKit component of IBM Tivoli Storage Manager Fastback for Workstations (CVE-2016-0201)
http://www.ibm.com/support/docview.wss?uid=swg21974685
Security Bulletin: Vulnerabilities in OpenSSL and MD5 Signature and Hash Algorithm (CVE-2015-7575) affect IBM System Networking RackSwitch products.
http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5099210
Security Bulletin: Multiple vulnerabilities, including MD5 Signature and Hash Algorithm (CVE-2015-7575), affect IBM Flex System Networking Switches
http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5099200
IBM Security Bulletin: Multiple vulnerabilities in libpng affect IBM Cognos Metrics Manager (CVE-2015-8126, CVE-2015-8472, CVE-2015-8540)
http://www.ibm.com/support/docview.wss?uid=swg21976924
IBM Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects IBM Client Application Access (CVE-2015-7575)
http://www.ibm.com/support/docview.wss?uid=swg21977618