End-of-Shift report
Timeframe: Tuesday 15-03-2016 18:00 − Wednesday 16-03-2016 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
Bugtraq: [security bulletin] HPSBGN03556 rev.1 - ArcSight ESM and ESM Express, Remote Arbitrary File Download, Local Arbitrary Command Execution
http://www.securityfocus.com/archive/1/537801
Exploit Kits in 2015: Scale and Distribution
In the first part of this series of blog posts, we discussed what new developments and changes in the exploit kit landscape were seen in 2015. In this post, we look at the scale of the exploit kit problem - how many users were affected, ...
http://blog.trendmicro.com/trendlabs-security-intelligence/exploit-kits-2015-scale-distribution/
Apache Struts Input Validation Flaw in I18NInterceptor Lets Remote Users Conduct Cross-Site Scripting Attacks
http://www.securitytracker.com/id/1035272
Apache Struts Double OGNL Evaluation Lets Remote Users Execute Arbitrary Code on the Target System
http://www.securitytracker.com/id/1035271
VMware vRealizes that vRealize has XSS bugs on Linux
Virtzilla also released the first maintenance release for vRealize Automation. A tricky Tuesday for VMware's vRealize products, which have received the first maintenance release for version 7 and also become the subject of a security alert.
www.theregister.co.uk/2016/03/16/vmware_vrealizes_that_vrealize_has_xss_bugs_on_linux/
OpenSSH 7.2p1 xauth Command Injection / Bypass
https://cxsecurity.com/issue/WLB-2016030083
TeslaCrypt 3.1? New Ransomware Strain Removes ShadowCopies via WMI
The authors of the TeslaCrypt 3.1 ransomware understood that the common ransomware action of deleting shadow copies by executing "vssadmin Delete Shadows /All /Quiet" draws the defenders' attention, and so they worked around that by using WMI.
http://www.minerva-labs.com/
subsearch
subsearch is a command line tool designed to brute force subdomain names. It is aimed at penetration testers and bug bounty hunters and has been built with a focus on speed, stealth and reporting.
https://github.com/gavia/subsearch
Git Buffer Overflow Lets Remote Authenticated Users Execute Arbitrary Code
http://www.securitytracker.com/id/1035290
FortiOS open redirect vulnerability
The FortiOS web UI accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. The redirect input parameter is also prone to cross-site scripting.
http://www.fortiguard.com/advisory/fortios-open-redirect-vulnerability
IBM Security Bulletin: Vulnerabilities in java affect Power Hardware Management Console (CVE-2016-0448)
http://www.ibm.com/support/docview.wss?uid=nas8N1021172
IBM Security Bulletin: Vulnerabilities in OpenSSH affect Tivoli Provisioning Manager for OS Deployment and Tivoli Provisioning Manager for Images (CVE-2016-0777, CVE-2016-0778)
http://www.ibm.com/support/docview.wss?uid=swg21978487
IBM Security Bulletin: Vulnerability in OpenSSL affects IBM WebSphere MQ (CVE-2015-1788)
http://www.ibm.com/support/docview.wss?uid=swg21972125
DDoSing with Other People's Botnets
While I was reverse engineering ZeroAccess in order to write a monitoring system, I had an idea which would allow me to use ZeroAccess C&C infrastructure to reflect and amplify a UDP-based DDoS attack, which I'd found to be beautifully ironic. After further analysis, I discovered it may even be possible to use non-worker bots (which connect from behind NAT) to participate in the attack.
http://www.malwaretech.com/2016/03/ddosing-with-other-peoples-botnets.html
Foxit Reader, Foxit PhantomPDF: Multiple vulnerabilities allow, among other things, various denial-of-service attacks
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0461/
Nude photos of celebrities: suspect admits phishing attack on iCloud
In the proceedings over the publication of private celebrity photos, the suspect has pleaded guilty to phishing. However, the man denies having anything to do with the publication of the pictures.
http://www.golem.de/news/nacktfotos-von-prominenten-verdaechtiger-gesteht-phishing-angriff-auf-icloud-1603-119812.html
HTTPS: 77 percent of all Google requests encrypted
In its transparency report, Google now also documents the percentage of transport encryption for its own services and for requests to the search engine's servers. The high figure for ad delivery is particularly surprising.
http://heise.de/-3140351
Ransomware on websites of the New York Times and BBC
Potentially millions of users at risk; security researchers see evidence of weaknesses in the ad network
http://derstandard.at/2000033046874
AceDeceiver: iOS trojan exploits vulnerabilities in Apple's DRM
According to a security firm, attackers have repeatedly succeeded in getting malware into the App Store unhindered. Through weaknesses in Apple's FairPlay DRM, the malware can also reach iPhones - without an enterprise certificate.
http://heise.de/-3140627