End-of-Shift report
Timeframe: Friday 08-04-2016 18:00 - Monday 11-04-2016 18:00
Handler: Alexander Riepl
Co-Handler: Robert Waldner
Mumblehard takedown ends army of Linux servers from spamming
One year after the release of the technical analysis of the Mumblehard Linux botnet, we are pleased to report that it is no longer active. ESET, in cooperation with the Cyber Police of Ukraine and CyS Centrum LLC, have taken down the Mumblehard botnet, stopping all its spamming activities since February 29th, 2016.
http://www.welivesecurity.com/2016/04/07/mumblehard-takedown-ends-army-of-linux-servers-from-spamming/
Improvements to Safe Browsing Alerts for Network Administrators
[...] Today, to provide Network Admins with even more useful information for protecting their users, we're adding URLs related to Unwanted Software, Malicious Software, and Social Engineering to the set of information we share. Here's the full set of data we share with network administrators:[...]
https://security.googleblog.com/2016/04/improvements-to-safe-browsing-alerts.html
Ransomware: Locky, TeslaCrypt, Other Malware Families Use New Tool To Evade Detection
Today we identified a new tool actively being used by the Locky ransomware family to evade detection and potentially infect endpoints. Unit 42 identified slight changes in Locky detonations through the AutoFocus threat intelligence service,...
http://researchcenter.paloaltonetworks.com/2016/04/unit42-ransomware-locky-teslacrypt-other-malware-families-use-new-tool-to-evade-detection/
FBI: $2.3 Billion Lost to CEO Email Scams
The U.S. Federal Bureau of Investigation (FBI) this week warned about a "dramatic" increase in so-called "CEO fraud," e-mail scams in which the attacker spoofs a message from the boss and tricks someone at the organization into wiring funds to the fraudsters. The FBI estimates that these scams have cost organizations more than $2.3 billion in losses over the past three years.
http://krebsonsecurity.com/2016/04/fbi-2-3-billion-lost-to-ceo-email-scams/
If only hackers could stop slurping test and dev databases. Wait, our phone is ringing ...
Delphix thinks it has a solution. Exposure and loss of sensitive data is happening everywhere these days. One attack surface, as the jargon has it, is sensitive production data used in internal testing and development systems.
http://www.theregister.co.uk/2016/04/08/delphix_data_breach_prevention/
Hikvision Digital Video Recorder Cross-Site Request Forgery
The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5315.php
The Open-source vulnerabilities database (OSVDB) shuts down permanently
The Open Sourced Vulnerability Database (OSVDB) has shut down permanently; the news was reported in a blog post published by the maintainers of the project. The decision was made in response to the lack of assistance from the industry.
http://securityaffairs.co/wordpress/46129/security/osvdb-shuts-down.html
Windows XP refuses to die: 11 percent market share
15 years after its release and two years after Microsoft ended support, Windows XP is still the third most common desktop operating system.
http://futurezone.at/produkte/windows-xp-ist-nicht-totzukriegen-11-prozent-marktanteil/191.839.744
Hacker attack on DuMont media group: newspaper portals affected
Systems shut down as a security precaution
http://derstandard.at/2000034558622
Moxa NPort Device Vulnerabilities
NCCIC/ICS-CERT is aware of a public report of vulnerabilities affecting Moxa NPort 6110, 5100 series, and 6000 series devices. The Moxa NPort 6110 device is a Modbus/TCP to serial communication gateway. Moxa NPort 5100 series and 6000 series devices are serial-to-Ethernet converters.
https://ics-cert.us-cert.gov/alerts/ICS-ALERT-16-099-01
Learning from Bait and Switch Mobile Ransomware
Porn and mobile malware: two things that can elicit the response "I didn't know how it got there" when someone finds them. We have recently caught sight of a mobile ransomware distributed by fake adult websites. However, much like a lot of things in the adult industry, this malware doesn't seem very logical. This piece showcases an incident that can help users understand mobile threats and aims to boost user awareness of these threats. We believe that securing knowledge
http://blog.trendmicro.com/trendlabs-security-intelligence/learning-from-bait-switch-mobile-ransomware/
Mindless Flash masses saved as exploit kit devs go astray with 0day
Since-patched flaw was imperfectly targeted by incompetent crimeware. Malwarebytes hacker Jerome Segura says black hats have made a mess of efforts to unleash an Adobe Flash zero day vulnerability as part of their popular exploit kit, reducing the pool of potential victims.
http://www.theregister.co.uk/2016/04/11/mindless_flash_masses_saved_as_magnitude_mongrels_bork_0day/
Vista: the last year for the much-hated Windows version
Support ends on 11 April 2017 - an update soon is recommended
http://derstandard.at/2000034590249
New Threat Report
Our latest threat report (PDF) is now available. The report discusses trends from the most prevalent cybersecurity threats we've seen during the year 2015. The Chain of Compromise (CoC) model is also introduced along with exploit kits, ransomware and more. Get it and more from: f-secure.com/labs
https://labsblog.f-secure.com/2016/04/11/new-threat-report/
Petya ransomware cracked, password generator released
A free tool can generate the password needed for decryption within a few seconds, promises the tool's author. First reports of success from Petya victims are already in.
http://heise.de/-3167064
Nuclear Drops Tor Runs and Hides
Yesterday we observed a new technique in the Nuclear kit and found a new payload and technique we've not seen before.
http://blog.talosintel.com/2016/04/nuclear-tor.html
iMessage vulnerability allows access to all messages in plaintext
A security hole in the Messages app allows an attacker to read out the database containing all of the victim's communication as soon as the victim clicks a link sent to them. Apple has fixed the vulnerability in OS X 10.11.4.
http://www.heise.de/newsticker/meldung/iMessage-Schwachstelle-ermoeglicht-Zugriff-auf-alle-Nachrichten-im-Klartext-3167921.html?wt_mc=rss.ho.beitrag.rdf
IBM Security Bulletins
IBM Security Bulletin: Vulnerability in OpenSSL affects IBM Netezza Host Management (CVE-2016-2842)
http://www.ibm.com/support/docview.wss?uid=swg21980927
IBM Security Bulletin: Multiple vulnerabilities in RubyOnRails affect IBM BigFix Compliance Analytics (CVE-2016-2097, CVE-2016-2098)
http://www.ibm.com/support/docview.wss?uid=swg21979720
IBM Security Bulletin: Vulnerability in Samba affects IBM Spectrum Scale SMB protocol access method (CVE-2015-7560)
http://www.ibm.com/support/docview.wss?uid=ssg1S1005727
IBM Security Bulletin: Potential security vulnerability in IBM WebSphere Application Server if FIPS 140-2 is enabled (CVE-2016-0306)
http://www.ibm.com/support/docview.wss?uid=swg21979231
IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect AIX (CVE-2016-0800, CVE-2016-0799, CVE-2016-0798, CVE-2016-0797, CVE-2016-0705, CVE-2016-0702)
http://www.ibm.com/support/
IBM Security Bulletin: Cross-site scripting vulnerability in Liberty for Java for IBM Bluemix (CVE-2016-0283)
http://www.ibm.com/support/docview.wss?uid=swg21980429
IBM Security Bulletin: IBM InfoSphere Information Governance Catalog is vulnerable to XXE Injection Attack (CVE-2016-0250)
http://www.ibm.com/support/docview.wss?uid=swg21977152
IBM Security Bulletin: Vulnerabilities in OpenSSL affect Tivoli Provisioning Manager for OS Deployment and Tivoli Provisioning Manager for Images (CVE-2016-0701, CVE-2015-3197)
http://www.ibm.com/support/docview.wss?uid=swg21979209
IBM Security Bulletin: Multiple vulnerabilities in RubyOnRails affect IBM BigFix Compliance Analytics (CVE-2015-7581, CVE-2016-0751, CVE-2016-0752, CVE-2016-0753)
http://www.ibm.com/support/docview.wss?uid=swg21979514
IBM Security Bulletin: Vulnerability in IBM Java SDK affects IBM Algorithmics Algo Risk Application and Counterparty Credit Risk (CVE-2015-7575)
http://www.ibm.com/support/docview.wss?uid=swg21979757
IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM BigFix Compliance Analytics (CVE-2015-7575, CVE-2016-0466)
http://www.ibm.com/support/docview.wss?uid=swg21979412
IBM Security Bulletin: Financial Transaction Manager for Corporate Payment Services Access Control: Information Disclosure - Dojo Readmes (CVE-2016-0232)
http://www.ibm.com/support/docview.wss?uid=swg21977163
IBM Security Bulletin: IBM DB2 LUW contains a denial of service vulnerability in which a malformed DRDA message may cause the DB2 server to terminate abnormally (CVE-2016-0211)
http://www.ibm.com/support/docview.wss?uid=swg21979984
IBM Security Bulletin: Vulnerability in libxml2 affects IBM BigFix Compliance Analytics (CVE-2015-8317)
http://www.ibm.com/support/docview.wss?uid=swg21979515
IBM Security Bulletin: Multiple vulnerabilities in libxml2 affect IBM BigFix Compliance Analytics (CVE-2015-5312, CVE-2015-7497, CVE-2015-7498, CVE-2015-7499, CVE-2015-7500)
http://www.ibm.com/support/docview.wss?uid=swg21979513