Daily summary - Thursday 21-04-2016

End-of-Shift report

Timeframe: Wednesday 20-04-2016 18:00 - Thursday 21-04-2016 18:00 Handler: Stephan Richter Co-Handler: n/a

Supposed parcel notification from the "Post" can render your data unusable through encryption

Modus operandi: No sooner is the threat from supposed DHL e-mails subsiding than a new wave of e-mails with dangerous content reaches us. The mail now claims to come from the "Post" and reports a delivery attempt that could not be completed. The rest of the procedure remains the same: the recipient is asked to download the shipping note via a link in the mail.

http://www.bmi.gv.at/cms/BK/betrug/files/Cryptolocker_Ransomware_Post.pdf


Decoding Pseudo-Darkleech (#1), (Thu, Apr 21st)

I'm currently going through a phase of WordPress dPression. Either my users are exceptionally adept at finding hacked and subverted WordPress sites, or there are just so many of these sites out there. This week's particular fun seems to be happening on restaurant web sites. Inevitably, when checking out the origin of some crud, I discover a dPressing installation that shows signs of being owned for months. The subverted sites currently lead to Angler Exploit Kit (Angler EK), and are using...

https://isc.sans.edu/diary.html?storyid=20969&rss


SpyEye botnet kit developer sentenced to long jail term

Aleksandr Andreevich Panin, the Russian developer of the SpyEye botnet creation kit, and an associate were on Wednesday sentenced to prison terms by a court in Atlanta, Georgia, for their role in developing and distributing malware that is said to have caused millions of dollars in losses to the financial sector. Panin, who set out to develop SpyEye as a successor to the Zeus malware that has affected financial institutions since 2009, was sentenced by the court to nine and a half years in prison,...

http://www.cio.com/article/3059554/spyeye-botnet-kit-developer-sentenced-to-long-jail-term.html


Looking Into a Cyber-Attack Facilitator in the Netherlands

A small webhosting provider with servers in the Netherlands and Romania has been a hotbed of targeted attacks and advanced persistent threats (APT) since early 2015. From May 2015 until today we counted over 100 serious APT incidents that originated from servers of this small provider. Pawn Storm used the servers for at least 80 high-profile attacks against various governments in the US, Europe, Asia, and the Middle East. Formally the Virtual Private Server (VPS) hosting company is...

http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/MKFUpCeHi9s/


FBI warns farming industry about equipment hacks, data breaches

As Internet-connected equipment is increasingly used in many industry sectors, alerts like the latest one issued by the FBI to US farmers will likely become a regular occurrence. While precision agriculture technology (a.k.a. smart farming) reduces farming costs and increases crop yields, farmers need to be aware of and understand the associated cyber risks to their data and ensure that companies entrusted to manage their data, including digital management tool and application developers...

https://www.helpnetsecurity.com/2016/04/21/farming-cyber-risks/


Lab - Cryptographic Algorithms

For this lab we'll be using GPG and OpenSSL to demonstrate symmetric and asymmetric encryption/decryption, and MD5 and SHA1 to demonstrate hash functions. Virtual Machine Needed: Kali. Before starting the lab, here are some definitions: In all symmetric crypto algorithms (also called Secret Key encryption) a single secret key is used both to encrypt plaintext and to decrypt the...

http://resources.infosecinstitute.com/lab-cryptographic-algorithms/
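
The three building blocks named above (a secret-key round trip, a public-key round trip, and hashing) with the openssl command line, as an added example that is not part of the InfoSec Institute lab. It assumes openssl 1.1.1 or newer on PATH (the -pbkdf2 option needs it); file names, passphrases and sample strings are made up for the demo. MD5 and SHA1 are included only to mirror the lab: both have practical collision attacks, so SHA-256 is shown alongside them.

```shell
#!/bin/sh
# Added example (not from the lab): symmetric and asymmetric round trips
# plus hashing with the openssl CLI. Assumes openssl >= 1.1.1 on PATH.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Symmetric (secret-key) encryption: one passphrase both encrypts and decrypts.
# -pbkdf2 derives the AES key with a salted, iterated KDF instead of the
# legacy single-round EVP_BytesToKey derivation openssl enc uses by default.
sym_encrypt() {   # sym_encrypt PLAINTEXT PASSPHRASE OUTFILE
    printf '%s' "$1" |
        openssl enc -aes-256-cbc -salt -pbkdf2 -pass "pass:$2" -out "$3"
}
sym_decrypt() {   # sym_decrypt INFILE PASSPHRASE  -> plaintext on stdout
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "pass:$2" -in "$1"
}

# Asymmetric (public-key) encryption: anyone with the public key can encrypt,
# only the private-key holder can decrypt. OAEP padding is used because
# PKCS#1 v1.5 encryption padding is exposed to padding-oracle attacks.
asym_keygen() {   # asym_keygen PREFIX  -> PREFIX.priv.pem and PREFIX.pub.pem
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1.priv.pem" 2>/dev/null
    openssl pkey -in "$1.priv.pem" -pubout -out "$1.pub.pem"
}
asym_encrypt() {  # asym_encrypt PLAINTEXT PUBKEY OUTFILE
    printf '%s' "$1" |
        openssl pkeyutl -encrypt -pubin -inkey "$2" \
            -pkeyopt rsa_padding_mode:oaep -out "$3"
}
asym_decrypt() {  # asym_decrypt INFILE PRIVKEY  -> plaintext on stdout
    openssl pkeyutl -decrypt -inkey "$2" -pkeyopt rsa_padding_mode:oaep -in "$1"
}

# Hash functions: fixed-length one-way digest of arbitrary input. The digest is
# the last whitespace-separated field of openssl dgst output on every version.
hash_hex() {      # hash_hex ALGORITHM STRING  -> lowercase hex digest
    printf '%s' "$2" | openssl dgst "-$1" | awk '{print $NF}'
}

# Stand-alone demonstration of all three.
demo() {
    sym_encrypt 'attack at dawn' 'correct horse battery' "$WORK/aes.bin"
    echo "AES-256-CBC round trip: $(sym_decrypt "$WORK/aes.bin" 'correct horse battery')"
    # A wrong passphrase yields a padding error (or, rarely, garbage), never the plaintext.
    echo "Wrong passphrase: $(sym_decrypt "$WORK/aes.bin" 'wrong' 2>&1 || true)"
    asym_keygen "$WORK/rsa"
    asym_encrypt 'session key 0xC0FFEE' "$WORK/rsa.pub.pem" "$WORK/rsa.bin"
    echo "RSA-OAEP round trip: $(asym_decrypt "$WORK/rsa.bin" "$WORK/rsa.priv.pem")"
    for alg in md5 sha1 sha256; do
        echo "$alg(\"abc\") = $(hash_hex "$alg" abc)"
    done
}
demo
```

The symmetric functions never touch a key file: the same passphrase string is all either side needs, which is exactly why it must be exchanged over a separate secure channel. The asymmetric pair splits that into a public half that can be published and a private half that never leaves the decrypting host.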


Xenophobic printouts: "hacker attack" on university printers

Hacker attack or just a wrong printer configuration: at several universities in Germany, documents with xenophobic content have been found in the printers.

http://www.golem.de/news/fremdenfeindliche-ausdrucke-hackerangriff-auf-universitaetsdrucker-1604-120478-rss.html


Security update available for the Adobe Analytics AppMeasurement for Flash Library

A Security Bulletin (APSB16-13) has been published regarding a security update for the Adobe Analytics AppMeasurement for Flash Library. This update resolves an important vulnerability in the AppMeasurement for Flash library that could be abused to conduct DOM-based cross-site scripting attacks...

https://blogs.adobe.com/psirt/?p=1341


DFN-CERT-2016-0655: Squid: Multiple vulnerabilities allow, among other things, the execution of arbitrary code

https://portal.cert.dfn.de/adv/DFN-CERT-2016-0655/


[R2] Nessus < 6.6 Fixes Two Vulnerabilities

http://www.tenable.com/security/tns-2016-08


Moxa NPort Device Vulnerabilities (Update A)

This alert update is a follow-up to the original NCCIC/ICS-CERT Alert titled ICS-ALERT-16-099-01 Moxa NPort Device Vulnerabilities that was published April 8, 2016, on the ICS-CERT web page. ICS-CERT is aware of a public report of vulnerabilities affecting multiple models of the Moxa NPort device. ICS-CERT has notified Moxa of the report, and Moxa has validated all five of the reported vulnerabilities.

https://ics-cert.us-cert.gov/alerts/ICS-ALERT-16-099-01


Hyper-V - vmswitch.sys VmsMpCommonPvtHandleMulticastOids Guest to Host Kernel-Pool Overflow

Topic: Hyper-V - vmswitch.sys VmsMpCommonPvtHandleMulticastOids Guest to Host Kernel-Pool Overflow Risk: High Text: /* This function is reachable by sending an RNDIS Set request with OID 0x01010209 (OID_802_3_MULTICAST_LIST) from the Guest to...

https://cxsecurity.com/issue/WLB-2016040133


Avast SandBox Escape via IOCTL Requests

Topic: Avast SandBox Escape via IOCTL Requests Risk: Medium Text: * CVE: CVE-2016-4025 * Vendor: Avast * Reported by: Kyriakos Economou * Date of Release: 19/04/2016 * Affected Products: Mu...

https://cxsecurity.com/issue/WLB-2016040134


Cisco Security Advisories

Cisco Wireless LAN Controller Management Interface Denial of Service Vulnerability

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160420-wlc

Cisco Wireless LAN Controller Denial of Service Vulnerability

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160420-bdos

Cisco Adaptive Security Appliance Software DHCPv6 Relay Denial of Service Vulnerability

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160420-asa-dhcpv6

Cisco Wireless LAN Controller HTTP Parsing Denial of Service Vulnerability

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160420-htrd

Multiple Cisco Products libSRTP Denial of Service Vulnerability

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160420-libsrtp

IBM Security Bulletins

IBM Security Bulletin: A vulnerability in OpenSSL affects IBM Tivoli Netcool System Service Monitors/Application Service Monitors (CVE-2016-0800)

http://www.ibm.com/support/docview.wss?uid=swg21980721

IBM Security Bulletin: A vulnerability in libcURL affects IBM Tivoli Netcool System Service Monitors/Application Service Monitors (CVE-2015-3237)

http://www.ibm.com/support/docview.wss?uid=swg21980719

IBM Security Bulletin: Vulnerabilities in OpenSSL affects IBM Tivoli Netcool System Service Monitors/Application Service Monitors (CVE-2015-3197, CVE-2015-4000)

http://www.ibm.com/support/docview.wss?uid=swg21980716

IBM Security Bulletin: Vulnerabilities in OpenSSL affects IBM Tivoli Netcool System Service Monitors/Application Service Monitors (CVE-2015-3194, CVE-2015-3195, CVE-2015-3196)

http://www.ibm.com/support/docview.wss?uid=swg21980714

IBM Security Bulletin: Current Releases of IBM® SDK for Node.js™ are affected by CVE-2015-8851

http://www.ibm.com/support/docview.wss?uid=swg21981528

IBM Security Bulletin: IBM Spectrum Scale, with the Spectrum Scale GUI installed, is affected by a security vulnerability (CVE-2016-0361)

http://www.ibm.com/support/docview.wss?uid=ssg1S1005742

Drupal Security Advisories for Third-Party Modules

EPSA Crop - Image Cropping - Critical - XSS - SA-CONTRIB-2016-024 - Unsupported

https://www.drupal.org/node/2710247

Organic groups - Moderately Critical - Access bypass - DRUPAL-SA-CONTRIB-2016-023

https://www.drupal.org/node/2710115

Search API - Moderately Critical - Multiple Vulnerabilities - SA-CONTRIB-2016-022

https://www.drupal.org/node/2710063