End-of-Shift report
Timeframe: Friday 22-04-2016 18:00 - Monday 25-04-2016 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
Angler Exploit Kit, Bedep, and CryptXXX (Sat, Apr 23rd)
Introduction: On Friday 2016-04-15, Proofpoint researchers spotted CryptXXX [1], a new type of ransomware from the actors behind Reveton. CryptXXX is currently spread through Bedep infections sent by the Angler exploit kit (EK). So far, I've only seen Bedep send CryptXXX after Angler EK traffic caused by the pseudo-Darkleech campaign. CryptXXX infections have their own distinct look. Bedep recently improved its evasion capabilities [3]. It's being sent by one of the most...
https://isc.sans.edu/diary.html?storyid=20981&rss
Highlights from the 2016 HPE Annual Cyber Threat Report, (Mon, Apr 25th)
HP released their annual report for 2016 that covers a broad range of information (96 pages) in various sectors and industries. The report is divided into 7 themes; those that appear the most interesting to me are Theme #5: The industry didn't learn anything about patching in 2015 and Theme #7: The monetization of malware. Theme #5: According to this report, the bug that was the most exploited in 2014 was still the most exploited last year, and it is now over five years old. CVE-2010-2568 where a...
https://isc.sans.edu/diary.html?storyid=20985&rss
Top 10 web hacking techniques of 2015
Now in its tenth year, the Top 10 List of Web Hacking Techniques takes a step back from the implications of an attack to understand how they happen. The list is chosen by the security research community, coordinated by WhiteHat Security. After receiving 39 submissions detailing hacking techniques discovered in 2015, the following hacks were voted into the top 10 spaces: FREAK (Factoring Attack on RSA-Export Keys) LogJam Web Timing Attacks Made Practical Evading All...
https://www.helpnetsecurity.com/2016/04/25/top-10-web-hacking-techniques-2015/
Critical vulnerabilities: HP Data Protector does without authentication
Attackers can exploit several vulnerabilities in HP Data Protector and push code onto computers. Security updates prevent this.
http://heise.de/-3183095
Snap: Ubuntu's new packages are not more secure on the desktop
Ubuntu maker Canonical claims that the new Snap package format makes installed apps more secure. For desktop users, however, that is not true.
http://heise.de/-3183128
RDP Replay Code Release
We took a more in depth look to see what information could be extracted from a PCAP of this [RDP] activity, and this led to a tool being created to replay the RDP session as the attacker would have seen it. We have made this tool available after being asked by a number of our blog readers. This tool requires the private key for decrypting, which can usually be recovered with cooperation from the client.
http://www.contextis.com/resources/blog/rdp-replay-code-release/
Apple ID and iCloud: targeted phishing via text message
Fraudsters are currently trying, via SMS, to lure users to a fake Apple ID login page in order to obtain personal data. The message is personally addressed.
http://heise.de/-3183878
A Newer Variant of RawPOS in Depth
RawPOS - A History RawPOS (also sometimes referred to as Rdasrv from the original service install name) is a Windows based malware family that targets payment card data. It has been around at least since 2011, if not much earlier. Despite it being very well known and the functions it performs easy to understand, RawPOS continues to prove extremely effective in perpetuating long-term and devastating card breaches to this day. Similar to its cousin, BlackPOS, this malware targets industries...
https://www.alienvault.com/blogs/security-essentials/a-newer-variant-of-rawpos-in-depth
Empty DDoS Threats: Meet the Armada Collective
[...] Our conclusion was a bit of a surprise: we've been unable to find a single incident where the current incarnation of the Armada Collective has actually launched a DDoS attack. In fact, because the extortion emails reuse Bitcoin addresses, there's no way the Armada Collective can tell who has paid and who has not. In spite of that, the cybercrooks have collected hundreds of thousands of dollars in extortion payments. [...]
https://blog.cloudflare.com/empty-ddos-threats-meet-the-armada-collective/
GozNym banking malware spotted now in Europe
IBM's X-Force reported today that the actors behind the hybrid GozNym banking trojan that stole $4 million from U.S. banks in March have released a new configuration that is targeting European banks.
http://www.scmagazine.com/goznym-banking-malware-spotted-now-in-europe/article/491855/
Attack on a central bank: cheap router and malware lead to million-dollar loss
One would think that a country's central bank has a firewall. In Bangladesh that apparently was not the case. Attackers using specialised malware were thus able to transfer almost 1 billion US dollars - and then failed because of a mistake.
http://www.golem.de/news/angriff-auf-zentralbank-billigrouter-und-malware-fuehren-zu-millionenverlust-1604-120536-rss.html
Manipulated PNG file crashes iOS and Mac apps
Opening a specially crafted image file crashes apps on both iOS and OS X, including the iOS home screen. As a result, the iMessage app may no longer open.
http://heise.de/-3184062
Exploit kit targets Android devices, delivers ransomware
Ransomware hitting mobile devices is not nearly as widespread as that which targets computers, but Blue Coat researchers have discovered something even less usual: mobile ransomware delivered via exploit kit. The ransomware in question calls itself Cyber.Police (the researchers have dubbed it Dogspectus), and does not encrypt users' files, it just blocks the infected Android device. It purports to be part of an action by the (nonexistent) "American national security agency"...
https://www.helpnetsecurity.com/2016/04/25/exploit-kit-targets-android-devices/
VU#229047: Allround Automations PL/SQL Developer v11 performs updates over HTTP
Vulnerability Note VU#229047 Allround Automations PL/SQL Developer v11 performs updates over HTTP Original Release date: 25 Apr 2016 | Last revised: 25 Apr 2016 Overview Allround Automations PL/SQL Developer version 11 checks for updates over HTTP and does not verify updates before executing commands, which may allow an attacker to execute arbitrary code. Description CWE-345: Insufficient Verification of Data Authenticity - CVE-2016-2346 According to the researcher, Allround Automations...
http://www.kb.cert.org/vuls/id/229047
IBM Security Bulletins
IBM Security Bulletin: Vulnerabilities in git affect PowerKVM (CVE-2016-2315, CVE-2016-2324)
http://www.ibm.com/support/docview.wss?uid=isg3T1023527
IBM Security Bulletin: Vulnerabilities in NetworkManager affect PowerKVM (CVE-2015-0272,CVE-2015-2924)
http://www.ibm.com/support/docview.wss?uid=isg3T1023498
IBM Security Bulletin: A Security Vulnerability was fixed in IBM Security Privileged Identity Manager (CVE-2016-0357)
http://www.ibm.com/support/docview.wss?uid=swg21981720
IBM Security Bulletin: A vulnerability in libssh2 affects PowerKVM (CVE-2016-0787)
http://www.ibm.com/support/docview.wss?uid=isg3T1023482
IBM Security Bulletin: Vulnerabilities in ISC Bind affect PowerKVM (CVE-2016-1285, CVE-2016-1286)
http://www.ibm.com/support/docview.wss?uid=isg3T1023483
IBM Security Bulletin: A vulnerability in nss-util affects PowerKVM (CVE-2016-1950)
http://www.ibm.com/support/docview.wss?uid=isg3T1023484
IBM Security Bulletin: A vulnerability in strongSwan affects PowerKVM (CVE-2015-8023)
http://www.ibm.com/support/docview.wss?uid=isg3T1023447
IBM Security Bulletin: Vulnerability in OpenSSL affects Sterling Connect:Enterprise for UNIX (CVE-2016-0800).
http://www.ibm.com/support/docview.wss?uid=swg21980890
IBM Security Bulletin: Information disclosure through unauthenticated SOAP request message. (CVE-2016-0299)
http://www.ibm.com/support/docview.wss?uid=swg21981155
IBM Security Bulletin: ClassLoader Manipulation with Apache Struts affecting IBM WebSphere Portal (CVE-2014-0114)
http://www.ibm.com/support/docview.wss?uid=swg21680194
IBM Security Bulletin: Vulnerability in libssh2 affects SAN Volume Controller and Storwize Family (CVE-2015-1782)
http://www.ibm.com/support/docview.wss?uid=ssg1S1005710
IBM Security Bulletin: Vulnerability in IBM Java Runtime affects IBM SAN Volume Controller and Storwize Family (CVE-2016-0475)
http://www.ibm.com/support/docview.wss?uid=ssg1S1005709
IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM WebSphere MQ (CVE-2016-0475, CVE-2015-7575, CVE-2016-0448)
http://www.ibm.com/support/docview.wss?uid=swg21976896
IBM Security Bulletin: Vulnerability in Apache ActiveMQ affects IBM Control Center (CVE-2015-5254)
http://www.ibm.com/support/docview.wss?uid=swg21981352
IBM Security Bulletin: A vulnerability in IBM Java SDK affects IBM WebSphere MQ (CVE-2015-4872)
http://www.ibm.com/support/docview.wss?uid=swg21981838
IBM Security Bulletin: A vulnerability in OpenSSL affects the IBM FlashSystem model V840 (CVE-2015-3194)
http://www.ibm.com/support/docview.wss?uid=ssg1S1005657
IBM Security Bulletin: A vulnerability in OpenSSL affects the IBM FlashSystem models 840 and 900 (CVE-2015-3194)
http://www.ibm.com/support/docview.wss?uid=ssg1S1005656