End-of-Shift report
Timeframe: Wednesday 27-04-2016 18:00 - Thursday 28-04-2016 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
Malware Takes Advantage of Windows "God Mode"
Microsoft Windows has hidden an Easter Egg since Windows Vista. It allows users to create a specially named folder that acts as a shortcut to Windows settings and special folders, such as control panels, My Computer, or the printers folder. This "God Mode" can come in handy for admins, but attackers are now using this undocumented feature for evil ends. Files placed within one of these master control panel shortcuts are not easily accessible via Windows Explorer because the folders do...
https://blogs.mcafee.com/mcafee-labs/malware-takes-advantage-of-windows-god-mode/
VB2016 Call for Papers Deadline
You have until the early hours (GMT) of Monday 21 March to submit an abstract for VB2016! The VB2016 programme will be announced in the first week of April.
https://www.virusbulletin.com/blog/2016/03/vb2016-call-papers-deadline/
How broken is SHA-1 really?
SHA-1 collisions may be found in the next few months, but that doesn't mean that fake SHA-1-based certificates will be created in the near future. Nevertheless, it is time for everyone, and those working in security in particular, to move away from outdated hash functions.
https://www.virusbulletin.com/blog/2016/03/how-broken-sha-1-really/
Firefox 46 Patches Critical Memory Vulnerabilities
Mozilla released Firefox 46, which includes patches for one critical and four high-severity vulnerabilities, all of which can lead to remote code execution.
http://threatpost.com/firefox-46-patches-critical-memory-vulnerabilities/117698/
DNS and DHCP Recon using Powershell, (Thu, Apr 28th)
I recently had a client pose an interesting problem. They wanted to move all their thin clients to a separate VLAN. In order to do that, I needed to identify which switch port each was on. Since there were several device vendors involved, I couldn't use the OUI portion of the MAC. Fortunately, they were using only a few patterns in their thin client hostnames, so that gives me an in. Great, you say, use nmap -sn, sweep for the names, get the MAC addresses and map those to switch ports - easy, right?
https://isc.sans.edu/diary.html?storyid=20995&rss
Time for a patch: six vulns fixed in NTP daemon
What's the time? It's time to get ill. Unless you fix these beastly flaws. Cisco has turned over a bunch of Network Time Protocol daemon (ntpd) vulnerabilities to the Linux Foundation's Core Infrastructure Initiative.
http://go.theregister.com/feed/www.theregister.co.uk/2016/04/28/time_for_a_patch_six_vulns_fixed_in_ntp_daemon/
Handling security bugs, vulnerable infrastructure and a range of DDoS attacks: 22nd MELANI semi-annual report
In the second half of 2015, there were once again some spectacular cyber-related incidents worldwide. These were primarily DDoS attacks, phishing attacks and attacks on industrial control systems. Published today, the 22nd MELANI semi-annual report features handling security vulnerabilities as its key topic.
https://www.melani.admin.ch/melani/en/home/dokumentation/newsletter/semi-annual_report-2-2015.html
Binary Webshell Through OPcache in PHP 7
In this article, we will be looking at a new exploitation technique using the default OPcache engine from PHP 7. Using this attack vector, we can bypass certain hardening techniques that disallow file write access in the web directory. This could be used by an attacker to execute his own malicious code in a hardened environment.
http://blog.gosecure.ca/2016/04/27/binary-webshell-through-opcache-in-php-7/
Kaspersky DDoS Intelligence Report for Q1 2016
In Q1, resources in 74 countries were targeted by DDoS attacks. China, the US and South Korea remained the leaders in terms of number of DDoS attacks and number of targets. The longest DDoS attack in Q1 2016 lasted for 197 hours (or 8.2 days).
http://securelist.com/analysis/quarterly-malware-reports/74550/kaspersky-ddos-intelligence-report-for-q1-2016/
Cyber Security Lecture given by Mozilla
May 09, 2016, 4:00 pm - 6:30 pm, TU Wien, Karlsplatz 13, 1040 Wien
Let’s Encrypt (J.C. Jones)
You can’t build a secure website without having a certificate, and getting a certificate is one of the hardest parts of setting up a secure website. Mozilla helped start up Let’s Encrypt to make getting a certificate easier and promote the security of the Web. In 16 months, Let’s Encrypt went from an idea...
Mozilla Security (Richard Barnes)
The Web is arguably the single largest platform for applications in the world. Securing a Web browser requires security expertise from across the field, including low-level program internals, network security, language design, and access controls. In this talk, we will discuss some of the critical Web...
https://www.sba-research.org/events/cyber-security-lecture-given-by-mozilla/
PCI DSS 3.2 is out: What's new?
The Payment Card Industry Security Standards Council has published the latest version of PCI DSS, the information security standard for organizations that handle customer credit cards. Changes and improvements in PCI DSS 3.2 include: Multi-factor authentication will be required for all administrative access into the cardholder data environment. Previously, use of multi-factor authentication was only a must when it was accessed remotely, by an untrusted user/device. This will not impact...
https://www.helpnetsecurity.com/2016/04/28/pci-dss-3-2-whats-new/
Cisco Finds Backdoor Installed on 12 Million PCs
UPDATED. Cisco's Talos security intelligence and research group has come across a piece of software that installed backdoors on 12 million computers around the world.
http://www.securityweek.com/cisco-finds-backdoor-installed-12-million-pcs
Forthcoming OpenSSL releases
The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.0.2h, 1.0.1t. These releases will be made available on 3rd May 2016 between approximately 1200-1500 UTC. They will fix several security defects with maximum severity "high".
https://mta.openssl.org/pipermail/openssl-announce/2016-April/000069.html
VMSA-2015-0007.4
VMware vCenter and ESXi updates address critical security issues.
http://www.vmware.com/security/advisories/VMSA-2015-0007.html
Bugtraq: CVE-2015-5207 - Bypass of Access Restrictions in Apache Cordova iOS
http://www.securityfocus.com/archive/1/538213
sol93532943: SSHD session.c vulnerability CVE-2016-3115
Multiple CRLF injection vulnerabilities in session.c in sshd in OpenSSH before 7.2p2 allow remote authenticated users to bypass intended shell-command restrictions via crafted X11 forwarding data, related to the (1) do_authenticated1 and (2) session_x11_req functions. (CVE-2016-3115)
https://support.f5.com/kb/en-us/solutions/public/k/93/sol93532943.html?ref=rss
sol52349521: OpenSSL vulnerability CVE-2016-2842
The doapr_outch function in crypto/bio/b_print.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g does not verify that a certain memory allocation succeeds, which allows remote attackers to cause a denial of service (out-of-bounds write or memory consumption) or possibly have unspecified other impact via a long string, as demonstrated by a large amount of ASN.1 data, a different vulnerability than CVE-2016-0799. (CVE-2016-2842)
https://support.f5.com/kb/en-us/solutions/public/k/52/sol52349521.html?ref=rss
Cisco Security Advisories
Cisco Application Policy Infrastructure Controller Enterprise Module Unauthorized Access Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160428-apic
Cisco WebEx Meetings Server Open Redirect Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160428-cwms
Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products: April 2016
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160428-ntpd
IBM Security Bulletins
IBM Security Bulletin: Multiple vulnerabilities in Samba - including Badlock - Transformation Extender Hypervisor Edition
http://www.ibm.com/support/docview.wss?uid=swg21981057
IBM Security Bulletin: Multiple vulnerabilities in Samba including Badlock - affect IBM OS Images for Red Hat Linux Systems.
http://www.ibm.com/support/docview.wss?uid=swg21982097
IBM Security Bulletin: Multiple vulnerabilities in Samba, including Badlock, affect IBM i
http://www.ibm.com/support/docview.wss?uid=nas8N1021296
IBM Security Bulletin: Multiple vulnerabilities in php5 affect IBM Flex System Manager (FSM) (CVE-2015-6836, CVE-2015-6837, CVE-2015-6838)
http://www.ibm.com/support/docview.wss?uid=isg3T1023641
IBM Security Bulletin: Multiple vulnerabilities in ISC BIND and Samba - including Badlock - affect IBM Netezza Host Management
http://www.ibm.com/support/docview.wss?uid=swg21979985
IBM Security Bulletin: Multiple vulnerabilities in gnutls affect IBM Flex System Manager (FSM) (CVE-2015-2806, CVE-2015-8313)
http://www.ibm.com/support/docview.wss?uid=isg3T1023642
IBM Security Bulletin: A vulnerability in openLDAP affects IBM Flex System Manager (FSM) (CVE-2015-6908)
http://www.ibm.com/support/docview.wss?uid=isg3T1023640
IBM Security Bulletin: Potential security vulnerability in IBM WebSphere Application Server for Bluemix if FIPS 140-2 is enabled (CVE-2016-0306) and multiple vulnerabilities in Samba - including Badlock (CVE-2016-2118)
http://www.ibm.com/support/docview.wss?uid=swg21982128
IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Rational Application Developer for WebSphere Software included in Rational Developer for i and Rational Developer for AIX and Linux
http://www.ibm.com/support/docview.wss?uid=swg21981752
IBM Security Bulletin: Multiple vulnerabilities in current releases of the IBM SDK, Java Technology Edition
http://www.ibm.com/support/docview.wss?uid=swg21980826
IBM Security Bulletin: Multiple vulnerabilities exist with Oracle Outside In Technology (OIT) in IBM FileNet Content Manager and IBM Content Foundation.
http://www.ibm.com/support/docview.wss?uid=swg21975822
IBM Security Bulletin: Multiple Vulnerabilities in IBM SDK, Java Technology Edition Quarterly CPU - Jan 2016 - Includes Oracle Jan 2016 CPU + 3 IBM CVEs affects IBM Algorithmics One Core, Algo Risk Application, and Counterparty Credit Risk
http://www.ibm.com/support/docview.wss?uid=swg21981333
IBM Security Bulletin: A vulnerability in SQLite affects IBM Security Access Manager for Web (CVE-2015-3416)
http://www.ibm.com/support/docview.wss?uid=swg21981270
IBM Security Bulletin: Vulnerability in RSOC_APP_01 Frameable Response Potential Clickjacking (CSRF) affects IBM Algorithmics Algo Risk Application - CVE-2016-0207
http://www.ibm.com/support/docview.wss?uid=swg21981322