Daily summary - Friday 6-05-2016

End-of-Shift report

Timeframe: Wednesday 04-05-2016 18:00 − Friday 06-05-2016 18:00 Handler: Stephan Richter Co-Handler: n/a

Microsoft to retire support for SHA1 certificates in the next 4 months

The lock icon will be gone by summer; sites using SHA1 to be blocked come January.

http://arstechnica.com/security/2016/05/microsoft-to-retire-support-for-sha1-certificates-in-the-next-4-months/


Austria looking for up-and-coming hackers

At the Cyber Security Challenge 2016, the Abwehramt and the association Cyber Security Austria are looking for young hacking talent for the fifth time.

http://futurezone.at/digital-life/oesterreich-auf-der-suche-nach-nachwuchs-hackern/196.938.245


ImageTragick: Another Vulnerability, Another Nickname, (Thu, May 5th)

Introduction: On Tuesday 2016-05-03, we started seeing reports about a vulnerability for a cross-platform suite named ImageMagick [1, 2, 3]. This new vulnerability has been nicknamed ImageTragick and has its own website. Apparently, the vulnerability will be assigned to CVE-2016-3714. It wasn't yet on mitre.org's CVE site when I wrote this diary. Johannes Ullrich already discussed this vulnerability in yesterday's ISC StormCast for 2016-05-04, but there's been more press about it. Should...

https://isc.sans.edu/diary.html?storyid=21023&rss


Jaku botnet hides targeted attacks within generic botnet noise

Botnets are usually created by cyber criminals that use them to launch DDoS attacks, deliver spam, effect click fraud. The recently discovered Jaku botnet can effectively do all those things, if its botmaster(s) choose to do so, but it seems that they have other things in mind. The botnet which, according to Forcepoint researchers, numbered as many as 17,000 victims at different points in time, consists of several botnets "answering to" different C&C servers. The...

https://www.helpnetsecurity.com/2016/05/05/jaku-botnet-targeted-attacks/


Juniper patches OpenSSH's roaming bug in Junos OS

Screen OS not affected. The next vendor to kill off the OpenSSH roaming bug announced in January is Juniper Networks.

http://go.theregister.com/feed/www.theregister.co.uk/2016/05/05/juniper_patches_opensshs_roaming_bug_in_junos_os/


Criminals Peddling Affordable AlphaLocker Ransomware

A relatively affordable and difficult to detect ransomware-as-a-service named AlphaLocker has begun making the rounds, researchers warn.

http://threatpost.com/criminals-peddling-affordable-alphalocker-ransomware/117888/


Microsoft BITS Used to Download Payloads, (Thu, May 5th)

A few days ago, I found an interesting malicious Word document. First of all, the file has a very low score on VT: 2/56 (analysis is available here). The document is a classic one: once opened, it asks the victim to enable macro execution if not yet enabled. The document targets ... The OLE document contains:

$ oledump.py b2a9d203bb135b54319a9e5cafc43824
1: 113 \x01CompObj
2: 4096 \x05DocumentSummaryInformation
3: 4096 \x05SummaryInformation
4: 9398 1Table
5:

https://isc.sans.edu/diary.html?storyid=21027&rss


On The Monetization Of Crypto-Ransomware

Over the last few years, technologies and infrastructure, in the form of crypto-currencies, the dark web and well-organized criminal affiliate programs have aligned to create the perfect storm. And from that storm, the crypto-ransomware beast has arisen. There's a reason why crypto-ransomware is making the news almost daily - it's unique compared to every other...

https://labsblog.f-secure.com/2016/05/06/on-the-monetization-of-crypto-ransomware/


Study: TLS proxies introduce security problems

Among 14 antivirus and parental-control products that filter content inside secured TLS connections, not a single one was found that did not cause additional security problems in doing so.

http://heise.de/-3197932


Qualcomm flaw puts millions of Android devices at risk

A vulnerability in an Android component shipped with phones that use Qualcomm chips puts users' text messages and call history at risk of theft. The flaw was found by security researchers from FireEye and was patched by Qualcomm in March. However, because the vulnerability was introduced five years ago, many affected devices are unlikely to ever receive the fix because they're no longer supported by their manufacturers. The vulnerability, which is tracked as CVE-2016-2060, is located on an Android...

http://www.cio.com/article/3066827/qualcomm-flaw-puts-millions-of-android-devices-at-risk.html#tk.rss_security


Security Alert: New Ransomware Promises to Donate Earnings to Charity

Psychological manipulation is heavily used in cyber attacks, especially in phishing and ransomware compromise attempts. As with all online scams, the attackers' main objective is simple: to make as much money and steal as much data as possible. So, in their malicious pursuit, they'll come up with new tactics to force their victims into complying with their conditions. Encrypting ransomware, such as CryptoWall or TeslaCrypt, is proof.

https://heimdalsecurity.com/blog/security-alert-new-ransomware-donate-earnings-charity/


New Security Flaw Found in Lenovo Solution Center Software

Security researchers at Trustwave SpiderLabs have discovered a new vulnerability in Lenovo's much maligned Lenovo Solution Center software. The vulnerability allows attackers with local network access to a PC to execute arbitrary code.

http://threatpost.com/new-security-flaw-found-in-lenovo-solution-center-software/117896/


Public Key Infrastructure (PKI)

Executive Summary: This article is a detailed theoretical and hands-on guide to Public Key Infrastructure (PKI) and an OpenSSL-based Certificate Authority. In the first section, PKI and its associated concepts will be discussed. A test bed or lab environment on Ubuntu 14 will be prepared to apply PKI knowledge. Generation of CA, server and user keys/certificates...

http://resources.infosecinstitute.com/public-key-infrastructure-pki-2/


Upcoming Security Updates for Adobe Acrobat and Reader (APSB16-14)

A prenotification Security Advisory (APSB16-14) has been posted regarding upcoming releases for Adobe Acrobat and Reader scheduled for Tuesday, May 10, 2016. We will continue to provide updates on the upcoming releases via the Security Advisory as well as the...

https://blogs.adobe.com/psirt/?p=1344


Squid HTTP caching proxy Multiple Vulns

https://cxsecurity.com/issue/WLB-2016050024


[R1] PHP < 5.6.21 Vulnerabilities Affect Tenable SecurityCenter

http://www.tenable.com/security/tns-2016-09


HPE Network Node Manager i Multiple Flaws Let Remote Users Bypass Authentication, Obtain Data and Potentially Sensitive Information, and Conduct Cross-Site Scripting Attacks

http://www.securitytracker.com/id/1035767


Bugtraq: ESA-2016-051: Patch 14 for RSA Authentication Manager 8.1 SP1 to Address Multiple Vulnerabilities

http://www.securityfocus.com/archive/1/538287


DSA-3567 libpam-sshauth - security update

It was discovered that libpam-sshauth, a PAM module to authenticate using an SSH server, does not correctly handle system users. In certain configurations an attacker can take advantage of this flaw to gain root privileges.

https://www.debian.org/security/2016/dsa-3567


USN-2963-1: OpenJDK 8 vulnerabilities

Ubuntu Security Notice USN-2963-1, 4th May, 2016. openjdk-8 vulnerabilities. A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 16.04 LTS. Summary: Several security issues were fixed in OpenJDK 8. Software description: openjdk-8 - Open Source Java implementation. Details: Multiple vulnerabilities were discovered in the OpenJDK JRE related to information disclosure, data integrity, and availability. An attacker could exploit these to cause a denial of service, expose sensitive...

http://www.ubuntu.com/usn/usn-2963-1/


USN-2964-1: OpenJDK 7 vulnerabilities

Ubuntu Security Notice USN-2964-1, 4th May, 2016. openjdk-7 vulnerabilities. A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 15.10, Ubuntu 14.04 LTS. Summary: Several security issues were fixed in OpenJDK 7. Software description: openjdk-7 - Open Source Java implementation. Details: Multiple vulnerabilities were discovered in the OpenJDK JRE related to information disclosure, data integrity, and availability. An attacker could exploit these to cause a denial of service, expose...

http://www.ubuntu.com/usn/usn-2964-1/


Cisco Security Advisories

Cisco Adaptive Security Appliance with FirePOWER Services Kernel Logging Denial of Service Vulnerability

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160504-fpkern

Cisco FirePOWER System Software Packet Processing Denial of Service Vulnerability

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160504-firepower

Cisco TelePresence XML Application Programming Interface Authentication Bypass Vulnerability

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160504-tpxml

Cisco Finesse HTTP Request Processing Server-Side Request Forgery Vulnerability

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160504-finesse

Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: May 2016

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160504-openssl

IBM Security Bulletins

IBM Security Bulletin: Vulnerabilities in bind affect Power Hardware Management Console (CVE-2016-1285, CVE-2016-1286)

http://www.ibm.com/support/docview.wss?uid=nas8N1021266

IBM Security Bulletin: Vulnerabilities in ntp affect Power Hardware Management Console (CVE-2015-5300, CVE-2015-7704, CVE-2015-8138)

http://www.ibm.com/support/docview.wss?uid=nas8N1021264

IBM Security Bulletin: GNU C library (glibc) vulnerability affects IBM XIV Storage System (CVE-2015-7547)

http://www.ibm.com/support/docview.wss?uid=ssg1S1005699

IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Performance Tester (CVE-2015-7575, CVE-2016-0475)

http://www.ibm.com/support/docview.wss?uid=swg21982445

IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Service Tester (CVE-2015-7575, CVE-2016-0475)

http://www.ibm.com/support/docview.wss?uid=swg21982446

IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Insight (CVE-2015-4872, CVE-2015-4893, CVE-2015-4803, CVE-2015-5006, CVE-2016-0483, CVE-2015-7575, CVE-2016-0448, CVE-2016-0466)

http://www.ibm.com/support/docview.wss?uid=swg21972468

IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Reporting for Development Intelligence (CVE-2015-4872, CVE-2015-4893, CVE-2015-4803, CVE-2015-5006, CVE-2016-0483, CVE-2015-7575, CVE-2016-0448, CVE-2016-0466)

http://www.ibm.com/support/docview.wss?uid=swg21972469

IBM Security Bulletin: IBM Cognos Business Intelligence Server 2016Q1 Security Updater: IBM Cognos Business Intelligence Server is affected by multiple vulnerabilities.

http://www.ibm.com/support/docview.wss?uid=swg21979767

IBM Security Bulletin: Open Source Apache Tomcat vulnerabilities affect IBM Tivoli Application Dependency Discovery Manager (TADDM) February 2016

http://www.ibm.com/support/docview.wss?uid=swg21980693

IBM Security Bulletin: Current Releases of IBM SDK for Node.js in IBM Bluemix are affected by CVE-2016-3956, CVE-2016-2515 and CVE-2016-2537.

http://www.ibm.com/support/docview.wss?uid=swg21981433

IBM Security Bulletin: Vulnerability in InstallShield affects IBM Tivoli Storage Manager for Databases: Data Protection for Microsoft SQL Server (CVE-2016-2542)

http://www.ibm.com/support/docview.wss?uid=swg21982467

IBM Security Bulletin: Vulnerability in InstallShield affects IBM Tivoli Storage FlashCopy Manager on Windows (CVE-2016-2542)

http://www.ibm.com/support/docview.wss?uid=swg21982448

IBM Security Bulletin: A vulnerability in SQLite affects IBM Security Access Manager for Mobile (CVE-2015-3416)

http://www.ibm.com/support/docview.wss?uid=swg21981269

IBM Security Bulletin: IBM SPSS Statistics ActiveX Control Buffer Overflow (CVE-2015-8530)

http://www.ibm.com/support/docview.wss?uid=swg21982035

IBM Security Bulletin: The GPFS pattern provided with IBM PureApplication System is affected by a security vulnerability. (CVE-2015-7403)

http://www.ibm.com/support/docview.wss?uid=swg21982660