End-of-Shift report
Timeframe: Friday 20-05-2016 18:00 − Monday 23-05-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
Backdoor in Fake Joomla! Core Files
We usually write a lot about obfuscation methods on Sucuri Labs and here on the blog. Sometimes we write about free tools to obfuscate your code that aren't that free, and we also have an online tool to help decode the malware you find. But sometimes the malware is not clearly encoded using base64, gzinflate, hex concatenation, ...
https://blog.sucuri.net/2016/05/unexpected-backdoor-fake-core-files.html
60 percent of enterprise Android phones prone to QSEE vulnerability
Duo Labs researchers found that 60 percent of enterprise Android phones are affected by a critical QSEE vulnerability.
http://www.scmagazine.com/majority-of-enterprise-android-phones-vulnerable-to-critical-qsee-bug/article/497977/
The strange case of WinZip MRU Registry key, (Sun, May 22nd)
When we want to know if a document (.doc, .pdf, whatever) has been opened by the user, in a Windows environment our information goldmine is the Registry and particularly its MRU keys. However, it seems this is not always the case. During the analysis of the Retefe case I wrote about in my previous diary, I came across a Registry behavior I did not expect, or at least I was not aware of, about how to verify if the file contained within the zip archive had been opened or not. Regarding...
https://isc.sans.edu/diary.html?storyid=21087&rss
ENISA- Europol issue joint statement
ENISA and Europol issue joint statement on lawful criminal investigation that respects 21st Century data protection.
https://www.enisa.europa.eu/news/enisa-news/enisa-europol-issue-joint-statement
ATMs: Criminals steal millions in two hours
Criminal card counterfeiters operate globally: using credit card information from a South African bank, a gang in Japan withdrew cash worth more than 12 million euros in just 2.5 hours.
http://www.golem.de/news/geldautomaten-kriminelle-erbeuten-millionen-in-zwei-stunden-1605-121044-rss.html
National coordinators meet to prepare for ECSM launch
National coordinators from across Europe gathered in Brussels earlier this month in preparation for the launch of this year's European Cyber Security Month.
https://www.enisa.europa.eu/news/enisa-news/national-coordinators-meet-to-prepare-fro-ecsm-launch
Organizations unprepared for employee-caused security incidents
While employee-related security risks are the number-one concern for security professionals, organizations are not taking adequate steps to prevent negligent employee behavior, according to a new Ponemon Institute study. The study, Managing Insider Risk Through Training & Culture, asked more than 600 individuals at companies that currently have a data protection and privacy training program to weigh in on the topic of negligent and malicious employee behaviors, as well as the consequences...
https://www.helpnetsecurity.com/2016/05/23/employee-caused-security-incidents/
When Hashing isn't Hashing
Anyone working in application security has found themselves saying something like this a thousand times: "always hash passwords with a secure password hashing function." I've said this phrase at nearly all of the developer events I've spoken at; it's become a mantra of sorts for many of us that try to improve the security of applications. We tell developers to hash passwords, then we have to qualify it to explain that it isn't normal hashing.
https://adamcaudill.com/2016/05/23/when-hashing-isnt-hashing/
Technical Report about the RUAG espionage case
After several months of Incident Response and Analysis in the RUAG cyber espionage case, we got the assignment from the Federal Council to write and publish a report about the findings. The following is a purely technical report, intending to inform the public about Indicators of Compromise (IOCs) and the Modus Operandi of the attacker group behind this case. We strongly believe in...
https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case
Hack of a defence contractor: Swiss Cert gives security tips for companies
Other security firms could take this as an example: the Swiss Cert has analysed in detail the attack methods used by an APT group against the technology company Ruag and gives companies tips on how to protect themselves.
http://www.golem.de/news/hack-von-ruestungskonzern-schweizer-cert-gibt-security-tipps-fuer-unternehmen-1605-121048-rss.html
After trio of hacks, SWIFT addresses information sharing concerns
Following reports of a cyberattack last year in which hackers stole $9 million from an Ecuadorean bank, SWIFT stated it is taking steps to create more information sharing practices.
http://www.scmagazine.com/after-trio-of-hacks-swift-addresses-information-sharing-concerns/article/497988/
Student convicted after finding encryption flaws in government network
He found that the encrypted network often wasn't... but he lost patience when it looked as though nothing was being done about it.
https://nakedsecurity.sophos.com/2016/05/23/student-convicted-after-finding-encryption-flaws-in-government-network/
A recently patched Flash Player exploit is being used in widespread attacks
It took hackers less than two weeks to integrate a recently patched Flash Player exploit into widely used Web-based attack tools that are being used to infect computers with malware. The vulnerability, known as CVE-2016-4117, was discovered earlier this month by security researchers at FireEye. It was exploited in targeted attacks through malicious Flash content embedded in Microsoft Office documents. When the targeted exploit was discovered, the vulnerability was unpatched, which prompted a...
http://www.cio.com/article/3073558/a-recently-patched-flash-player-exploit-is-being-used-in-widespread-attacks.html#tk.rss_security
Security Update Available for Adobe Connect (APSB16-17)
A Security Bulletin (APSB16-17) has been published regarding a security update for Adobe Connect. Adobe recommends users update their product installations to the latest version using the instructions referenced in the security bulletin.
https://blogs.adobe.com/psirt/?p=1355
TA16-144A: WPAD Name Collision Vulnerability
Original release date: May 23, 2016. Systems Affected: Windows, OS X, Linux systems, and web browsers with WPAD enabled. Overview: Web Proxy Auto-Discovery (WPAD) Domain Name System (DNS) queries that are intended for resolution on private or enterprise DNS servers have been observed reaching public DNS servers [1]. In combination with the New generic Top Level Domain (gTLD) program's incorporation of previously undelegated gTLDs for public registration, leaked WPAD queries could result in...
https://www.us-cert.gov/ncas/alerts/TA16-144A
Bugzilla 4.4.11 and 5.0.2 Security Advisory
A specially crafted bug summary could trigger XSS in dependency graphs.
https://www.bugzilla.org/security/4.4.11/
DSA-3585 wireshark - security update
Multiple vulnerabilities were discovered in the dissectors/parsers for PKTC, IAX2, GSM CBCH and NCP which could result in denial of service.
https://www.debian.org/security/2016/dsa-3585
SECURITY BULLETIN: Trend Micro InterScan Web Security Virtual Appliance (IWSVA) Multiple Remote Code Execution Vulnerabilities
Trend Micro has released new builds of the Trend Micro InterScan Web Security Virtual Appliance. These updates resolve vulnerabilities in the product that could potentially allow a remote attacker to execute arbitrary code on vulnerable installations.
https://esupport.trendmicro.com/solution/en-US/1114185.aspx
SECURITY BULLETIN: Trend Micro OfficeScan Path Traversal Vulnerability
Trend Micro has released an update for OfficeScan (OSCE) 11.0 Service Pack (SP) 1 which resolves a vulnerability in the product that when certain conditions are met could be exploited to access files and directories located outside of the core product web root folder.
https://esupport.trendmicro.com/solution/en-US/1114097.aspx
ZDI-16-353: BitTorrent API Cross Site Scripting Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of BitTorrent and uTorrent. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
http://www.zerodayinitiative.com/advisories/ZDI-16-353/
IBM Security Bulletins
IBM Security Bulletin: Multiple vulnerabilities in IBM WebSphere affect IBM Control Center (CVE-2016-0283, CVE-2015-7417).
http://www.ibm.com/support/docview.wss?uid=swg21981914
IBM Security Bulletin: Vulnerabilities affect multiple IBM Rational products based on IBM Jazz technology (CVE-2015-7484, CVE-2015-7474, CVE-2015-7485, CVE-2015-7486, CVE-2016-0219)
http://www.ibm.com/support/docview.wss?uid=swg21983720
IBM Security Bulletin: Vulnerabilities in SSL affect IBM DataPower Gateways (CVE-2015-3193, CVE-2015-3195, CVE-2015-1794)
http://www.ibm.com/support/docview.wss?uid=swg21982608
IBM Security Bulletin: Multiple vulnerabilities in IBM Marketing Platform (CVE-2016-0224, CVE-2016-0229, CVE-2016-0233)
http://www.ibm.com/support/docview.wss?uid=swg21980989
IBM Security Bulletin: Vulnerabilities in XML processing affect IBM DataPower Gateways
http://www.ibm.com/support/docview.wss?uid=swg21982607
IBM Security Bulletin: Vulnerability identified in IBM Domino Java Console (CVE-2016-0304)
http://www.ibm.com/support/docview.wss?uid=swg21983328
IBM Security Bulletin: OpenSSL vulnerabilities in Node.js found on May 03, 2016 affect Rational Software Architect and Rational Software Architect for WebSphere Software (CVE-2016-2107, CVE-2016-2105)
http://www.ibm.com/support/docview.wss?uid=swg21983555
IBM Security Bulletin: Multiple OpenSSL vulnerabilities in Node.js included in Rational Application Developer for WebSphere Software
http://www.ibm.com/support/docview.wss?uid=swg21982949
IBM Security Bulletin: One vulnerability in IBM Java SDK affects Application Delivery Intelligence 1.0.0 (CVE-2016-3427)
http://www.ibm.com/support/docview.wss?uid=isg3T1023804
IBM Security Bulletin: Multiple vulnerabilities in IBM Runtime Environment Java Technology Edition, Version 6, affect WebSphere Dashboard Framework (CVE-2016-3427, CVE-2016-3426, CVE-2016-0264)
http://www.ibm.com/support/docview.wss?uid=swg21982528
IBM Security Bulletin: Multiple vulnerabilities in IBM Runtime Environment Java Technology Edition, Version 6, affect Web Experience Factory (CVE-2016-3427, CVE-2016-3426, CVE-2016-0264)
http://www.ibm.com/support/docview.wss?uid=swg21982527
IBM Security Bulletin: Vulnerability in IBM Java SDK affects IBM Integration Designer and WebSphere Integration Developer (CVE-2016-3427)
http://www.ibm.com/support/docview.wss?uid=swg21983002
IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM OS Images for Red Hat Linux Systems, IBM OS Images for AIX, and Windows. (CVE-2016-0363, CVE-2016-0376, CVE-2016-3426, and CVE-2016-0264)
http://www.ibm.com/support/docview.wss?uid=swg21983647
IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Image Construction and Composition Tool. (CVE-2016-0363, CVE-2016-0376, CVE-2016-3426, and CVE-2016-0264)
http://www.ibm.com/support/docview.wss?uid=swg21983644
IBM Security Bulletin: Vulnerability in OpenSSL affects Tivoli Provisioning Manager for OS Deployment, Tivoli Provisioning Manager for Images (CVE-2016-2842)
http://www.ibm.com/support/docview.wss?uid=swg21982159
IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM InfoSphere Information Server
http://www.ibm.com/support/docview.wss?uid=swg21981545
IBM Security Bulletin: Multiple vulnerabilities in Apache Tomcat affect IBM Security SiteProtector System (CVE-2015-5174, CVE-2015-5345, CVE-2016-0706 and CVE-2016-0714)
http://www.ibm.com/support/docview.wss?uid=swg21983242
IBM Security Bulletin: Vulnerabilities in SSL affect IBM DataPower Gateways (CVE-2015-3197)
http://www.ibm.com/support/docview.wss?uid=swg21982697
IBM Security Bulletin: Vulnerabilities in OpenStack affect IBM Spectrum Scale V4.2 and V4.1.1 (CVE-2015-8466 and CVE-2016-0738)
http://www.ibm.com/support/docview.wss?uid=ssg1S1005833