Daily summary - Wednesday 25-05-2016

End-of-Shift report

Timeframe: Tuesday 24-05-2016 18:00 − Wednesday 25-05-2016 18:00 Handler: Stephan Richter Co-Handler: n/a

New Botnets Used for Low and Slow Credential Testing (May 23, 2016)

Botnets are being used to test account access credentials...

http://www.sans.org/newsletters/newsbites/r/18/41/306


Many Ubiquiti Wireless Devices Still Vulnerable (May 20 and 23, 2016)

Owners of Ubiquiti wireless devices are being urged to apply a patch that the company released last year; the flaw it fixes is being actively exploited...

http://www.sans.org/newsletters/newsbites/r/18/41/308


Nulled WordPress Themes: Malvertising and Black Hat SEO

If you have been following our blog for some time, you know that we regularly warn about risks associated with the use of third-party software on your site. A benign plugin may sneakingly inject ads into your site which cause malvertising problems for the site visitors (e.g. SweetCaptcha). Other plugins may be hijacked by hackers or... The post Nulled WordPress Themes: Malvertising and Black Hat SEO appeared first on Sucuri Blog.

https://blog.sucuri.net/2016/05/nulled-wordpress-themes-malvertising-black-hat-seo.html


New Wekby Attacks Use DNS Requests As Command and Control Mechanism

We have observed an attack led by the APT group Wekby targeting a US-based organization in recent weeks. Wekby is a group that has been active for a number of years, targeting various industries such...

http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/


SWIFT exec unveils info sharing plan, calls Bangladesh a watershed event

SWIFT CEO Gottfried Leibbrandt issued details of the messaging service company's information-sharing strategy.

http://www.scmagazine.com/swift-exec-unveils-info-sharing-plan-calls-bangladesh-a-watershed-event/article/498583/


Stop Using "internal" Top Level Domain Names, (Wed, May 25th)

Cert.org this week warned again that internal top level domain names can be used against you, if one of these domains happens to be registered as a new generic top level domain (gTLD). Currently, there are about 1200 approved gTLDs, and the number will only increase even though the initial gold rush seems to have leveled off somewhat [1] US-Cert just sent out a reminder again regarding the use of internal domain names for automatic proxy configuration via WPAD. If this internal, but not...

https://isc.sans.edu/diary.html?storyid=21095&rss


CVE-2015-2545: overview of current threats

Cyberespionage attacks conducted by different groups across the Asia-Pacific (APAC) and Far East regions share one common feature: in order to infect their victims with malware, the attackers use an exploit for the CVE-2015-2545 vulnerability.

http://securelist.com/analysis/publications/74828/cve-2015-2545-overview-of-current-threats/


Who's tracking you online, and how?

Armed with a tool that mimics a consumer browser but is actually bent on discovering all the ways websites are tracking visitors, Princeton University researchers have discovered several device fingerprinting techniques never before seen in the wild. The web privacy measurement tool is called OpenWPM, and has been open sourced. Its creators are the very same researchers who performed this latest study. They crawled and analyzed measurements collected from 1 million of the most popular...

https://www.helpnetsecurity.com/2016/05/25/whos-tracking-you-online/


The Answer is always the same: Layers of Security

There is a common misperception that now that containers support seccomp we no longer need SELinux to help protect our systems. WRONG. The big weakness in containers is the container possesses the ability to interact with the host kernel and the host file systems. Securing the container processes is all about shrinking the attack surface on the host OS and more specifically on the host kernel. seccomp does a great job of shrinking the attack surface on the kernel. The idea is to limit the number...

https://access.redhat.com/blogs/766093/posts/2334141


Skimmers Found at Walmart: A Closer Look

Recent local news stories about credit card skimmers found in self-checkout lanes at some Walmart locations reminds me of a criminal sales pitch I saw recently for overlay skimmers made specifically for the very same card terminals.

http://krebsonsecurity.com/2016/05/skimmers-found-at-walmart-a-closer-look/


VMSA-2016-0006

VMware vCenter Server updates address an important cross-site scripting issue

http://www.vmware.com/security/advisories/VMSA-2016-0006.html


HPE Service Manager Unspecified Flaw Lets Remote Users Obtain Potentially Sensitive Information on the Target System

http://www.securitytracker.com/id/1035954


Operation Technology ETAP 14.1.0 Multiple Stack Buffer Overrun Vulnerabilities

Multiple ETAP binaries are prone to a stack-based buffer overflow vulnerability because the application fails to handle malformed arguments. An attacker can exploit these issues to execute arbitrary code within the context of the application or to trigger a denial-of-service condition.

http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5324.php


Operation Technology ETAP 14.1.0 Local Privilege Escalation

ETAP suffers from an elevation of privileges vulnerability which can be used by any authenticated user, who can replace the executable file with a binary of choice. The vulnerability exists due to improper permissions, with the C flag (Change) set for the Authenticated Users group.

http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5323.php


ZDI-16-354: (0Day) ActivePDF Toolkit ImageToPDF IAT Overwrite Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of ActivePDF Toolkit. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

http://www.zerodayinitiative.com/advisories/ZDI-16-354/


Moxa MiiNePort Vulnerabilities

This advisory contains mitigation details for weak credential management, sensitive information not protected, and cross-site request forgery vulnerabilities in Moxa's MiiNePort serial device server module series.

https://ics-cert.us-cert.gov/advisories/ICSA-16-145-01


Security Advisory: Java vulnerabilities CVE-2013-5802 and CVE-2013-5823

https://support.f5.com:443/kb/en-us/solutions/public/k/53/sol53316849.html?ref=rss


Security Advisory: Multiple Java vulnerabilities

https://support.f5.com:443/kb/en-us/solutions/public/k/95/sol95313044.html?ref=rss


Maintenance work Tuesday, 31.5.2016

Maintenance work Tuesday, 31 May 2016 | 25 May 2016 | On Tuesday, 31 May 2016, we will be carrying out maintenance work on our infrastructure. This will lead to outages of the externally reachable services (e.g. mail, web server, mailing lists), each of which may last several minutes. It...

http://www.cert.at/services/blog/20160525113745-1748.html

Next End-of-Shift report: 2016-05-27