Daily summary - Thursday 7-07-2016

End-of-Shift report

Timeframe: Wednesday 06-07-2016 18:00 − Thursday 07-07-2016 18:00
Handler: Robert Waldner
Co-Handler: n/a

New Mac backdoor malware: Eleanor

This new malware is only the second piece of true Mac malware spotted so far in 2016, with the first being the KeRanger ransomware.

https://blog.malwarebytes.com/cybercrime/2016/07/new-mac-backdoor-malware-eleanor/


CryptXXX ransomware updated, (Wed, Jul 6th)

This morning, the decryption instructions for CryptXXX ransomware looked different. A closer examination indicates CryptXXX has been updated.

https://isc.sans.edu/diary.html?storyid=21229&rss


[webapps] - OpenFire 3.10.2 - 4.0.1 - Multiple Vulnerabilities

Several vulnerabilities have been discovered between October 2015 and February 2016. The reported vulnerabilities are similar to those previously discovered by hyp3rlinx, although they concern different pages. In brief, the flaws are of the following kinds: CSRF, XSS (reflected and stored), file upload and information disclosure. Most vulnerabilities require administrative access to the web application and may lead to personal information leakage or account take-over.

https://www.exploit-db.com/exploits/40065


Realstatistics Malware Campaign Leads To Ransomware

Our Incident Response Team (IRT) has been tracking a mass infection campaign over the last 2 weeks (codenamed 'Realstatistics'). This campaign has compromised thousands of websites built on the Joomla! and WordPress Content Management System (CMS). We have codenamed the campaign 'Realstatistics' because of the domain being used by the attackers.

https://blog.sucuri.net/2016/07/joomla-wordpress-affected-by-realstatistics-infection-campaign-distributing-randsomware-malware.html


EMC Avamar Backup Restoration Flaw Lets Remote Authenticated Users Read and Delete Files on the Target System

A vulnerability was reported in EMC Avamar. A remote authenticated user can read and delete files on the target system. A remote authenticated user can exploit a flaw in the backup restoration component to read and delete files on the target system. EMC Avamar Data Store and Avamar Virtual Edition are affected.

http://www.securitytracker.com/id/1036235


Android's July security bulletin patches 20 critical flaws

Google releases Android security bulletin, providing updates for 89 critical and high severity vulnerabilities affecting software and hardware components including Mediaserver, OpenSSL, BoringSSL, Bluetooth, Qualcomm, and numerous drivers.

http://www.scmagazine.com/androids-july-security-bulletin-patches-20-critical-flaws/article/507919/


mimikittenz

mimikittenz is a post-exploitation powershell tool that utilizes the Windows function ReadProcessMemory() in order to extract plain-text passwords from various target processes.

https://github.com/putterpanda/mimikittenz


Acer Portal Android Application - MITM SSL Certificate Vulnerability (CVE-2016-5648)

The Acer Portal Android application (version 3.9.3.2006 and below), installed by the manufacturer on all Acer branded Android devices, does not validate the SSL certificate it receives when connecting to the mobile application login server.

http://www.securityfocus.com/archive/1/538851


Upcoming Security Updates for Adobe Acrobat and Reader (APSB16-26)

A prenotification Security Advisory (APSB16-26) has been posted regarding upcoming releases for Adobe Acrobat and Reader scheduled for Tuesday, July 12, 2016.

https://blogs.adobe.com/psirt/?p=1374


Insecure Unserialize in extension "Page path" (pagepath)

It has been discovered that the extension "Page path" (pagepath) is susceptible to Insecure Unserialize.

https://typo3.org/news/article/insecure-unserialize-in-extension-page-path-pagepath/


Cross-Site Scripting in extension "CCDebug" (cc_debug)

It has been discovered that the extension "CCDebug" (cc_debug) is susceptible to Cross-Site Scripting.

https://typo3.org/news/article/cross-site-scripting-in-extension-ccdebug-cc-debug/


ZDI-16-407: Eaton ELCSoft ELCSimulator Stack Buffer Overflow Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Eaton ELCSoft. Authentication is not required to exploit this vulnerability.

http://www.zerodayinitiative.com/advisories/ZDI-16-407/


ZDI-16-406: Novell NetIQ Sentinel Server ReportViewServlet fileName Directory Traversal Information Disclosure Vulnerability

This vulnerability allows remote attackers to disclose arbitrary file contents on vulnerable installations of Novell NetIQ Sentinel Server. Authentication is required to exploit this vulnerability but it can be bypassed using a separate flaw within the LogonFormController.

http://www.zerodayinitiative.com/advisories/ZDI-16-406/


Cisco Video Communication Server and Expressway Trusted Certificate Authentication Bypass Vulnerability

A vulnerability in certificate management and validation for the Mobile and Remote Access (MRA) feature for Cisco Expressway Series and TelePresence Video Communication Server (VCS) could allow an unauthenticated, remote attacker to bypass authentication and access internal HTTP system resources.

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160706-vcs


Cisco AMP Threat Grid Unauthorized Clean IP Access Vulnerability

A vulnerability in the virtual network stack of the Cisco AMP Threat Grid Appliance could allow an unauthenticated, remote attacker to access internal interfaces within the appliance. The vulnerability is due to insufficient isolation between the sandbox and other internal components. An attacker could exploit this vulnerability by submitting a malware sample crafted to exploit this flaw. An exploit could allow the attacker to intercept interprocess calls and allow them to access, modify, and delete information from the system.

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160706-tg


IBM Security Bulletins

IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Security Virtual Server Protection for VMware (CVE-2015-3195)

http://www.ibm.com/support/docview.wss?uid=swg21986312

IBM Security Bulletin: IBM TRIRIGA Applications are vulnerable to a privilege escalation attack. (CVE-2016-2917)

http://www-01.ibm.com/support/docview.wss?uid=swg21984304

IBM Security Bulletin: A vulnerability in IBM Java Runtime affects IBM Cognos Metrics Manager (CVE-2016-3427)

http://www-01.ibm.com/support/docview.wss?uid=swg21985522

IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM eDiscovery Analyzer

https://www-01.ibm.com/support/docview.wss?uid=swg21984496

IBM Security Bulletin: Multiple Samba vulnerability issues in IBM Storwize V7000 Unified

http://www-01.ibm.com/support/docview.wss?uid=ssg1S1005814

IBM Security Bulletin: Multiple Samba vulnerability issue on IBM SONAS.

http://www-01.ibm.com/support/docview.wss?uid=ssg1S1005813

IBM Security Bulletin: Badlock Samba vulnerability issue on IBM Storwize V7000 Unified (CVE-2016-2118)

http://www.ibm.com/support/docview.wss?uid=ssg1S1005816

IBM Security Bulletin: Samba vulnerability issue on IBM Storwize V7000 Unified (CVE-2015-5252)

http://www.ibm.com/support/docview.wss?uid=ssg1S1005810

IBM Security Bulletin: Samba vulnerability issue on IBM Storwize V7000 Unified (CVE-2015-7560)

http://www-01.ibm.com/support/docview.wss?uid=ssg1S1005805

IBM Security Bulletin: Vulnerability in openldap2 affects IBM Flex System Chassis Management Module (CVE-2015-6908)

https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5099421

IBM Security Bulletin: Vulnerability in Apache Tomcat affects IBM UrbanCode Release (CVE-2015-5174)

http://www-01.ibm.com/support/docview.wss?uid=swg2C1000164