End-of-Shift report
Timeframe: Thursday 14-07-2016 18:00 − Friday 15-07-2016 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
Ransomware: Locky now also works offline
A new version of the Locky ransomware can now also encrypt computers that have no Internet connection. The offline variant does at least have one small advantage for the victims.
http://www.golem.de/news/erpressungstrojaner-locky-kann-jetzt-auch-offline-1607-122125-rss.html
Untangling Kovter's persistence methods
Kovter is a click-fraud malware famous for the unconventional tricks it uses for persistence. It hides malicious modules in PowerShell scripts as well as in registry keys to make detection and analysis difficult. In this post we will take a deep dive into the techniques used by its latest samples to see all the elements and...
https://blog.malwarebytes.com/threat-analysis/2016/07/untangling-kovter/
Security Best Practices for Azure App Service Web Apps, Part 5
Microsoft's Azure App Service is a fully managed platform as a service for developers that provides features and frameworks to quickly and easily build apps for any platform and any device. Despite the ease of using Azure, developers need to keep security in mind because Azure will not take care of every aspect of security. In our first...
https://blogs.mcafee.com/mcafee-labs/azure-app-service-web-apps-security-best-practices-part-5/
Reverse engineering DUBNIUM - Stage 2 payload analysis
Recently, we blogged about the basic functionality and features of the DUBNIUM advanced persistent threat (APT) activity group Stage 1 binary and Adobe Flash exploit used during the December 2015 incident (Part 1, Part 2). In this blog, we will go through the overall infection chain structure and the Stage 2 executable details. Stage 2 executables...
https://blogs.technet.microsoft.com/mmpc/2016/07/14/reverse-engineering-dubnium-stage-2-payload-analysis/
Oracle Critical Patch Update Pre-Release Announcement - July 2016
This Critical Patch Update Pre-Release Announcement provides advance information about the Oracle Critical Patch Update for July 2016, which will be released on Tuesday, July 19, 2016.
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
Spyware: Maxthon browser sends critical data to China
Researchers have discovered that the alternative browser Maxthon sends security-relevant user data to a server in Beijing. The data would be ideally suited for targeted attacks. And it is only poorly protected against third parties.
http://www.golem.de/news/spaehsoftware-maxthon-browser-sendet-sensible-daten-nach-china-1607-122138-rss.html
Control systems of power plants unprotected on the Internet
Journalists have found more than 100 systems - control systems of power plants, private homes and industrial facilities - that are reachable unprotected on the Internet, including in Austria.
http://futurezone.at/digital-life/steueranlagen-von-kraftwerken-ungeschuetzt-im-netz/209.994.668
Neutrino EK picks up momentum in recent attacks
The Neutrino developers have made some changes to the landing page source code as well as integrated a new exploit. The malware campaigns that once were Angler's continue to point to Neutrino, including a large malvertising attack on top adult sites we detected a few days ago.
https://blog.malwarebytes.com/cybercrime/2016/07/neutrino-ek-picks-up-momentum-in-recent-attacks/
Debian Security Advisory DSA-3618-1 - php5 security update
CVE ID: CVE-2016-5768 CVE-2016-5769 CVE-2016-5770 CVE-2016-5771 CVE-2016-5772 CVE-2016-5773 Several vulnerabilities were found in PHP, a general-purpose scripting language commonly used for web application development. The vulnerabilities are addressed by upgrading PHP to the new upstream version 5.6.23, which includes additional bug fixes.
https://lists.debian.org/debian-security-announce/2016/msg00196.html
DFN-CERT-2016-1140: FortiManager, FortiAnalyzer: A vulnerability allows a cross-site scripting attack
https://portal.cert.dfn.de/adv/DFN-CERT-2016-1140/
F5 Security Advisories
sol53084033: OpenSSL vulnerability CVE-2016-2178
An attacker could trigger an exploit using a timing side-channel attack to discover a DSA private key.
https://support.f5.com/kb/en-us/solutions/public/k/53/sol53084033.html?ref=rss
sol04054286: Linux kernel TCP vulnerability CVE-2016-2070
Successful exploitation of this vulnerability leads to a denial-of-service (DoS) attack, due to a divide-by-zero error which causes the system to stop responding. Product/Versions known to be vulnerable: ARX 6.2.0 - 6.4.0, Traffix SDC 5.0.0, 4.0.0 - 4.4.0
https://support.f5.com/kb/en-us/solutions/public/k/04/sol04054286.html?ref=rss
sol05125306: glibc vulnerability CVE-2016-1234
This vulnerability may allow a context-dependent attacker to cause a denial of service (DoS) via a long name. Product/Versions known to be vulnerable: Traffix SDC 5.0.0, 4.0.0 - 4.4.0
https://support.f5.com/kb/en-us/solutions/public/k/05/sol05125306.html?ref=rss
sol23873366: OpenSSL vulnerability CVE-2016-2177
This vulnerability may allow remote attackers to cause a denial-of-service (DoS) attack.
https://support.f5.com/kb/en-us/solutions/public/k/23/sol23873366.html?ref=rss
Cisco Security Advisories
Cisco Meeting Server Persistent Cross-Site Scripting Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160714-ms
Cisco WebEx Meetings Server Administrator Interface Reflected Cross-Site Scripting Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160714-wms1
Cisco WebEx Meetings Server Reflected Cross-Site Scripting Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160714-wms3
Cisco WebEx Meetings Server Administrator Interface SQL Injection Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160714-wms
Cisco WebEx Meetings Server Command Injection Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160714-wms4
IBM Security Bulletins
IBM Security Bulletin: XML External Entities Injection Vulnerability in IBM Traveler (CVE-2016-3039)
http://www-01.ibm.com/support/docview.wss?uid=swg21985858
IBM Security Bulletin: Multiple security vulnerabilities have been identified in IBM JRE and WebSphere Application Server shipped with IBM Tivoli Service Automation Manager (CVE-2016-3426, CVE-2016-3427)
http://www-01.ibm.com/support/docview.wss?uid=swg2C1000148
IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Application Dependency Discovery Manager (TADDM) - IBM Java SDK updates April 2016
http://www-01.ibm.com/support/docview.wss?uid=swg21985875
IBM Security Bulletin: IBM Tivoli Monitoring embedded WebSphere Application Server (CVE-2016-3426, CVE-2016-3427, CVE-2016-0306, CVE-2015-0254)
http://www-01.ibm.com/support/docview.wss?uid=swg21984732
IBM Security Bulletin: A cross-site scripting vulnerability in IBM WebSphere Application Server affects IBM Security Access Manager Version 9 (CVE-2015-7417)
http://www.ibm.com/support/docview.wss?uid=swg21987056
ICS-CERT Advisories
Schneider Electric Pelco Digital Sentry Video Management System Vulnerability
https://ics-cert.us-cert.gov/advisories/ICSA-16-196-01
Moxa MGate Authentication Bypass Vulnerability
https://ics-cert.us-cert.gov/advisories/ICSA-16-196-02
Schneider Electric SoMachine HVAC Unsafe ActiveX Control Vulnerability
https://ics-cert.us-cert.gov/advisories/ICSA-16-196-03
Philips Xper-IM Connect Vulnerabilities
https://ics-cert.us-cert.gov/advisories/ICSMA-16-196-01
Advantech WebAccess ActiveX Vulnerabilities (Update A)
https://ics-cert.us-cert.gov/advisories/ICSA-16-173-01