End-of-Shift report
Timeframe: Tuesday 06-09-2016 18:00 − Wednesday 07-09-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
Cleaning the Wp-Page Pharma Hack in WordPress
Pharma hacks are common website infections categorized under SEO spam. With pharma hacks, the attacker exploits vulnerable websites to distribute pharmaceutical advertisements to visitors. Symptoms of a pharma hack include embedded links and anchor text on pages or modified listings in Search Engine Results Pages (SERPs). These attacks most often target search engines like Google...
https://blog.sucuri.net/2016/09/cleaning-the-wp-page-pharma-hack-in-wordpress.html
How to Set Up Your Own Malware Trap, (Tue, Sep 6th)
I am sure what you really want is more malware ;-). But a few people asked for tricks to collect malware. Malware can be useful for a number of reasons: First of all, you could extract indicators of compromise from malware using various more or less automated methods. In addition, it is a good idea to keep an eye on what your users may be seeing, in particular if they receive e-mail from sources other than your corporate e-mail system. Sadly, many corporations these days switch to cloud...
https://isc.sans.edu/diary.html?storyid=21447&rss
Google closes the last QuadRooter holes in Android
As part of its monthly Android patch release, Google closes 47 security holes in the operating system. Seven of the holes are rated critical.
http://heise.de/-3315023
Unpatched holes in Fortinet load balancers
Fortinet has released an update that closes a security hole in its FortiWAN series load balancers. Other holes, however, appear to remain unpatched, which would allow attackers to execute admin commands without the corresponding privileges.
http://heise.de/-3315178
No confirmation of personal data required at Amazon
In a phishing e-mail, criminals claim that Amazon has temporarily frozen the recipient's user account. For this reason, customers are supposedly required to confirm their personal data. To do so, they must open a link and enter their login credentials on a website. Users must not do this!
https://www.watchlist-internet.at/phishing/keine-bestaetigung-persoenlicher-daten-bei-amazon-erforderlich/
Back-dooring PE Files on Windows
Introduction: Portable Executable (PE) files are very commonly used today. Many people download these files from the internet or get them from a friend and run them on their systems without realizing the dangers involved in running these kinds of files. It is very easy to add malicious code to these files and have it...
http://resources.infosecinstitute.com/back-dooring-pe-files-windows/
The Missing Piece - Sophisticated OS X Backdoor Discovered
In a nutshell: Backdoor.OSX.Mokes.a is the most recently discovered OS X variant of a cross-platform backdoor which is able to operate on all major operating systems (Windows, Linux, OS X). Please see also our analysis of the Windows and Linux variants.
http://securelist.com/blog/research/75990/the-missing-piece-sophisticated-os-x-backdoor-discovered/
A bite of Python
Being easy to pick up and quick to progress towards developing larger and more complicated applications, Python is becoming increasingly ubiquitous in computing environments. However, the apparent clarity and friendliness of the language could lull the vigilance of software engineers and system administrators, luring them into coding mistakes that may have serious security implications. In this article, which primarily targets people who are new to Python, a handful of security-related quirks are looked...
https://access.redhat.com/blogs/766093/posts/2592591
OUCH! 2016 Newsletter
September 2016: Email Dos and Don'ts
https://securingthehuman.sans.org/resources/newsletters/ouch/2016
WordPress 4.6.1 Security and Maintenance Release
https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/
FortiWAN Multiple Vulnerabilities
FortiWAN 4.2.4 and below is exposed to cross-site scripting, information leak and escalation of privilege vulnerabilities. CVE-2016-4965: a FortiWAN non-administrative authenticated user having access privileges to the nslookup functionality can perform OS command injection in the root user context. CVE-20...
http://fortiguard.com/advisory/fortiwan-multiple-vulnerabilities
[R5] PHP < 5.6.21 Vulnerabilities Affect Tenable SecurityCenter
http://www.tenable.com/security/tns-2016-09
TA16-250A: The Increasing Threat to Network Infrastructure Devices and Recommended Mitigations
Original release date: September 06, 2016. Systems Affected: Network Infrastructure Devices. Overview: The advancing capabilities of organized hacker groups and cyber adversaries create an increasing global threat to information systems. The rising threat levels place more demands on security personnel and network administrators to protect information systems. Protecting the network infrastructure is critical to preserve the confidentiality, integrity, and availability of communication and...
https://www.us-cert.gov/ncas/alerts/TA16-250A
Security Advisory: Expat XML parser vulnerability CVE-2012-6702
https://support.f5.com:443/kb/en-us/solutions/public/k/65/sol65460334.html?ref=rss
Security Advisory: FreeType vulnerabilities CVE-2014-9746 and CVE-2014-9747
https://support.f5.com:443/kb/en-us/solutions/public/k/52/sol52439336.html?ref=rss
Bugtraq: Infoblox Cross-site scripting vulnerabilities
http://www.securityfocus.com/archive/1/539367
Bugtraq: [CVE-2016-6484] Infoblox Network Automation CRLF Injection/ HTTP splitting
http://www.securityfocus.com/archive/1/539366
BMC BladeLogic Server Automation For Linux 8.7 Directory Dump
Topic: BMC BladeLogic Server Automation For Linux 8.7 Directory Dump. Risk: Medium. Text: Title: Unauthenticated Arbitrary Directory Dump in BMC BladeLogic Server Automation. Affected Software: BMC Bla...
https://cxsecurity.com/issue/WLB-2016090036
VU#282991: DEXIS Imaging Suite 10 contains hard-coded credentials
Vulnerability Note VU#282991. Original release date: 07 Sep 2016 | Last revised: 07 Sep 2016. Overview: DEXIS is dental x-ray imaging software that manages patient records. DEXIS Imaging Suite 10 contains several hard-coded credentials allowing administrative or root access to the patient database. Description: CWE-798: Use of Hard-coded Credentials - CVE-2016-6532. DEXIS Imaging Suite 10 contains several hard-coded database credentials...
http://www.kb.cert.org/vuls/id/282991
VU#548399: Dentsply Sirona SchickTech CDR contains multiple hard-coded credentials
Vulnerability Note VU#548399. Original release date: 06 Sep 2016 | Last revised: 06 Sep 2016. Overview: The Dentsply Sirona SchickTech CDR DICOM is software for managing medical dental records. CDR DICOM contains several hard-coded credentials allowing administrative or root access. Description: CWE-798: Use of Hard-coded Credentials - CVE-2016-6530. SchickTech CDR DICOM version 5 and below contains several hard-coded database...
http://www.kb.cert.org/vuls/id/548399
VU#619767: Open Dental contains hard-coded credentials
Vulnerability Note VU#619767. Original release date: 06 Sep 2016 | Last revised: 06 Sep 2016. Overview: Open Dental is medical dental records management software. Open Dental contains hard-coded default credentials allowing administrative or root access to the patient database. Description: CWE-798: Use of Hard-coded Credentials - CVE-2016-6531. Open Dental contains a hard-coded default database credential. An unauthenticated remote attacker with...
http://www.kb.cert.org/vuls/id/619767
VU#548399: Dentsply Sirona CDR DICOM contains multiple hard-coded credentials
Vulnerability Note VU#548399. Original release date: 06 Sep 2016 | Last revised: 06 Sep 2016. Overview: The Dentsply Sirona (previously known as Schick Technologies) CDR DICOM is software for managing medical dental records. CDR DICOM contains several hard-coded credentials allowing administrative or root access. Description: CWE-798: Use of Hard-coded Credentials - CVE-2016-6530. Dentsply Sirona CDR DICOM version 5 and below...
http://www.kb.cert.org/vuls/id/548399
Security Advisory - XML Bomb Vulnerability in AnyOffice
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160907-01-anyoffice-en
Security Advisory - Two Vulnerabilities in Huawei WS331a
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160907-01-ws331a-en
Security Advisory - TCP Connection Hijack Vulnerability
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160907-01-tcp-en
Security Advisory - Information Leak Vulnerability in Certain Huawei Products
http://www.huawei.com/en/psirt/security-advisories/2015/hw-455876
IBM Security Bulletins
IBM Security Bulletin: Vulnerabilities in NTP affect AIX (CVE-2015-7974, CVE-2016-1550, CVE-2016-1551, CVE-2016-2517, CVE-2016-2518, CVE-2016-2519, CVE-2016-1547, CVE-2016-4957, CVE-2016-4953, CVE-2016-4954, CVE-2016-4955)
http://aix.software.ibm.com/aix/efixes/security/ntp_advisory7.asc
IBM Security Bulletin: Two vulnerabilities in libvirt affect PowerKVM (CVE-2015-5313, CVE-2016-5008)
http://www.ibm.com/support/docview.wss?uid=isg3T1024185
IBM Security Bulletin: IBM Flex System Manager (FSM) is affected by multiple php vulnerabilities
http://www.ibm.com/support/docview.wss?uid=isg3T1024229
IBM Security Bulletin: A vulnerability in the Apache HTTP Server affects PowerKVM (CVE-2016-5387)
http://www.ibm.com/support/docview.wss?uid=isg3T1024017
IBM Security Bulletin: IBM Flex System Manager (FSM) is affected by a Pluggable Authentication Module (PAM) vulnerability (CVE-2013-7041)
http://www-01.ibm.com/support/docview.wss?uid=isg3T1024221
IBM Security Bulletin: Vulnerabilities in Struts v2 affect IBM Spectrum Control (formerly Tivoli Storage Productivity Center) CVE-2016-1181, CVE-2016-1182
http://www.ibm.com/support/docview.wss?uid=swg21988638
IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Spectrum Control and Tivoli Storage Productivity Center April 2016 CPU (CVE-2016-3426)
http://www.ibm.com/support/docview.wss?uid=swg21988636
IBM Security Bulletin: Vulnerability in libssh2 affects IBM Flex System FC3171 8Gb SAN Switch & SAN Pass-thru Firmware and QLogic Virtual Fabric Extension Module for IBM BladeCenter (CVE-2016-0787)
https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5099450
IBM Security Bulletin: Vulnerability in Rational Team Concert with potential for Cross-Site Scripting attack (CVE-2016-0331)
http://www.ibm.com/support/docview.wss?uid=swg21989899
IBM Security Bulletin: OpenSource Apache Taglibs vulnerability affects IBM Spectrum Control (formerly Tivoli Storage Productivity Center) CVE-2015-0254
http://www.ibm.com/support/docview.wss?uid=swg21988644
IBM Security Bulletin: Multiple vulnerabilities in MD5 Signature and Hash Algorithm, glibc and OpenSSL affect IBM Netezza Firmware Diagnostics Tools
http://www-01.ibm.com/support/docview.wss?uid=swg21980965