Daily summary - Thursday 5-01-2017

End-of-Shift report

Timeframe: Wednesday 04-01-2017 18:00 − Thursday 05-01-2017 18:00
Handler: Stephan Richter
Co-Handler: n/a

E-banking Trojan: over 100,000 euros in damage

E-banking malware has caused over 100,000 euros in damage at a network technology company in the city of Salzburg. Several bank transfers were redirected to a Slovakian account.

http://salzburg.orf.at/news/stories/2818225/


Microsoft kills off security bulletins - for good

Microsoft's last ever security bulletin is next week - so has the manual bulletin had its day?

https://www.htbridge.com/blog/microsoft-kills-off-security-bulletins-for-good.html


VB2016 paper: Open Source Malware Lab

At VB2016, ThreatConnect Director of Research Innovation Robert Simmons presented a paper on setting up an open source malware lab. Today, we share the accompanying paper and video.

https://www.virusbulletin.com/blog/2017/01/vb2016-paper-open-source-malware-lab/


What Hack? Burlington Electric Speaks Out

Burlington Electric Department general manager Neale Lunderville speaks out about last week's incident and the response to reports that the electric grid had been hacked.

http://threatpost.com/what-hack-burlington-electric-speaks-out/122860/


Hackers could turn your smart meter into a bomb and blow your family to smithereens - new claim

And before that, pwn your IoT gadgets via power supply gear. Smart meters are "dangerously insecure," according to researcher Netanel Rubin - who claimed the gear uses weak encryption, relies on easily pwned protocols, and can be programmed to explode.

http://go.theregister.com/feed/www.theregister.co.uk/2017/01/04/smart_metres_ccc/


FireCrypt Ransomware Comes With a DDoS Component

A new ransomware family named FireCrypt will encrypt the user's files, but also attempts to launch a very feeble DDoS attack on a URL hardcoded in its source code.

https://www.bleepingcomputer.com/news/security/firecrypt-ransomware-comes-with-a-ddos-component/


Emsisoft releases a decryptor for version 3 of the Globe Ransomware

Fabian Wosar of Emsisoft has released a decryptor for version 3 of the Globe Ransomware. This decryptor will decrypt the Globe Ransomware variants that commonly append the .decrypt2017 and .hnumkhotep extensions to encrypted files.

https://www.bleepingcomputer.com/news/security/emsisoft-releases-a-decryptor-for-version-3-of-the-globe-ransomware/


Mixed Messages: Novel Phishing Attempts Trying to Steal Your E-mail Password Goes Wrong, (Wed, Jan 4th)

A reader wrote in to send us an interesting phishing attempt they had received at their organization. An email from a school domain that purported to be from VetMeds sent an encrypted PDF that required a user name and password to log in to. The subject of the email was "Assessment document". The PDF itself was created with Microsoft Word and included a link that suggested it was a locked document and you needed to click a link to unlock it, which pointed to chai[.]myjino[.]ru and gave a screen with a...

https://isc.sans.edu/diary.html?storyid=21881&rss


KillDisk Ransomware Now Targets Linux, Prevents Boot-Up, Has Faulty Encryption

Researchers have discovered a Linux variant of the KillDisk ransomware, which itself is a new addition to the KillDisk disk wiper malware family, previously used only to sabotage companies by randomly deleting data and altering files. [...]

https://www.bleepingcomputer.com/news/security/killdisk-ransomware-now-targets-linux-prevents-boot-up-has-faulty-encryption/


[R1] Nessus 6.9.3 Fixes One Vulnerability

Tenable Nessus was found to be impacted by an authenticated stored cross-site scripting (XSS) issue.

https://www.tenable.com/security/tns-2017-01


HPSBGN03688 rev.1 - HPE Operations Orchestration, Remote Code Execution

A potential security vulnerability has been identified in HPE Operations Orchestration. The vulnerability could be remotely exploited to allow remote code execution.

http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05361944


Google Nexus Qualcomm GPU Driver CVE-2016-8434 Privilege Escalation Vulnerability

Google Nexus is prone to a privilege-escalation vulnerability. Attackers can exploit this issue to execute arbitrary code with elevated privileges within the context of the kernel.

http://www.securityfocus.com/bid/95257


Atlassian Confluence 5.9.12 Cross Site Scripting

Topic: Atlassian Confluence 5.9.12 Cross Site Scripting
Risk: Low
Text: ==[ Tempest Security Intelligence - ADV-3/2016 CVE-2016-6283 ]== Persisted Cross-Site Scripting (XSS) in Confluence J...

https://cxsecurity.com/issue/WLB-2017010029


ShoreTel Mobility Client iOS 9.1.2.101 SSL Man-In-The-Middle

Topic: ShoreTel Mobility Client iOS 9.1.2.101 SSL Man-In-The-Middle
Risk: Medium
Text: ShoreTel Mobility Client iOS Application - MITM SSL Certificate Vulnerability (CVE-2016-6562) Overview "The Mobility Clie...

https://cxsecurity.com/issue/WLB-2017010028


Doubleclick for Publishers (DFP) - Moderately Critical - Multiple vulnerabilities - SA-CONTRIB-2017-002

Advisory ID: DRUPAL-SA-CONTRIB-2017-002
Project: Doubleclick for Publishers (DFP) (third-party module)
Version: 7.x
Date: 2017-January-04
Security risk: 10/25 (Moderately Critical) AC:Complex/A:User/CI:None/II:None/E:Exploit/TD:All
Vulnerability: Cross Site Scripting
Description: This module enables you to place advertisements on your site that are served by Google's DFP (Doubleclick for Publishers) service. The module has multiple Cross Site Scripting (XSS) vulnerabilities due to not sufficiently...

https://www.drupal.org/node/2841114


Permissions by Term -- Critical - Multiple vulnerabilities - SA-CONTRIB-2017-001

Advisory ID: DRUPAL-SA-CONTRIB-2017-001
Project: Permissions by Term (third-party module)
Version: 8.x
Date: 2017-January-04
Security risk: 15/25 (Critical) AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:All
Vulnerability: Access bypass, Information Disclosure
Description: The Permissions by Term module extends Drupal functionality by restricting access to single nodes via taxonomy terms. Taxonomy terms are part of the Drupal core functionality. Taxonomy term permissions can be coupled to specific...

https://www.drupal.org/node/2841094


IBM Security Bulletins

IBM Security Bulletin: Vulnerability in HTTP request processing affects IBM License Metric Tool v9 and IBM BigFix Inventory v9 (CVE-2016-8977)

http://www-01.ibm.com/support/docview.wss?uid=swg21995014

IBM Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU Oct 2016 Includes Oracle Oct 2016 CPU affects Content Collector for Email

https://www-01.ibm.com/support/docview.wss?uid=swg21995468

IBM Security Bulletin: vCenter password disclosure via application tracing in IBM Tivoli Storage Manager Client and IBM Tivoli Storage Manager for Virtual Environments:Data Protection for VMware (CVE-2016-6110)

http://www.ibm.com/support/docview.wss?uid=swg21996198

IBM Security Bulletin: Vulnerabilities in Apache Tomcat and OpenSSL affect Rational BuildForge

http://www-01.ibm.com/support/docview.wss?uid=swg21995528

IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Integrated Management Module II (IMM2) for System x, Flex and BladeCenter systems

https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5099526

IBM Security Bulletin: Vulnerability in OpenSSL affects IBM Advanced Management Module (AMM) for BladeCenter systems

https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5099528

IBM Security Bulletin: IBM Tivoli Common Reporting (TCR) 2016Q4 Security Updater: TCR is affected by multiple vulnerabilities.

http://www-01.ibm.com/support/docview.wss?uid=swg21996032

IBM Security Bulletin: Vulnerability in DHCP affects IBM Integrated Management Module II (IMM2) for System x, Flex and BladeCenter systems

https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5099529

IBM Security Bulletin: Vulnerabilities in GNU C Library affect IBM Integrated Management Module II (IMM2) for System x, Flex and BladeCenter systems

https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5099524

IBM Security Bulletin: Apache Xerces-C vulnerabilities affect IBM Cloud Manager with OpenStack (CVE-2016-4463)

http://www.ibm.com/support/docview.wss?uid=isg3T1024585


Next End-of-Shift report: 2017-01-09