Daily summary - Wednesday 11-01-2017

End-of-Shift report

Timeframe: Tuesday 10-01-2017 18:00 − Wednesday 11-01-2017 18:00 Handler: Stephan Richter Co-Handler: n/a

How to secure MongoDB - because it isn't by default and thousands of DBs are being hacked

Stop right now and make sure you've configured it correctly. The rise in ransomware attacks on MongoDB installations prompted the database maker last week to issue advice on how to avoid being victimized.

http://go.theregister.com/feed/www.theregister.co.uk/2017/01/11/mongodb_ransomware_followup/


Phishing via autofill: Chrome, Safari, Opera and extensions such as LastPass vulnerable

Chromium-based browsers, Safari and popular extensions such as the password manager LastPass can be tricked into disclosing more about the user than the user suspects.

https://heise.de/-3593811


Injection of Unwanted Google AdSense Ads

During the last couple of years, it has become quite prevalent for hackers to monetize compromised sites by injecting unwanted ads. They can be pop-up ads triggered when a visitor spends a certain amount of time on an infected page, or automatic redirection of mobile traffic to URLs that belong to ad networks. It's not uncommon to see adult ads since networks that work with the porn industry usually allow a higher level of anonymity and have less strict guidelines (if any) on the quality...

https://blog.sucuri.net/2017/01/injection-unwanted-google-adsense-ads.html


Spora Ransomware Works Offline, Has the Most Sophisticated Payment Site as of Yet

A new ransomware family made its presence felt today, named Spora, the Russian word for "spore." This new ransomware's most notable features are its solid encryption routine, ability to work offline, and a very well put together ransom payment site, the most sophisticated we've seen from ransomware authors as of yet. [...]

https://www.bleepingcomputer.com/news/security/spora-ransomware-works-offline-has-the-most-sophisticated-payment-site-as-of-yet/


Juniper warns: Borked upgrade opens root on firewalls

Turn it off and turn it back on again. No, really. Juniper is warning users of its SRX firewalls that a borked upgrade leaves a root-level account open to the world.

http://go.theregister.com/feed/www.theregister.co.uk/2017/01/11/juniper_warns_borked_upgrade_opens_root_on_firewalls/


Hancitor/Pony/Vawtrak malspam, (Wed, Jan 11th)

Introduction: Until recently, I hadn't personally seen much malicious spam (malspam) using Microsoft Office documents with Hancitor-based Visual Basic (VB) macros to send Pony and Vawtrak. It still happens, though. Occasionally, I'll find a report like this one from 2016-12-19, where Hancitor/Pony/Vawtrak malspam was disguised as a LogMeIn account notification, but I rarely come across an example on my own. At least until yesterday. This diary describes a recent wave of Hancitor/Pony/Vawtrak...

https://isc.sans.edu/diary.html?storyid=21919&rss


MS17-JAN - Microsoft Security Bulletin Summary for January 2017 - Version: 1.1

https://technet.microsoft.com/en-us/library/security/MS17-JAN


Bugtraq: ESA-2016-096: EMC Celerra, VNX1, VNX2 and VNXe SMB NTLM Authentication Weak Nonce Vulnerability

http://www.securityfocus.com/archive/1/539992
http://www.securityfocus.com/archive/1/539993
http://www.securityfocus.com/archive/1/539995


Vuln: Ansible CVE-2016-9587 Arbitrary Command Execution Vulnerability

http://www.securityfocus.com/bid/95352


VU#767208: ThreatMetrix SDK for iOS fails to validate SSL certificates

Vulnerability Note VU#767208: ThreatMetrix SDK for iOS fails to validate SSL certificates. Original release date: 10 Jan 2017 | Last revised: 10 Jan 2017. Overview: On the iOS platform, the ThreatMetrix SDK versions prior to 3.2 fail to validate SSL certificates provided by HTTPS connections, which may allow an attacker to perform a man-in-the-middle (MITM) attack. Description: ThreatMetrix is a security library for mobile applications, which aims to provide fraud prevention and device identity...

http://www.kb.cert.org/vuls/id/767208


DFN-CERT-2017-0041: BlackBerry Enterprise Server: Two vulnerabilities allow, among other things, the acquisition of user privileges

https://portal.cert.dfn.de/adv/DFN-CERT-2017-0041/


BSRT-2017-003 Vulnerability in WatchDox Server components impacts WatchDox by BlackBerry

http://support.blackberry.com/kb/articleDetail?articleNumber=000038915


DFN-CERT-2017-0045: WebKitGTK+: Multiple vulnerabilities allow, among other things, the execution of arbitrary code

https://portal.cert.dfn.de/adv/DFN-CERT-2017-0045/


GnuTLS Lets Remote Users Execute Arbitrary Code on the Target System

http://www.securitytracker.com/id/1037576


DFN-CERT-2017-0047: GnuTLS: Multiple vulnerabilities allow various denial-of-service attacks

https://portal.cert.dfn.de/adv/DFN-CERT-2017-0047/


Vuln: PHP CVE-2017-5340 Remote Code Execution Vulnerability

http://www.securityfocus.com/bid/95371


Bugtraq: Bit Defender #39 - Auth Token Bypass Vulnerability

http://www.securityfocus.com/archive/1/539999


Vuln: Computer Associates Service Desk Manager CVE-2016-10086 Security Bypass Vulnerability

http://www.securityfocus.com/bid/95366


Security Advisory - DoS Vulnerability in Multiple Huawei Products

http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170111-01-parser-en


Security Advisory - Camera DOS Vulnerability in ION Memory Management Module of Huawei Smart Phone

http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170111-01-smartphone-en


Security Notice - Statement on SaifAllah BenMassaoud Revealing CSRF Security Vulnerability in Huawei B660 Routers

http://www.huawei.com/en/psirt/security-notices/2017/huawei-sn-20170111-01-b660-en


Vuln: SAP Products

Vuln: SAP Single Sign On Denial of Service Vulnerability

http://www.securityfocus.com/bid/95363

Vuln: SAP ERP Defence Forces and Public Security Remote Authorization Bypass Vulnerability

http://www.securityfocus.com/bid/95362
http://www.securityfocus.com/bid/95365

Vuln: SAP NetWeaver AS JAVA getUserUddiElements SQL Injection Vulnerability

http://www.securityfocus.com/bid/95364

Vuln: SAP NetWeaver Application Server Java Portal App Component Cross Site Scripting Vulnerability

http://www.securityfocus.com/bid/95368

IBM Security Bulletins

IBM Security Bulletin: Hard-coded credentials used in IBM dashDB Local (CVE-2016-8954)

http://www-01.ibm.com/support/docview.wss?uid=swg21994471

IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Performance Tester (CVE-2016-5597)

http://www.ibm.com/support/docview.wss?uid=swg21995685

IBM Security Bulletin: Fix Available for IBM iNotes Cross-site Scripting Vulnerability (CVE-2016-5881)

http://www-01.ibm.com/support/docview.wss?uid=swg21995122

IBM Security Bulletin: January 2015 OpenSSL security vulnerabilities in Multiple IBM N Series Products

http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009328

IBM Security Bulletin: October 2014 Java Runtime Environment (JRE) Vulnerabilities in Multiple N series Products

http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009593