End-of-Shift report
Timeframe: Thursday 12-01-2017 18:00 − Friday 13-01-2017 18:00
Handler: Stephan Richter
Co-Handler: n/a
Critical Patch Update - January 2017 - Pre-Release Announcement
http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html
EMET 5.52 update is now available
EMET 5.52 is the latest version of the Enhanced Mitigation Experience Toolkit (EMET) and is now available for download. EMET 5.52 is a minor update from EMET 5.51 to address the following: An issue with the EAF mitigation that causes some applications to hang on Windows 7 SP1. A fix to the MSI installer to...
https://blogs.technet.microsoft.com/srd/2017/01/12/emet-5-52-update-is-now-available/
Marlboro Ransomware Defeated in One Day
A new ransomware family was snuffed in its crib today after security researchers tracked it down, analyzed its source code for weaknesses, and released a decrypter in less than 24 hours. [...]
https://www.bleepingcomputer.com/news/security/marlboro-ransomware-defeated-in-one-day/
Attacks on beroNet VoIP gateways, patch closes the hole
Attackers discovered a vulnerability in the VoIP gateways of the Berlin-based manufacturer beroNet and have recently been exploiting it to run up their victims' phone bills. A patch from the manufacturer closes the security hole.
https://heise.de/-3594737
NCCIC/ICS-CERT Monitor November-December 2016
The NCCIC/ICS-CERT Monitor for November/December 2016 is a summary of ICS-CERT activities for the previous two months.
https://ics-cert.us-cert.gov/monitors/ICS-MM201612
How banks protect themselves against cyberattacks
Olaf Schwarz, Information Security Officer at the direct bank ING DiBa Austria, on cyberattacks against banks, ransomware and security training for employees.
https://futurezone.at/digital-life/wie-sich-banken-vor-cyberangriffen-schuetzen/240.231.033
Who's Attacking Me?, (Fri, Jan 13th)
I started to play with a nice reconnaissance tool that could be helpful in many cases - offensive as well as defensive. IVRE [1] (DRUNK in French) is a tool developed by the CEA, the Alternative Energies and Atomic Energy Commission in France. It's a network reconnaissance framework that includes: passive recon features (via flow analysis coming from Bro or Nfdump), fingerprinting analysis, active recon (via Nmap or Zmap), import tools (from Nmap or Masscan). I deployed this tool and fed it with...
https://isc.sans.edu/diary.html?storyid=21933&rss
MongoDB Hijackers Move on to ElasticSearch Servers
After days of wreaking havoc among MongoDB servers, a group of crooks has moved on to hijacking ElasticSearch servers and asking for similar ransoms. [...]
https://www.bleepingcomputer.com/news/security/mongodb-hijackers-move-on-to-elasticsearch-servers/
Key exchange: fuss over an alleged WhatsApp backdoor
Does WhatsApp have a backdoor? At least that is what a security researcher and the Guardian claim. In fact, there could also be a less spectacular explanation.
http://www.golem.de/news/schluesselaustausch-aufregung-um-angebliche-whatsapp-backdoor-1701-125571-rss.html
Ploutus ATM Malware: Press F3 for Money
Security researchers from FireEye have identified a new variant of the Ploutus ATM malware, used for the past few years to make ATMs spew out cash on command. [...]
https://www.bleepingcomputer.com/news/security/ploutus-atm-malware-press-f3-for-money/
Security Alert: RIG EK Exploits Outdated Popular Apps, Spreads Cerber Ransomware
Cybersecurity experts obsessively repeat two types of advice: Use stronger passwords. Update your software. Today's security alert is all about the importance of applying software updates as soon as they're released. At the moment, cybercriminals are using a swarm of malicious domains to launch drive-by attacks against unsuspecting users. The campaign works by injecting malicious scripts into insecure...
https://heimdalsecurity.com/blog/rig-exploit-kit-cerber-ransomware-outdated-software/
DSA-3761 rabbitmq-server - security update
It was discovered that RabbitMQ, an implementation of the AMQP protocol, didn't correctly validate MQTT (MQ Telemetry Transport) connection authentication. This allowed anyone to log in to an existing user account without having to provide a password.
https://www.debian.org/security/2017/dsa-3761
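Added verification check for the RabbitMQ entry above (example code written for this report, not part of the Debian advisory or of RabbitMQ): it hand-builds an MQTT 3.1.1 CONNECT packet that carries a user name but no password, sends it to a broker you administer, and reads the CONNACK return code. A patched broker must answer 4 (bad user name or password) or 5 (not authorized); a broker that answers 0 still shows the behaviour the advisory describes. The host name, port and account name in the main block are assumptions, to be replaced with your own.

```python
import socket
import struct

# CONNACK return codes from the MQTT 3.1.1 specification (section 3.2.2.3)
CONNACK_CODES = {
    0: "connection accepted",
    1: "unacceptable protocol version",
    2: "identifier rejected",
    3: "server unavailable",
    4: "bad user name or password",
    5: "not authorized",
}


def _utf8_string(s):
    """MQTT UTF-8 encoded string: 2-byte big-endian length prefix + bytes."""
    data = s.encode("utf-8")
    return struct.pack(">H", len(data)) + data


def _remaining_length(n):
    """Variable-length 'remaining length' field: 7 bits per byte, MSB = continuation."""
    out = bytearray()
    while True:
        byte = n % 128
        n //= 128
        if n > 0:
            byte |= 0x80
        out.append(byte)
        if n == 0:
            return bytes(out)


def build_connect(client_id, username=None, password=None, keepalive=30):
    """Build an MQTT 3.1.1 CONNECT packet.

    A user name without a password is legal per the spec (user name flag set,
    password flag clear); it is exactly the request a vulnerable broker accepted.
    """
    flags = 0x02  # clean session; no will message, QoS 0
    payload = _utf8_string(client_id)
    if username is not None:
        flags |= 0x80  # user name flag (bit 7)
        payload += _utf8_string(username)
    if password is not None:
        if username is None:
            raise ValueError("MQTT forbids a password flag without a user name")
        flags |= 0x40  # password flag (bit 6)
        payload += _utf8_string(password)
    variable_header = (
        _utf8_string("MQTT")            # protocol name
        + b"\x04"                       # protocol level 4 = MQTT 3.1.1
        + bytes([flags])
        + struct.pack(">H", keepalive)
    )
    body = variable_header + payload
    return b"\x10" + _remaining_length(len(body)) + body  # 0x10 = CONNECT, flags 0


def parse_connack(data):
    """Return the CONNACK return code, or raise if the reply is not a CONNACK."""
    if len(data) < 4 or data[0] != 0x20 or data[1] != 0x02:
        raise ValueError("reply is not an MQTT CONNACK: %r" % (data[:4],))
    return data[3]


def accepts_passwordless_login(host, port, username, timeout=5.0):
    """Connect with a user name and no password; True if the broker answers 'accepted'."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connect("mqtt-auth-check", username=username))
        reply = sock.recv(4)
    code = parse_connack(reply)
    print("%s:%d user=%r -> CONNACK %d (%s)"
          % (host, port, username, code, CONNACK_CODES.get(code, "reserved")))
    return code == 0


if __name__ == "__main__":
    # Hypothetical target: a broker you administer, plus the name of an
    # existing account. A patched broker should answer 4 or 5, never 0.
    if accepts_passwordless_login("broker.example.internal", 1883, "guest"):
        print("broker accepted a login with no password: still vulnerable")
    else:
        print("password-less login rejected")
```

Run it only against brokers you are responsible for; the packet builder and parser work offline, so the flag layout can be checked without a broker at hand.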
Vuln: Splunk Enterprise CVE-2016-10126 Information Disclosure Vulnerability
http://www.securityfocus.com/bid/95412
Vuln: Lenovo XClarity Administrator CVE-2016-8221 Privilege Escalation Vulnerability
http://www.securityfocus.com/bid/95417
HPSBGN03694 rev.1 - HPE SiteScope, Remote Disclosure of Information
A security vulnerability in the DES/3DES block ciphers used in the TLS protocol could potentially impact HPE SiteScope, resulting in remote disclosure of information (also known as the SWEET32 attack).
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05369403
Vuln: Zabbix CVE-2016-10134 SQL Injection Vulnerability
http://www.securityfocus.com/bid/95423
Security Advisory: BIND vulnerability CVE-2016-9147
https://support.f5.com:443/kb/en-us/solutions/public/k/02/sol02138183.html?ref=rss
Security Advisory: BIND vulnerability CVE-2016-9131
https://support.f5.com:443/kb/en-us/solutions/public/k/86/sol86272821.html?ref=rss
Security Advisory: BIND vulnerability CVE-2016-9444
https://support.f5.com:443/kb/en-us/solutions/public/k/40/sol40181790.html?ref=rss
PowerDNS Security Fixes
PowerDNS Recursor 4.0.4 released
https://mailman.powerdns.com/pipermail/pdns-announce/2017-January/001051.html
PowerDNS Recursor 3.7.4 released
https://mailman.powerdns.com/pipermail/pdns-announce/2017-January/001052.html
PowerDNS Authoritative Server 4.0.2 released
https://mailman.powerdns.com/pipermail/pdns-announce/2017-January/001053.html
PowerDNS Authoritative Server 3.4.11 released
https://mailman.powerdns.com/pipermail/pdns-announce/2017-January/001054.html
IBM Security Bulletins
IBM Security Bulletin: Security vulnerabilities in Apache Tomcat affect multiple IBM Rational products based on IBM's Jazz technology
https://www.ibm.com/support/docview.wss?uid=swg21997084
IBM Security Bulletin: Unauthenticated User Could Gain Remote Access to TS3100/TS3200 (CVE-2016-9005)
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009656
IBM Security Bulletin: Multiple vulnerabilities in IBM SDK, Java Technology Edition affect IBM Image Construction and Composition Tool (CVE-2016-5573, CVE-2016-5542 and CVE-2016-5597)
http://www.ibm.com/support/docview.wss?uid=swg21997055
IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM PureApplication System.
http://www.ibm.com/support/docview.wss?uid=swg21994499
IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Image Construction and Composition Tool.
http://www.ibm.com/support/docview.wss?uid=swg21997063
IBM Security Bulletin: Vulnerability in IBM WebSphere Application Server and IBM WebSphere Application Server Liberty affects IBM SPSS Analytic Server (CVE-2016-5986)
http://www-01.ibm.com/support/docview.wss?uid=swg21996950
IBM Security Bulletin: Vulnerability in OpenSSL affects IBM Advanced Management Module (AMM) for BladeCenter systems
https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5099527
IBM Security Bulletin: Vulnerability in IBM WebSphere Application Server Liberty affects IBM SPSS Analytic Server (CVE-2016-0378)
http://www-01.ibm.com/support/docview.wss?uid=swg21996968
IBM Security Bulletin: A vulnerability in the GSKit component of IBM Tivoli Monitoring (CVE-2015-1788)
http://www-01.ibm.com/support/docview.wss?uid=swg21997156