End-of-Shift report
Timeframe: Friday 20-01-2017 18:00 − Monday 23-01-2017 18:00
Handler: Stephan Richter
Co-Handler: n/a
PowerShell 5.1 for Windows 7 and later, (Fri, Jan 20th)
Microsoft has released Windows Management Framework 5.1 for Windows 7 and later. WMF 5.1 upgrades Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 to the PowerShell, WMI, WinRM and SIL components that were released with Windows Server 2016 and Windows 10 Anniversary Edition. (c) SANS Internet Storm Center.
https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
https://isc.sans.edu/diary.html?storyid=21957&rss
Hotel paralysed by hackers for the fourth time
The Seehotel Jägerwirt on the Turracher Höhe has been attacked and extorted by hackers for the fourth time already. The electronic room keys were disabled. As a result, the hotel now wants to return to conventional keys.
http://kaernten.orf.at/news/stories/2821290/
Stopping Malware With a Fake Virtual Machine
As we explained in a previous post, some advanced malware can detect a virtual environment such as a sandbox to avoid detection and analysis. Some threats can also detect monitoring tools used for malware analysis. Often such malware will not execute or change their behavior to appear harmless. Because some malware uses these tactics, planting fake virtual machine artefacts or fake analysis tools on a system...
https://securingtomorrow.mcafee.com/mcafee-labs/stopping-malware-fake-virtual-machine/
Maintenance work on Tuesday, 24 January 2017
On Tuesday, 24 January 2017, we will carry out maintenance work on our infrastructure. This will lead to outages of the externally reachable services (e.g. mail, web server, mailing lists). No data (e.g. emails) will be lost, but processing may be delayed.
http://www.cert.at/services/blog/20170120104523-1882.html
The Week in Ransomware - January 20th 2017 - Satan RaaS, Spora, Locky, and More
This week we continue to see more ransomware being released as well as changes in the distribution of the larger ransomware infections. For example, Locky has had a very low distribution lately since the holidays, but according to the Cisco Talos Group, it is starting to pick up again. [...]
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-january-20th-2017-satan-raas-spora-locky-and-more/
Sage 2.0 Ransomware, (Sat, Jan 21st)
Introduction: On Friday 2017-01-20, I checked on a malicious spam (malspam) campaign that normally distributes Cerber ransomware. That Friday it delivered ransomware I'd never seen before called Sage. More specifically, it was Sage 2.0. It's always fun to find ransomware that's not Cerber or Locky. Sage is yet another family of ransomware in an already crowded field. It was noted on BleepingComputer forums back in December 2016 [1, 2], and Sage is apparently a variant of...
https://isc.sans.edu/diary.html?storyid=21959&rss
Symantec sloppy with TLS certificates again
Several certificate authorities (CAs) operated by Symantec have apparently issued more than 100 TLS certificates without authorisation. This could allow third parties to read the traffic of HTTPS-protected websites.
https://heise.de/-3604190
Android permissions and hypocrisy
I wrote a piece a few days ago about how the Meitu app asked for a bunch of permissions in ways that might concern people, but which were not actually any worse than many other apps. The fact that Android makes it so easy for apps to obtain data that's personally identifiable is of concern, but in the absence of another stable device identifier this is the sort of thing that capitalism is inherently going to end up making use of. Fundamentally, this is Google's problem to fix.
http://mjg59.dreamwidth.org/46403.html
Researchers predict upsurge of Android banking malware
Android users, beware: source code and instructions for creating a potent Android banking Trojan have been leaked on a hacker forum, and researchers are expecting an onslaught of malware based on it. In fact, one has already been spotted. Masquerading as a variety of benign apps (e.g. Google Play) on third-party Android app markets, the Trojan - dubbed Android.BankBot.149.origin by Dr. Web researchers - is eminently capable. It can: Send and intercept text messages (including...
https://www.helpnetsecurity.com/2017/01/23/upsurge-android-banking-malware/
Massive Twitter Botnet Dormant Since 2013
Researchers from the University College London have found a Twitter botnet of 350,000 bots that has been dormant since shortly after the accounts were registered.
http://threatpost.com/massive-twitter-botnet-dormant-since-2013/123246/
Heartbleed: OpenSSL does not stop bleeding
An analysis of systems publicly reachable on the Internet shows that hundreds of thousands are still vulnerable to the OpenSSL flaw Heartbleed. According to the analysis, the almost three-year-old vulnerability is found mainly on rented servers in the cloud.
https://heise.de/-3605222
QNAP Storage Devices Firmware Update Flaw Lets Remote Users Access the Target System
http://www.securitytracker.com/id/1037663
DSA-3769 libphp-swiftmailer - security update
Dawid Golunski from LegalHackers discovered that PHP Swift Mailer, a mailing solution for PHP, did not correctly validate user input. This allowed a remote attacker to execute arbitrary code by passing specially formatted email addresses in specific email headers.
https://www.debian.org/security/2017/dsa-3769
DSA-3770 mariadb-10.0 - security update
Several issues have been discovered in the MariaDB database server. The vulnerabilities are addressed by upgrading MariaDB to the new upstream version 10.0.29. Please see the MariaDB 10.0 Release Notes for further details:...
https://www.debian.org/security/2017/dsa-3770
DFN-CERT-2017-0123: OpenJPEG: Multiple vulnerabilities allow, among other things, the execution of arbitrary code
https://portal.cert.dfn.de/adv/DFN-CERT-2017-0123/
Security Notice - Statement on Flanker Revealing Privilege Elevation Vulnerability in Huawei EMUI Keyguard Application
http://www.huawei.com/en/psirt/security-notices/2017/huawei-sn-20170123-01-emui-en
Vuln: Red Hat JBoss Enterprise Application Platform CVE-2016-8627 Remote Denial of Service Vulnerability
http://www.securityfocus.com/bid/95698
Security Advisories Relating to Symantec Products - Norton Download Manager DLL Loading
Symantec has released an update to address a DLL loading vulnerability detected in the Norton Download Manager for affected products.
https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2017&suid=20170117_00
Vuln: Brocade Network Advisor CVE-2016-8204 Directory Traversal Vulnerability
http://www.securityfocus.com/bid/95695
Vuln: Brocade Network Advisor CVE-2016-8205 Directory Traversal Vulnerability
http://www.securityfocus.com/bid/95694
Vuln: Brocade Network Advisor CVE-2016-8206 Directory Traversal Vulnerability
http://www.securityfocus.com/bid/95692
IBM Security Bulletins
IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium Data Redaction (CVE-2016-5597, CVE-2016-5542)
http://www-01.ibm.com/support/docview.wss?uid=swg21997219
IBM Security Bulletin: IBM Forms Experience Builder could be susceptible to a server-side request forgery (CVE-2016-6001)
http://www-01.ibm.com/support/docview.wss?uid=swg21991280
IBM Security Bulletin: Vulnerability in OpenSSH affects IBM Flex System FC3171 8Gb SAN Switch and SAN Pass-thru, QLogic 8Gb Intelligent Pass-thru Module & SAN Switch Module for BladeCenter and QLogic Virtual Fabric Extension Module for IBM
https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5099501
IBM Security Bulletin: HTTP Response Splitting in WebSphere Application Server affects IBM Virtualization Engine TS7700 (CVE-2016-0359)
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009661