∗∗∗ Visualise Event Logs to Identify Compromised Accounts - LogonTracer ∗∗∗
JPCERT/CC has developed and released LogonTracer, a tool that supports this kind of event log analysis. The entry introduces how it works and how to launch it. ... LogonTracer associates the host name (or IP address) and the account name found in logon-related events and displays them as a graph. This makes it possible to see which accounts logon attempts are made with and which hosts are involved.
http://blog.jpcert.or.jp/2017/11/visualise-event-logs-to-identify-compromised-accountslogontracer-.html
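The correlation the post describes, as an added example: this is not LogonTracer's own code and not from the JPCERT/CC entry. It builds an account-to-host graph from constructed Windows Security log records (Event ID 4624 successful logon, 4625 failed logon; field names follow the Windows event schema), reverses it to see which accounts share a host or source address, ranks accounts that fan out across many hosts, and emits the graph in Graphviz DOT. The threshold, the exclusion of machine and anonymous accounts, and the sample data are assumptions made for the example.

```python
"""Correlate logon events into an account <-> host graph (added example,
not LogonTracer's own code). All sample records below are constructed."""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Event IDs handled here: 4624 (successful logon) and 4625 (failed logon).
# Real tooling also reads Kerberos/NTLM events; this subset keeps the example short.
LOGON_EVENT_IDS = {4624, 4625}

# Source addresses that carry no host information (console or local logons).
LOCAL_OR_EMPTY = {"-", "", "::1", "127.0.0.1"}

# Constructed sample records modelled on the Windows Security event schema:
# "Computer" is the host that logged the event (the logon destination),
# "IpAddress" the logon source. Not real log data.
SAMPLE_EVENTS: List[dict] = [
    {"EventID": 4624, "Computer": "WS-ALICE", "TargetUserName": "alice", "IpAddress": "-", "LogonType": 2},
    {"EventID": 4624, "Computer": "WS-ALICE", "TargetUserName": "alice", "IpAddress": "-", "LogonType": 2},
    {"EventID": 4624, "Computer": "FS01", "TargetUserName": "alice", "IpAddress": "10.0.0.11", "LogonType": 3},
    {"EventID": 4624, "Computer": "FS01", "TargetUserName": "svc_backup", "IpAddress": "-", "LogonType": 5},
    # admin01 reaching several servers over the network from alice's workstation address
    {"EventID": 4624, "Computer": "FS01", "TargetUserName": "admin01", "IpAddress": "10.0.0.11", "LogonType": 3},
    {"EventID": 4624, "Computer": "DC01", "TargetUserName": "admin01", "IpAddress": "10.0.0.11", "LogonType": 3},
    {"EventID": 4624, "Computer": "SQL01", "TargetUserName": "admin01", "IpAddress": "10.0.0.11", "LogonType": 3},
    {"EventID": 4625, "Computer": "DC01", "TargetUserName": "admin01", "IpAddress": "10.0.0.11", "LogonType": 3},
    {"EventID": 4634, "Computer": "FS01", "TargetUserName": "alice", "IpAddress": "-", "LogonType": 3},
    {"EventID": 4624, "Computer": "FS01", "TargetUserName": "ANONYMOUS LOGON", "IpAddress": "10.0.0.50", "LogonType": 3},
]


def build_logon_graph(events: Iterable[dict]) -> Dict[str, Set[str]]:
    """Map each account to the hosts it appears with (logon source IP and destination)."""
    graph: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        if ev.get("EventID") not in LOGON_EVENT_IDS:
            continue  # logoff, privilege assignment etc. are not logon attempts
        account = ev.get("TargetUserName", "").lower()
        # Machine accounts (NAME$) and anonymous logons drown out the user picture.
        if not account or account.endswith("$") or account == "anonymous logon":
            continue
        graph[account].add(ev["Computer"].upper())
        src = ev.get("IpAddress", "-")
        if src not in LOCAL_OR_EMPTY:
            graph[account].add(src)
    return dict(graph)


def hosts_to_accounts(graph: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Reverse index: which accounts touched each host or source address."""
    reverse: Dict[str, Set[str]] = defaultdict(set)
    for account, hosts in graph.items():
        for host in hosts:
            reverse[host].add(account)
    return dict(reverse)


def count_failures(events: Iterable[dict]) -> Dict[str, int]:
    """Failed logons (4625) per account, lower-cased like the graph keys."""
    failures: Dict[str, int] = defaultdict(int)
    for ev in events:
        if ev.get("EventID") == 4625:
            failures[ev.get("TargetUserName", "").lower()] += 1
    return dict(failures)


def rank_accounts(events: Iterable[dict], min_hosts: int = 3) -> List[Tuple[str, int, int]]:
    """Accounts seen on more than `min_hosts` distinct hosts, with their failure counts.

    Plain user accounts usually cluster around one or two hosts; an account
    fanning out across servers is the shape lateral movement leaves behind.
    The threshold is an assumption for this example, not a fixed rule.
    """
    events = list(events)
    graph = build_logon_graph(events)
    failures = count_failures(events)
    ranked = [(acct, len(hosts), failures.get(acct, 0))
              for acct, hosts in graph.items() if len(hosts) > min_hosts]
    return sorted(ranked, key=lambda r: (-r[1], -r[2], r[0]))


def to_dot(graph: Dict[str, Set[str]]) -> str:
    """Render the bipartite graph in Graphviz DOT (draw with `dot -Tpng`)."""
    lines = ["graph logons {"]
    for account in sorted(graph):
        lines.append(f'  "{account}" [shape=ellipse];')
        for host in sorted(graph[account]):
            lines.append(f'  "{account}" -- "{host}";')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    g = build_logon_graph(SAMPLE_EVENTS)
    for account, n_hosts, n_failed in rank_accounts(SAMPLE_EVENTS):
        print(f"{account}: {n_hosts} hosts, {n_failed} failed logons -> {sorted(g[account])}")
    print(to_dot(g))
```

On the constructed data the reverse index shows 10.0.0.11 used by both alice (its interactive owner) and admin01 (network logons to three servers), which is exactly the pivot a graph view makes visible where a flat event list does not. Feeding real data means exporting the Security log (e.g. to JSON or CSV) and mapping its fields onto the keys used above.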
∗∗∗ Windows Defender ATP machine learning and AMSI: Unearthing script-based attacks that ‘live off the land’ ∗∗∗
Scripts are becoming the weapon of choice of sophisticated activity groups responsible for targeted attacks as well as malware authors who indiscriminately deploy commodity threats. Scripting engines such as JavaScript, VBScript, and PowerShell offer tremendous benefits to attackers. They run through legitimate processes and are perfect tools for “living off the land”—staying away from the disk and using common tools to run code directly in memory.
https://blogs.technet.microsoft.com/mmpc/2017/12/04/windows-defender-atp-machine-learning-and-amsi-unearthing-script-based-attacks-that-live-off-the-land/
∗∗∗ European Parliament wants to make the VLC media player more secure ∗∗∗
The EU project FOSSA (Free Open Source Software Analysis) is co-responsible for the bug bounty programme.
https://heise.de/-3907536
∗∗∗ An IRISSCON 2017 roundup ∗∗∗
This post contains links to many of the top-rated talks from the event, along with links to additional content.
https://blog.malwarebytes.com/security-world/2017/11/an-irisscon-2018-roundup/
∗∗∗ Avalanche botnet: BSI extends protective measures ∗∗∗
The Federal Office for Information Security (BSI) is expanding and prolonging the protective and information measures initiated as part of the takedown of Avalanche, the world's largest botnet infrastructure, at the end of 2016. The sinkholing system set up by the BSI in the course of the Avalanche shutdown in 2016 has been extended to include domains of the Andromeda botnet.
https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2017/Avalanche_Erweiterung_04122017.html