Daily Summary - Wednesday 22-02-2017

End-of-Shift report

Timeframe: Tuesday 21-02-2017 18:00 - Wednesday 22-02-2017 18:00
Handler: Robert Waldner
Co-Handler: n/a

Avast Releases a Decryptor for Offline Versions of the CryptoMix Ransomware

Today, Avast released a decryptor for CryptoMix victims that were encrypted while in offline mode. Offline mode is when the ransomware runs and encrypts a victim's computer while there is no Internet connection or the computer cannot connect to the ransomware's Command & Control server. [...]

https://www.bleepingcomputer.com/news/security/avast-releases-a-decryptor-for-offline-versions-of-the-cryptomix-ransomware/


[R1] Nessus 6.10.2 Fixes One Vulnerability

Nessus was found to contain a flaw that allowed a remote, authenticated attacker to upload a crafted file that could be written to anywhere on the system. This could be used to subsequently gain elevated privileges on the system (e.g. after a reboot). This issue only affects installations on Windows.

http://www.tenable.com/security/tns-2017-06


Financial cyberthreats in 2016

In 2016 we continued our in-depth research into the financial cyberthreat landscape. We've noticed over the last few years that large financial cybercriminal groups have started to concentrate their efforts on targeting large organizations - such as banks, payment processing systems, retailers, hotels and other businesses where POS terminals are widely used.

http://securelist.com/analysis/publications/77623/financial-cyberthreats-in-2016/


Microsoft patches Flash Player on Windows out of band

This month's Patch Tuesday was cancelled despite known security vulnerabilities in Windows. Now Microsoft is at least delivering patches for critical vulnerabilities in Flash Player.

https://heise.de/-3632329


Security Advisory - Privilege Elevation Vulnerability Caused by Arbitrary File Upload in Huawei Themes

The Huawei Themes APP in some Huawei products has a privilege elevation vulnerability due to the lack of theme pack check. An attacker could exploit this vulnerability to upload theme packs containing malicious files and trick users into installing the theme packets, resulting in the execution of arbitrary code. (Vulnerability ID: HWPSIRT-2016-11073) This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2017-2699.

http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170222-01-theme-en


Website Uses "Add Extension to Leave" Popups to Infect Chrome Users

A malvertising campaign has specifically targeted and redirected Chrome users to a website they couldn't leave unless they agreed to install a rogue Chrome extension.

https://www.bleepingcomputer.com/news/security/website-uses-add-extension-to-leave-popups-to-infect-chrome-users/


Apple: Logic Pro X 10.3.1

Impact: Opening a maliciously crafted GarageBand project file may lead to arbitrary code execution
Description: A memory corruption issue was addressed through improved memory handling.

https://support.apple.com/en-us/HT207519


Sysinternals Updates

Sysmon v6, Autoruns v13.7, AccessChk v6.1, Process Monitor v3.32, Process Explorer v16.2, LiveKd v5.61, and BgInfo v4.21

https://blogs.technet.microsoft.com/sysinternals/2017/02/17/update-sysmon-v6-autoruns-v13-7-accesschk-v6-1-process-monitor-v3-32-process-explorer-v16-2-livekd-v5-61-and-bginfo-v4-21/


RSA Conference 2017 Playlist

https://www.youtube.com/playlist?list=PLeUGLKUYzh_j1Q75yeae8upX-T1FLmZWf


Fake A1 invoice distributes malware

Criminals are trying to plant malware on other people's computers using a seemingly genuine A1 invoice. To achieve this, they ask recipients to download the supposed invoice from a fake A1 website. Anyone who opens the fake statement installs a Trojan. It encrypts files and renders them unusable.

https://www.watchlist-internet.at/gefaelschte-rechnungen/gefaelschte-a1-rechnung-verbreitet-schadsoftware-1/


Mobile Devices and Software Updates

Mobile devices increasingly shape everyday life in our modern society. Reading e-mail or online banking: everyday tasks are more and more often carried out on a mobile device, whether privately or at work. Until recently it was only smartphones, which replaced the mobile phone, or tablet computers, originally intended as a replacement for books; today they are followed by, for example, the watch, the glasses, the car and many more.

https://www.dfn-cert.de/aktuell/mobile_devices_software_updates.html


SSA-363881 (Last Update 2017-02-22): Web Vulnerabilities in RUGGEDCOM NMS

https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-363881.pdf


SSA-623229 (Last Update 2017-02-22): DROWN Vulnerability in Industrial Products

https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-623229.pdf


IBM Security Bulletins

IBM Security Bulletin: Multiple vulnerabilities in zlib affect IBM ILOG CPLEX Optimization Studio

http://www.ibm.com/support/docview.wss?uid=swg21997946

IBM Security Bulletin: Multiple vulnerabilities in Brocade Network Advisor affect IBM PureApplication System.

http://www.ibm.com/support/docview.wss?uid=swg21998725

IBM Security Bulletin: Potential cross-site scripting in the Admin Console for WebSphere Application Server (CVE-2016-8934)

http://www-01.ibm.com/support/docview.wss?uid=swg21992315

IBM Security Bulletin: Vulnerabilities in OpenSource Spring Source/Pivotal Spring Framework affect IBM Tivoli Netcool Configuration Manager (ITNCM) (CVE-2013-7315, CVE-2013-4152, CVE-2014-0054)

http://www-01.ibm.com/support/docview.wss?uid=swg21992651