Daily Summary - Thursday 2-03-2017

End-of-Shift report

Timeframe: Wednesday 01-03-2017 18:00 − Thursday 02-03-2017 18:00 Handler: Stephan Richter Co-Handler: n/a

Kaspersky Releases Decryptor for the Dharma Ransomware

Kaspersky has tested a set of Dharma master decryption keys posted to BleepingComputer and has confirmed they are legitimate. These keys have been included in their RakhniDecryptor, which I have tested against a Dharma infection. The decryptor worked flawlessly! [...]

https://www.bleepingcomputer.com/news/security/kaspersky-releases-decryptor-for-the-dharma-ransomware/


The Story of an Expired WHOIS Server

We write quite often about SEO spam injections on compromised websites, but this is the first time we have seen this blackhat tactic spreading into the WHOIS results for a domain name. If you are not familiar with "WHOIS", it is a protocol used to check who owns a specific domain name. These simple text records are publicly available and usually contain contact details for the website owner, i.e. their name, address, and phone number (unless the website owner purchased a WHOIS...

https://blog.sucuri.net/2017/03/story-expired-whois-server.html


Infected Apps in Google Play Store (it's not what you think), (Thu, Mar 2nd)

Xavier pointed me towards a new issue posted on Palo Alto's Unit 42 blog - the folks at PA found apps in the Google Play store infected with hidden-iframe type malware. 132 apps (so far) are affected, with the most popular one seeing roughly 10,000 downloads. But we're not at the end of the trail of breadcrumbs yet .. these apps were traced back to just 7 developers, who aren't in the same company, but all have a connection to Indonesia (the smoking gun here was the code signing certificate). But...

https://isc.sans.edu/diary.html?storyid=22139&rss


Researcher Breaks reCAPTCHA Using Google's Speech Recognition API

A researcher has discovered what he calls a "logic vulnerability" that allowed him to create a Python script that is fully capable of bypassing Google's reCAPTCHA fields using another Google service, the Speech Recognition API. [...]

https://www.bleepingcomputer.com/news/security/researcher-breaks-recaptcha-using-googles-speech-recognition-api/


Crypt0L0cker Ransomware is Back with Campaigns Targeting Europe

Crypt0L0cker, otherwise known as TorrentLocker, has started to make a resurgence as it performs targeted campaigns at European countries. These attacks are also now using Italy's PEC system to digitally sign SPAM emails in order to make them look more official. [...]

https://www.bleepingcomputer.com/news/security/crypt0l0cker-ransomware-is-back-with-campaigns-targeting-europe/


Security Advisory - Buffer Overflow Vulnerability in the Boot Loaders of Huawei Mobile Phones

http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170302-01-smartphone-en


DSA-3799 imagemagick - security update

This update fixes several vulnerabilities in imagemagick: Various memory handling problems and cases of missing or incomplete input sanitising may result in denial of service or the execution of arbitrary code if malformed TIFF, WPG, IPL, MPC or PSB files are processed.

https://www.debian.org/security/2017/dsa-3799


AES - Critical - Unsupported - SA-CONTRIB-2017-027

Advisory ID: DRUPAL-SA-CONTRIB-2017-027
Project: AES encryption (third-party module)
Version: 7.x, 8.x
Date: 2017-March-01
Description: This module provides an API that allows other modules to encrypt and decrypt data using the AES encryption algorithm. The module does not follow requirements for encrypting data safely. An attacker who gains access to data encrypted with this module could decrypt it more easily than should be possible. The maintainer has opted not to fix these weaknesses. See solution...

https://www.drupal.org/node/2857028


Remember Me - Critical - Unsupported - SA-CONTRIB-2017-025

Advisory ID: DRUPAL-SA-CONTRIB-2017-025
Project: Remember Me (third-party module)
Version: 7.x
Date: 2017-March-01
Description: Remember me is a module that allows users to check "Remember me" when logging in. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466
CVE identifier(s) issued: A CVE identifier will...

https://www.drupal.org/node/2857015


Breakpoint Panels - Critical - Unsupported - SA-CONTRIB-2017-028

Advisory ID: DRUPAL-SA-CONTRIB-2017-028
Project: breakpoint panels (third-party module)
Version: 7.x
Date: 2017-March-01
Description: Breakpoint panels adds a button to the Panels In-Place Editor for each pane. When selected, it will display checkboxes next to all of the breakpoints specified in that module's UI. Unchecking any of these will hide it from that breakpoint. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by...

https://www.drupal.org/node/2857073


IBM Security Bulletins

IBM Security Bulletin: IBM QRadar SIEM is vulnerable to missing authentication checks (CVE-2016-9729)

http://www.ibm.com/support/docview.wss?uid=swg21999545

IBM Security Bulletin: IBM QRadar SIEM is vulnerable to SQL injection (CVE-2016-9728)

http://www.ibm.com/support/docview.wss?uid=swg21999543

IBM Security Bulletin: IBM QRadar SIEM and QRadar Incident Forensics are vulnerable to cross site scripting (CVE-2016-9723, CVE-2017-1133)

http://www.ibm.com/support/docview.wss?uid=swg21999534

IBM Security Bulletin: IBM QRadar SIEM and QRadar Incident Forensics are vulnerable to cross-site request forgery (CVE-2016-9730)

http://www.ibm.com/support/docview.wss?uid=swg21999549

IBM Security Bulletin: IBM QRadar SIEM is vulnerable to XML Entity Injection (CVE-2016-9724)

http://www.ibm.com/support/docview.wss?uid=swg21999537

IBM Security Bulletin: IBM QRadar SIEM and QRadar Incident Forensics are vulnerable to OS command injection (CVE-2016-9726, CVE-2016-9727)

http://www.ibm.com/support/docview.wss?uid=swg21999542

IBM Security Bulletin: Malicious File Download vulnerability in IBM Business Process Manager (BPM) and WebSphere Lombardi Edition (WLE) CVE-2016-9693

https://www-01.ibm.com/support/docview.wss?uid=swg21998655

IBM Security Bulletin: Multiple Vulnerabilities in OpenSSL affect IBM MessageSight (CVE-2016-7053, CVE-2016-7054, CVE-2016-7055)

http://www.ibm.com/support/docview.wss?uid=swg21998755

IBM Security Bulletin: IBM WebSphere MQ administration command could cause denial of service (CVE-2016-8971)

https://www-01.ibm.com/support/docview.wss?uid=swg21998663

IBM Security Bulletin: Vulnerability in dependent component shipped in IBM Development Package for Apache Spark (CVE-2016-4970)

http://www.ibm.com/support/docview.wss?uid=swg21999185

IBM Security Bulletin: Vulnerabilities in OpenSSL affect Sterling Connect:Express for UNIX (CVE-2016-7055, CVE-2017-3731 and CVE-2017-3732)

http://www-01.ibm.com/support/docview.wss?uid=swg21999470

IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Development Package for Apache Spark

http://www.ibm.com/support/docview.wss?uid=swg21999561

IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM ILOG CPLEX Optimization Studio

http://www-01.ibm.com/support/docview.wss?uid=swg21999668

IBM Security Bulletin: IBM Maximo Asset Management could allow a local attacker to obtain sensitive information using HTTP Header Injection (CVE-2017-1124)

http://www.ibm.com/support/docview.wss?uid=swg21998053

IBM Security Bulletin: Mozilla NSS as used in IBM QRadar SIEM is vulnerable to arbitrary code execution (CVE-2016-2834)

http://www.ibm.com/support/docview.wss?uid=swg21999532

IBM Security Bulletin: IBM QRadar SIEM is vulnerable to a denial of service (CVE-2016-9740)

http://www.ibm.com/support/docview.wss?uid=swg21999556

IBM Security Bulletin: IBM QRadar SIEM and QRadar Incident Forensics are vulnerable to information exposure (CVE-2016-9720)

http://www.ibm.com/support/docview.wss?uid=swg21999533

IBM Security Bulletin: IBM QRadar Incident Forensics is vulnerable to overly permissive CORS access policies (CVE-2016-9725)

http://www.ibm.com/support/docview.wss?uid=swg21999539