Daily summary - Thursday 16-03-2017

End-of-Shift report

Timeframe: Wednesday 15-03-2017 18:00 − Thursday 16-03-2017 18:00 Handler: Robert Waldner Co-Handler: n/a

Attackers target dozens of global banks with new malware

Organizations in 31 countries have been targeted in a new wave of attacks which has been underway since at least October 2016. The attackers used compromised websites or 'watering holes' to infect pre-selected targets with previously unknown malware.

https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware


SEO Spam Campaign Exploiting WordPress REST API Vulnerability

Just over a week ago, WordPress released version 4.7.3 to patch multiple security issues. Despite the automatic update feature provided by many hosting companies, there are still many WordPress websites that have not been updated. In fact, we are seeing quite a few sites that are still using versions 4.7 and 4.7.1, which are vulnerable to the WordPress REST API vulnerability patched in early February (version 4.7.2). This more serious vulnerability allows attackers to create, delete, and modify ..

https://blog.sucuri.net/2017/03/seo-spam-via-wp-rest-api-vulnerability.html


Drupal Core - Multiple Vulnerabilities - SA-CORE-2017-001

Drupal 8.2.7, a maintenance release which contains fixes for security vulnerabilities, is now available for download. Upgrading your existing Drupal 8 sites is strongly recommended. There are no new features nor non-security-related bug fixes in this release.

https://www.drupal.org/SA-2017-001


Ransomware operators are hiding malware deeper in installer packages

We are seeing a wave of new NSIS installers used in ransomware campaigns. These new installers pack significant updates, indicating a collective move by attackers to once again dodge AV detection by changing the way they package malicious code. These changes are observed in installers that drop ransomware like Cerber, Locky, and others.

https://blogs.technet.microsoft.com/mmpc/2017/03/15/ransomware-operators-are-hiding-malware-deeper-in-installer-packages/


Roundcube Webmail: A vulnerability allows a cross-site scripting attack

A remote, unauthenticated attacker can use an email containing a specially crafted SVG element to carry out a cross-site scripting (XSS) attack against users of Roundcube Webmail. The vendor provides Roundcube Webmail 1.1.8 and 1.2.4 to fix the vulnerability.

https://portal.cert.dfn.de/adv/DFN-CERT-2017-0429/


Using Intel's SGX to Attack Itself

Researchers have demonstrated using Intel's Software Guard Extensions to hide malware and steal cryptographic keys from inside SGX's protected enclave: "Malware Guard Extension: Using SGX to Conceal Cache Attacks". Abstract: In modern computer systems, user processes are isolated from each other by the operating system and the hardware. Additionally, in a cloud scenario it is crucial that the hypervisor isolates tenants from other tenants that are co-located on the same physical machine.

https://www.schneier.com/blog/archives/2017/03/using_intels_sg.html


[2017-03-16] Authenticated Command Injection in multiple Ubiquiti Networks products

The firmware of various Ubiquiti Networks devices contains a command injection vulnerability which can be exploited by luring an authenticated user to click on a malicious link or surf to a malicious website. Low privileged users can elevate their rights and use the vulnerability for further attacks.

https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20170316-0_Ubiquiti_Networks_authenticated_command_injection_v10.txt


Moodle 2.7.19 release notes

A number of security related issues were resolved. Details of these issues will be released after a period of approximately one week to allow system administrators to safely update to the latest version.

https://docs.moodle.org/dev/Moodle_2.7.19_release_notes


NexusLogger: A New Cloud-based Keylogger Enters the Market

NexusLogger is a cloud-based keylogger that uses the Microsoft .NET Framework and has a low level of sophistication. NexusLogger collects keystrokes, system information, stored passwords and will take screenshots. It also specifically seeks to harvest game credentials for UPlay, Minecraft, Steam, and Origin. ... All NexusLogger samples require communications with the nexuslogger[.]com domain via HTTPS, which makes it trivial for defenders to block.

http://researchcenter.paloaltonetworks.com/2017/03/unit42-nexuslogger-new-cloud-based-keylogger-enters-market/


Penetration Testing Node.Js Applications - Part-2

This article covers the left-over vulnerabilities from Part-1. In this article, we will have an in-depth look at some uncommon flaws and how to find them while performing code review of node.js applications.

http://resources.infosecinstitute.com/penetration-testing-node-js-applications-part-2/


Vuln: Palo Alto Networks Terminal Services CVE-2017-6356 Information Disclosure Vulnerability

http://www.securityfocus.com/bid/96925


Alert (TA17-075A) HTTPS Interception Weakens TLS Security

Organizations that have performed a risk assessment and determined that HTTPS inspection is a requirement should ensure their HTTPS inspection products are performing correct transport layer security (TLS) certificate validation. Products that do not properly ensure secure TLS communications and do not convey error messages to the user may further weaken the end-to-end protections that HTTPS aims to provide.

https://www.us-cert.gov/ncas/alerts/TA17-075A


(Twitter) Keep Calm and Revoke Access

For the last 24 hours, the Twitter landscape has seen several official accounts hacked. ... How to protect against this kind of attack? First, do not link your Twitter account to untrusted or suspicious applications. ... Finally, the best advice is to visit the following link at regular intervals: https://twitter.com/settings/applications. During your first visit, you could be surprised to find so many applications linked to your account!

https://blog.rootshell.be/2017/03/15/keep-calm-revoke-access/


BSI warns of vulnerable cloud servers: more than 20,000 German ownCloud and Nextcloud installations outdated

The BSI has come across many outdated installations of ownCloud and Nextcloud. Although those affected have been informed, very few have reacted so far.

https://heise.de/-3656458


Microsoft To End Support For Windows Vista In Less Than a Month

In less than a month's time, Microsoft will put Windows Vista to rest once and for all. If you're one of the few people still using it, you have just a few weeks to find another option before time runs out. (I mean, nobody will uninstall it from your computer, but.) From a report on PCWorld: After April 11, 2017, Microsoft will no longer support Windows Vista: no new security updates, non-security hotfixes, free or paid assisted support options, or online technical content updates...

http://rss.slashdot.org/~r/Slashdot/slashdot/~3/9XgfNI5PoWc/microsoft-to-end-support-for-windows-vista-in-less-than-a-month


Warning about kaufhaus-guenther.de

Kaufhaus Günther is an 'online department store'. It advertises household, technology and furniture products. The prices demanded are very low. Payment for the goods is only possible in advance. Anyone who pays loses money, because kaufhaus-guenther.de is a fake shop. It does not deliver any goods despite payment. In addition, there is a risk of identity theft.

https://www.watchlist-internet.at/fake-shops/warnung-vor-kaufhaus-guentherde/


McAfee Advanced Threat Defence (ATD): A vulnerability allows information disclosure

A simply authenticated attacker in the adjacent network with extended privileges can manipulate the SQL query logic of Advanced Threat Defense via specially crafted HTTP requests in such a way that unauthorized actions in the context of the underlying database become possible (SQL injection). Intel Security mentions the possibility of disclosing product information in this way. Execution of arbitrary SQL code is also conceivable, but not confirmed.

https://portal.cert.dfn.de/adv/DFN-CERT-2017-0479/


Hackers Take Down Reader, Safari, Edge, Ubuntu Linux at Pwn2Own 2017

On the first day of Pwn2Own 2017 hackers poked holes in Adobe Reader, Apple Safari, Microsoft Edge, and Ubuntu Linux.

http://threatpost.com/hackers-take-down-reader-safari-edge-ubuntu-linux-at-pwn2own-2017/124362/


IBM Security Bulletins

IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Rational ClearQuest

http://www-01.ibm.com/support/docview.wss?uid=swg21994995

IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Netezza Host Management (CVE-2016-2183)

http://www-01.ibm.com/support/docview.wss?uid=swg21997019

IBM Security Bulletin: Vulnerabilities in Expat component shipped with IBM Rational ClearCase (CVE-2016-0718, CVE-2015-1283, CVE-2016-4472, CVE-2015-2716)

http://www-01.ibm.com/support/docview.wss?uid=swg21998042

IBM Security Bulletin: Vulnerabilities in Expat component shipped with IBM Rational ClearQuest (CVE-2016-0718, CVE-2015-1283, CVE-2016-4472, CVE-2015-2716)

http://www-01.ibm.com/support/docview.wss?uid=swg21998866

IBM Security Bulletin: Vulnerabilities in Perl component shipped with IBM Rational ClearQuest (CVE-2015-8608, CVE-2015-8853, CVE-2016-2381)

http://www-01.ibm.com/support/docview.wss?uid=swg21998868

IBM Security Bulletin: Vulnerabilities in Perl component shipped with IBM Rational ClearCase (CVE-2015-8608, CVE-2015-8853, CVE-2016-2381)

http://www-01.ibm.com/support/docview.wss?uid=swg21998046

IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects Liberty for Java for IBM Bluemix January 2017 CPU

http://www-01.ibm.com/support/docview.wss?uid=swg22000092

IBM Security Bulletin: Vulnerabilities in cURL component shipped with IBM Rational ClearCase (CVE-2016-8624, CVE-2016-8625)

http://www-01.ibm.com/support/docview.wss?uid=swg21996857

IBM Security Bulletin: Security vulnerabilities in Apache Tomcat affect Rational Insight

http://www-01.ibm.com/support/docview.wss?uid=swg22000124

IBM Security Bulletin: Security vulnerabilities in Apache Tomcat affect Rational Reporting for Development Intelligence

http://www-01.ibm.com/support/docview.wss?uid=swg22000123