Daily summary - Monday 20-03-2017

End-of-Shift report

Timeframe: Friday 17-03-2017 18:00 − Monday 20-03-2017 18:00
Handler: Robert Waldner
Co-Handler: n/a

Malicious Subdirectories Strike Again

In a previous post, we illustrated how attackers were fetching information from compromised sites under their control to display spam content on other hacked websites. By adding malicious files into a directory and using the victim's database structure, attackers were able to inject ads and promote their products. This time, attackers used a similar technique with a little bit more sophistication to achieve their goals. Essay Spam Campaign This technique is now being used to distribute

https://blog.sucuri.net/2017/03/malicious-subdirectories-strike-again.html


Mimikatz: Walkthrough

Security researchers have been obsessed with Windows security since the beginning of time. Various tools have been released over the years which try to weaken or bypass its security in some way or the other. Mimikatz is a tool written in `C` as an attempt to play with Windows security.

http://resources.infosecinstitute.com/mimikatz-walkthrough/


Doctor Web: It is possible to decrypt files encrypted with Trojan.Encoder.10465

March 17, 2017

Doctor Web has developed an algorithm that successfully decrypts files encrypted by Trojan.Encoder.10465. Trojan.Encoder.10465 poses a threat to Windows computers. The Trojan is written in Delphi. The encoder appends the extension .crptxxx to the infected files and also saves to the disk a text file named HOW_TO_DECRYPT.txt, which contains the following content: Warning!!! All your files are encrypted with AESalgorithm!

http://news.drweb.com/show/?i=11211&lng=en&c=9


Security update in sight: serious Telnet flaw threatens numerous Cisco switches

Cisco has evidently analysed the Vault 7 leak and come across a critical vulnerability in more than 300 models of its switch range running the IOS operating system. So far there is only a workaround; a patch is to follow.

https://heise.de/-3658915


RIPS - Finding vulnerabilities in PHP application

The biggest fear of any developer has always been that their site may get hacked, and occasionally it does end up being hacked. For a very long time, the most popular stack used for the development of websites has been the LAMP Stack (Linux, MySQL, PHP/Perl/Python).

http://resources.infosecinstitute.com/rips-finding-vulnerabilities-php-application/


Browser: Ask.com toolbar update distributes malware

Most users are probably only wondering how to get rid of the Ask.com toolbar in their browser as quickly as possible. But there is a further problem: the program's update process is notoriously prone to security vulnerabilities. (Malware, Virus)

https://www.golem.de/news/browser-update-der-ask-com-toolbar-verteilt-malware-1703-126827-rss.html


Fake virus warning on the smartphone

While the smartphone is being used on the move, supposed virus warnings appear. They claim that the device is infected with malware. The offered remedy is a protection program from an unknown source. It can install malware or lead to a subscription contract.

https://www.watchlist-internet.at/handy-abzocke/gefaelschte-virenwarnung-auf-dem-smartphone/


Low Orbit Ion Cannon: Star Trek ransomware disguises itself as a DDoS tool

Anyone who wants to launch a DDoS attack should choose their tools carefully. Certain versions of the Low Orbit Ion Cannon currently do not launch a flooding attack but instead start encrypting the user's own hard drive. It also gets expensive if Spock is supposed to decrypt the hard drive. (Star Trek, applications)

https://www.golem.de/news/low-orbit-ion-cannon-star-trek-ransomware-tarnt-sich-als-ddos-tool-1703-126799-rss.html


Cisco IOS and IOS XE Software Autonomic Networking Infrastructure Registrar Denial of Service Vulnerability

A vulnerability in the Autonomic Networking Infrastructure (ANI) registrar feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition. The vulnerability is due to incomplete input validation on certain crafted packets. An attacker could exploit this vulnerability by sending a crafted autonomic network channel discovery packet to a device that has all the following characteristics:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170320-ani


Cisco IOS and IOS XE Software IPv6 Denial of Service Vulnerability

A vulnerability in the Autonomic Networking Infrastructure (ANI) feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. The vulnerability is due to incomplete input validation on certain crafted packets. An attacker could exploit this vulnerability by sending a crafted IPv6 packet to a device that is running a Cisco IOS Software or Cisco IOS XE Software release that

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170320-aniipv6


IBM Security Bulletins

IBM Security Bulletin: IBM Flex System Manager (FSM) is affected by bash vulnerabilities

http://www-01.ibm.com/support/docview.wss?uid=isg3T1024962

IBM Security Bulletin: Vulnerabilities in IBM Java SDK affect IBM Application Delivery Intelligence v1.0.1, v1.0.1.1, and v1.0.2 (CVE-2016-2183, CVE-2016-5546, CVE-2016-5547, CVE-2016-5548, CVE-2016-5549)

http://www-01.ibm.com/support/docview.wss?uid=swg22000014

IBM Security Bulletin: IBM Flex System Manager (FSM) is affected by php5 vulnerabilities (CVE-2016-9933, CVE-2016-9935)

http://www-01.ibm.com/support/docview.wss?uid=isg3T1024961

IBM Security Bulletin: IBM Flex System Manager (FSM) is affected by an International Components for Unicode (ICU) vulnerability (CVE-2014-9911)

http://www-01.ibm.com/support/docview.wss?uid=isg3T1024958

IBM Security Bulletin: IBM Security Key Lifecycle Manager is affected by Query Parameter in SSL Request (CVE-2016-6102)

http://www.ibm.com/support/docview.wss?uid=swg22000359

IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect WebSphere Message Broker and IBM Integration Bus

http://www.ibm.com/support/docview.wss?uid=swg22000536