End-of-Shift report
Timeframe: Tuesday 21-03-2017 18:00 − Wednesday 22-03-2017 18:00
Handler: Robert Waldner
Co-Handler: n/a
Cybellum sells an autostart feature as a zero-day
With strong words, a name and logo of its own and the label "zero-day", Cybellum presents a technique with which malware can anchor itself in a Windows system -- after it has already taken control of it.
https://heise.de/-3662090
QNAP Storage Devices Multiple Flaws Let Remote Users Inject SQL Commands, Steal Cookies, Conduct Cross-Site Scripting and Clickjacking Attacks, Obtain Potentially Sensitive Information, and Execute Arbitrary Code
http://www.securitytracker.com/id/1038091
Vuln: Malware Information Sharing Platform CVE-2017-7215 Multiple Cross Site Scripting Vulnerabilities
http://www.securityfocus.com/bid/96997
Vuln: Rockwell Automation FactoryTalk Activation CVE-2017-6015 Local Privilege Escalation Vulnerability
http://www.securityfocus.com/bid/96996
Security Advisory - Information Leak Vulnerability in Huawei Hilink APP
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170322-01-hilinkapp-en
Security Advisory - Phone Finder Bypass Vulnerability in Some Huawei Smart Phones
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170322-01-smartphone-en
Phishing attempt at the FH Oberösterreich
A fake FH OOE IT-SERVICE DESK message claims that recipients must confirm their webmail account. To do so, they are asked to visit a website and enter their login credentials. This is a phishing attempt. Anyone who complies hands the credentials of their FH OÖ webmail account to criminals.
https://www.watchlist-internet.at/phishing/phishingversuch-bei-der-fh-oberoesterreich/
Avatar Rootkit: Dropper Analysis Part 2
In this second article on the dropper, we will resume our analysis right where we left off: the decryption of the key and data. After the decryption, two structures are initialized. The equivalent pseudo-code is presented below.
http://resources.infosecinstitute.com/avatar-rootkit-dropper-analysis-part-2/
Security Advisory - Sixteen OpenSSL Vulnerabilities on Some Huawei products
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170322-01-openssl-en
Intermediate Mitigation Measures May be Required for Apache Struts Vulnerabilities
The general consensus among InfoSec professionals is to patch critical vulnerabilities such as Apache Struts as soon as a patch is made available by the vendor. So why mightn't your company simply patch Apache Struts and go on your merry way? Not all events can be remediated immediately. Very often, intermediate mitigation measures must be taken to lower the risk of exploit and protect assets very quickly.
https://www.alienvault.com/blogs/security-essentials/intermediate-mitigation-measures-may-be-required-for-apache-struts-vulnerabilities
Password-theft hole in LastPass closed (or maybe not)
A security vulnerability in the LastPass password manager allows passwords to be read out. Under certain circumstances the attacker can also execute code. There are reports that LastPass's fix has so far not successfully closed the hole.
https://heise.de/-3661616
Code Execution Vulnerability Found in Libpurple IM Library
A severe vulnerability has been disclosed in libpurple, the library used in the development of a number of popular instant messaging clients, including Pidgin and Adium for the macOS platform. Adium 1.5.10.2 is vulnerable and can be exploited to run arbitrary code remotely. ... Pidgin has been patched in version 2.12.0.
https://threatpost.com/code-execution-vulnerability-found-in-libpurple-im-library/124448/
Vuln: D-Link DIR-600M CVE-2017-5874 Cross Site Request Forgery Vulnerability
http://www.securityfocus.com/bid/96999
Apple extortion: hackers allegedly threaten to remotely wipe iPhones
Changing the PIN remotely on iPhone and iPad is, however, only possible if the user has not set up a passcode on the device - which is one more reason why enabling the passcode is strongly recommended. To better protect access to one's own iCloud data, Apple's two-factor authentication should be enabled. This security feature does not, however, help against remote locking and remote wiping...
https://www.heise.de/mac-and-i/meldung/Apple-Erpressung-Hacker-drohen-angeblich-mit-Fernloeschung-von-iPhones-3661884.html
SAP Vulnerability Puts Business Data at Risk for Thousands of Companies
Researchers at ERPScan today disclosed details and a proof-of-concept exploit for a SAP GUI remote code execution vulnerability patched last week.
http://threatpost.com/sap-vulnerability-puts-business-data-at-risk-for-thousands-of-companies/124473/
Cisco Security Advisories
Cisco IOS and IOS XE Software DHCP Client Denial of Service Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170322-dhcpc
Cisco IOS XE Software for Cisco ASR 920 Series Routers Zero Touch Provisioning Denial of Service Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170322-ztp
Cisco IOS XE Software HTTP Command Injection Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170322-xeci
Cisco IOS XE Software Web User Interface Denial of Service Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170322-webui
Cisco IOS and IOS XE Software Layer 2 Tunneling Protocol Denial of Service Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170322-l2tp
Cisco IOx Data in Motion Stack Overflow Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170322-iox
Cisco Application-Hosting Framework Directory Traversal Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170322-caf1
Cisco Application-Hosting Framework Arbitrary File Creation Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170322-caf2
IBM Security Bulletins
IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Fabric Manager
https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=migr-5099552
IBM Security Bulletin: Vulnerabilities in Apache Tomcat affect SAN Volume Controller, Storwize family and FlashSystem V9000 products (CVE-2017-6056)
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010022
IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Sterling Connect:Direct for HP NonStop (CVE-2016-7055, CVE-2017-3732)
http://www-01.ibm.com/support/docview.wss?uid=swg22000456
IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational DOORS Web Access
http://www.ibm.com/support/docview.wss?uid=swg21999797
IBM Security Bulletin: Vulnerabilities CVE-2016-0736, CVE-2016-2161 and CVE-2016-8743 in IBM i HTTP Server
http://www.ibm.com/support/docview.wss?uid=nas8N1021918
IBM Security Bulletin: Multiple vulnerabilities in Open Source Samba, NTP and ISC BIND affect IBM Netezza Host Management
http://www-01.ibm.com/support/docview.wss?uid=swg21997024