End-of-Shift report
Timeframe: Tuesday 04-04-2017 18:00 to Wednesday 05-04-2017 18:00
Handler: Stephan Richter
Co-Handler: n/a
WordPress Security - Unwanted Redirects via Infected JavaScript Files
We've been watching a specific WordPress infection for several months and would like to share details about it. The attack injects malicious JavaScript code into almost every .js file it can find. Previous versions of this malware injected only into jquery.js files, but now we are removing this code from hundreds of infected files. Due to a bug in the injector code, it also infects files whose extensions merely contain ".js" (such as .js.php or .json).
https://blog.sucuri.net/2017/04/wordpress-security-unwanted-redirects-via-infected-javascript-files.html
Encryption inside Utility Industrial Control Systems (ICS) communication protocols: a must to preserve the confidentiality of information and reliability of the industrial process, (Tue, Apr 4th)
Industrial control systems are sensitive systems that must make decisions in real time to ensure the operation of the industrial process they govern. Latency and reliability of packet transmission are fundamental: the protocols are connection-oriented, but because speed is the main goal, many of them include no error recovery schemes beyond those already present in the TCP/IP stack. Where is it possible to use encryption without affecting the operation of the industrial control...
https://isc.sans.edu/diary.html?storyid=22260&rss
Schneider Electric still shipping passwords in firmware
You'd think a vendor of critical infrastructure would at least pretend to care about security. That "don't use hard-coded passwords" infosec rule? Someone needs to use a needle to write it on the corner of Schneider Electric's developers' eyes so they don't forget it.
http://go.theregister.com/feed/www.theregister.co.uk/2017/04/05/schneider_istilli_shipping_passwords_in_firmware/
Internet platform supports victims of digital extortion
For victims of digital extortion it is especially important to recover their files quickly and easily. At www.nomoreransom.org, various decryption tools can now also be accessed in German.
http://www.bmi.gv.at/cms/bmi/_news/bmi.aspx?id=537A58584930536354666F3D&page=0&view=1
US$500,000 ransom: ransomware gangs take aim at companies
Security researchers have identified at least eight groups that specialise in ransomware attacks on companies. The ransom rises with the number of infected PCs and servers; sums of up to US$500,000 are involved.
https://heise.de/-3675612
Whitelists: The Holy Grail of Attackers, (Wed, Apr 5th)
As a defender, take the time to put yourself in the place of a bad guy for a few minutes. You're writing some malicious code and you need to download payloads from the Internet or hide your code on a website. Once your malicious code spreads in the wild, it will be quickly captured by honeypots, IDS, ... (name your best tool) and analysed automatically or manually by the good guys. The goal of this is to extract a behavioural analysis of the code and generate indicators (IOCs) which will help to...
https://isc.sans.edu/diary.html?storyid=22262&rss
Broadcom security vulnerability: attack via the Wi-Fi chip
Google's Project Zero shows how a smartphone can be taken over over Wi-Fi. Today's Wi-Fi chips run their own operating systems, which however lack all modern security mechanisms.
https://www.golem.de/news/broadcom-sicherheitsluecke-angriff-ueber-den-wlan-chip-1704-127151-rss.html
Report: 30% of malware is zero-day, missed by legacy antivirus
At least 30 percent of malware today is new, zero-day malware that is missed by traditional antivirus defenses, according to a new report. "We're gathering threat data from hundreds of thousands of customers and network security appliances," said Corey Nachreiner, CTO at WatchGuard Technologies. "We have different types of malware detection services, including a signature and heuristic-based gateway antivirus. What we found was that 30 percent of the malware would have been missed...
http://www.cio.com/article/3187734/network-security/report-30-of-malware-is-zero-day-missed-by-legacy-antivirus.html#tk.rss_security
Changes coming to TLS: Part Two
In the first part of this two-part blog we covered certain performance improving features of TLS 1.3, namely 1-RTT handshakes and 0-RTT session resumption. In this part we shall discuss some security and privacy improvements. Remove obsolete and insecure cryptographic primitives. Remove RSA handshakes. When RSA is used for key establishment there is no forward secrecy, which basically means that an adversary can record the encrypted conversation between the client and the server and later, if it is...
https://access.redhat.com/blogs/766093/posts/2978671
Broadcom: Heap overflow in TDLS Teardown Request while handling Fast Transition IE
[...] Then, if the IE is present, its contents are copied into a heap-allocated buffer of length 256. The copy is performed using the length field present in the IE, and at a fixed offset from the buffer's start address. Since the length of the FTIE is not verified prior to the copy, this allows an attacker to include a large FTIE (e.g., with a length field of 255), causing the memcpy to overflow the heap-allocated buffer.
https://bugs.chromium.org/p/project-zero/issues/detail?id=1046
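The bug class described above, as an added illustration that is not Project Zero's proof of concept nor Broadcom's firmware code: an 802.11 information element is a 1-byte element ID, a 1-byte length and a payload, and the vulnerable handler uses that attacker-controlled length byte as the memcpy length into a 256-byte buffer. The copy offset (32) and the FTIE element ID value are assumptions made for the example; the advisory only says "a fixed offset". The hardened handler bounds the length both by what the frame actually carries and by the space left in the destination. The guard region after the buffer is a test harness so the overflow can be measured rather than crash, not a model of the firmware heap.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* 802.11 information element: 1-byte element ID, 1-byte length, then payload. */
#define IE_HDR_LEN       2
#define FTIE_ID          55   /* Fast BSS Transition IE element ID; assumed for the example */
#define TDLS_BUF_LEN     256  /* heap buffer size named in the advisory */
#define FTIE_COPY_OFFSET 32   /* ASSUMPTION: advisory says "a fixed offset" but not its value */

/* Build a minimal FTIE with a caller-chosen length byte; payload is 0x41 filler (constructed input). */
size_t build_ftie(uint8_t *out, size_t out_len, uint8_t payload_len) {
    if (out_len < (size_t)IE_HDR_LEN + payload_len) return 0;
    out[0] = FTIE_ID;
    out[1] = payload_len;
    memset(out + IE_HDR_LEN, 0x41, payload_len);
    return IE_HDR_LEN + payload_len;
}

/* Vulnerable pattern: the copy length comes straight from the IE's own length byte. */
void handle_ftie_vulnerable(uint8_t *buf, const uint8_t *ie) {
    size_t len = ie[1];
    memcpy(buf + FTIE_COPY_OFFSET, ie + IE_HDR_LEN, len); /* nothing checks offset + len <= 256 */
}

/* Hardened: reject the IE unless its claimed length fits both the frame and the destination. */
int handle_ftie_hardened(uint8_t *buf, size_t buf_len,
                         const uint8_t *ie, size_t ie_len) {
    if (ie_len < IE_HDR_LEN || ie[0] != FTIE_ID) return -1;
    size_t len = ie[1];
    if (len > ie_len - IE_HDR_LEN) return -1;          /* IE claims more than the frame holds */
    if (FTIE_COPY_OFFSET >= buf_len ||
        len > buf_len - FTIE_COPY_OFFSET) return -1;   /* copy would run past the buffer */
    memcpy(buf + FTIE_COPY_OFFSET, ie + IE_HDR_LEN, len);
    return (int)len;
}

/* Test harness: a 256-byte "heap buffer" followed by a 256-byte guard region in the same
 * allocation, so the overflow is observable without undefined behaviour. Returns how many
 * guard bytes the vulnerable handler overwrote for a given FTIE length byte. */
size_t guard_bytes_clobbered(uint8_t payload_len) {
    uint8_t ie[IE_HDR_LEN + 255];
    size_t ie_len = build_ftie(ie, sizeof ie, payload_len);
    uint8_t *region = calloc(2 * TDLS_BUF_LEN, 1);
    if (!region || ie_len == 0) { free(region); return 0; }
    memset(region + TDLS_BUF_LEN, 0xCC, TDLS_BUF_LEN);       /* guard pattern */
    handle_ftie_vulnerable(region, ie);
    size_t clobbered = 0;
    for (size_t i = 0; i < TDLS_BUF_LEN; i++)
        if (region[TDLS_BUF_LEN + i] != 0xCC) clobbered++;
    free(region);
    return clobbered;
}

/* Same input through the hardened handler: -1 means rejected, otherwise bytes copied. */
int hardened_result(uint8_t payload_len) {
    uint8_t ie[IE_HDR_LEN + 255];
    size_t ie_len = build_ftie(ie, sizeof ie, payload_len);
    uint8_t buf[TDLS_BUF_LEN];
    return handle_ftie_hardened(buf, sizeof buf, ie, ie_len);
}

int main(void) {
    uint8_t lens[] = { 255, 224, 200 };
    for (size_t i = 0; i < sizeof lens; i++)
        printf("FTIE length byte %3u: vulnerable handler clobbered %3zu guard bytes, "
               "hardened handler returns %d\n",
               lens[i], guard_bytes_clobbered(lens[i]), hardened_result(lens[i]));
    return 0;
}
```

With the assumed offset of 32, a length byte of 255 writes 31 bytes past the end of the 256-byte buffer, exactly the adjacent-heap-chunk corruption the advisory describes; the largest length the hardened handler accepts is 224. The second check (length versus remaining frame bytes) matters as well: without it, a truncated frame lets the copy read past the end of the received packet.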
Citrix XenServer Multiple Security Updates
A number of security issues have been identified within Citrix XenServer. The most significant of these issues could, if exploited, allow a malicious administrator of a 64-bit PV guest VM to compromise the host.
https://support.citrix.com/article/CTX222565
Django Input Validation Flaws Let Remote Users Conduct Cross-Site Scripting and Open Redirect Attacks
http://www.securitytracker.com/id/1038177
HPE Business Process Monitor Unspecified Flaw Lets Remote Users Access Data on the Target System
http://www.securitytracker.com/id/1038176
Asterisk Buffer Overflow in Processing CDR User Data Lets Remote Authenticated Users Execute Arbitrary Code
http://www.securitytracker.com/id/1038175
Security Advisory - Multiple Buffer Overflow Vulnerabilities in Bastet of Huawei Smart Phone
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170405-01-smartphone-en
Security Advisory - Information Leak Vulnerability in Some Huawei Smart Phones
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170405-02-smartphone-en
Schneider Electric Interactive Graphical SCADA System Software
This advisory contains mitigation details for a DLL hijacking vulnerability in Schneider Electric's Interactive Graphical SCADA System Software.
https://ics-cert.us-cert.gov/advisories/ICSA-17-094-01
Marel Food Processing Systems
This advisory contains mitigation details for hard-coded passwords and unrestricted upload vulnerabilities in Marel's Food Processing Systems.
https://ics-cert.us-cert.gov/advisories/ICSA-17-094-02
Rockwell Automation Allen-Bradley Stratix and Allen-Bradley ArmorStratix
This advisory contains mitigation details for an improper input validation vulnerability in Rockwell Automation's Allen-Bradley Stratix and ArmorStratix Industrial Ethernet and Distribution switches.
https://ics-cert.us-cert.gov/advisories/ICSA-17-094-03
IBM Security Bulletins
IBM Security Bulletin: Vulnerability in Apache Struts affects IBM Opportunity Detect (CVE-2017-5638)
http://www-01.ibm.com/support/docview.wss?uid=swg22001388
IBM Security Bulletin: IBM Security Guardium is affected by Open Source Oracle MySQL Vulnerability (CVE-2017-3302)
http://www-01.ibm.com/support/docview.wss?uid=swg21999203
IBM Security Bulletin: IBM Security Guardium is affected by Open Source Oracle MySQL Vulnerabilities (multiple CVEs)
http://www-01.ibm.com/support/docview.wss?uid=swg21999202
IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium Database Activity Monitor
http://www-01.ibm.com/support/docview.wss?uid=swg21999580
Fortinet PSIRT Advisories
FortiClient SSLVPN Linux - Root privilege escalation with subproc
http://fortiguard.com/psirt/FG-IR-16-041
FortiClient SSLVPN Linux - Arbitrary write to log file
http://fortiguard.com/psirt/FG-IR-16-069
Multiple vulnerabilities in Linux kernels through 4.6.3
http://fortiguard.com/psirt/FG-IR-16-052
Unauthenticated XSS (Cross Site Scripting) in FortiMail
http://fortiguard.com/psirt/FG-IR-17-011
Linux kernel - challenge ack information leak
http://fortiguard.com/psirt/FG-IR-16-047
F5 Security Advisories
BIG-IP file validation vulnerability CVE-2015-8022
https://support.f5.com/csp/article/K12401251
OpenSSL vulnerability CVE-2015-3195
https://support.f5.com/csp/article/K12824341
OpenSSH vulnerability CVE-2016-6210
https://support.f5.com/csp/article/K14845276
Expat XML library vulnerability CVE-2015-1283
https://support.f5.com/csp/article/K15104541
glibc vulnerability CVE-2016-3075
https://support.f5.com/csp/article/K15439022
libxml2 vulnerability CVE-2016-1834
https://support.f5.com/csp/article/K16712298
glibc vulnerability CVE-2016-4429
https://support.f5.com/csp/article/K17075474
TMM vulnerability CVE-2016-5023
https://support.f5.com/csp/article/K19784568
Linux kernel vulnerability CVE-2013-7446
https://support.f5.com/csp/article/K20022580
OpenSSH vulnerability CVE-2015-8325
https://support.f5.com/csp/article/K20911042
NTP vulnerability CVE-2015-7976
https://support.f5.com/csp/article/K21230183
Linux kernel vulnerability CVE-2011-5321
https://support.f5.com/csp/article/K21632201
TMM vulnerability CVE-2016-9245
https://support.f5.com/csp/article/K22216037
glibc vulnerability CVE-2015-8776
https://support.f5.com/csp/article/K23946311
OpenSSL vulnerability CVE-2016-0800
https://support.f5.com/csp/article/K23196136
libarchive vulnerability CVE-2016-5844
https://support.f5.com/csp/article/K24036027
ISC DHCP vulnerability CVE-2016-2774
https://support.f5.com/csp/article/K30409575
Java commons-collections library vulnerability CVE-2015-4852
https://support.f5.com/csp/article/K30518307
PHP vulnerability CVE-2016-4070
https://support.f5.com/csp/article/K42065024
NTP vulnerability CVE-2016-2519
https://support.f5.com/csp/article/K41613034
GnuPG vulnerability CVE-2013-4402
https://support.f5.com/csp/article/K40131068
libarchive vulnerability CVE-2016-8688
https://support.f5.com/csp/article/K35263486
PHP vulnerability CVE-2016-3074
https://support.f5.com/csp/article/K34958244
OpenSSL vulnerability CVE-2016-7056
https://support.f5.com/csp/article/K32743437
OpenSSH vulnerability CVE-2016-10009
https://support.f5.com/csp/article/K31440025
BIG-IP APM access logs vulnerability CVE-2016-1497
https://support.f5.com/csp/article/K31925518