Daily summary - Friday 19-05-2017

End-of-Shift report

Timeframe: Thursday 18-05-2017 18:00 − Friday 19-05-2017 18:00 Handler: Stephan Richter Co-Handler: n/a

How did the WannaCry Ransomworm spread?

Security researchers have had a busy week since the WannaCry ransomware outbreak that wreaked havoc on computers worldwide. How did it all happen?

https://blog.malwarebytes.com/cybercrime/2017/05/how-did-wannacry-ransomworm-spread/


Who's responsible for fixing SS7 security issues?

The WannaCry ransomware onslaught has overshadowed some of the other notable happenings this month, including the spectacular Google-themed phishing/spamming attack, and the news that attackers have managed to exploit vulnerabilities in the SS7 protocol suite to bypass German banks' two-factor authentication and drain their customers' bank accounts. According to the reports, the attackers were able to pull this scheme off by gaining access to the network of a foreign mobile network [...]

https://www.helpnetsecurity.com/2017/05/19/ss7-security-issues/


Number of HTTPS phishing sites triples

When, in January 2017, Mozilla and Google made Firefox and Chrome flag HTTP login pages as insecure, the intent was to make phishing pages easier to recognize, as well as to push more website owners towards deploying HTTPS. But while the latter aim was achieved, and the number of websites making use of HTTPS has increased noticeably, the move also had one unintended consequence: the number of phishing sites with HTTPS has increased, too.

https://www.helpnetsecurity.com/2017/05/19/number-https-phishing-sites-triples/


Background: Chrome now blocks certificates that rely on the Common Name

If the in-house service that has been running for years suddenly refuses HTTPS access, the likely cause is a change in the current Chrome version: Google now enforces the use of RFC-compliant "Subject Alt Names", and many admins therefore have to adjust their certificates.

https://heise.de/-3717594


Bypassing Application Whitelisting with BGInfo

TL;DR: BGInfo.exe older than version 4.22 can be used to bypass application whitelisting by means of VBScript embedded in a .bgi file. This can run directly from a WebDAV server.

https://msitpros.com/?p=3831


"Four Keys to Effective ICS Incident Response"

While incident response in Information Technology (IT) and Operational Technology (OT) or Industrial Control Systems (ICS) may appear to be very similar, incident response in an ICS environment has different considerations and priorities. Many organizations leverage their existing IT incident response capabilities in an OT environment which may not be ideal for successful incident response [...]

http://ics.sans.org/blog/2017/05/19/four-keys-to-effective-ics-incident-response


ETERNALBLUE vs Internet Security Suites and nextgen protections

Due to the recent #wannacry ransomware events, we initiated a quick test in our lab. Most vendors claim to protect against the WannaDecrypt ransomware, and some even claim they protect against the ETERNALBLUE exploit (MS17-010). Unfortunately, our tests show otherwise. Warning: We only tested the exploit and the backdoor, but not the payload (WannaCry)!

https://www.mrg-effitas.com/eternalblue-vs-internet-security-suites-and-nextgen-protections/


Forensic tool claims to recover deleted notes from iCloud

The software vendor Elcomsoft has extended its "Phone Breaker" app with a function that exploits the fact that Apple apparently retains notes for a long time even after the user has deleted them.

https://heise.de/-3718361


MS17-010 (Ransomware WannaCry) Impact to Cisco Products

The Cisco PSIRT Team is continuing to investigate the impact of this vulnerability on Cisco products that have not reached end of software maintenance support and that do not support automated or manual updates of the Microsoft patch for these vulnerabilities. Investigation is expected to be completed by Friday, May 19th.

https://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170515


HPESBGN03748 rev.1 - HPE Cloud Optimizer, Remote Disclosure of Information

A potential security vulnerability has been identified in HPE Cloud Optimizer. The vulnerability could be remotely exploited resulting in disclosure of information.

https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbgn03748en_us


Bugtraq: Nextcloud/Owncloud - Reflected Cross Site Scripting in error pages

http://www.securityfocus.com/archive/1/540569


DSA-3855 jbig2dec - security update

Multiple security issues have been found in the JBIG2 decoder library, which may lead to denial of service, disclosure of sensitive information from process memory or the execution of arbitrary code if a malformed image file (usually embedded in a PDF document) is opened.

https://www.debian.org/security/2017/dsa-3855


Indicators Associated With WannaCry Ransomware (Update C)

This updated alert is a follow-up to the updated alert titled ICS-ALERT-17-135-01B Indicators Associated With WannaCry Ransomware that was published May 17, 2017, on the NCCIC/ICS-CERT web site.

https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-135-01C


McAfee Network Data Loss Prevention Multiple Bugs Let Remote Users Conduct Session Hijacking and Cross-Site Scripting Attacks and Obtain Potentially Sensitive Information

http://www.securitytracker.com/id/1038523


VMSA-2017-0009

VMware Workstation update addresses multiple security issues

https://www.vmware.com/security/advisories/VMSA-2017-0009.html


DFN-CERT-2017-0885: Red Hat JBoss Enterprise Application Platform, RESTEasy: A vulnerability allows execution of arbitrary code

https://portal.cert.dfn.de/adv/DFN-CERT-2017-0885/


IBM Security Bulletins

IBM Security Bulletin: Samba vulnerability issue on IBM Storwize V7000 Unified (CVE-2016-2125, CVE-2016-2126)

http://www.ibm.com/support/docview.wss?uid=ssg1S1010052

IBM Security Bulletin: IBM Cisco Switches and Directors vulnerable to Sweet32 Birthday attacks (CVE-2016-2183, CVE-2016-6329)

http://www.ibm.com/support/docview.wss?uid=ssg1S1010239

IBM Security Bulletin: IBM Content Navigator Cross Site Scripting Vulnerability

http://www-01.ibm.com/support/docview.wss?uid=swg22002356

IBM Security Bulletin: Multiple vulnerabilities in Network Security Services (NSS) component affect SAN Volume Controller, Storwize family and FlashSystem V9000 products.

http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010118

IBM Security Bulletin: Open redirect vulnerability in IBM Business Process Manager (CVE-2017-1159)

http://www-01.ibm.com/support/docview.wss?uid=swg22000253

IBM Security Bulletin: Vulnerability in OpenSSL affects IBM SONAS (CVE-2017-3731)

http://www.ibm.com/support/docview.wss?uid=ssg1S1010136