End-of-Shift report
Timeframe: Wednesday 31-05-2017 18:00 - Thursday 01-06-2017 18:00
Handler: Stephan Richter
Co-Handler: n/a
Watch out: Google's AMP is being abused to disguise phishing attacks
Russian hackers are using Google's AMP service to disguise malicious URLs as Google services. It is only a matter of time before others follow suit.
https://heise.de/-3731578
Cisco, Netgear Readying Patches for Samba Vulnerability
Cisco is prepping fixes for two of its products affected by last week's Samba vulnerability. Netgear has also pushed out a fix for NAS devices that were affected.
http://threatpost.com/cisco-netgear-readying-patches-for-samba-vulnerability/125974/
Sharing Private Data with Webcast Invitations, (Thu, Jun 1st)
Last week, at a customer, we received a forwarded email in a shared mailbox. It was somebody from another department that shared an invitation for a webcast that "could be interesting for you, guys!". This time, no phishing attempt, no malware, just a regular email sent from a well-known security vendor. A colleague was interested in the webcast and clicked on the registration link. He was redirected to a page and was surprised to see all the fields already prefilled with the personal details of [...]
https://isc.sans.edu/diary.html?storyid=22478&rss
Motorcycle Gang Busted For Hacking and Stealing Over 150 Jeep Wranglers
An anonymous reader writes: "The FBI has arrested members of a motorcycle gang accused of having hacked and stolen over 150 Jeep Wranglers from Southern California, which they later crossed the border into Mexico to have stripped down for parts," reports Bleeping Computer. What stands apart is how the gang operated. This involved gang members getting the Jeep Wrangler VIN (Vehicle Identification Number), accessing a proprietary Jeep database, and getting two codes needed to create a [...]
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/xYKBhycly0Q/motorcycle-gang-busted-for-hacking-and-stealing-over-150-jeep-wranglers
An Elegant Way to Ruin Your Company's Day - Introduction to Public AWS EBS Snapshots
TL;DR Creating public (unencrypted) EBS Snapshots might not be a great idea. Even if you are going to share them "just for a second". A lot can be fished out of these snapshots: ssh keys, tls/ssl certificates, aws credentials, private source code and internal (extremely) valuable HR/Accounting/IT documents.
https://www.nvteh.com/news/problems-with-public-ebs-snapshots
Credit Card Breach at Kmart Stores. Again.
For the second time in less than three years, Kmart Stores is battling a malware-based security breach of its store credit card processing systems. Last week I began hearing from smaller banks and credit unions who said they strongly suspected another card breach at Kmart. Some of those institutions received alerts from the credit card companies about batches of stolen cards that all had one thing in common: They were all used at Kmart locations. Asked to respond to rumors about a card breach, [...]
https://krebsonsecurity.com/2017/05/credit-card-breach-at-kmart-stores-again/
NCSC releases factsheet Indicators of Compromise
In order to observe malicious digital activities within an organisation, Indicators of Compromise (IoCs) are a valuable asset. With IoCs, organisations can gain quick insights at central points in the network into malicious digital activities. When your organisation observes these activities, it is important to know what you can do to trace back which system is infected. Obtain as much contextual information with an IoC as possible, so that you get a clear picture of what is happening and how
https://www.ncsc.nl/english/current-topics/news/ncsc-releases-factsheet-indicators-of-compromise.html
WannaCry Development Errors Enable File Recovery
Researchers at Kaspersky Lab have found a number of programming errors in the WannaCry ransomware code that put file recovery within reach of sysadmins.
http://threatpost.com/wannacry-development-errors-enable-file-recovery/126002/
OneLogin suffers data breach, again
OneLogin, a popular single sign-on service that allows users to access thousands of popular cloud-based apps with just one password, has suffered what seems to be a serious data breach. According to a short blog post by the company's Chief Information Security Officer Alvaro Hoyos, they discovered the breach when, on Wednesday, they detected unauthorized access to OneLogin data in their US data region.
https://www.helpnetsecurity.com/2017/06/01/onelogin-data-breach/
[webapps] OV3 Online Administration 3.0 - Remote Code Execution
https://www.exploit-db.com/exploits/42096/?rss
Indicators Associated With WannaCry Ransomware (Update H)
This updated alert is a follow-up to the updated alert titled ICS-ALERT-17-135-01G Indicators Associated With WannaCry Ransomware that was published May 30, 2017, on the NCCIC/ICS-CERT web site.
https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-135-01H
Security Advisory - Multiple Security Vulnerabilities in HedEx product
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170531-01-hedex-en
DFN-CERT-2017-0945: Red Hat CloudForms Management Engine: Two vulnerabilities allow, among other things, information disclosure
https://portal.cert.dfn.de/adv/DFN-CERT-2017-0945/
IBM Security Bulletins
IBM Security Bulletin: IBM Maximo Asset Management could allow a remote attacker to hijack a user's session, caused by the failure to invalidate an existing session identifier (CVE-2016-9977)
http://www.ibm.com/support/docview.wss?uid=swg22003981
IBM Security Bulletin: Multiple vulnerabilities in expat, nss, bind, policycoreutils, sudo shipped with SmartCloud Entry Appliance
http://www-01.ibm.com/support/docview.wss?uid=isg3T1025119
IBM Security Bulletin: Apache Tomcat vulnerability affects IBM Storwize V7000 Unified (CVE-2016-6816, CVE-2016-6817, CVE-2016-8735)
http://www.ibm.com/support/docview.wss?uid=ssg1S1009962
IBM Security Bulletin: IBM Spectrum Protect (formerly Tivoli Storage Manager) Windows Client password exposure (CVE-2016-8939)
http://www.ibm.com/support/docview.wss?uid=swg22003738
IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Spectrum Protect (formerly Tivoli Storage Manager) Client and IBM Spectrum Protect (formerly Tivoli Storage Manager) for Virtual Environments: Data Protection for VMware
http://www.ibm.com/support/docview.wss?uid=swg22003673
IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos Metrics Manager
http://www-01.ibm.com/support/docview.wss?uid=swg22004078
IBM Security Bulletin: Vulnerabilities in OpenSSL affect Tivoli Storage FlashCopy Manager VMware (CVE-2016-6303, CVE-2016-2182, CVE-2016-2177, CVE-2016-2183, CVE-2016-6309, CVE-2016-7052, CVE-2016-2178, CVE-2016-6306)
http://www.ibm.com/support/docview.wss?uid=swg22000589
IBM Security Bulletin: A vulnerability in the GSKit library affects IBM Cognos Metrics Manager
http://www-01.ibm.com/support/docview.wss?uid=swg22004075
IBM Security Bulletin: Multiple Security vulnerabilities in WebSphere Application Server Community Edition
http://www-01.ibm.com/support/docview.wss?uid=swg22002267
IBM Security Bulletin: Multiple Mozilla Firefox vulnerability issues in IBM SONAS
http://www.ibm.com/support/docview.wss?uid=ssg1S1010243
IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Cognos Metrics Manager
http://www-01.ibm.com/support/docview.wss?uid=swg22004074
IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos Metrics Manager
http://www-01.ibm.com/support/docview.wss?uid=swg22004077
IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect DB2 Recovery Expert for Linux, Unix and Windows
http://www-01.ibm.com/support/docview.wss?uid=swg22002135
IBM Security Bulletin: Vulnerabilities in libxml2 and zlib affect IBM RackSwitch Products
http://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=migr-5099592
IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Asset Analyzer
http://www-01.ibm.com/support/docview.wss?uid=swg22003418
IBM Security Bulletin: Vulnerabilities in SSL affect IBM DataPower Gateways (CVE-2017-3731, CVE-2016-7055)
http://www.ibm.com/support/docview.wss?uid=swg22003793
IBM Security Bulletin: Vulnerabilities in libX11 affect IBM BladeCenter Advanced Management Module (AMM)
https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=MIGR-5099581
IBM Security Bulletin: Vulnerability in libxml2 affects IBM BladeCenter Advanced Management Module (AMM)
https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=MIGR-5099579
IBM Security Bulletin: Vulnerabilities in cURL/libcurl affect IBM Flex System FC3171 8Gb SAN Switch and SAN Pass-thru, QLogic 8Gb Intelligent Pass-thru Module & SAN Switch Module for BladeCenter and QLogic Virtual Fabric Extension Module for IBM
https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=MIGR-5099588
IBM Security Bulletin: Vulnerability in OpenSSL affects MegaRAID Storage Manager (CVE-2016-8610)
http://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=migr-5099575
IBM Security Bulletin: Vulnerabilities in dosfstools affect IBM Integrated Management Module II (IMM2) for System x, Flex and BladeCenter systems
https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=MIGR-5099593
IBM Security Bulletin: IBM Development Package for Apache Spark update of IBM SDK Java Technology Edition
http://www-01.ibm.com/support/docview.wss?uid=swg22003200
IBM Security Bulletin: IBM Cognos Business Intelligence Server 2017Q2 Security Updater: IBM Cognos Business Intelligence Server is affected by multiple vulnerabilities.
http://www.ibm.com/support/docview.wss?uid=swg22004036