End-of-Shift report
Timeframe: Friday 09-06-2017 18:00 - Monday 12-06-2017 18:00
Handler: Robert Waldner
Co-Handler: n/a
Banking trojan executes when targets hover over link in PowerPoint doc
Criminal hackers have started using a novel malware attack that infects people when their mouse hovers over a link embedded in a malicious PowerPoint file.
The method - which was used in a recent spam campaign that attempted to install a bank-fraud backdoor alternately known as Zusy, OTLARD, and Gootkit - is notable because it didn't rely on macros, visual basic scripts, or JavaScript to deliver its payload.
https://arstechnica.com/security/2017/06/malicious-powerpoint-files-can-infect-targets-when-hovering-over-hyperlinks/
RSA Identity Management and Governance Input Validation Flaws Let Remote and Remote Authenticated Users Conduct Cross-Site Scripting Attacks
http://www.securitytracker.com/id/1038648
FIRST announces availability of new Common Vulnerability Scoring System (CVSS) release
Third version aims to make the system more applicable to modern concerns
https://www.first.org/newsroom/releases/20150610
[remote] Logpoint < 5.6.4 - Unauthenticated Root Remote Code Execution
https://www.exploit-db.com/exploits/42158/?rss
libgcrypt: A vulnerability allows information disclosure
A remote, unauthenticated attacker who can capture the EdDSA session key during a signing operation via a side-channel attack can reconstruct the 'Long Term Secret Key' from it and subsequently bypass the protection of the session encryption in order to read information from sessions.
The vendor provides libgcrypt 1.7.7 as a security update.
https://portal.cert.dfn.de/adv/DFN-CERT-2017-0993/
Bugtraq: [security bulletin] HPESBUX03759 rev.1 - HP-UX CIFS Server using Samba, Multiple Remote Vulnerabilities
Potential security vulnerabilities have been identified in HPE HP-UX CIFS
server using Samba. The vulnerabilities can be exploited remotely to allow
authentication bypass, code execution, and unauthorized access.
References: CVE-2017-7494
http://www.securityfocus.com/archive/1/540701
Bugtraq: [SECURITY] [DSA 3877-1] tor security update
Package : tor
CVE ID : CVE-2017-0376
Debian Bug : 864424
It has been discovered that Tor, a connection-based low-latency anonymous communication system, contains a flaw in the hidden service code when receiving a BEGIN_DIR cell on a hidden service rendezvous circuit. A remote attacker can take advantage of this flaw to cause a hidden service to crash with an assertion failure (TROVE-2017-005).
http://www.securityfocus.com/archive/1/540705
Bugtraq: [security bulletin] HPESBHF03730 rev.2 - HPE Aruba ClearPass Policy Manager, Multiple Vulnerabilities
Potential security vulnerabilities have been identified in HPE Aruba ClearPass Policy Manager. The vulnerabilities could be remotely exploited to allow access restriction bypass, arbitrary command execution, cross-site scripting (XSS), escalation of privilege and disclosure of information.
References: CVE-2017-5824, CVE-2017-5825, CVE-2017-5826, CVE-2017-582, CVE-2017-5828, CVE-2017-5829, CVE-2017-5647
http://www.securityfocus.com/archive/1/540704
Security Advisory - Memory Double Free Vulnerability in Touch Panel Driver of Some Huawei Smart Phones
The Touch Panel (TP) driver of some Huawei smart phones has a memory double free vulnerability. An attacker with root privilege on the Android system tricks a user into installing a malicious application; the application can start multiple threads that try to free specific memory, which could trigger a double free and cause a system crash or arbitrary code execution. (Vulnerability ID: HWPSIRT-2017-04111)
CVE-2017-8141.
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170612-01-smartphone-en
Security Advisory - Multiple Vulnerabilities in UMA Products
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170612-01-uma-en
Linux Muldrop.14: Cryptomining malware infects unprotected Raspberry Pi devices
A new piece of malware exclusively infects Raspberry Pi devices and uses them to mine cryptocurrencies. Users can protect themselves against it relatively easily. (Security, Malware)
https://www.golem.de/news/linux-muldrop-14-cryptomining-malware-befaellt-ungeschuetzte-raspberry-pi-1706-128321-rss.html
Vuln: VMware Horizon View Client CVE-2017-4918 Command Injection Vulnerability
http://www.securityfocus.com/bid/98984
Sophos UTM: Multiple vulnerabilities allow denial-of-service attacks
Multiple vulnerabilities in the BIND, kernel, NTP, OpenSSL and OpenVPN components allow a remote, in many cases unauthenticated, attacker to carry out various denial-of-service (DoS) attacks against Sophos UTM.
Sophos has released Sophos UTM Software version 9.501 as a maintenance release to fix the listed vulnerabilities. In addition, various other bugs in the areas AWS, Basesystem, Confd, Email, Network, Reporting, RESTD, Sandboxd, WAF, Web, WebAdmin and WiFi are fixed.
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1012/
Pwn2Own: Safari sandbox part 1 - Mount yourself a root shell
Today we have CVE-2017-2533 / ZDI-17-357 for you, a race condition in a macOS system service which could be used to escalate privileges from local admin to root. We used it in combination with other logic bugs to escape the Safari sandbox at this year's Pwn2Own competition.
https://phoenhex.re/2017-06-09/pwn2own-diskarbitrationd-privesc
Industroyer: Advanced malware allegedly cut Ukraine's power supply
Security researchers say they have discovered something like a second Stuxnet: a trojan tailored to the control systems of electrical substations. It is believed to be responsible for attacks on the Ukrainian power utility Ukrenergo.
https://heise.de/-3740606
CSIRT maturity evaluation process - How is CSIRT maturity assessed?
ENISA has published a new practical guide for CSIRTs so that they are better prepared to protect their constituencies and improve their teams' maturity.
https://www.enisa.europa.eu/news/enisa-news/csirt-maturity-evaluation-process-how-is-csirt-maturity-assessed
Vuln: D-Link DIR-615 Wireless N 300 Router CVE-2017-9542 Authentication Bypass Vulnerability
http://www.securityfocus.com/bid/98992
Healthcare Industry Cybersecurity Report
New US government report: "Report on Improving Cybersecurity in the Health Care Industry." It's pretty scathing, but nothing in it will surprise regular readers of this blog. It's worth reading the executive summary, and then skimming the recommendations. Recommendations are in six areas. The Task Force identified six high-level imperatives by which to organize its recommendations and action items. The imperatives are: Define and streamline leadership, governance, and expectations for
https://www.schneier.com/blog/archives/2017/06/healthcare_indu.html
Behind the CARBANAK Backdoor
In this blog, we will take a closer look at the powerful, versatile backdoor known as CARBANAK (aka Anunak). Specifically, we will focus on the operational details of its use over the past few years, including its configuration, the minor variations observed from sample to sample, and its evolution. With these details, we will then draw some conclusions about the operators of CARBANAK. For some additional background on the CARBANAK backdoor, see the papers by Kaspersky and Group-IB and Fox-It.
http://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html
First SambaCry attacks: Trojan mines cryptocurrency on Linux servers
Security researchers have discovered a trojan that breaks into Linux servers through the recently discovered Samba vulnerability and then uses their hardware to generate cryptocurrency.
https://heise.de/-3740976
OSX/MacRansom: analyzing the latest ransomware to target Macs
Looks like somebody on the dark web is offering Ransomware as a Service...that's designed to infect Macs!
https://objective-see.com/blog/blog_0x1E.html
IBM Security Bulletins
IBM Security Bulletin: Multiple vulnerabilities in IBM Jazz Team Server affect IBM Rational products based on IBM Jazz technology
http://www.ibm.com/support/docview.wss?uid=swg22004534
IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Insight
http://www-01.ibm.com/support/docview.wss?uid=swg22003367
IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Reporting for Development Intelligence
http://www-01.ibm.com/support/docview.wss?uid=swg22003366
IBM Security Bulletin: Vulnerability in OpenSSH affects IBM Integrated Management Module (IMM) for System x & BladeCenter
http://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=migr-5099597
IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Integrated Management Module (IMM) for System x & BladeCenter
https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=MIGR-5099595
IBM Security Bulletin: Cross-site scripting vulnerabilities affect IBM Rational Quality Manager
http://www.ibm.com/support/docview.wss?uid=swg22004428
IBM Security Bulletin: IBM Maximo Asset Management could allow a remote authenticated attacker to execute arbitrary commands on the system as administrator (CVE-2016-9984)
http://www.ibm.com/support/docview.wss?uid=swg21998608
IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Spectrum Control and Tivoli Storage Productivity Center (CVE-2016-5597 CVE-2016-5546 CVE-2016-5548 CVE-2016-5549 CVE-2016-5547 CVE-2016-2183)
http://www.ibm.com/support/docview.wss?uid=swg21998779
IBM Security Bulletin: Multiple vulnerabilities in WebSphere Application Server affect IBM Spectrum Control and Tivoli Storage Productivity Center (CVE-2016-9736, CVE-2016-8934, CVE-2016-8919)
http://www.ibm.com/support/docview.wss?uid=swg21999544
IBM Security Bulletin: Java Platform Standard Edition Vulnerability in Multiple N Series Products (CVE-2016-0636)
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010085
IBM Security Bulletin: Java Platform Standard Edition Vulnerability in Multiple N Series Products (CVE-2016-0603)
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010086