Daily summary - Wednesday 14-06-2017

End-of-Shift report

Timeframe: Tuesday 13-06-2017 18:00 - Wednesday 14-06-2017 18:00
Handler: Robert Waldner
Co-Handler: n/a

Internet hygiene still stinks despite botnet and ransomware flood

Millions of must-be-firewalled services sitting wide open

Network security has improved little over the last 12 months - millions of vulnerable devices are still exposed on the open internet, leaving them defenceless to the next big malware attack.

http://go.theregister.com/feed/www.theregister.co.uk/2017/06/14/rapid7_device_scanning_audit/


June 2017 security update release

Microsoft releases additional updates for older platforms to protect against potential nation-state activity

Today, as part of our regular Update Tuesday schedule, we have taken action to provide additional critical security updates to address vulnerabilities that are at heightened risk of exploitation due to past nation-state activity and disclosures. Some of the releases today are...

https://blogs.technet.microsoft.com/msrc/2017/06/13/june-2017-security-update-release/


When Your Plugins Turn Against You

Every day we face countless cases of sites getting compromised and infected by an attacker. From there, the sites can be used for various operations like spam campaigns, malware spreading or simply to damage your SEO ranking among other events. The threat may not always come from outside though. There are occasions where we are indirectly the ones responsible for the infection and may never find out until we get blacklisted by a search engine, or alerted of malicious code from our users.

https://blog.sucuri.net/2017/06/when-your-plugins-turn-against-you.html


MSRT June 2017: Removing sneaky Xiazai

In the June release of the Microsoft Software Removal Tool (MSRT), we're adding Xiazai, a widespread family of browser modifiers that we have blocked and removed from millions of computers since 2015. Xiazai is a software bundler that can sneak in additional changes. Xiazai does not install itself or make autostart registry entries, but the...

https://blogs.technet.microsoft.com/mmpc/2017/06/13/msrt-june-2017-removing-sneaky-xiazai/


ZDI-17-396: Trend Micro Maximum Security tmusa Time-Of-Check/Time-Of-Use Privilege Escalation Vulnerability

This vulnerability allows local attackers to escalate privilege on vulnerable installations of Trend Micro Maximum Security. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

http://feedproxy.google.com/~r/ZDI-Published-Advisories/~3/FQzTY0SrpbU/


ZDI-17-395: Trend Micro Maximum Security tmusa Kernel Driver Untrusted Pointer Dereference Denial of Service Vulnerability

This vulnerability allows local attackers to deny service on vulnerable installations of Trend Micro Maximum Security. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

http://feedproxy.google.com/~r/ZDI-Published-Advisories/~3/hoecBsyhda4/


Nmap 7.50 released: New NSE scripts, 300+ fingerprints, new Npcap

Nmap 7.50 is the first big release since last December and has hundreds of improvements. One of the things the developers have worked on recently is the Npcap packet capturing driver and library for Windows. It is a replacement for WinPcap, which is no longer maintained. Npcap uses newer APIs for better performance and compatibility, including Windows 10 support. Developers also added loopback packet capture and injection, raw wireless sniffing, and extra security features ...

https://www.helpnetsecurity.com/2017/06/14/nmap-7-50-released/


Patch day: Microsoft secures XP and Vista, warns of new WannaCry

In an unprecedented step, Microsoft has shipped updates on patch day for Windows versions that are no longer supported. The company decided to do so because it fears further WannaCry-like attacks.

https://heise.de/-3743004


Fake Netflix message: Problem with your Membership

In a fake Netflix message, criminals claim that there are problems with customers' credit card data. For this reason, customers are asked to renew their payment method on a website. Customers who comply with the request transmit their bank details to criminals and become victims of data theft.

https://www.watchlist-internet.at/phishing/gefaelschte-netflix-nachricht-problem-with-your-membership/


Mozilla Firefox Multiple Bugs Let Remote Users Spoof URLs, Obtain Potentially Sensitive Information, and Execute Arbitrary Code and Let Local Users Gain Elevated Privileges

A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system. A local user can obtain elevated privileges on the target system. A local user can modify files on the target system. A remote user can obtain files on the target system. A remote user can spoof the address bar. Solution: The vendor has issued a fix (ESR 52.2; 54.0).

http://www.securitytracker.com/id/1038689


Due to security problems: No SMB1 in fresh Windows installations

Microsoft is planning the next step toward retiring the SMB1 protocol. After the autumn updates, the more than 30-year-old protocol is to be disabled by default in new installations of Windows.

https://heise.de/-3743127


Security Advisory - Permission Control Vulnerability in Smart Phones

Some Huawei smartphones have a permission control vulnerability. Due to improper authorization on specific processes, an attacker with root privilege on the Android mobile system can exploit this vulnerability to obtain some of the user's information. CVE-2017-8216

http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170614-01-smartphone-en


DDoS threats

Since yesterday, e-mails containing an extortion attempt and a threatened denial-of-service attack have been sent worldwide. These e-mails come from a group calling itself HACKER TEAM - Meridian Collective ... It can be assumed that, as in the past, no actual attacks will follow these threats. The demands should therefore not be complied with.

https://www.dfn-cert.de/aktuell/ddos-drohungen.html


FIRST Releases Framework for Product Security Incident Response Teams

The leading association of incident response and security teams released a draft of the Product Security Incident Response Teams (PSIRT) Services Framework for public input. This is a formal list of services a PSIRT may consider implementing to address the needs of their constituency. Public input is welcomed until August 31, 2017 via psirt-comments at first.org.

https://www.first.org/newsroom/releases/20170614


HIDDEN COBRA - North Korea's DDoS Botnet Infrastructure

... DHS and FBI identified Internet Protocol (IP) addresses associated with a malware variant, known as DeltaCharlie, used to manage North Korea's distributed denial-of-service (DDoS) botnet infrastructure. This alert contains indicators of compromise (IOCs), malware descriptions, network signatures, and host-based rules to help network defenders ...

https://www.us-cert.gov/ncas/alerts/TA17-164A


EMC

Vuln: EMC RSA BSAFE Cert-C CVE-2017-4981 Denial of Service Vulnerability

http://www.securityfocus.com/bid/99044

Vuln: EMC Secure Remote Services Virtual Edition CVE-2017-4986 Authentication Bypass Vulnerability

http://www.securityfocus.com/bid/99036

Vuln: EMC VNX1/VNX2 OE for File CVE-2017-4984 Remote Code Execution Vulnerability

http://www.securityfocus.com/bid/99039

Vuln: EMC VNX1/VNX2 OE for File CVE-2017-4985 Local Privilege Escalation Vulnerability

http://www.securityfocus.com/bid/99037

IBM Security Bulletins

IBM Security Bulletin: Apache Tomcat vulnerability affects IBM Algo One Counterparty Credit Risk (CVE-2016-8745)

http://www.ibm.com/support/docview.wss?uid=swg22000795

IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK 7 affect IBM Systems Director.

http://www.ibm.com/support/docview.wss?uid=isg3T1025202

IBM Security Bulletin: Multiple Security Vulnerabilities exist in IBM Cognos Express.

http://www.ibm.com/support/docview.wss?uid=swg22002268