End-of-Shift report
Timeframe: Thursday 29-06-2017 18:00 - Friday 30-06-2017 18:00
Handler: Stephan Richter
Co-Handler: n/a
Eternal Champion Exploit Analysis
Recently, a group named the ShadowBrokers published several remote server exploits targeting various protocols on older versions of Windows. In this post we are going to look at the EternalChampion exploit in detail to see what vulnerabilities it exploited, how it exploited them, and how the latest mitigations in Windows 10 break the exploit as-written....
https://blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit-analysis/
Ransomware Attacks Continue in Ukraine with Mysterious WannaCry Clone
A fourth ransomware campaign focused on Ukraine has surfaced today, following some of the patterns seen in past ransomware campaigns that have been aimed at the country, such as XData, PScrypt, and the infamous NotPetya. [...]
https://www.bleepingcomputer.com/news/security/ransomware-attacks-continue-in-ukraine-with-mysterious-wannacry-clone/
Security updates announced: Cisco's IOS system is vulnerable to malicious code
So far, those affected can only contain the threat posed by newly discovered vulnerabilities in Cisco's IOS and IOS XE through workarounds. Security patches are to follow.
https://heise.de/-3759927
e-Government in Germany: Critical vulnerabilities in a central transport component
You can find the English version of this post here containing further technical details. The "OSCI-Transport" Java library is a core component of German e-government. Vulnerabilities in this component allow an attacker to decrypt or manipulate certain information exchanged between public authorities, or even to read data from government computers. OSCI-Transport is a protocol intended for the secure [...] of data between public authorities.
http://blog.sec-consult.com/2017/06/e-government-in-deutschland-schwachstellen.html
Exploring the crypt: Analysis of the WannaCrypt ransomware SMB exploit propagation
On May 12, there was a major outbreak of WannaCrypt ransomware. WannaCrypt directly borrowed exploit code from the ETERNALBLUE exploit and the DoublePulsar backdoor module leaked in April by a group calling itself Shadow Brokers. Using ETERNALBLUE, WannaCrypt propagated as a worm on older platforms, particularly Windows 7 and Windows Server 2008 systems that haven't...
https://blogs.technet.microsoft.com/mmpc/2017/06/30/exploring-the-crypt-analysis-of-the-wannacrypt-ransomware-smb-exploit-propagation/
Eternal Blues: A free EternalBlue vulnerability scanner
It is to be hoped that after the WannaCry and NotPetya outbreaks, companies will finally make sure to install - on all their systems - the Windows update that patches SMB vulnerabilities leveraged by the EternalBlue and EternalRomance exploits. These exploits are currently available to practically any hacker who might want to use them, and protecting systems against them should be a must for every organization. But while bigger ones might have an IT department [...]
https://www.helpnetsecurity.com/2017/06/30/eternal-blues-eternalblue-vulnerability-scanner/
Cyber Europe 2016: Key lessons from a simulated cyber crisis
Today marks the end of the latest cyber crisis exercise organised by ENISA, with the release of the after action report and closure video of Cyber Europe 2016.
https://www.enisa.europa.eu/news/enisa-news/cyber-europe-2016-key-lessons-from-a-simulated-cyber-crisis
TeleBots are back: supply-chain attacks against Ukraine
The latest Petya-like outbreak has gathered a lot of attention from the media. However, it should be noted that this was not an isolated incident: this is the latest in a series of similar attacks in Ukraine. This blogpost reveals many details about the Diskcoder.C (aka ExPetr, PetrWrap, Petya, or NotPetya) outbreak and related information about previously unpublished attacks.
https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/
How Malicious Websites Infect You in Unexpected Ways
You probably spend most of your time on a PC browsing, whether that is Facebook, news or just blogs or pages that appeal to your particular interest. If a malicious hacker wants to break into your computer and scramble the kilobytes that make up your digital life, his starting point will be to create a [...]
https://heimdalsecurity.com/blog/malicious-websites/
SNMP Remote Code Execution Vulnerabilities in Cisco IOS and IOS XE Software
The Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and IOS XE Software contains multiple vulnerabilities that could allow an authenticated, remote attacker to remotely execute code on an affected system or cause an affected system to reload. An attacker could exploit these vulnerabilities by sending a crafted SNMP packet to an affected system via IPv4 or IPv6. Only traffic directed to an affected system can be used to exploit these vulnerabilities.
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170629-snmp
Schneider Electric U.motion Builder
This advisory contains mitigation details for SQL injection, path traversal, improper authentication, use of hard-coded password, improper access control, denial of service, and information disclosure vulnerabilities in Schneider Electric's U.motion Builder.
https://ics-cert.us-cert.gov/advisories/ICSA-17-180-02
BIND TSIG Authentication Bugs Let Remote Users Bypass Authentication to Transfer or Modify Zone Content
http://www.securitytracker.com/id/1038809
SSA-545214 (Last Update 2017-06-29): Vulnerability in ViewPort for Web Office Portal
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-545214.pdf
SSA-874235 (Last Update 2017-06-29): Intel Vulnerability in Siemens Industrial Products
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-874235.pdf
2017-06-16 (updated 2017-06-30): Cyber Security Notification - CrashOverride/Industroyer Malware
http://search.abb.com/library/Download.aspx?DocumentID=9AKK107045A1003&LanguageCode=en&DocumentPartId=&Action=Launch
[2017-06-30] Multiple critical vulnerabilities in OSCI-Transport library 1.2 for German e-Government
The OSCI-Transport library 1.2, a core component of Germany's e-government infrastructure, is affected by XXE, padding oracle and signature wrapping vulnerabilities. These vulnerabilities could be used to read local files from OSCI systems, decrypt certain parts of a message or, under specific circumstances, even to forge messages.
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20170630-0_KOSIT_XOEV_OSCI-Transport_library_critical_vulnerabilities_german_egovernment_v10.txt
IBM Security Bulletins
IBM Security Bulletin: OpenSource ICU4C Vulnerabilities in IBM eDiscovery Analyzer
https://www-01.ibm.com/support/docview.wss?uid=swg21996949
IBM Security Bulletin: Cross-site scripting vulnerability in WebSphere Application Server admin console in IBM Content Collector for Email
https://www-01.ibm.com/support/docview.wss?uid=swg21998348
IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM eDiscovery Analyzer
https://www-01.ibm.com/support/docview.wss?uid=swg21996957
IBM Security Bulletin: WebSphere Application Server vulnerability with malformed SOAP requests in IBM Content Collector for Email
https://www-01.ibm.com/support/docview.wss?uid=swg21998347
IBM Security Bulletin: OpenSource Apache Struts vulnerability in Content Collector for IBM Connections
https://www-01.ibm.com/support/docview.wss?uid=swg21999097
IBM Security Bulletin: OpenSource Apache Struts vulnerability in IBM Content Collector for Microsoft SharePoint
https://www-01.ibm.com/support/docview.wss?uid=swg21999099
IBM Security Bulletin: OpenSource Apache Struts vulnerability in IBM Content Collector for File Systems
https://www-01.ibm.com/support/docview.wss?uid=swg21999105
IBM Security Bulletin: OpenSource Apache Struts vulnerability in IBM Content Collector for Email
https://www-01.ibm.com/support/docview.wss?uid=swg21999106
IBM Security Bulletin: Open Source Apache PDFBox Vulnerability in IBM eDiscovery Analyzer
https://www-01.ibm.com/support/docview.wss?uid=swg21991027
IBM Security Bulletin: OpenSource Apache Struts vulnerability in Content Collector for IBM Connections
https://www-01.ibm.com/support/docview.wss?uid=swg21999098
IBM Security Bulletin: zlib vulnerability may affect IBM SDK, Java Technology Edition
http://www-01.ibm.com/support/docview.wss?uid=swg22004465
IBM Security Bulletin: Vulnerability in Intel Ethernet Controller XL710 affects IBM MQ Appliance
http://www-01.ibm.com/support/docview.wss?uid=swg22002763
IBM Security Bulletin: Cross-Site Scripting vulnerability affects IBM Security Guardium (CVE-2017-1256)
http://www-01.ibm.com/support/docview.wss?uid=swg22004461
IBM Security Bulletin: Multiple vulnerabilities in openssl, gnutl, mysql, kernel, glibc, ntp shipped with SmartCloud Entry Appliance
http://www.ibm.com/support/docview.wss?uid=isg3T1025342
IBM Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - Jan 2017 - Includes Oracle Jan 2017 CPU affect Content Collector for IBM Connections
https://www-01.ibm.com/support/docview.wss?uid=swg22001465
IBM Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - Jan 2017 - Includes Oracle Jan 2017 CPU affect IBM eDiscovery Analyzer
https://www-01.ibm.com/support/docview.wss?uid=swg22001458
IBM Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - Jan 2017 - Includes Oracle Jan 2017 CPU affect IBM Content Collector for Microsoft SharePoint
https://www-01.ibm.com/support/docview.wss?uid=swg22001455
IBM Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - Jan 2017 - Includes Oracle Jan 2017 CPU affect IBM Content Collector for File Systems
https://www-01.ibm.com/support/docview.wss?uid=swg22001463
IBM Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - Jan 2017 - Includes Oracle Jan 2017 CPU affect IBM Content Collector for Email
https://www-01.ibm.com/support/docview.wss?uid=swg22001460
IBM Security Bulletin: WebSphere Application Server vulnerability in IBM Content Collector for Email
https://www-01.ibm.com/support/docview.wss?uid=swg21998346
IBM Security Bulletin: SQL Injection vulnerability affects IBM Security Guardium (CVE-2017-1269)
http://www-01.ibm.com/support/docview.wss?uid=swg22004462
IBM Security Bulletin: Missing Authentication for Critical Function affects IBM Security Guardium (CVE-2017-1258)
http://www-01.ibm.com/support/docview.wss?uid=swg22004309
IBM Security Bulletin: IBM InfoSphere Guardium is affected by Cleartext Transmission of Sensitive Information vulnerability (CVE-2016-0238)
http://www-01.ibm.com/support/docview.wss?uid=swg21989124
IBM Security Bulletin: Vulnerability in IBM HTTP Server affects Netezza Performance Portal (CVE-2015-8743)
http://www-01.ibm.com/support/docview.wss?uid=swg22003173