End-of-Shift report
Timeframe:   Wednesday 05-07-2017 18:00 - Thursday 06-07-2017 18:00
Handler:     Stephan Richter
Co-Handler:  n/a
Decryptor Released for the Mole02 CryptoMix Ransomware Variant
It is always great to be able to announce a free decryptor for victims who have had their files encrypted by ransomware. This is the case today, where a decryptor for the Mole02 CryptoMix variant was released. [...]
https://www.bleepingcomputer.com/news/security/decryptor-released-for-the-mole02-cryptomix-ransomware-variant/
Evolution of Conditional Spam Targeting Drupal Sites
Last year we took a look at how attackers were infecting Drupal installations to spread their spam and keep their campaigns going by just including a malicious file in each visitor's session. It's quite common for attackers to evolve their techniques and add new variations of hidden backdoors to make it harder to get rid of the infection. These evasion and reinfection techniques can also make it difficult to modify the malicious code, which is exactly what has happened in this case, [...]
https://blog.sucuri.net/2017/07/drupal-conditional-spam-evolved.html
New BTCWare Ransomware Decrypter Released for the Master Variant
Security researcher Michael Gillespie has released a new version of the BTCWare ransomware decrypter after the author of the eponymous ransomware leaked the private key for his latest version. [...]
https://www.bleepingcomputer.com/news/security/new-btcware-ransomware-decrypter-released-for-the-master-variant/
Security updates: Cisco fights static and unencrypted credentials
The network equipment vendor patches partly critical security vulnerabilities in its Elastic Services Controller and its Ultra Services Framework.
https://heise.de/-3765238
M.E.Doc Software Was Backdoored 3 Times, Servers Left Without Updates Since 2013
Servers and infrastructure belonging to Intellect Service, the company behind the M.E.Doc accounting software, were grossly mismanaged, being left without updates since 2013, and getting backdoored on three separate occasions during the past three months. [...]
https://www.bleepingcomputer.com/news/security/m-e-doc-software-was-backdoored-3-times-servers-left-without-updates-since-2013/
The MeDoc Connection
The Nyetya attack was a destructive ransomware variant that affected many organizations inside of Ukraine and multinational corporations with operations in Ukraine. In cooperation with Cisco Advanced Services Incident Response, Talos identified several key aspects of the attack. The investigation found a supply chain-focused attack at M.E.Doc software that delivered a destructive payload disguised as ransomware. By utilizing stolen credentials, the actor was [...]
http://blog.talosintelligence.com/2017/07/the-medoc-connection.html
Fritzbox vulnerability allows delicate insights into the local network
Through an information leak, websites can apparently learn many details about a Fritzbox user's home network. The data that can be harvested includes the network names of all clients, IP and MAC addresses and the unique ID of the Fritzbox.
https://heise.de/-3764885
FIRST announces release of Guidelines and Practices for Multi-Party Vulnerability Coordination and Disclosure
The Forum of Incident Response and Security Teams announces the release of a set of guidelines and norms for vulnerability disclosure that affects multiple parties.
https://www.first.org/newsroom/releases/20170706
APWG Global Phishing Survey 2016: Trends and Domain Name Use
This report comprehensively examines a large data set of more than 250,000 phishing attacks detected in 2015 and 2016. By quantifying this cybercrime activity and understanding the patterns that lurk therein, we have learned more about what phishers have been doing, and how they have accomplished their schemes.
https://apwg.org/resources/apwg-reports/domain-use-and-trends
https://docs.apwg.org/reports/APWG_Global_Phishing_Report_2015-2016.pdf
Forged lawyer's letters spread malware
In forged lawyer's letters, criminals claim that the recipients owe money to a company. Further information on the outstanding claim is supposedly to be found in the message's attachment. In truth, it hides malware.
https://www.watchlist-internet.at/gefaelschte-rechnungen/gefaelschte-anwaltsschreiben-verbreiten-schadsoftware/
BadGPO - Using Group Policy Objects for Persistence and Lateral Movement
[...] Such policies are widely used in enterprise environments to control settings of clients and servers: registry settings, security options, scripts, folders, software installation and maintenance, just to name a few. Settings are contained in so-called Group Policy Objects (GPOs) and can be misused in a sneaky way to distribute malware and gain persistence in an automated manner in a post exploitation scenario of an already compromised domain.
http://www.sicherheitsforschung-magdeburg.de/uploads/journal/MJS_052_Willi_GPO.pdf
ZDI-17-452: (0Day) Advantech WebOP Designer Project File Heap Buffer Overflow Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Advantech WebOP Designer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
http://www.zerodayinitiative.com/advisories/ZDI-17-452/
Android Security Bulletin July 2017
https://source.android.com/security/bulletin/2017-07-01.html
BlackBerry powered by Android Security Bulletin July 2017
http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber=000045142
Petya Malware Variant (Update B)
This updated alert is a follow-up to the updated alert titled ICS-ALERT-17-181-01A Petya Ransomware Variant that was published July 3, 2017, on the NCCIC/ICS-CERT web site. ICS-CERT is aware of reports of a variant of the Petya malware that is affecting several countries. ICS-CERT is releasing this alert to enhance the awareness of critical infrastructure asset owners/operators about the Petya variant and to identify product vendors that have issued recommendations to mitigate the risk [...]
https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-181-01B
rsyslog: remote syslog PRI vulnerability CVE-2014-3634
Security Advisory Description: rsyslog before ...
https://support.f5.com/csp/article/K42903299
DFN-CERT-2017-1171: LibTIFF: Multiple vulnerabilities enable denial-of-service attacks
https://portal.cert.dfn.de/adv/DFN-CERT-2017-1171/
Security Advisories for Drupal Third-Party Modules
SMTP - Moderately Critical - Information Disclosure - SA-CONTRIB-2017-055
https://www.drupal.org/node/2890357
DrupalChat - Critical - Multiple vulnerabilities - SA-CONTRIB-2017-057
https://www.drupal.org/node/2892404
OAuth - Critical - Access Bypass - SA-CONTRIB-2017-056
https://www.drupal.org/node/2892400
IBM Security Bulletins
IBM Security Bulletin: A Security vulnerability in IBM Java SDK affects IBM Tivoli System Automation for Multiplatforms (CVE-2017-1289).
http://www.ibm.com/support/docview.wss?uid=swg22005058
IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms (CVE-2016-5546, CVE-2016-5548, CVE-2016-5549, CVE-2016-5547, CVE-2016-2183)
http://www-01.ibm.com/support/docview.wss?uid=swg22002336
IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager (CVE-2016-5546, CVE-2016-5548, CVE-2016-5549, CVE-2016-5547, CVE-2016-2183)
http://www.ibm.com/support/docview.wss?uid=swg22002335
IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Host On-Demand
http://www-01.ibm.com/support/docview.wss?uid=swg22000488
Siemens Security Advisories
SSA-804859 (Last Update 2017-07-06): Denial of Service Vulnerability in SIMATIC Logon
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-804859.pdf
SSA-874235 (Last Update 2017-07-06): Intel Vulnerability in Siemens Industrial Products
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-874235.pdf
SSA-275839 (Last Update 2017-07-06): Denial-of-Service Vulnerability in Industrial Products
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-275839.pdf
SSA-931064 (Last Update 2017-07-06): Authentication Bypass in SIMATIC Logon
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-931064.pdf
Cisco Security Advisories
Cisco Nexus Series Switches Telnet CLI Command Injection Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170517-nss1
Cisco Nexus Series Switches CLI Command Injection Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170517-nss
Cisco FireSIGHT System Software Arbitrary Code Execution Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170705-FireSIGHT
Cisco Wide Area Application Services Central Manager Information Disclosure Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170705-waas1
Cisco Wide Area Application Services Core Dump Denial of Service Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170705-waas
Cisco Ultra Services Framework Staging Server Arbitrary Command Execution Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170705-usf3
Cisco Ultra Services Framework AutoVNF Log File User Credential Information Disclosure Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170705-usf2
Cisco Ultra Services Framework AutoVNF Symbolic Link Handling Information Disclosure Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170705-usf1
Cisco Ultra Services Framework UAS Unauthenticated Access Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170705-uas
Cisco StarOS Border Gateway Protocol Process Denial of Service Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170705-staros
Cisco Prime Network Privilege Escalation Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170705-prime
Cisco Identity Services Engine Guest Portal Cross-Site Scripting Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170705-ise2
Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170705-ise1
Cisco IOS XR Software Multicast Source Discovery Protocol Session Denial of Service Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170705-iosxr
Cisco IOS XR Software Incorrect Permissions Privilege Escalation Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170705-ios
Cisco Elastic Services Controller Unauthorized Access Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170705-esc2
Cisco Elastic Services Controller Arbitrary Command Execution Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170705-esc1
Cisco Prime Network Information Disclosure Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170705-cpn
Cisco StarOS CLI Command Injection Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170705-asrcmd