News

Google Docs OAUTH Phishing E-Mails https://isc.sans.edu/forums/diary/OAUTH+phishing+against+Google+Docs+beware/22372/ Review Google App Permissions https://myaccount.google.com/u/0/permissions?pli=1 SS7 Exploits Documented in Banking Attacks http://www.sueddeutsche.de/digital/it-sicherheit-schwachstelle-im-mobilfunknetz-kriminelle-hacker-raeumen-konten-leer-1.3486504 http://www.theregister.co.uk/2017/05/03/hackers_fire_up_ss7_flaw/

Scans Sighted for Ports Used by Intel Remote Management Interface https://isc.sans.edu/port.html?port=16992 https://isc.sans.edu/port.html?port=16993 Outlook Forms Can Run Macros https://sensepost.com/blog/2017/outlook-forms-and-shells/ Jenkins Vulnerability https://jenkins.io/security/advisory/2017-04-26/ Google Android May Patchday https://source.android.com/security/bulletin/2017-05-01 IBM Storwize USB Stick Malware http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010146&myns=s028&mynp=OCSTHGUJ&mynp=OCSTLM5A&mynp=OCSTLM6B&mynp=OCHW206&mync=E&cm_sp=s028-_-OCSTHGUJ-OCSTLM5A-OCSTLM6B-OCHW206-_-E

Intel AMT, SBT and ISM Escalation of Privilege Vulnerability https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr https://semiaccurate.com/2017/05/01/remote-security-exploit-2008-intel-platforms/ Local Root Exploit in chkrootkit https://lepetithacker.wordpress.com/2017/04/30/local-root-exploit-in-chkrootkit/ Escape Sequence Exploits in Various Linux Terminals http://www.openwall.com/lists/oss-security/2017/05/01/13

Simple Javascript Word Macro Not Recognized By Many AV Products https://isc.sans.edu/forums/diary/Another+Day+Another+Obfuscation+Technique/22354/ OS X Malware Adds Proxy To Intercept HTTPS http://blog.checkpoint.com/2017/04/27/osx-malware-catching-wants-read-https-traffic/ OVH Vulnerability Put Servers at Risk https://jrwr.io/doku.php?id=blog:ovh_vrack_security_issue

VISA IP Block Hijacked By Russian ISP https://isc.sans.edu/forums/diary/BGP+Hijacking+The+Internet+is+StillAgain+Broken/22350/ Antminer "Checking" DoS Vulnerability http://www.antbleed.com Symantec Offers Audits To Stave Off Google's CA Blacklisting https://www.symantec.com/connect/blogs/symantec-ca-proposal NoMX Security E-Mail Appliance Pentest https://scotthelme.co.uk/nomx-the-worlds-most-secure-communications-protocol/ vendor response: www.nomx.com SANS Defending Web Applications https://www.sans.org/dev522

Bots Disrupts US ISP https://www.bleepingcomputer.com/news/security/us-isp-goes-down-as-two-malware-families-go-to-war-over-its-modems/ Samsung Smart TV Wi-Fi Direct Exploit http://seclists.org/fulldisclosure/2017/Apr/101 Adobe Publishes ColdFusion Update https://helpx.adobe.com/security/products/coldfusion/apsb17-14.html SNMP Misconfiguration Eliminates Community String Validation https://stringbleed.github.io/#

CAA Records and Certificate Issuance https://isc.sans.edu/forums/diary/CAA+Records+and+Certificate+Issuance/22342/ Hyundai Blue Link Infomration Disclosure https://community.rapid7.com/community/infosec/blog/2017/04/25/r7-2017-02-hyundai-blue-link-potential-info-disclosure-fixed HP, Philips, Fujitsu Display Software Privilege Escalation http://blog.sec-consult.com/2017/04/what-unites-hp-philips-and-fujitsu-one.html

Android Malware MilyDoor Builds Backdoor Into Networks Via SSH/SOCKS http://blog.trendmicro.com/trendlabs-security-intelligence/dresscode-android-malware-finds-successor-milkydoor/ Remote Code Execution Flaw in Squirrelmail http://seclists.org/fulldisclosure/2017/Apr/81 Atlassian Confluence Update https://confluence.atlassian.com/doc/confluence-security-advisory-2017-04-19-887071137.html TCP Proxy Over Named Pipes / SMB https://github.com/dxflatline/flatpipes

Increase in Port 81 Traffic https://isc.sans.edu/forums/diary/WTF+tcp+port+81/22332/ Analyzing a Document and Malware Trying to Exploit CVE-2017-0199 (HTA) https://isc.sans.edu/forums/diary/Malicious+Documents+A+Bit+Of+News/22334/ DOUBLEPULSAR Detected on Tens of Thousands of Systems http://www.theregister.co.uk/2017/04/21/windows_hacked_nsa_shadow_brokers/ NVidia Includes Node.js Server With Drivers http://blog.sec-consult.com/2017/04/application-whitelisting-application.html Android SMSVova Spyware Survives in Google Play Store for 3 Years https://www.zscaler.com/blogs/research/android-spyware-smsvova-posing-system-update-play-store

Detecting Covert DNS Channels https://isc.sans.edu/forums/diary/DNS+Query+Length+Because+Size+Does+Matter/22326/ Ambient Light Sensors May Become Accessible Via JavaScript https://blog.lukaszolejnik.com/stealing-sensitive-browser-data-with-the-w3c-ambient-light-sensor-api/ BIND Name Server Update https://kb.isc.org/article/AA-01491 Entropy As A Service https://www.getnetrandom.com Webcast: NoSQL Doesn't Make You NoVulnerable https://www.sans.org/webcasts/nosql-doesnt-novulnerable-104897

Hunting and Analyzing Malicious Excel Files https://isc.sans.edu/forums/diary/Hunting+for+Malicious+Excel+Sheets/22322/ Bose May Be Spying on Listeners https://www.scribd.com/document/345620278/Bose-Privacy-Complaint Microsoft No-Password Sign In https://blogs.technet.microsoft.com/enterprisemobility/2017/04/18/no-password-phone-sign-in-for-microsoft-accounts/ Owncloud/Nextcloud Bug Reports Include Passwords https://blog.hboeck.de/archives/885-Passwords-in-the-Bug-Reports-OwncloudNextcloud.html Fuzzing Used to Find a Tcpdump Vulnerability https://www.softscheck.com/en/identifying-security-vulnerabilities-with-cloud-fuzzing/ DNS Homograph Detection https://github.com/dutchcoders/homographs For Friday's (and other upcoming webcasts), see https://www.sans.org/webcasts

Details about how to exploit CVE-2017-0199 https://rewtin.blogspot.com.au/2017/04/cve-2017-0199-practical-exploitation-poc.html User Provided Patch To Help Update Old Operating Systems on New CPU https://github.com/zeffy/kb4012218-19 Forensics Tools and Issues With Windows 10 Compact OS https://www.heise.de/security/artikel/Forensik-Tools-patzen-bei-neuer-Windows-Kompression-3676075.html

Detecting IDN Phishing Domains https://isc.sans.edu/forums/diary/Tool+to+Detect+Active+Phishing+Attacks+Using+Unicode+LookAlike+Domains/22310/ Old Linux Kernel Bug Allows for Remote Code Execution via UDP https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=197c949e7798fbf28cfadc69d9ca0c2abbf93191 Microsoft Edge JavaScript "fetch" Function Can Be Used to Leak User Data http://mov.sx/2017/04/16/microsoft-edge-leaks-url.html

Detecting SMB Cover Channel "Doublepulsar" https://isc.sans.edu/forums/diary/Detecting+SMB+Covert+Channel+Double+Pulsar/22312/ ETERNALBLUE: Windows SMBv1 Exploit https://isc.sans.edu/forums/diary/ETERNALBLUE+Windows+SMBv1+Exploit+Patched/22304/

Packet Captures Filtered By Process https://isc.sans.edu/forums/diary/Packet+Captures+Filtered+by+Process/22296/ C-LDAP Used to Amplify DDoS Attack https://isc.sans.edu/forums/diary/Akamai+reports+UDP+DDOS+Using+CLDAP+reaching+24Gbps/22300/ Juniper Updates https://kb.juniper.net/InfoCenter/index?page=content&channel=SECURITY_ADVISORIES SAP Patches Code Injection in TREX https://erpscan.com/press-center/press-release/critical-vulnerability-affects-sap-hana-dozen-sap-applications/ More Details About Dallas Siren Hack https://duo.com/blog/the-dallas-county-siren-hack

Mole Ransomware Delivered via Fake USPS E-Mails https://isc.sans.edu/forums/diary/Malspam+on+20170411+pushes+yet+another+ransomware+variant/22290/ Identifying HTTPS-Protected Netflix Videos in Real-Time https://www.mjkranch.com/docs/CODASPY17_Kranch_Reed_IdentifyingHTTPSNetflix.pdf SMS Messages Used to Control Oven https://www.pentestpartners.com/blog/iot-Aga-cast-iron-security-flaw/ Android Hardening TLS Use https://android-developers.googleblog.com/2017/04/android-o-to-drop-insecure-tls-version.html

MSFT/Adobe Patch Tuesday https://isc.sans.edu/forums/diary/April+2017+Microsoft+Patch+Tuesday/22288/ Solaris 0-Day https://twitter.com/hackerfantastic/status/851555538597011460 OWASP Top 10 Update https://github.com/OWASP/Top10/raw/master/2017/OWASP%20Top%2010%20-%202017%20RC1-English.pdf

TPLink Modem Responds With Admin Password to SMS http://www.theregister.co.uk/2017/04/10/tplink_3gwifi_modem_spills_credentials_to_an_evil_text_message/ Fake Google Map Weblinks https://www.bleepingcomputer.com/news/google/thousands-of-fake-google-maps-listings-redirect-users-to-fraudulent-sites-each-month/ Apple Fixes Apple Music For Android http://seclists.org/bugtraq/2017/Apr/26 Dalles Sirens Hacked via Wireless Attacks http://www.theregister.co.uk/2017/04/10/hackers_set_off_dallas_emergency_siren_system/ NATO Discovers (finally?) that IPv6 Can be Used As a Covert Channel https://t.co/FvSSwhtUH7

Domain Whitelisting with Alexa and Umbrella Lists (and update) https://isc.sans.edu/forums/diary/Domain+Whitelisting+With+Alexa+and+Umbrella+Lists/22270/ https://isc.sans.edu/forums/diary/Domain+Whitelisting+With+Alexa+and+Umbrella+Lists+update/22274/ SANS Security West (San Diego) https://www.sans.org/event/sans-security-west-2017 Dallas Tornado Sirens Hacked https://www.washingtonpost.com/news/the-intersect/wp/2017/04/09/someone-hacked-every-tornado-siren-in-dallas-it-was-loud/?utm_term=.ca706deea318 Shadowbroker Files https://github.com/x0rz/EQGRP Word Vulnerability https://securingtomorrow.mcafee.com/mcafee-labs/critical-office-zero-day-attacks-detected-wild/

Automatically Inferring Malware Signatures for Anti-Virus Assisted Attacks https://www.sec.cs.tu-bs.de/pubs/2017-asiaccs.pdf Cisco Aironet Default Credentials https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170405-ame Intercepting Two-Factor Authentication https://breakdev.org/evilginx-advanced-phishing-with-two-factor-authentication-bypass/ QNAP NAS Vulnerabilities https://sintonen.fi/advisories/qnap-qts-multiple-rce-vulnerabilities.txt