AUSCERT Week in Review for 29th March 2019 Greetings, Another eventful week in information security!  Apart from plenty of vulnerabilities disclosed and patched, we have seen much media discussion regarding the intersection of IT, foreign powers, social media companies and politics. In case you were not aware, there is a “World Backup Day”, and it is this Sunday, the day before April fool’s day! The site http://www.worldbackupday.com/en/ has some interesting stats regarding backups and some arguments as to why we should backup our important data. We have also published a short blog about backups here. Finally, another reminder regarding the upcoming AUSCERT conference.  There is just over 2 weeks left to register for the Early Bird prices.  For further details, please visit:  https://conference.auscert.org.au As for news, here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Title:  US Congress proposes comprehensive federal data privacy legislation—finally Date:  March 28, 2019 Author:  David Ruiz Excerpt: “The United States might be the only country of its size – both in economy and population – to lack a comprehensive data privacy law protecting its citizens’ online lives. That could change this year. Never-ending cybersecurity breaches, recently-enacted international privacy laws, public outrage, and crisis after crisis from the world’s largest social media company have pushed US Senators and Representatives into rarely-charted territory: regulation.” — Title:  Commando VM: The First of Its Kind Windows Offensive Distribution Date:  March 28, 2019 Author:  Jacob Barteaux, Blaine Stancill, Nhan Huynh Excerpt: “For penetration testers looking for a stable and supported Linux testing platform, the industry agrees that Kali is the go-to platform. However, if you’d prefer to use Windows as an operating system, you may have noticed that a worthy platform didn’t exist. As security researchers, every one of us has probably spent hours customizing a Windows working environment at least once and we all use the same tools, utilities, and techniques during customer engagements. Therefore, maintaining a custom environment while keeping all our tool sets up-to-date can be a monotonous chore for all. Recognizing that, we have created a Windows distribution focused on supporting penetration testers and red teamers.” — Title:  Norsk Hydro ransomware incident losses reach $40 million after one week Date:  March 26, 2019 Author:  Catalin Cimpanu Excerpt:  “A week after suffering a crippling ransomware infection, Norwegian aluminum producer Norsk Hydro estimates that total losses from the incident have already reached $40 million. […] It now remains to be seen how much of the $40 million losses will be covered by Norsk Hydro’s cyber-insurance policy. Most cyber-insurance policies don’t necessarily cover revenue losses caused by loss of business capabilities. Instead, most cover costs directly generated by the cyber-incident, such as IT consulting, incident response costs, and replacing computers and software.” — Title: Tesla car hacked at Pwn2Own contest Date: March 23, 2019 Author:Catalin Cimpanu Excerpt: “A team of security researchers has hacked a Tesla Model 3 car on the last day of the Pwn2Own 2019 hacking contest that was held this week in Vancouver, Canada.  Team Fluoroacetate –made up of Amat Cama and Richard Zhu– hacked the Tesla car via its browser. They used a JIT bug in the browser renderer process to execute code on the car’s firmware and show a message on its entertainment system. As per contest rules announced last fall, the duo now gets to keep the car. Besides keeping the car, they also received a $35,000 reward.” — Here are some of this week’s noteworthy security bulletins (in no particular order): ESB-2019.1047 – [RedHat] libssh2: Execute arbitrary code/commands – Remote with user interaction SSH client-side arbitary code execution. ESB-2019.1026 – [Cisco] Cisco IOS: Multiple vulnerabilities Confidential data disclosure, arbitary code execution and root compromise for Cisco IOS. ESB-2019.0997 – [RedHat] Red Hat Ansible Tower: Multiple vulnerabilities Significant vulnerabilities for this popular configuration management tool. ESB-2019.0991 – [Apple iOS] iOS: Multiple vulnerabilities A user’s video may not be paused in a FaceTime call if they exit the FaceTime app while the call is ringing” Stay safe, stay patched and have a good weekend! Marcus

AUSCERT Week in Review for 22nd March 2019 AUSCERT Week in Review22 March 2019 Greetings, Have you registered for the AUSCERT conference? There’s only 3 weeks until our Early Bird closing date – registrations and program details can be found on: https://conference.auscert.org.au Speaking of events, just yesterday we jointly hosted a public lecture from Major General Marcus Thompson AM, Deputy Chief Information Warfare Division (IWD) with the Australian Defence Force.  There were over 200 attendees, and the presentation was followed by a panel which attracted a lot of audience participation with a range of perspectives. https://wordpress-admin.auscert.org.au/events/2019-03-21-cyber-warfare-hear-major-general-marcus-thompson Did you catch us at BSides Canberra last weekend?  If not, you have another opportunity – our very own Mike Holm and Anthony Vaccaro will be presenting at BrisSEC next Friday.  Be sure to come up and say ‘hello’ to them afterwards!  Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Christchurch tragedy-related scams and attacksDate Published: 18 March 2019URL: https://www.cert.govt.nz/businesses-and-individuals/recent-threats/christchurch-tragedy-related-scams-and-attacks/Author: CERT NZ “CERT NZ has received reports of different opportunistic online scams and attacks in the wake of the tragic events in Christchurch last week. This includes online donation fraud, malicious video files, defacement of NZ websites, and website disruption.”—– Spam Warns about Boeing 737 Max Crashes While Pushing MalwareDate Published: 16 March 2019URL: https://www.bleepingcomputer.com/news/security/spam-warns-about-boeing-737-max-crashes-while-pushing-malware/Author: Lawrence Abrams “A new malspam campaign is underway that is trying to utilize the tragic Boeing 737 Max crashes as a way to spread malware on a recipient’s computer. These spam emails pretend to be leaked documents about imminent crashes that the sender states should be reviewed and shared with loved ones to warn them.”—– The Government wants to free up your bank data. Here’s what that means for youDate Published: 20 March 2019URL: https://www.abc.net.au/news/science/2019-03-20/consumer-data-right-bank-transactions-privacy/10898060Author: Ariel Bogle “The Consumer Data Right (CDR), which begins to come online mid-year, aims to give Australians more agency to access and control parts of their personal information.The government calls it a “game changer”, but critics fear that without careful consideration, it could have serious privacy implications, among other concerns.”—– Fake CIA emails requesting Bitcoin payment or arrestDate Published: 20 March 2019URL: https://www.staysmartonline.gov.au/alert-service/fake-cia-emails-requesting-bitcoin-payment-or-arrestAuthor: Stay Smart Online “The Australian Cyber Security Centre (ACSC) is aware of malicious emails claiming to be from the Central Intelligence Agency (CIA) being received by Australians.The emails state that the recipient’s personal details, addresses, contact information and information relating to their relatives are contained in a case file about the distribution and storage of pornographic electronic materials involving underage children.The emails advise that arrests are scheduled and that a payment of $10,000 USD in Bitcoin will prevent further action or contact.”—– Facebook Stored Hundreds of Millions of User Passwords in Plain Text for YearsDate Published: 21 March 2019URL: https://krebsonsecurity.com/2019/03/facebook-stored-hundreds-of-millions-of-user-passwords-in-plain-text-for-years/Author: Brian Krebs “Facebook is probing a series of security failures in which employees built applications that logged unencrypted password data for Facebook users and stored it in plain text on internal company servers. “—– Here are this week’s noteworthy security bulletins: ESB-2019.0880 – ESB-2019.0885 [Win][UNIX/Linux] Moodle: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/ESB-2019.0880Multiple serious vulnerabilities have been patched in Moodle, so we recommend upgrading as soon as convienient. ASB-2019.0082 – [Win][UNIX/Linux] Mozilla Firefox: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/ASB-2019.0082Several vulnerabilities have been identified in Mozilla Firefox prior to version 66.0 [1], and Firefox ESR prior to version 60.6. Updates are available through most package managers. ESB-2019.0920 – [Win][UNIX/Linux] Drupal modules: Execute arbitrary code/commands – Remote/unauthenticatedhttps://portal.auscert.org.au/bulletins/ESB-2019.0920Three Drupal modules have been patched for remote code execution and cross site scripting. ESB-2019.0915 – [Appliance] Cisco IP Phone 7800 and 8800 Series: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/ESB-2019.0915Vulnerabilities in the web-based management interface of Session Initiation Protocol (SIP) Software for Cisco IP Phone 7800 Series and Cisco IP Phone 8800 Series could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or execute arbitrary code. ESB-2019.0950 – Medtronic Conexus telemetry: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/ESB-2019.0950Successful exploitation of these vulnerabilities may allow an attacker with adjacent short-range access to one of the affected products to interfere with, generate, modify, or intercept the radio frequency (RF) communication of the Medtronic proprietary Conexus telemetry system, potentially impacting product functionality and/or allowing access to transmitted sensitive data.—- Stay safe, stay patched and have a good weekend! Charelle

AUSCERT Week in Review for 15th March 2019 AUSCERT Week in Review15 March 2019 Greetings, Well this week has been interesting.  Watch out which games you play as they could be backdoored from way up the supply chain. Exaggerating a bit on the controls over USBs, you could start either tethering them to your personnel or consider thermite upon their removal of circulation. But things does not stop there. At work, this patch-cycle-week, plenty of systems had to be updated to avoid being abused.  Also, Monero mining was thought to slow down but with the incorporation in to malicious code with worm-like behaviour, mining will move into a new gear. Had enough and have the thought of applying for a job else where? Bad luck, as databases overseas also get compromised.So we all need you to rest for the weekend, recuperate, cause it will have to be all-hands-on-deck next week. As for news, here’s a summary (including excerpts) of some of the moreinteresting stories we’ve seen this week: ——-  Title: Game Development Companies Backdoored in Supply-Chain AttacksURL: https://www.bleepingcomputer.com/news/security/game-development-companies-backdoored-in-supply-chain-attacks/Author : Sergiu GatlanDate: 11th March 2019 Excerpt:“Two popular games and a gaming platform developed by Asian companies were compromised following a series of successful supply-chain attacks which allowed the attackers to include a malicious payload designed to provide them with a backdoor. The malware used in the supply chain attacks is designed to check the region of the compromised machines before dropping the payload and, if it’s a Chinese or a Russian computer, it will automatically stop the infection process hinting at the fact that the cybercriminals behind this supply chain attack have a very specific list of victims they need to target.” ——-  Title: CVE-2019-0797 Windows Zero-Day exploited by FruityArmor and SandCat APT GroupsURL: https://securityaffairs.co/wordpress/82345/apt/cve-2019-0797-fruitarmor-sandcat.htmlAuthor : Pierluigi PaganiniDate: 13th March 2019 Excerpt:“One of the flaws, tracked as CVE-2019-0808, was disclosed by Google’s Threat Analysis Group after it has observed targeted attacks exploiting the issue alongside a recently addressed flaw in Chrome flaw (CVE-2019-5786). The second zero-day, tracked as CVE-2019-0797, was reported to Microsoft by experts at Kaspersky Lab, which states the issue has been exploited by several threat actors, including FruityArmor and SandCat APT groups.” ——-  Title: What do sexy selfies, search warrants, tax files have in common? They’ve all been found on resold USB sticksURL: https://www.theregister.co.uk/2019/03/14/usb_recoverable_data/Author : Thomas ClaburnDate: 14th March 2019 Excerpt:“You do know just dragging stuff to the delete folder doesn’t wipe stuff, right? Apparently not.About two-thirds of USB memory sticks bought secondhand in the US and UK have recoverable and sometimes sensitive data, and in one-fifth of the devices studied, the past owner could be identified.” ——-  Title: Unsecured Database Exposed 33 Million Job Profiles in ChinaURL: https://www.bleepingcomputer.com/news/security/unsecured-database-exposed-33-million-job-profiles-in-china/Author : Lawrence AbramsDate: 14th March 2019 Excerpt:“A large database with approximately 33 million profiles for people seeking jobs in China has been fully accessible and unprotected online. This information included sensitive information that could have been used for scammers and identity theft. The database was discovered by Sanyam Jain, a security researcher and member of GDI.Foundation, who found the database using the Shodan search engine.” ——-  Title: Malware Spreads As a Worm, Uses Cryptojacking Module to Mine for MoneroURL: https://www.bleepingcomputer.com/news/security/malware-spreads-as-a-worm-uses-cryptojacking-module-to-mine-for-monero/Author : Sergiu GatlanDate: 12th March 2019 Excerpt:“A modular malware with worm capabilities exploits known vulnerabilities in servers running ElasticSearch, Hadoop, Redis, Spring, Weblogic, ThinkPHP, and SqlServer to spread from one server to another and mine for Monero cryptocurrency. Systemctl.exe, the worm module of the malware named PsMiner by the 360 Total Security researchers, is a Windows binary written in the Go language which bundles all the exploit modules used to hack into vulnerable servers it can find on the Internet.” ——- Here are this week’s noteworthy security bulletins (in no particular order): 1.    ESB-2019.0834 – [Appliance] Power 9 Systems: Root compromise – Existing accounthttps://portal.auscert.org.au/bulletins/77154“…could allow the host full access to BMC memory and flash… 2.    ESB-2019.0782 – [Linux][HP-UX][Solaris][AIX] IBM MQ: Execute arbitrary code/commands – Existing account https://portal.auscert.org.au/bulletins/76906“..a local user to inject code that could be executed with root privileges..” 3.    ESB-2019.0806 – [Win][Linux][HP-UX][Solaris][AIX] IBM Db2: Increased privileges – Existing accounthttps://portal.auscert.org.au/bulletins/77042“…potentially giving low privilege user full access to root…” 4.     ASB-2019.0077 – [Win] Microsoft Windows: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/76950“CVE-2019-0797   Elevation of Privilege   Important” Wishing you the best from AUSCERT and hope to see you safe next week,Geoffroy

AUSCERT Week in Review for 8th March 2019 AUSCERT Week in Review08 March 2019 Greetings, This has been an action packed week and with so many variety of events that it is hard to piece this week with one single smooth story on a Friday afternoon.  To name a few of the things that have happened, there are botnets launched and taken down, cryptojacking using vulnerable installation utilities, zero-day on a popular browser, a new analysis tool being released, another “can’t-fix-quick” vulnerability from a popular CPU manufacturer, a SIEM solution that can be potentially crashed from afar, and the list continues to be nothing short of amazing, bewildering and Friday comes as a cliffhanger for the next week’s events.Have a good rest this weekend as next week could turn out even more exciting. As for news, here’s a summary (including excerpts) of some of the moreinteresting stories we’ve seen this week: ——-  Title:  Serious Chrome zero-day – Google says update “right this minute”Date:  March 6th 2019Author: Paul DucklinURL: https://nakedsecurity.sophos.com/2019/03/06/serious-chrome-zero-day-google-says-update-right-this-minute/ Excerpt:“Precise information about the Chrome CVE-2019-5786 zero-day is hard to come by at the moment – as Google says: ‘Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.’ According to the official release notes, this vulnerability involves a memory mismanagement bug in a part of Chrome called FileReader…it looks as though attackers can take much more general control, allowing them to pull off what’s called Remote Code Execution, or RCE.…Just tricking you into looking at a booby-trapped web page might be enough for crooks to take over your computer remotely.” ——-  Title:  Vulnerable Docker Hosts Actively Abused in Cryptojacking CampaignsDate:  March 4th, 2019Author: Sergiu GatlanURL: https://www.bleepingcomputer.com/news/security/vulnerable-docker-hosts-actively-abused-in-cryptojacking-campaigns/ Excerpt:“Hundreds of vulnerable and exposed Docker hosts are being abused in cryptojacking campaigns after being compromised with the help of exploits designed to take advantage of the CVE-2019-5736 runc vulnerability discovered last month. The CVE-2019-5736 runc flaw triggers a container escape and it allows potential attackers to access the host filesystem upon execution of a malicious container, overwrite the runc binary present on the system, and run arbitrary commands on the container’s host system.” ——-  Title:  All Intel chips open to new Spoiler non-Spectre attack: Don’t expect a quick fixDate:  March 5th 2019Author: Liam TungURL: https://www.zdnet.com/article/all-intel-chips-open-to-new-spoiler-non-spectre-attack-dont-expect-a-quick-fix/ Excerpt:“Researchers have discovered a new flaw affecting all Intel chips due to the way they carry out speculative execution for CPU performance gains.   Like the Spectre and Meltdown attacks revealed in January 2018, Spoiler also abuses speculative execution in Intel chips to leak secrets.” ——-  Title:  WordPress Comprises 90% of Hacked Sites: ReportDate:  March 5th 2019Author: Phil MuncasterURL: https://www.infosecurity-magazine.com/news/wordpress-comprises-90-of-hacked-1-1/ Excerpt:“The GoDaddy-owned security vendor analyzed 18,302 infected websites and over 4.4m cleaned files to compile its latest Hacked Website Trend report. It revealed that WordPress accounted for 90% of hacked websites in 2018, up from 83% in 2018. There was a steep drop before Magento (4.6%) and Joomla (4.3%) in second and third. The latter two had dropped from figures of 6.5% and 13.1% respectively in 2017.” ——-  Title:  NSA puts ‘Ghidra,’ its reverse-engineering tool for malware, in the hands of the publicDate:  March 5th 2019Author: Sean LyngaasURL: https://www.cyberscoop.com/ghidra-nsa-tool-public/ Excerpt:“After years lurking in the shadows, the National Security Agency’s tool for reverse-engineering malware is now out in the open. The software framework has moved from classified status into use by military analysts and contractors in sensitive-but-unclassified settings, and now it’s available to anyone with an internet connection.” ——- Here are this week’s noteworthy security bulletins (in no particular order): 1.    ASB-2019.0066.2 – UPDATED ALERT [Win][Linux][Mac] Google Chrome: Execute arbitrary code/commands – Remote with user interaction https://portal.auscert.org.au/bulletins/76398Exploit in the wild has been reported. 2.    ESB-2018.1689.4 – UPDATED ALERT [Cisco] Cisco Adaptive Security Appliance Web Services: Denial of service – Remote/unauthenticated https://portal.auscert.org.au/bulletins/63666Attempted exploitation of this vulnerability in the wild. 3.    ESB-2019.0696 – [Linux] IBM QRadar SIEM: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/76558..a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash. 4.    ESB-2019.0739 – [Win][Linux][HP-UX][Solaris][AIX] IBM Db2: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/76734could allow an authenticated local attacker to execute arbitrary code on the system as root 5.    ESB-2019.0734 – [Appliance] IBM Lotus Protector for Mail Security: Execute Arbitrary Code/Commands – Remote/Unauthenticated https://portal.auscert.org.au/bulletins/76714would allow the attacker to bypass disabled exec functions Wishing you the best from AUSCERT and hope to see you safe next week,Geoffroy

AUSCERT Week in Review for 1st March 2019 AUSCERT Week in Review01 March 2019 Greetings, This week was marked by solution providers running-for-the-hills with runc as more can be done with the call than what was documented.  The vulnerability is being patched and the solutions are being rolled out. Also the final days of Coin-Hive are able to be counted on two hands. The reason for the shutdown is that the business model “isn’t economically viable anymore.”.  Somehow a permutation of it, with a different currency-algorithm pair, coupled with the fact that new APIs in browsers may continue to trudge on through even after the browser is closed, a new service is bound to emerge. This type of service, may be taking a break, but mining on other’s computers is bound to come back. After all, that’s where the money is these days.    As for news, here’s a summary (including excerpts) of some of the moreinteresting stories we’ve seen this week: ——- Title:  Cisco Fixes Critical RCE Vulnerability in RV110W, RV130W, and RV215W RoutersURL: https://www.bleepingcomputer.com/news/security/cisco-fixes-critical-rce-vulnerability-in-rv110w-rv130w-and-rv215w-routers/Date:  28th February 2019 Author: Sergiu Gatlan Excerpt:“Cisco fixed a critical remote code execution vulnerability present in the web-based management interface of the RV110W Wireless-N VPN Firewall, RV130W Wireless-N Multifunction VPN Router, and RV215W Wireless-N VPN Router devices. Cisco’s security advisory rates the vulnerability currently tracked under CVE-2019-1663 as critical and assigns it a 9.8 base score based on the Common Vulnerability Scoring System (CVSS) 3.0 given that it could allow potential unauthenticated attackers to remotely execute arbitrary code on any of the three vulnerable routers.” ——- Title:  Coinhive to Mine Its Last Monero in March  URL: https://threatpost.com/coinhive-monero-shutdown/142290/Date:   28th February 2019Author: Tara Seals Excerpt:“It seems like a good model on the surface, but in the notice on its website, posted on Tuesday, Coinhive management said that a 50 percent drop in the hash rate after the latest Monero fork “hit us hard.” The hash rate refers to the speed at which a mining operation is completed – i.e., how long it takes to uncover one block of currency.” ——- Title: Drupal RCE Flaw Exploited in Attacks Days After PatchURL: https://www.securityweek.com/drupal-rce-flaw-exploited-attacks-days-after-patchDate:  26th February 2019Author: Eduard Kovac Excerpt:“A vulnerability patched recently in the Drupal content management system (CMS) has been exploited in the wild to deliver cryptocurrency miners and other payloads. The attacks started just three days after a fix was released.…The patches released on February 20 were quickly analyzed and technical details and proof-of-concept (PoC) code were released roughly two days later.” ——- Title: Malspam Exploits WinRAR ACE Vulnerability to Install a Backdoor  URL: https://www.bleepingcomputer.com/news/security/malspam-exploits-winrar-ace-vulnerability-to-install-a-backdoor/Date:  25th February 2019 Author: Lawrence Abrams Excerpt:“Researchers have discovered a malspam campaign that is distributing a a malicious RAR archive that may be the first one to exploit the newly discovered WinRAR ACE vulnerability to install malware on a computer. Last week, Checkpoint disclosed a 19 year old vulnerability in the WinRAR UNACEV2.DLL library that allows a specially crafted ACE archive to extract a file to the Window Startup folder when it is extracted. This allows the executable to gain persistence and launch automatically when the user next logs in to Windows.” ——- Title: New browser attack lets hackers run bad code even after users leave a web page URL: https://www.zdnet.com/article/new-browser-attack-lets-hackers-run-bad-code-even-after-users-leave-a-web-page/Date:  25th February 2019Author:  Catalin Cimpanu Excerpt:“Academics from Greece have devised a new browser-based attack that can allow hackers to run malicious code inside users’ browsers even after users have closed or navigated away from the web page on which they got infected.…This is possible because modern web browsers now support a new API called Service Workers. This mechanism allows a website to isolate operations that rendering a page’s user interface from operations that handle intense computational tasks so that the web page UI doesn’t freeze when processing large quantities of data.“ ——- Here are this week’s noteworthy security bulletins (in no particular order): 1.    ESB-2019.0621 – [Win] Cisco Webex Meetings Desktop App and Cisco Webex Productivity Tools: Administrator compromise – Existing account https://portal.auscert.org.au/bulletins/76234“An exploit could allow the attacker to run arbitrary commands with SYSTEM user privileges.” 2.    ESB-2019.0625 – [RedHat] Red Hat Ansible Engine: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/76258“path traversal vulnerability which allows copying and overwriting files…” 3.    ESB-2019.0622 – [Appliance] Cisco RV110W Wireless-N VPN Firewall, Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router: Execute arbitrary code/commands – Remote/unauthenticatedhttps://portal.auscert.org.au/bulletins/76242“could allow an unauthenticated, remote attacker to execute arbitrary code…” 4.    ESB-2019.0597 – [Appliance] Moxa IKS and Moxa EDS: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/76138“The devices use plaintext transmission of sensitive data, which may allow an attacker to capture sensitive data such as an administrative password.” 5.    ESB-2019.0559 – [SUSE] kernel-firmware: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/75986“..in Bluetooth where the elliptic curve parameters were not sufficiently validated during Diffie-Hellman key exchange.” Wishing you the best from AUSCERT and hope to see you safe next week,Geoffroy

AUSCERT Week in Review for 22nd February 2019 Greetings, This week, North Korea decides to poke the bear which handed them nukes and Adobe patches a patch. Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Title: North Korean APT Lazarus Targets Russian Entities with KEYMARBLE BackdoorDate Published: February 19, 2019Author: Sergiu Gatlan Excerpt: “Bluenoroff, a subdivision of the North Korean sponsored APT group Lazarus, recently switched its sights to Russian entities as unveiled by a newly discovered campaign which uses malicious Office documents specifically crafted to target Russian organizations.This is especially interesting considering that Lazarus (also known as HIDDEN COBRA, Guardians of Peace, ZINC, and NICKEL ACADEMY) which became active during 2009 traditionally targeted only entities from countries that oppose the North Korean regime.”—– Title: Almost Half A Million Delhi Citizens’ Personal Data Exposed OnlineDate Published: February 21 2019 Author: Mohit Kumar Excerpt: February 21 2019 “A security researcher has identified an unsecured server that was leaking detailed personal details of nearly half a million Indian citizens… thanks to another MongoDB database instance that company left unprotected on the Internet accessible to anyone without password.In a report shared with The Hacker News, Bob Diachenko disclosed that two days ago he found a 4.1 GB-sized highly sensitive database online, named “GNCTD,” containing information collected on 458, 388 individuals located in Delhi, including their Aadhaar numbers and voter ID numbers.”—– Title: Microsoft Edge lets Facebook run Flash code behind users’ backsDate Published: February 20, 2019Author: Catalin Cimpanu Excerpt: “Microsoft’s Edge browser contains a secret whitelist that lets Facebook run Adobe Flash code behind users’ backs.The whitelist allows Facebook Flash content to bypass Edge security features such as the click-to-play policy that normally prevents websites from running Flash code without user approval beforehand. Prior to February 2019, the secret Flash whitelist contained 58 entries, including domains and subdomains for Microsoft”s main site, the MSN portal, music streaming service Deezer, Yahoo, and Chinese social network QQ, just to name the biggest names on the list.Microsoft trimmed down the list to two Facebook domains earlier this month after a Google security researcher discovered several security flaws in Edge”s secret Flash whitelist mechanism.”—– Title: Adobe Releases Second Patch for Data Leakage Flaw in ReaderDate Published: February 21, 2019 Author:  Eduard Kovacs Excerpt: “The security hole, identified by Alex Infuhr from Cure53, allows a specially crafted PDF document to send SMB requests to the attacker’s server when the file is opened.The vulnerability, similar to CVE-2018-4993, allows a remote attacker to steal a user”s NTLM hash included in an SMB request, and it can be leveraged to alert an attacker when their malicious PDF document has been opened by the targeted user. Adobe released a fix for CVE 2019-7089 with its February 2019 Patch Tuesday updates, but Infuhr quickly discovered that it could be bypassed.”—– Title: Toyota Australia hit by cyber attackDate Published: Feb 21 2019Author: Ry Crozier Excerpt:“Toyota Australia has suffered an ‘attempted cyber attack’ that has taken out its email and other online systems. The carmaker said in a statement that it is still investigating the source of the attack. “The threat is being managed by our IT department who is working closely with international cyber security experts to get systems up and running again,” the company said.”—– Here are this week”s noteworthy security bulletins: 1) ESB-2019.0536 – [Cisco] Cisco Prime Collaboration Assurance: Unauthorised access – Remote/unauthenticated     Prime Collaboration Assurance (PCA) Software could allow an unauthenticated, remote attacker to access the system as a valid user. 2) ESB-2019.0529 – [Win][UNIX/Linux] Drupal: Execute arbitrary code/commands – Remote with user interaction   Allows an unauthenticated, remote attacker to arbitrary code as the webservers current user.  3) ESB-2019.0551 – [Win][Mac] Adobe: Multiple vulnerabilities    Allows a remote attacker to steal a user”s NTLM hash included in an SMB request.   4) ESB-2019.0488.2 – UPDATE [Cisco] Cisco Systems: Root compromise – Existing account   This vulnerability requires user interaction or an existing account. However successful exploitation could allow the attacker to overwrite the host’s runc binary file with a malicious file, escape the container, and execute arbitrary commands with root privileges on the host system. Stay safe, stay patched and have a great weekend, Rameez Agnew

AUSCERT Week in Review for 15th February 2019 Greetings, This week in security, we enjoy the rare sight of sysadmins running to their terminals for Microsoft’s Patch Tuesday and Optus calling their customers “Vladimir” for valentines day. Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Title: Optus disables My Account site after users complain of privacy breachDate Published:  February 15, 2019 Author: Corinne Reichert Excerpt: “Optus has confirmed that its My Account website is back up and running after temporarily disabling access following complaints from users that they were seeing the wrong customer information after logging in. According to Optus, it disabled the site “as a precaution”.“Optus is aware some customers reported seeing incorrect information when activating their Prepaid service, and when logging into My Account to pay their bill yesterday,” an Optus spokesperson said on Friday. “The Optus My Account website is now operational, and Optus is working with our third-party vendors to identify the cause of yesterday’s issue.””—– Title: RunC Vulnerability Gives Attackers Root Access on Docker, Kubernetes HostsDate Published: February 11, 2019Author: Sergiu Gatlan Excerpt: “A container breakout security flaw found in the runc container runtime allows malicious containers (with minimal user interaction) to overwrite the host runc binary and gain root-level code execution on the host machine.runc is an open source command line utility designed to spawn and run containers and, at the moment, it is used as the default runtime for containers with Docker, containerd, Podman, and CRI-O.According to Aleksa Sarai, Senior Software Engineer (Containers) SUSE Linux GmbH, one of the runc maintainers:The level of user interaction is being able to run any command (it doesn’t matter if the command is not attacker-controlled) as root within a container in either of these contexts:Creating a new container using an attacker-controlled image.Attaching (docker exec) into an existing container which the attacker had previous write access to.”—– Title: Govt moves to extend encryption-busting powers to anti-corruption agenciesDate Published: Feb 13 2019Author: Justin Hendry Excerpt: “The federal government has revealed planned changes to Australia’s controversial encryption-busting legislation that will give anti-corruption bodies similar powers to other law enforcement agencies.Amendments to the Assistance and Access Act introduced to parliament on Wednesday afternoon propose extending the industry assistance powers to eight additional agencies, including state corruption watchdogs.The Australian Federal Police, Australian Crime Commission and state and territory police forces are the only law enforcement agencies afforded the powers as the Act currently stands.”—– Title: Email provider hack destroys nearly two decades’ worth of dataDate Published: Author: Abrar Al-Heeti Excerpt: “All US data from email provider VFEmail was destroyed by an unknown hacker, deleting nearly two decades’ worth of emails, VFEmail said Tuesday.The email provider, which was founded in 2001, scans each email for viruses and spam before they get to someone’s inbox. If a virus is found, it’s blocked from getting onto VFEmail’s servers.“Yes, @VFEmail is effectively gone,” VFEmail owner Rick Romero said on Twitter. “It will likely not return. I never thought anyone would care about my labor of love so much that they’d want to completely and thoroughly destroy it.””—– Title: It’s now 2019, and your Windows DHCP server can be pwned by a packet, IE and Edge by a webpage, and so onDate Published:  13 Feb 2019 Author: Shaun Nichols Excerpt: “Patch Tuesday Microsoft and Adobe have teamed up to give users and sysadmins plenty of work to do this week.The February edition of Patch Tuesday includes more than 70 CVE-listed vulnerabilities from each vendor – yes, each – as well as a critical security fix from Cisco. You should patch them as soon as it is possible. For Redmond, the February dump covers 77 CVE-listed bugs across Windows, Office, and Edge/IE.Among the most potentially serious was CVE-2019-0626, a remote code execution vulnerability in the Windows Server DHCP component.”—– Here are this week’s noteworthy security bulletins: 1) ASB-2019.0054 – [Win] Windows: Multiple vulnerabilities     Microsoft patches 32 vulnerabilities for windows desktop and windows server. 2) ASB-2019.0055 – [Win][UNIX/Linux] Mozilla Firefox and Firefox ESR: Multiple vulnerabilities      Mozilla patches 3 new vulnerabilities in Firefox/ESR.   3) ESB-2019.0436 – [Linux][Ubuntu] snapd: Root compromise – Existing account     A privilege escalation exploit in Linux, named dirty_sock.   4) ESB-2019.0438 – [Win][Linux][OSX] Adobe Flash Player: Access confidential data – Remote with user interaction     An Adobe Flash Player information disclosure vulnerability affecting Windows, Linux, OSX and Chrome OS. Stay safe, stay patched and have a great weekend, Rameez Agnew

AUSCERT Week in Review for 8th February 2019 Greetings, This week Apple patched the high-profile FaceTime vulnerability that made the news from last week, and a researcher goes public with a Mac OS key-chain vulnerability that allows a user access to its plaintext credentials without restriction. One in, one out for news-worthy Apple vulnerabilities. To dramatically cap off this week, the Australian Parliament was subject to a cyber attack, the extent of which is still being investigated. Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: China link possible in cyber attack on Australian Parliament computer system, ABC understands08 February 2019Author: Stephanie Borys Excerpt: “Australia’s security agencies are investigating a cyber breach of the Federal Parliament’s computer network that the ABC understands is likely the result of a foreign government attack. The agencies are looking into whether China is behind the incident. In a statement, Federal Parliament’s presiding officers said authorities were yet to detect any evidence data had been stolen in the breach.” —— Apple puts bullet through ‘Do Not Track’, FaceTime snooping bug and iOS vulnerabilities07 February 2019Author: Thomas Claburn Excerpt: “Today, Apple also emitted security fixes for iOS 12.1.4. This fixes the FaceTime eavesdropping bug (CVE-2019-6223) found by 14-year-old Grant Thompson of Catalina Foothills High School and Daven Morris of Arlington, Texas. We understand the teen and his family will get some compensation from Apple, which will also pay toward his education. The OS update also fixes two elevation-of-privilege holes (CVE-2019-7286 in Foundation, CVE-2019-7286 in IOKit), and a vague problem with Live Photos in FaceTime (CVE-2019-7288). Meanwhile, FaceTime has been fixed in macOS, too.” —— Researcher reveals huge Mac password flaw to protest Apple bug bounty06 February 2019Author: Jeremy Horwitz Excerpt: “Apple’s operating systems have recently had more than their fair share of serious security issues, and the latest problem will be enough to rattle millions of Mac users. Previously credible researcher Linuz Henze has revealed an exploit that in one button press can reveal the passwords in a Mac’s keychain. Keychain is where macOS stores most of the passwords used on the machine, ranging from iMessage private encryption keys to certificates, secured notes, Wi-Fi, and other Apple hardware passwords, app passwords, and web passwords. A pre-installed app called Keychain Access enables users to view the entire list of stored items, unlocking each one individually by repeatedly entering the system password, but Henze’s KeySteal exploit grabs everything with a single press of a “Show me your secrets” button.” —— Here are this week’s noteworthy security bulletins: 1) ESB-2019.0388 – [Apple iOS] iOS: Multiple vulnerabilities Apple has released its patch for the FaceTime group chat, alongside two elevation of privilege vulnerabilities. 2) ASB-2019.0046 – [Android] Android: Multiple vulnerabilities Android’s February update is out, with all the usual suspects getting fixes (RCE, EoP, DoS). 3) ESB-2019.0305 – [Win][UNIX/Linux][Debian] libreoffice: Execute arbitrary code/commands – Remote with user interaction Libreoffice documents would happily execute any Python script (and arguments!) in a document-supplied directory. Stay safe, stay patched and have a good weekend! Tim

AUSCERT Week in Review for 1st February 2019 Greetings, This week featured some very high-profile vulnerabilities, tech companies abusing each others’ trust, and a great upheaval in name-resolution – leaving unorthodox DNS servers out in the cold. A pass-the-hash vulnerability in Exchange was made public, which allows any user with a mailbox to elevate themselves to the Exchange user, which unsurprisingly, often runs with Domain Admin privileges. Microsoft have not released a patch, but mitigations are available. Apple was forced to suspend group chat functionality in FaceTime, after a teenager discovered its espionage potential. Calling a contact via FaceTime, and then adding yourself as an additional contact to the group would hot-mic the unsuspecting victim, before they had answered the call. Rather than let this capability fall into the hands of pranksters and nation states, Apple wisely disabled the function until a patch is ready. Apple was also forced to suspend Facebook and Google’s enterprise certificates, causing chaos internally as non-public applications (and development versions of their public app suites) would now refuse to run on iOS. This was a result of the companies using the intra-company certificate to bypass Apple’s privacy requirements on the app store, having created data-harvesting apps that lured users in with the promise of gift-cards. Apple has since worked to reinstate certificates for the companies, presumably satisfied that it had made its point. (On or around) February 1st is DNS Flag Day, and authoritative DNS servers that stray from the RFCs and fail to implement the EDNS extension will find themselves receiving the cold-shoulder from upstream servers. If you run such a non-compliant server after Flag Day, then your services had better have memorable IP addresses. Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Cyber Alert: DNS Flag DayJanuary 30 2019Author: Center for Internet SecurityExcerpt: “On Friday, February 1, 2019, major Domain Name Systems (DNS) software and service providers will remove DNS workarounds that allow users to bypass the Extension Mechanisms Protocol for DNS (EDNS). EDNS is a set of extension mechanisms to expand the size of the DNS message as it goes through its query, which allows more information to be included in the communication between each host in the DNS resolution process. On Friday, several DNS resolver operators, including PowerDNS, Internet System Consortium, and Google, will release updates that implement stricter EDNS handling. This update will speed up the DNS process by forcing everyone to implement the EDNS protocol. Furthermore, the update will simplify the deployment of new features in the future. Consequently, if the update is not implemented on DNS servers, there will be no DNS response to any recursive servers’ request.” —— Severe vulnerability in Apple FaceTime found by Fortnite playerJanuary 30 2019Author: Charlie OsborneExcerpt: “Before the so-called Apple “Facepalm” bug hit the headlines, the mother of a 14-year-old boy from Arizona had been trying to warn the tech giant about the vulnerability for over a week. A FaceTime call made on 19 January by Michele Thompson’s son, as reported by sister site CNET, began the chain of events. The teenager added a friend to the group conversation and despite the fact that the friend had not yet picked up the phone, he was able to listen in to conversations taking place in the iPhone’s environment.” —— Furious Apple revokes Facebook’s enty app cert after Zuck’s crew abused it to slurp private dataJanuary 30 2019Author: Kieren McCarthyExcerpt: “The enterprise cert allows Facebook to sign iOS applications so they can be installed for internal use only, without having to go through the official App Store. It’s useful for intranet applications and in-house software development work. Facebook, though, used the certificate to sign a market research iPhone application that folks could install it on their devices. The app was previously kicked out of the official App Store for breaking Apple’s rules on privacy: Facebook had to use the cert to skirt Cupertino’s ban.” —— Microsoft Exchange vulnerable to ‘PrivExchange’ zero-dayJanuary 29 2019Author: Catalin CimpanuExcerpt: “Microsoft Exchange 2013 and newer are vulnerable to a zero-day named “PrivExchange” that allows a remote attacker with just the credentials of a single lowly Exchange mailbox user to gain Domain Controller admin privileges with the help of a simple Python tool. … According to the researcher, the zero-day isn’t one single flaw, but a combination of three (default) settings and mechanisms that an attacker can abuse to escalate his access from a hacked email account to the admin of the company’s internal domain controller (a server that handles security authentication requests within a Windows domain).” —— Here are this week’s noteworthy security bulletins: 1) ESB-2019.0285 – ALERT [Win] Microsoft Exchange Server: Increased privileges – Existing account Exchange pass-the-hash vulnerability, often leading to Domain Admin. 2) ASB-2019.0042 – [Win][UNIX/Linux] Mozilla Firefox: Multiple vulnerabilities Your usual suite of vulnerabilities for a browser update – RCE, DoS, increased privileges etc. 3) ASB-2019.0044 – [Win][UNIX/Linux] Google Chrome: Multiple vulnerabilities Not to be outdone, Chrome has also fixed your usual culprits in its latest release. Stay safe, stay patched and have a good weekend! Tim

AUSCERT Week in Review for 25th January 2019 AUSCERT Week in Review25 January 2019 Greetings, This week has been raining shells for all the lucky pentesters around the world. We’ve had Cisco, Debian and Apple release several patches to address a range of remote code execution vulnerabilities across their products. Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Title: If you installed PEAR PHP in the last 6 months, you may be infectedDate Published: 1/24/2019URL: https://arstechnica.com/information-technology/2019/01/pear-php-site-breach-lets-hackers-slip-malware-into-official-download/Author: Dan Goodin Excerpt: “Officials with the widely used PHP Extension and Application Repository have temporarily shut down most of their website and are urging users to inspect their systems after discovering hackers replaced the main package manager with a malicious one.” “If you have downloaded this go-pear.phar [package manager] in the past six months, you should get a new copy of the same release version from GitHub (pear/pearweb_phars) and compare file hashes,” officials wrote on the site’s blog. “If different, you may have the infected file.”—– Title: DHS issues security alert about recent DNS hijacking attacksDate Published: January 22, 2019URL: https://www.zdnet.com/article/dhs-issues-security-alert-about-recent-dns-hijacking-attacks/Author: Catalin CimpanuExcerpt: “The US Department of Homeland Security (DHS) has published today an “emergency directive” that contains guidance in regards to a recent report detailing a wave of DNS hijacking incidents perpetrated out of Iran.More security news The emergency directive [1, 2] orders government agencies to audit DNS records for unauthorized edits, change passwords, and enable multi-factor authentication for all accounts through which DNS records can be managed. The DHS documents also urges government IT personnel to monitor Certificate Transparency (CT) logs for newly-issued TLS certificates that have been issued for government domains, but which have not been requested by government workers (a sign that a malicious actor has hijacked a government domain’s DNS records, and is now requesting TLS certificates in its).”—– Title: A vulnerability in Debian’s apt allows for easy lateral movement in data centersDate Published: January 23, 2019URL: https://www.guardicore.com/2019/01/a-vulnerability-in-debians-apt-allows-for-easy-lateral-movement-in-data-centersAuthor: Daniel GoldbergExcerpt: “A new vulnerability in Debian’s Advanced Package Tool (apt) is the latest big tool in the data center attacker’s arsenal. The vulnerability (CVE-2019-3462) is in Debian’s high-level package management system, which is used by system administrators to install, upgrade and remove software packages. The vulnerability can be exploited when administrators install or upgrade software package on vulnerable servers. The apt package management software is part of every Debian based Linux distribution, covering Debian, Ubuntu and a whole group of smaller distributions such as Kali, TailsOS and many others. Distrowatch lists over 100 active distributions (large and small) based on Debian. All of these are likely to be vulnerable.”—– Title: Internet experiment goes wrong, takes down a bunch of Linux routersDate Published: January 24, 2019URL: https://www.zdnet.com/article/internet-experiment-goes-wrong-takes-down-a-bunch-of-linux-routers/Author: Catalin CimpanuExcerpt: “Earlier this month, an academic experiment studying the impact of newly released security features for the Border Gateway Protocol (BGP) went horribly wrong and crashed a bunch of Linux-based internet routers. The experiment, organized by academics from all over the world, was first announced last year in mid-December and was described as “an experiment to evaluate alternatives for speeding up adoption of BGP route origin validation.” BGP Route Origin Validation, or ROV, is a newly released standard part of a three-pronged security pack for the BGP standard, together with BGP Resource Public Key Infrastructure (RPKI) and BGP Path Validation (also known as BGPsec).”—– Title: Targeted Attacks Abusing Google Cloud Platform Open RedirectionDate Published: Jan 24 2019URL: https://www.netskope.com/blog/targeted-attacks-abusing-google-cloud-platform-open-redirectionAuthor: Ashwin VamshiExcerpt: “Netskope Threat Research Labs detected several targeted themed attacks across 42 customer instances mostly in the banking and finance sector. The threat actors involved in these attacks used the App Engine Google Cloud computing platform (GCP) to deliver malware via PDF decoys. After further research, we confirmed evidence of these attacks targeting governments and financial firms worldwide. Several decoys were likely related to an infamous threat actor group named ‘Cobalt Strike’. The attacks were carried out by abusing the GCP URL redirection in PDF decoys and redirecting to the malicious URL hosting the malicious payload. This targeted attack is more convincing than the traditional attacks because the URL hosting the malware points the host URL to Google App Engine, thus making the victim believe the file is delivered from a trusted source like Google.”—– Here are this week’s noteworthy security bulletins: 1) ESB-2019.0182 – ALERT [UNIX/Linux][Debian] apt: Root compromise – Remote/unauthenticated https://portal.auscert.org.au/bulletins/74386Man in the middle vulnerability which allows an attacker to man in the middle traffic between APT and the mirror, then inject malicious content into the connection. 2) ESB-2019.0228 – [Win] iTunes: Multiple vulnerabilities https://portal.auscert.org.au/bulletins/74574A maliciously crafted SQL query may lead to arbitrary code and an out-of-bounds read which leads to privilege escalation 3)ESB-2019.0210 – [Cisco] Texas Instruments Bluetooth Low Energy: Execute arbitrary code/commands – Remote/unauthenticated https://portal.auscert.org.au/bulletins/74498Broadcasting malformed BLE frames can cause memory corruption condition, which may result in remote code execution & denial of service. —– Stay safe, stay patched and have a great weekend, Rameez Agnew

AUSCERT Week in Review for 18th January 2019 Greetings, As another week comes to a close, we see a nice collection of data breaches. One leak containing 773 million email ID’s & 21.2 million unique, plain-text passwords with a total size of 87GB. There were numerous Oracle security vulnerabilities reported and fixes released, as always, here’s a summary of some of the more interesting stories we’ve seen this week.   Title: 773 million email IDs, 21 million passwords for anyone to see in massive data dump Date Published: 17 Jan 2019 Author: Tomáš Foltýn Excerpt: Nearly 773 million unique email addresses and more than 21.2 million unique, plain-text passwords were there for the taking recently in a massive data dump that’s been dubbed Collection #1. The news comes from security researcher Troy Hunt, who runs the Have I Been Pwned (HIBP) site that enables people to check and also receive alerts if any of their online accounts may have been the victim of a known breach. The stash of data was posted on file-sharing service MEGA and later also on an “unnamed popular hacking forum”, said Hunt. It comprises more than 12,000 files that weigh in at 87 gigabytes in total. —– Title: Employees sacked, CEO fined in SingHealth security breach Date Published: January 14, 2019 Author: Eileen Yu Excerpt: Two employees have been sacked and five senior management executives, including the CEO, were fined for their role in Singapore’s most serious security breach, which compromised personal data of 1.5 million SingHealth patients. Further enhancements will also be made to beef up the organisation’s cyber defence, so that it is in line with recommendations dished out by the committee following its review of the events leading up to the breach, according to Integrated Health Information Systems (IHIS). The IT agency responsible for the local healthcare sector that includes SingHealth, IHIS, said a lead in its Citrix team and a security incident response manager were found to be negligent and in non-compliance of orders. This had security implications and contributed to the “unprecedented” scale of the SingHealth security breach, the agency said in a statement Monday.  —– Title: Massive Oklahoma Government Data Leak Exposes 7 Years of FBI Investigations Date Published: Author: Thomas Brewster Excerpt: Another day, another huge leak of government information. Last December, a whopping 3 terabytes of unprotected data from the Oklahoma Securities Commission was uncovered by Greg Pollock, a researcher with cybersecurity firm UpGuard. It amounted to millions of files, many on sensitive FBI investigations, all of which were left wide open on a server with no password, accessible to anyone with an internet connection, Forbes can reveal. “It represents a compromise of the entire integrity of the Oklahoma department of securities’ network,” said Chris Vickery, head of research at UpGuard, which is revealing its technical findings on Wednesday. “It affects an entire state level agency. … It’s massively noteworthy.” —– Title: Hackers breach and steal data from South Korea’s Defense Ministry Date Published: Jan 16, 2019 Author: January 16, 2019 Excerpt: Hackers have breached the computer systems of a South Korean government agency that oversees weapons and munitions acquisitions for the country’s military forces. The hack took place in October 2018. Local press reported this week[1, 2, 3] that hackers breached 30 computers and stole internal documents from at least ten. The breached organization is South Korea’s Defense Acquisition Program Administration (DAPA), an agency part of the Ministry of National Defense. It is believed that the stolen documents contain information about arms procurement for the country’s next-generation fighter aircraft, according to a news outlet reporting on the cyber-attack. —– Title: Vulnerability Allowed Fortnite Account Takeover Without Credentials Date Published: January 16, 2019 Author: Kevin Townsend Excerpt: Hacking game accounts is a popular — and enriching — pastime. The rise of in-game marketplaces that can be used for buying and selling game commodities has attracted hackers who break into gamers’ accounts, steal their game commodities (and anything else they can find from personal data to parents’ bank card details) and sell them on for cash. The traditional route has always been to phish the gamers’ credentials — and obviously the bigger and more popular the game, the bigger the pool for phishing. Checkpoint recently discovered a vulnerability (now fixed) in the biggest game of all that allowed criminals to gain access to users’ accounts without requiring credentials. Here are this week’s noteworthy security bulletins —- 1) ESB-2019.0163 – [RedHat] Red Hat Enterprise Linux 6.7 EUS Final Retirement Notice Redhat issue their final retirement notice for Red Hat Enterprise Linux 6.7 EUS (Extended Update Support).   2) ASB-2019.0034 – [Win] Microsoft Team Foundation Server: Multiple vulnerabilities An information disclosure and cross-site scripting vulnerability has been found in Microsoft Team Foundation Server.   3) ASB-2019.0035 – [Win] Microsoft Skype for Business Server 2015 CU 8: Cross-site scripting – Remote with user interaction A cross-site scripting vulnerability has been discovered in Skype for Business 2015 server.   4) ESB-2019.0160 – [Ubuntu] irssi: Execute arbitrary code/commands – Remote with user interaction A denial of service and code execution vulnerability was discovered in Irssi due to the way Irssi incorrectly handles certain inputs. Stay safe, stay patched and have a great weekend, Rameez

AUSCERT Week in Review for 11th January 2019 Greetings, Judging by the traffic on the roads, most people have started working again! Welcome to 2019!We hope that this week has not been too difficult for you all! Fortunately, apart from some interesting vulnerabilities in Microsoft’s patch Tuesday, most vulnerabilities were quite “un-interesting”. Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Title: Hacker Uses Australian Early Warning Network to Send Spam AlertsDate Published: 7/1/2019Author: Lawrence AbramsExcerpt: “Over the weekend, a hacker gained unauthorized access to the Queensland EWN, or Early Warning Network, and used it to send a spam alert via SMS, landline, and email to the company’s subscribers. EWN is a service offered by Australian company Aeeris that allows Australian councils, or local governments, to send emergency alerts regarding extreme weather, fires, evacuation information, or incident responses. The unauthorized alerts stated that “EWN has been hacked. Your personal data is not safe.” They then went on to tell recipients to email support@ewn.com.au to unsubscribe from the service.”—– Title: Aussie electoral systems get 24×7 monitoring for 2019 electionDate Published: 8/1/2019Author: Justin HendryExcerpt: “Australia’s electoral systems will be actively monitored around the clock by a new security operations centre during the upcoming federal election. The Australian Electoral Commission has put out the call for vendors capable of providing “short-term, event based security monitoring” of its internal systems in a bid to protect against unauthorised interference.”—– Title: A YubiKey for iOS Will Soon Free Your iPhone From PasswordsDate Published: 8/1/2019Author: Brian BarrettExcerpt: “Over the last several years, Yubico has become close to ubiquitous in the field of hardware authentication. Its YubiKey token can act as a second layer of security for your online accounts and can even let you skip out on using passwords altogether. The only problem? It’s been largely unusable on the iPhone. That’s going to change soon.”—– Title: Samsung Phone Users Perturbed to Find They Can’t Delete FacebookDate Published: 8/1/2019Author: Sarah Frier Excerpt: “Nick Winke, a photographer in the Pacific northwest, was perusing internet forums when he came across a complaint that alarmed him: On certain Samsung Electronics Co. smartphones, users aren’t allowed to delete the Facebook app.”—– Title: New tool automates phishing attacks that bypass 2FADate Published: 9/1/2019Author: Catalin Cimpanu Excerpt: “A new penetration testing tool published at the start of the year by a security researcher can automate phishing attacks with an ease never seen before and can even blow through login operations for accounts protected by two-factor authentication (2FA). Named Modlishka –the English pronunciation of the Polish word for mantis– this new tool was created by Polish researcher Piotr Duszy?ski.”—– Title: SingHealth COI report made public: System vulnerabilities, staff lapses, skilled hackers led to cyberattackDate Published: 10/1/2019Author: Fann SimExcerpt: “A potent mix of pre-existing system vulnerabilities, staff lapses and extremely skilled hackers led to the cyberattack on SingHealth’s patient database last year, said a report from the Committee of Inquiry (COI) into the breach.”[…] ““To sum up, considerable initiative was shown by officers on the front line … It is a shame that such initiative was then smothered by a blanket of middle management mistakes,” the report said.”” Here are this week’s noteworthy security bulletins: 1) ESB-2019.0072 – [Win][Apple iOS][Android][Mac] Adobe Digital Editions: Access confidential data – Remote with user interaction An information disclosure vulnerability has been identified and resolved in Adobe Digital Editions. 2) ESB-2019.0073 – [Win][Linux] Adobe Connect: Access privileged data – Remote with user interaction A session token exposure vulnerability has been identified and resolved in Adobe Connect 3) ASB-2019.0003.3 – UPDATE [Win] Microsoft Windows: Multiple vulnerabilities 27 Vulnerabilities have been identified in Microsoft Windows OS. One of the more interesting ones is a memory corruption vulnerability in the Windows DHCP client where a specially crafted DHCP response could run arbitrary code on the client machine. Stay safe, stay patched and have a good weekend! Ananda