AUSCERT Week in Review for 13th July 2018 AUSCERT Week in Review13 July 2018 Two package compromises this week serve as a reminder that we all rely on each other’s code, which few of us have the luxury of auditing. ESLint, a linter for JavaScript-family languages, published a malicious package which stole Node Package Manager credentials from developers. (While I have this soapbox, linters are great and should be used for any code you write – even if that’s “only” shell scripting, try out ShellCheck!) Microsoft Patch Tuesday also took place this week, with more vulns which could hijack Edge purely from opening a malicious page. If your users ask why they’re advised to delete spam emails, you can point them to the presence of these bugs in almost every Patch Tuesday. In accordance with tradition, here are some interesting news articles from the week: Patch Tuesday, July 2018 EditionAuthor: Brian KrebsDate: 10 July 2018https://krebsonsecurity.com/2018/07/patch-tuesday-july-2018-edition/ Microsoft and Adobe each issued security updates for their products today. Microsoft’s July patch batch includes 14 updates to fix more than 50 security flaws in Windows and associated software. Separately, Adobe has pushed out an update for its Flash Player browser plugin, as well as a monster patch bundle for Adobe Reader/Acrobat. Postmortem for Malicious Packages Published on July 12th, 2018Author: ESLint ProjectDate: 12 July 2018https://eslint.org/blog/2018/07/postmortem-for-malicious-package-publishes On July 12th, 2018, an attacker compromised the npm account of an ESLint maintainer and published malicious versions of the eslint-scope and eslint-config-eslint packages to the npm registry. On installation, the malicious packages downloaded and executed code from pastebin.com which sent the contents of the user’s .npmrc file to the attacker. An .npmrc file typically contains access tokens for publishing to npm. The malicious package versions are eslint-scope@3.7.2 and eslint-config-eslint@5.0.2, both of which have been unpublished from npm. The pastebin.com paste linked in these packages has also been taken down. Malware Found in Arch Linux AUR Package RepositoryAuthor: Catalin CimpanuDate: 10 July 2018https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository Malware has been discovered in at least three Arch Linux packages available on AUR (Arch User Repository), the official Arch Linux repository of user-submitted packages.[…] No other malicious actions were observed, meaning the acroread package wasn’t harming users’ systems, but merely collecting data in preparation for… something else. Airport security card company reveals data hack as AFP investigatesAuthor: ABC NewsDate: 12 July 2018http://www.abc.net.au/news/2018-07-12/afp-investigating-airport-security-card-data-hack/9981796 A company that issues Aviation Security Identity Cards (ASICs) — designed to stop organised criminals and terrorists from accessing planes and other restricted airport zones — has been hacked, leading to concerns that Australian airport security may have been compromised as a result. Here are this week’s noteworthy security bulletins (in no particular order): 1. ESB-2018.2011 – [Appliance] Universal Robots Robot Controllers: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/65058 Industrial robots would execute arbitrary code sent to certain TCP ports. 2. ESB-2018.2021 – ALERT [UNIX/Linux][Debian] cups: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/65098 The Common UNIX Printing System patched a root compromise vulnerability. 3. ESB-2018.1984 – [Apple iOS] Apple iOS: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/64922 Multiple memory corruption and data leak issues in WebKit, used by Safari & other browsers, plus a crash when a China-region phone received the Taiwanese flag emoji. 4. ESB-2018.1756.2 – UPDATE [Win][UNIX/Linux] BIND: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/63966 Regression caused defaults to work incorrectly in the BIND nameserver, allowing denials of service (including DNS reflection attacks) and examining the DNS cache. Stay safe, stay patched and have a good weekend,David and the team at AUSCERT

AUSCERT Week in Review for 6th July 2018 AUSCERT Week in Review06 July 2018 Greetings, This week’s events have reminded us to be careful of the software we install. Between browser extensions gone rogue and a major software foundation’s GitHub account serving compromised content, consider whose code you might have run without knowing it. The AUSCERT bulletins service is nearly at number 2,000 by early July, making this the busiest year on record. If you want to change your subscription settings, your inbox may thank you. Log in to the member portal at https://wordpress-admin.auscert.org.au to make the change. If you get stuck or have any questions, contact us at auscert@auscert.org.au! In the news this week: ‘Stylish’ browser extension steals all your internet historyhttps://robertheaton.com/2018/07/02/stylish-browser-extension-steals-your-internet-history/Date: 02 July 2018Author: Robert Heaton Unfortunately, since January 2017, Stylish has been augmented with bonus spyware that records every single website that I and its 2 million other users visit (EDIT – I am told that the Chrome version has had tracking since January 2017, but the Firefox version has only had it since March 2018). Stylish sends our complete browsing activity back to its servers, together with a unique identifier. This allows its new owner, SimilarWeb, to connect all of an individual’s actions into a single profile. And for users like me who have created a Stylish account on userstyles.org, this unique identifier can easily be linked to a login cookie. … Stylish’s transition from visual Valhalla to privacy Chernobyl began when the original owner and creator of Stylish sold it in August 2016. In January 2017 the new owner sold it again, announcing that “Stylish is now part of the SimilarWeb family”. The SimilarWeb family’s promotional literature lists “Market Solutions To See All Your Competitors’ Traffic” amongst its interests. [AUSCERT adds: Recall also https://www.theregister.co.uk/2017/09/15/pretend_python_packages_prey_on_poor_typing/ from last year.] Gentoo GitHub Organization hackedhttps://wiki.gentoo.org/wiki/Github/2018-06-28Date: 01 July 2018 An unknown entity gained control of an admin account for the Gentoo GitHub Organization and removed all access to the organization (and its repositories) from Gentoo developers. They then proceeded to make various changes to content. Gentoo Developers & Infrastructure escalated to GitHub support and the Gentoo Organization was frozen by GitHub staff. Gentoo has regained control of the Gentoo GitHub Organization and has reverted the bad commits and defaced content. The entity attempted to wipe user content by adding “rm -rf” to various repositories; however this code was unlikely to be executed by end users due to various technical guards in place. Iranian APT Poses As Israeli Cyber-Security Firm That Exposed Its Operationshttps://www.bleepingcomputer.com/news/security/iranian-apt-poses-as-israeli-cyber-security-firm-that-exposed-its-operations/Author: Catalin CimpanuDate: 03 July 2018 According to Israeli cyber-security firm ClearSky Security, the company says the Iranian APT copied its official website and hosted on a lookalike domain at clearskysecurity.net (the official ClearSky website is located at ClearSkySec.com). “Charming Kitten built a phishing website impersonating our company,” ClearkSky said yesterday. “They copied pages from our public website and changed one of them to include a ‘sign in’ option with multiple services.” “These sign-in options are all phishing pages that would send the victim’s credentials to the attackers,” ClearSky said. “Our legitimate website does not have any sign in option.” Another day, another data breach. Do you even care any more?http://www.abc.net.au/news/science/2018-07-06/data-breach-fatigue-ticketmaster-ticketfly-linkedin/9943720Author: ABC NewsDate: 05 July 2018 Dr Chen and his team used sentiment-analysis tools to track the emotional content of 18,764 tweets containing the hashtag #OPMHack. After events associated with the hack — from the initial breach announcement to the OPM director’s resignation — they saw a large drop-off in reaction. In other words, Dr Chen said, “we can see that the public is gradually losing interest in reacting to this news”. Here are this week’s noteworthy security bulletins (in no particular order): 1. ESB-2018.1949 – [Win][Linux] Drupal Universally Unique IDentifier: Create arbitrary files – Existing accounthttps://portal.auscert.org.au/bulletins/64782 A major Drupal module had an arbitrary file upload vulnerability. 2. ESB-2018.1952 – [Debian] dokuwiki: Execute arbitrary code/commands – Remote with user interactionhttps://portal.auscert.org.au/bulletins/64794 Reflected file download vulnerability in DokuWiki allowed execution of arbitrary code. 3. ASB-2018.0145 – [Android] Google Android devices: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/64650 Android’s July patch release fixed several critical bugs. 4. ESB-2018.1931 – [RedHat] python: Access confidential data – Remote/unauthenticatedhttps://portal.auscert.org.au/bulletins/64706 Python2.7 disables the insecure 3DES cypher suites by default.   Stay safe, stay patched and have a good weekend,AUSCERT

AUSCERT Week in Review for 29th June 2018 AUSCERT Week in Review29 June 2018 Greetings, Business Email Compromise (BEC) has been in the news this week, with a flurry of incidents and investigations. Do you have two-factor authentication enabled on your Outlook accounts? It’s the single easiest way to foil these attacks. Privacy and consent haven’t been solved yet, but the revelation that the HealthEngine booking system was selling personal health data to ambulance-chasers has made waves this week. The Drupalgeddon v3 vulnerability is still being exploited by cryptocurrency miners. If you haven’t patched yet, please make it a priority. Of the data breaches around the world, three caught our eye: Adidas, Exactis (a marketing and aggregation firm) and Ticketmaster. Exactis in particular may have exceeded the infamous Equifax breach in scope. In the news this week: MasterChef finalist caught in conveyancing hacker attackhttps://www.brisbanetimes.com.au/business/companies/masterchef-finalist-caught-in-conveyancing-hacker-attack-20180622-p4zn4o.html Date:    22 June 2018Author: Simon Johanson A former Masterchef contestant and her family are homeless after hackers stole $250,000 from their home sale. MasterChef finalist Dani Venn woke to a housing nightmare on Monday when it was confirmed $250,000 from the settlement of her semi-rural property on the outskirts of Melbourne was stolen after her conveyancer’s account was hacked. Two people charged over alleged email scamhttp://www.police.nsw.gov.au/news/news_article?sq_content_src=%2BdXJsPWh0dHBzJTNBJTJGJTJGZWJpenByZC5wb2xpY2UubnN3Lmdvdi5hdSUyRm1lZGlhJTJGNzEyNDQuaHRtbCZhbGw9MQ Date:    28 June 2018Author: NSW Police A man and woman will face court next month after being charged over alleged email scams netting more than $70,000. Detectives from the State Crime Command’s Cybercrime Squad established Strike Force Cabernet to investigate organised criminal groups committing large scale business email compromises. Medical appointment booking app HealthEngine sharing clients’ personal information with lawyershttp://www.abc.net.au/news/2018-06-25/healthengine-sharing-patients-information-with-lawyers/9894114 Date:    26 June 2018 Author: ABC News Health Minister Greg Hunt has ordered an “urgent review” of Australia’s biggest online doctor appointment booking service, HealthEngine. The ABC earlier reported that the HealthEngine app has funnelled hundreds of users’ private medical information to law firms seeking clients for personal injury claims. Hackers Exploit Drupal Flaw for Monero Mininghttps://www.securityweek.com/hackers-exploit-drupal-flaw-monero-miningAuthor: Ionut Arghire Date:    22 June 2018 Tracked as CVE-2018-7602 and considered a highly critical issue that could result in remote code execution, the vulnerability impacts Drupal’s versions 7 and 8 and was addressed in April this year. Last month, hackers were observed targeting both security vulnerabilities to deliver a variety of threats, including cryptocurrency miners, remote administration tools (RATs) and tech support scams. Trend Micro now says they noticed network attacks exploiting CVE-2018-7602 to turn affected systems into Monero-mining bots. As part of the observed incidents, the exploit fetches a shell script that retrieves an Executable and Linkable Format-based (ELF) downloader. Articles about the most significant data breaches: Equifax: https://www.cnet.com/news/exactis-340-million-people-may-have-been-exposed-in-bigger-breach-than-equifax/Adidas: https://www.bloomberg.com/news/articles/2018-06-28/adidas-says-millions-of-u-s-customers-being-alerted-of-breachTicketmaster: https://security.ticketmaster.com.au Here are this week’s noteworthy security bulletins (in no particular order): 1. ASB-2018.0138 – [Win][UNIX/Linux][Mobile] Mozilla Firefox: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/64390 Memory corruption leading to probable remote code execution, cross-site request forgery, crashes and a sandbox escape. 2. ESB-2018.1854 – [Win][UNIX/Linux] Jenkins plugins: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/64390 Major plugins for Jenkins were subject to a mixed bag of vulnerabilities: cross-site request forgery, storage of credentials in plaintext, unauthorised config viewing, zip file directory traversal, etc. 3. ESB-2018.1865 – [RedHat] ansible: Access privileged data – Existing accounthttps://portal.auscert.org.au/bulletins/64430 Credentials were logged in cleartext. 4. ESB-2018.1874 – [RedHat] Red Hat Virtualization Manager: Access confidential data – Existing accounthttps://portal.auscert.org.au/bulletins/64466 More cleartext credential logging. 5. ESB-2018.1891 – [Appliance] F5 products: Denial of service – Existing accounthttps://portal.auscert.org.au/bulletins/64538 Linux kernel bug dating back to 2012 allowed authenticated (local) users to deny service.   Stay safe, stay protected and have a good weekend,David and the team at AUSCERT

AUSCERT Week in Review for 22nd June 2018 AUSCERT Week in Review22 June 2018 Greetings, As Friday 22nd June comes to a close, I’d like to bring your attention to an old read from 1996, but a good read titled “Smashing The Stack For Fun And Profit” [1].  Why bring to light this 1996 classic? Well, because it highlights that it is hard to wipe out a class of vulnerability.  Even, 22 years on, and a whole lot of smart people at the problem, with today’s automatic code checking, and secure coding frameworks, classes of vulnerabilities still get through to production.  Also, the time between a fix being available and news of it can be weeks. For example, Firefox was out with a release on the 6th June with [mfsa2018-14] and it seem to only make general news this week on Monday 18th June.  Surely nothing bad could really happen in a couple of weeks.Yes, incidents will happen and a function in an organisation that has its fingers on the pulse of these incidents, that can analyse the depth of the impact can be a worthwhile investment in cyber security.Incidents could be just a wake-up call, with port 8000 being suddenly and unusually requested “en masse”.  Could that function be able to find the relationship of those port requests with the “XiongMai uc-httpd 1.0.0 Buffer Overflow Exploit” and then check if it reached any exposed IoT in the organisation, with the vulnerable code.Sounds simple but the difficulty is in the detail. Just drop the words “Vulnerability Management” around the work place and look for the reaction.  Perhaps, you only need to fine tune your VM SOPs by adding a task of digesting some industry news and perhaps some advisories of the week.  Enjoy.   Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: ——- Title:  Google Developer Discovers a Critical Bug in Modern Web BrowsersURL:  https://thehackernews.com/2018/06/browser-cross-origin-vulnerability.htmlDate:  20th June 2018 Author: Mohit Kumar Excerpt:“Discovered by Jake Archibald, developer advocate for Google Chrome, the vulnerability resides in the way browsers handle cross-origin requests to video and audio files, which if exploited, could allow remote attackers to even read the content of your Gmail or private Facebook messages.” ——- Title:  Botnets never Die, Satori REFUSES to Fade AwayURL:    http://blog.netlab.360.com/botnets-never-die-satori-refuses-to-fade-away-en/Date:   15th June 2018Author: NetLab Excerpt:“Two days ago, on 2018-06-14, we noticed that an updated Satori botnet began to perform network wide scan looking for uc-httpd 1.0.0 devices. Most likely for the vulnerability of XiongMai uc-httpd 1.0.0 “ ——- Title:  Apple macOS Bug Reveals Cache of Sensitive Data from Encrypted DrivesURL:    https://thehackernews.com/2018/06/apple-macos-quicklook.htmlDate:   18th June 2018Author: Swati Khandelwal Excerpt:“Security researchers are warning of almost a decade old issue with one of the Apple’s macOS feature which was designed for users’ convenience but is potentially exposing the contents of files stored on password-protected encrypted drives.” ——- Title:  SamSam ransomware: controlled distribution for an elusive malware URL:    https://blog.malwarebytes.com/threat-analysis/2018/06/samsam-ransomware-controlled-distribution/Date:   19th June 2018Author: Malwarebytes Labs Excerpt:“SamSam ransomware has been involved in some high profile attacks recently, and remains a somewhat elusive malware. In its time being active, SamSam has gone through a slight evolution, adding more features and alterations into the mix. These changes do not necessarily make the ransomware more dangerous, but they are added to make it just a bit more tricky to detect or track as it is constantly changing.” ——- Title:  All That Port 8000 Traffic This Week! Yeah, That’s Satori Looking for New BotsURL:    https://www.bleepingcomputer.com/news/security/all-that-port-8000-traffic-this-week-yeah-thats-satori-looking-for-new-bots/Date:   15th June 2018Author: Catalin Cimpanu Excerpt:“The PoC code was for a buffer overflow vulnerability (CVE-2018-10088) in XionMai uc-httpd 1.0.0, a lightweight web server package often found embedded inside the firmware of routers and IoT equipment sold by some Chinese vendors.The exploit allows an attacker to send a malformed package via ports 80 or 8000 and execute code on the device, effectively taking it over.” ——- Title:  Firefox fixes critical buffer overflowURL:    https://nakedsecurity.sophos.com/2018/06/18/firefox-fixes-critical-buffer-overflow/Date:   18th June 2018Author: Maria Varmazis Excerpt:“Earlier this month Mozilla announced a security advisory (MFSA2018-14) for its Firefox browser, noting that version 60.0.2 of both Firefox and Firefox Extended Support Release (ESR) as well as the legacy ESR (ESR 52.8.1) now have a fix for a critical-level buffer overflow vulnerability.” ——- Title:  Google’s Newest Feature: Find My HomeURL:    https://www.tripwire.com/state-of-security/vert/googles-newest-feature-find-my-home/#.WyfDEMLoy-g.twitterDate:   18th June 2018Author: Craig Young Excerpt:“Despite all of these efforts to thwart unwanted online tracking, it turns out that our connected gadgets may not only uniquely identify us but, in some cases, they can reveal precise physical locations. In this blog post, I will reveal a new attack against Google Home and Chromecast devices that does exactly that.” ——- Here are this week’s noteworthy security bulletins (in no particular order): 1.    ESB-2018.1810 – ALERT [Cisco] Cisco NX-OS: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/64198CVE-2018-0313 A successful exploit could allow the attacker to execute arbitrary commands with root privileges. 2.    ESB-2018.1809 – ALERT [Cisco] Cisco FXOS and Cisco NX-OS: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/64194CVE-2018-0304 …which could allow the attacker to read sensitive memory content, create a DoS condition, or execute arbitrary code as root. 3.    ESB-2018.1836 – [Win][Linux][IBM i][HP-UX][Solaris][AIX] IBM WebSphere Application Server: Multiple vulnerabilities    https://portal.auscert.org.au/bulletins/64302CVE-2014-0114 …to manipulate the ClassLoader and execute arbitrary code on the system. 4.    ESB-2018.1834 – [Win][UNIX/Linux] phpMyAdmin: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/64294CVE-2018-12581 …attacker can specify any host he/she is already in control of, and execute arbitrary code on phpMyAdmin. 5.    ESB-2018.1829 – [Win] Delta Industrial Automation COMMGR: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/64274CVE-2018-10594 This may allow remote code execution, cause the application to crash, or result in a denial-of-service condition in the application server. Wishing you the best from AUSCERT and hope to see you safe next week,Geoffroy P.S. Just as an exercise, of the bulletins AUSCERT processed this week, it may be instructive to count how many of them hints at the 1996 technique.

AUSCERT Week in Review for 15th June 2018 Greetings, This week demonstrated AI’s potential to assist humanity, as it came out from this month’s Microsoft Patch Tuesday that Cortana would helpfully execute code for you even when the system was locked. All that was required was for the executable to have been indexed, and Cortana was more than happy to run it for you with elevated privileges. The 3rd wave of speculative execution side-channels is upon us, dubbed “LazyFP”, but luckily is not quite as ubiquitous as its predecessors. Patches for some distributions have been released, so please make sure you’re up to date if a fix is available. The EU has passed a motion that would see it phasing out the use of the AV vendor Kaspersky’s products in its institutions. They join the list of governing bodies worried about the company’s susceptibility to Russian influence. For its part, Kaspersky have been an active contributor to several anti-cyber crime initiatives, and have been a frequent collaborator with Interpol. The company has suspended any further collaboration in response. Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Meltdown-Like ‘LazyFP’ Vulnerability Impacts Intel CPUsPublished: 14 Jun 2018https://www.securityweek.com/meltdown-lazyfp-vulnerability-impacts-intel-cpus Author: Eduard KovacsExcerpt: “Intel and software vendors have started informing users about a new vulnerability involving side channel speculative execution that could be exploited by malicious actors to obtain sensitive information from the targeted system. Dubbed LazyFP, the security hole is related to the floating point unit (FPU), also known as the math coprocessor. The FPU is used by the operating system when switching between processes – it saves the state of the current process and restores the state of the new process.” —— Locked Win10 PCs can leak sensitive data via CortanaPublished: 14 Jun 2018https://www.itnews.com.au/news/locked-win10-pcs-can-leak-sensitive-data-via-cortana-493692 Author: Juha SaarinenExcerpt: “Researchers from security vendor McAfee have demonstrated a way to use Microsoft’s personal digital assistant Cortana as an attack vector to get into locked Windows 10 PCs.” —— Citation needed: Europe claims Kaspersky wares ‘confirmed as malicious’Published: 13 Jun 2018https://www.theregister.co.uk/2018/06/13/eu_kaspersky_cyber_defence_motion/ Author: Richard SpeedExcerpt: “The wide-ranging non-binding motion is primarily concerned with cyber defence, stating that “the EU and the Member States face an unprecedented threat in the form of politically motivated, state-sponsored cyber attacks”.” —— Here are this week’s noteworthy security bulletins: 1) ESB-2018.1770 – [Linux][RedHat] kernel: Access privileged data – Existing accounthttps://portal.auscert.org.au/bulletins/64030 Red Hat has released patches for the new LazyFP side-channel vulnerability. 2) ESB-2018.1756 – [Win][UNIX/Linux] BIND: Denial of service – Remote/unauthenticatedhttps://portal.auscert.org.au/bulletins/63966 A regression in how BIND handles its configuration could allow recursive queries where they should be denied. This would allow the server to be used for reflective DoS attacks. 3) ESB-2018.1758 – [Win][UNIX/Linux] OpenSSL: Denial of service – Remote with user interactionhttps://portal.auscert.org.au/bulletins/63974 During handshake negotiation, a malicious server could send a large prime to the client, which would leave it scratching its head trying to generate a key and cause a DoS. 4) ESB-2018.1739 – [Win][UNIX/Linux][Debian] perl: Modify arbitrary files – Remote with user interactionhttps://portal.auscert.org.au/bulletins/63874 The Tar archiving module in perl would happily traverse the filesystem as it pleased while extracting, allowing archives to contain such files as ../etc/passwd ../../etc/passwd etc. Stay safe, stay patched and have a good weekend! Tim

AUSCERT Week in Review for 8th June 2018 Greetings, AUSCERT is back to business as usual after the conference, and so is the security ecosystem. This week delivered the usual suspects in vulnerability reporting – a Flash 0day, updates for both Firefox and Chrome, an Android update, and a slew of Cisco updates. PageUp (a HR SaaS provider) has reported a breach of its systems, likely the largest in scope reported under the new mandatory breach notification laws. The company has as clients various Australian government departments, large Australian businesses across multiple sectors, and parts of the education sector. Clients such as Wesfarmers (Coles, Target, Kmart, amongst others), the Australian Red Cross, and Medibank have made statements that they have suspended access to the service pending further updates and assurances. Since the system is customisable, the data potentially exposed may vary by client. Australia Post has stated that it requested TFNs, bank and superannuation details, and driver licence numbers from successful candidates via the service. Though passwords were salted and hashed, users are recommended to change their passwords. No matter how heat-death-of-the-universe-scale your hashing algorithm’s time complexity is, it’s no match for “Password123”. Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Malware hits HR software firm PageUp with possible data compromisehttps://www.zdnet.com/article/malware-hits-hr-software-firm-pageup-with-possible-data-compromise/ Author: Asha McLeanExcerpt: “Australia-based human resources firm PageUp has confirmed it found “unusual” activity on its IT infrastructure last month, which has resulted in the potential compromise of client data.” —— ATO becomes ASD Top 4 complianthttps://www.itnews.com.au/news/ato-becomes-asd-top-4-compliant-492588 Author: Justin HendryExcerpt: “The department reached full compliance with the Australian Signal’s Directorate’s (ASD) ‘top four strategies to mitigate cyber security incidents’ in November last year, after failing a cyber resilience audit only months earlier.” —— Aussie cyber security spend surged last yearhttps://www.arnnet.com.au/article/641899/aussie-security-spend-surged-last-year/ Author: Samira SarrafExcerpt: “A new report by Australia’s Cyber Emergency Response Team (AUSCERT) showed that 58 per cent of organisations in Australia and New Zealand surveyed increased their security spend in 2017 – with respondents’ figures representing a 35 per cent year-on-year increase in security investment.” —— Adobe Patches Zero-Day Flash Flawhttps://krebsonsecurity.com/tag/cve-2018-5002/ Author: Brian KrebsExcerpt: “Adobe has released an emergency update to address a critical security hole in its Flash Player browser plugin that is being actively exploited to deploy malicious software. If you’ve got Flash installed – and if you’re using Google Chrome or a recent version of Microsoft Windows you do – it’s time once again to make sure your copy of Flash is either patched, hobbled or removed.” —— Here are this week’s noteworthy security bulletins: 1) ESB-2018.1706 – ALERT [Win][Linux][Mac] Adobe Flash Player: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/63742 Another week, another Flash 0day. 2) ASB-2018.0126 – [Win][UNIX/Linux] Google Chrome: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/63714 Google has patched an issue in Chrome where the CSP header was handled incorrectly. No technical details yet, but always keep your browser up to date. 3) ESB-2018.1664 – [Debian] Debian 7: Reduced security – Unknown/unspecifiedhttps://portal.auscert.org.au/bulletins/63558 It had a good run, but Debian 7 has reached End of Life. Jessie and Stretch are eagerly awaiting your upgrade. 4) ESB-2018.1702 – [Cisco] Multiple Cisco Products: Denial of service – Remote/unauthenticatedhttps://portal.auscert.org.au/bulletins/63722 Turns out more than a few Cisco products have unbounded log file sizes which can be exploited to DoS the products by consuming all available disk space. Stay safe, stay patched and have a good weekend! Tim

AUSCERT Week in Review for 1st June 2018 Greetings, This slightly belated Week in Review comes on the heels of a big week in the form of the AUSCERT2018 conference! It was that time once again for us to all come together and put names to faces, see some great talks, and hopefully learn some new skills. Big thank-you to everyone who was able to come and join us, but worry not for those who couldn’t, because planning for AUSCERT2019 has already begun! Just remember not to connect to any unsecured WiFi. Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: AUSCERT and the Award for Information Security ExcellenceDate Published: 01 June 2018https://www.troyhunt.com/auscert-and-the-award-for-information-security-excellence/Author: Troy HuntExcerpt: “Yes, that guy is wearing a cape, it was a Star Wars thing.” —– AUSCERT 2018 – AwardsDate Published: 01 June 2018https://www.cso.com.au/article/641857/auscert-2018-awards/Author: Anthony CaruanaExcerpt: “AUSCERT’s annual awards, sponsored by the SANS Institute, night kicked off in spectacular fashion with fire-breathing commedian/musician Brian Brushwood carrying out his own version of a penetration test when he hammered a nail into his head through is nasal cavity.” —– Python May Let Security Tools See What Operations the Runtime Is PerformingDate Published: 28 May 2018https://www.bleepingcomputer.com/news/security/python-may-let-security-tools-see-what-operations-the-runtime-is-performing/Author: Catalin CimpanuExcerpt: “A new feature proposal for the Python programming language wants to add “transparency” to the runtime and let security and auditing tools view when Python may be running potentially dangerous operations.” —– Ghostery Tries to Comply With GDPR, but Ends Up Violating GDPR in the ProcessDate Published: 28 May 2018https://www.bleepingcomputer.com/news/technology/ghostery-tries-to-comply-with-gdpr-but-ends-up-violating-gdpr-in-the-process/Author: Catalin CimpanuExcerpt: “The company behind Ghostery, a privacy-focused browser and an ad-blocking browser extension, has apologized for a technical error that occurred last Friday when its staff was sending out GDPR-themed notification emails.” —– Here are this week’s noteworthy security bulletins: 1) ASB-2018.0123 – ASB-2018.0123 – [Win][Linux][Mac] Google Chrome: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/63394 Another release of Chrome patches the usual culprits – RCE, XSS, DoS. 2) ESB-2018.1647 – [Linux][RedHat] xmlrpc3: Execute arbitrary code/commands – Remote/unauthenticatedhttps://portal.auscert.org.au/bulletins/63490 Deserialisation leading to RCE. 3) ESB-2018.1626 – [Ubuntu] apport: Root compromise – Existing accounthttps://portal.auscert.org.au/bulletins/63406 Ubuntu’s crash reporting utility could lead to privilege escalation if expectedfiles were missing from /proc Code poorly and you might end up as root! 4) ESB-2018.1625 – [RedHat] Red Hat Enterprise Linux 7.3https://portal.auscert.org.au/bulletins/63402 RHEL 7.3 Extended Update Support is rapidly approaching end of life, and supportwill cease November 30, 2018. 5) ESB-2018.1619 – [Linux] VMware Horizon Client: Root compromise – Existing account SUID strikes again, in the form of a root compromise for Linux hosts with theVMWare Horizon Client installed. Stay safe, stay patched and have a good weekend! Tim

AUSCERT Week in Review for 25th May 2018 AUSCERT Week in Review25 May 2018 Greetings, Happy GDPR compliance deadline day!  I’m sure you’ve been receiving many privacy policy update emails this week.  Also this week we saw CVE-2018-3639 and CVE-2018-3640 announced, aka Spectre and Meltdown variants 3A and 4.  While they are hardware-level vulnerabilities which affect various processors from AMD, ARM, IBM POWER8, and  POWER9, and Intel, it’s still important to apply the latest microcode updates and software patches. With Microsoft’s $250,000 bounty, and more researchers looking at speculative execution vulnerabilities, it will be interesting to see how many more are discovered this year. AUSCERT has generated a new PGP/GPG Key to use for signing and receiving encrypted data, and this key comes into effect today. For more details: https://wordpress-admin.auscert.org.au/render.html?it=1967 Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Alert (TA18-141A) Side-Channel Vulnerability Variants 3a and 4Date Published: 21 May 2018https://www.us-cert.gov/ncas/alerts/TA18-141AAuthor: US-CERTExcerpt: “On May 21, 2018, new variants of the side-channel central processing unit (CPU) hardware vulnerabilities known as Spectre and Meltdown were publicly disclosed. These variants–known as 3A and 4–can allow an attacker to obtain access to sensitive information on affected systems.” —– Server? What server? Site forgotten for 12 years attracts hacks, finesDate Published:  22 May 2018https://nakedsecurity.sophos.com/2018/05/22/server-what-server-site-forgotten-for-12-years-attracts-hacks-fines/Author: John E DunnExcerpt: “A web server set up by an enterprising student for a conference in 2004 and then forgotten about has left the University of Greenwich nursing a ?120,000 ($160,000) fine from Britain’s Information Commissioner (ICO).” —– Here’s Amazon’s explanation for the Alexa eavesdropping scandalDate Published:  24 May 2018https://www.recode.net/2018/5/24/17391480/amazon-alexa-woman-secret-recording-echo-explanationAuthor: Jason Del ReyExcerpt:  “Asked for more details, Amazon provided Recode with the following explanation: “Echo woke up due to a word in background conversation sounding like “Alexa.” Then, the subsequent conversation was heard as a “send message” request. At which point, Alexa said out loud “To whom?” At which point, the background conversation was interpreted as a name in the customers contact list. Alexa then asked out loud, “[contact name], right?” Alexa then interpreted background conversation as “right”. As unlikely as this string of events is, we are evaluating options to make this case even less likely.” —– Chrome to remove ‘secure’ and padlock icon for HTTPSDate Published: 18 May 2018https://www.itnews.com.au/news/chrome-to-remove-secure-and-padlock-icon-for-https-491217Author: Juha SaarinenExcerpt: “Google will treat Transport Layer Security encrypted pages as the default soon with no indications shown, and call out unencoded HTTP web content as unsafe.” —– ASADA latest to access smartphone-hacking tool raising fresh privacy concernsDate Published: 23 May 2018http://www.abc.net.au/news/science/2018-05-23/asada-access-cellebrite-smartphone-hacking-technology/9786106Author: Ariel BogleExcerpt: “Critics flagged concerns about potential misuse of the technology, after Fairfax Media reported in 2017 that Centrelink, the Australian Taxation Office and the Australian Securities and Investment Commission have also deployed it. The use of such tools typically requires a warrant.” —– Here are this week’s noteworthy security bulletins: 1) ASB-2018.0122 – [Win][UNIX/Linux] Joomla!: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/63206 An XSS vulnerability has been identified in Joomla! in versions prior through 3.8.7 2) ASB-2018.0121 – ALERT [Win][UNIX/Linux][Virtual][Mobile] CPU Microcode: Access privileged data – Existing accounthttps://portal.auscert.org.au/bulletins/63066 Two new speculative execution side-channel vulnerabilities announced. 3) ESB-2018.1547 – [Win][UNIX/Linux] Zookeeper: Provide misleading information – Remote/unauthenticatedhttps://portal.auscert.org.au/bulletins/63082 No authentication/authorization is enforced when a server attempts to join a quorum. As a result an arbitrary end point could join the cluster and begin propagating counterfeit changes to the leader. 4) ESB-2018.1543 – [Debian] Debian 8: Deprecationhttps://portal.auscert.org.au/bulletins/63062 This is an advance notice that regular security support for Debian GNU/Linux 8 (code name “jessie”) will be terminated on the 17th of June. 5) ASB-2018.0119 – [Win][UNIX/Linux] Mozilla Thunderbird: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/63034 Multiple security vulnerabilities have been identified in Mozilla Thunderbird prior to version 52.8. Stay safe, stay patched and have a good weekend! Charelle

AUSCERT Week in Review for 18th May 2018 Greetings, We’ve seen a spate of bulletins this week following Twitter’s revelation that they were accidentally logging some passwords in clear-text, indicating that some products have also exposed sensitive data. NSW Family Planning has suffered a ransomware attack, leading to concerns that personal data may have been exposed. In other news, the AUSCERT 2018 conference is almost upon us!We look forward to seeing some of you there from Tuesday the 29th of May. In the news this week: ——————————————————————————– Family Planning NSW ransomware attack sees personal information of 8000 people at risk URL: https://www.healthcareit.com.au/article/family-planning-nsw-ransomware-attack-sees-personal-information-8000-people-risk-0 Author: Lynne Minion Excerpt: A ransomware attack on Family Planning NSW two weeks ago has potentially exposed the personal information of up to 8000 people, including women who sought information on abortions and contraception, but the reproductive and sexual health organisation claims medical records were never under threat. … In the attack on ANZAC Day, the hackers demanded a $15,000 ransom be paid in bitcoin. ——————————————————————————– Shadowy Hackers Accidentally Reveal Two Zero-Days to Security Researchers Date published: 15-05-2018 URL: https://www.bleepingcomputer.com/news/security/shadowy-hackers-accidentally-reveal-two-zero-days-to-security-researchers/ Author: Catalin Cimpanu Excerpt: An unidentified hacker group appears to have accidentally exposed two fully-working zero-days when they’ve uploaded a weaponized PDF file to a public malware scanning engine. The zero-days were spotted by security researchers from Slovak antivirus vendor ESET, who reported the issues to Adobe and Microsoft, which in turn, had them patched within two months. [These vulnerabilities have been patched in the last week.] ——————————————————————————– ‘Efail’ vulnerability lies in apps, not PGP and GnuPG Date published: 15-05-2018 Author: Juha Saarinen URL: https://www.itnews.com.au/news/efail-vulnerability-lies-in-apps-not-pgp-and-gnupg-490961 Excerpt: A security scare said to affect the popular Pretty Good Privacy (PGP) and Gnu Privacy Guard (GnuPG) protocols used to encrypt email messages is in fact caused by bugs in older mail apps. The issue arose after researchers from three German universities claimed to have devised an attack the called Efail, which they said would allow the decryption of current and past emails scrambled with PGP or GnuPG and exfiltration of the decoded content. But maintainers of the open source GnuPG set of encryption tools quickly issued a statement on Efail, pointing out that the issue affects older email applications and not the protocol itself. ——————————————————————————– WordPress releases GDPR features URL: https://wordpress.org/news/2018/05/wordpress-4-9-6-privacy-and-maintenance-release/ Author: Allen Snook Excerpt: It’s important to understand that while the GDPR is a European regulation, its requirements apply to all sites and online businesses that collect, store, and process personal data about EU residents no matter where the business is located. … We’re committed to supporting site owners around the world in their work to comply with this important law. As part of that effort, we’ve added a number of new privacy features in this release. ——————————————————————————– And lastly, here are this week’s most noteworthy security bulletins: ESB-2018.1526 – [RedHat] sensu: Access privileged data – Existing account https://portal.auscert.org.au/bulletins/62978 Sensitive data, including passwords, was logged in clear-text. ——————————————————————————– ESB-2018.1468 – [Win][UNIX/Linux] IBM MQ Managed File Transfer: Access privileged data – Existing account https://portal.auscert.org.au/bulletins/62738 Passwords were logged in clear-text. ——————————————————————————– ESB-2018.1489 – [RedHat] ovirt-ansible-roles: Access privileged data – Existing account https://portal.auscert.org.au/bulletins/62822 Passwords were logged in clear-text. ——————————————————————————– ESB-2018.1506 – [Win][Mac] Adobe Acrobat & Reader: Multiple vulnerabilities https://portal.auscert.org.au/bulletins/62898 Multiple vulnerabilities when handling malicious PDF files could lead to execution of arbitrary code or data leakage. ——————————————————————————– ASB-2018.0106.2 – UPDATE [Win][Mac] Microsoft Office products: Multiple vulnerabilities https://portal.auscert.org.au/bulletins/62450 Multiple vulnerabilities in Microsoft Office when handling malicious files could lead to execution of arbitrary code. ——————————————————————————– ESB-2018.1419 – [Win][Linux][Mac] Adobe Flash Player: Execute arbitrary code/commands – Remote with user interaction https://portal.auscert.org.au/bulletins/62514 Flash also executes arbitrary code. ——————————————————————————– Stay safe, stay patched and have a great weekend.David

AUSCERT Week in Review for 11th May 2018 Greetings, Another week, another drink from the firehose of information security. Microsoft’s patch Tuesday was largely uneventful, but Chrome, Firefox and Safari have all received significant security updates. DLA Piper have published some discussion of the major NotPetya ransomware attack they endured. The AUSCERT conference is in three weeks – we look forward to seeing some of you there! This week in cybersecurity: ——————————————————————————- DLA Piper paid 15,000 hours of IT overtime after NotPetya attackhttps://www.itnews.com.au/news/dla-piper-paid-15000-hours-of-it-overtime-after-notpetya-attack-490495Date: May 8 2018Author: Ry Crozier Excerpt: Law firm DLA Piper has revealed its IT team put in 15,000 hours of paid overtime to recover from the NotPetya malware infection. The company was also forced to wipe its entire Windows environment and “start afresh” after the first two weeks showed nothing in the existing environment was “salvageable”. ——————————————————————————- Misinterpretation of Intel docs is the root cause for the CVE-2018-8897 flaw in Hypervisors and OSshttps://securityaffairs.co/wordpress/72323/hacking/cve-2018-8897-misinterpretation-intel-docs.htmlDate: May 10 2018Author: Pierluigi Paganini Excerpt: The CERT/CC published a security advisory to warn of the CVE-2018-8897 flaw that impact the Linux kernel and software developed by major tech firms including Apple, the DragonFly BSD Project, Red Hat, the FreeBSD Project, Microsoft, SUSE Linux, Canonical, VMware, and the Xen Project (CERT/CC published the complete list of companies whose products may be impacted). … Experts explained that in the case of Linux, the flaw can trigger a denial-of-service (DoS) condition or cause the crash of the kernel. According to Microsoft, an attacker can exploit the security flaw on Windows for privilege escalation. ——————————————————————————- baseStriker: Office 365 attack https://www.avanan.com/resources/basestriker-vulnerability-office-365Date: May 8 2018Author: Yoav Nathaniel Excerpt: In this example, Office 365 only performs the lookup on the base domain, ignoring the relative URL in the rest of the body. Because only part of the URL is tested, it mistakenly appears to not exist in the malicious URL database and the email is let through. Furthermore, Safelinks does not replace the malicious link, and the user get the original malicious link, can click it to get right to the phishing page.  ——————————————————————————- Drupal Sites Fall Victims to Cryptojacking Campaigns https://www.bleepingcomputer.com/news/security/drupal-sites-fall-victims-to-cryptojacking-campaigns/Date: May 8 2018Author: Catalin Cimpanu Excerpt: Their efforts and expectations were fully rewarded, as the two vulnerabilities —CVE-2018-7600 and CVE-2018-7602— left over one million websites vulnerable to hacks if they didn’t receive immediate updates. Some webmasters updated their sites, but many didn’t, and those websites quickly fell victims to backdoors and coinminers shortly after the publication of proof-of-concept attack code. ——————————————————————————- And lastly, here are this week’s most noteworthy security bulletins:   1. Adobe Flash Player update https://portal.auscert.org.au/bulletins/62514 Another remote code execution vulnerability if users run malicious content.   2. MOV/POP SS crash https://portal.auscert.org.au/bulletins/62466 A user running unprivileged code can crash the Linux kernel, and probably the Windows kernel, owing to a long-running misunderstanding of how certain CPU instructions work.   3. WebKit RCE from web content https://portal.auscert.org.au/bulletins/62398 WebKit and its Linux port WebKitGTK+ contained memory corruption bugs which could lead to remote code execution from a web browser.   4. Firefox vulnerabilities https://portal.auscert.org.au/bulletins/62570 Continuing the theme of RCEs from web browsers, more memory corruption issues were addressed in Firefox and Firefox Extended Support Release.   Stay safe, stay patched and have a good weekend. David

AUSCERT Week in Review for 4th May 2018 AUSCERT Week in Review04 May 2018 Greetings, Happy Friday all.Plenty of patches and some interesting security stories again this week. Here’s a summary (including excerpts) of some of the more interestingstories we’ve seen this week: Title: Twitter to All Users: Change Your Password Now!Date Published: 03-05-2018URL: https://krebsonsecurity.com/2018/05/twitter-to-all-users-change-your-password-now/Author: Brian KrebsExcerpt:“Twitter just asked all 300+ million users to reset their passwords, citingthe exposure of user passwords via a bug that stored passwords in plain text” —– Title: Somebody Tried to Hide a Backdoor in a Popular JavaScript npm PackageDate Published: 03-05-2018URL: https://www.bleepingcomputer.com/news/security/somebody-tried-to-hide-a-backdoor-in-a-popular-javascript-npm-package/Author: Catalin CimpanuExcerpt:“The Node Package Manager (npm) team avoided a disaster today when itdiscovered and blocked the distribution of a cleverly hidden backdoormechanism” —– Title: Australia’s Biggest Bank Loses 20 Million Customer RecordsDate Published: 03-05-2018URL: https://www.securityweek.com/australias-biggest-bank-loses-20-million-customer-recordsAuthor: AFPExcerpt:“Australia’s troubled Commonwealth Bank admitted Thursday it had lostfinancial records for almost 20 million customers in a major securityblunder — but insisted there was no need to worry.” —– Title: DDoS Attacks Go Down 60% Across Europe Following WebStresser’s TakedownDate Published: 02-05-2018URL: https://www.bleepingcomputer.com/news/security/ddos-attacks-go-down-60-percent-across-europe-following-webstressers-takedown/Author: Catalin CimpanuExcerpt:“Link11, a DDoS mitigation firm, says that DDoS attacks fell 60% acrossEurope following the takedown of WebStresser, the largest DDoS-for-hireportal on the market.” —– Title: Fancy Bear abuses LoJack security software in targeted attacksDate Published: 03-05-2018URL: https://securityaffairs.co/wordpress/72072/apt/fancy-bear-abuses-lojack.htmlAuthor: Pierluigi PaganiniExcerpt:“Recently, several LoJack agents were found to be connecting to serversthat are believed to be controlled by the notorious Russia-linked FancyBear APT group” —– Here are this week’s noteworthy security bulletins: 1) ESB-2018.1312 – ALERT [RedHat] Red Hat: Root compromise – Existing account https://portal.auscert.org.au/bulletins/62054 Red Hat released updates for Openshift Container Platforms versions 3.1,3.2 … 3.9 which had root compromise vulnerabilities.   2) ESB-2018.1381 – [Win] Philips Brilliance Computed Tomography (CT)System: Multiple vulnerabilities https://portal.auscert.org.au/bulletins/62326 From the ICS-CERT’s advisory: “Successful exploitation of thesevulnerabilities may allow an attacker to attain elevated privilegesand access unauthorized system resources, including access to executesoftware or to view/update files including patient health information(PHI), directories, or system configuration.”   3) ESB-2018.1294 – [Mac] Safari: Execute arbitrary code/commands – Remotewith user interaction https://portal.auscert.org.au/bulletins/61978 Vulnerabilities in Webkit affected Safari in various Apple products.   4) ESB-2018.1363 – [Win][UNIX/Linux][Debian] jackson-databind: Executearbitrary code/commands – Remote/unauthenticated https://portal.auscert.org.au/bulletins/62258 Jackson-databind is a widely used Java library for parsing JSON and othedata formats, so this issue could have ramifications on many products andoperating systems.   5) ESB-2018.1337 – [Linux] IBM QRadar SIEM: Multiple vulnerabilities https://portal.auscert.org.au/bulletins/62154 One of many IBM bulletins relating to Java vulnerabilities.   Stay safe, stay patched and have a good weekend! Marcus  

AUSCERT Week in Review for 27th April 2018 AUSCERT Week in Review27 April 2018 Greetings, We have reached the end of another week, so I hope that you can all havean enjoyable and relaxing weekend.As always, there were numerous security vulnerabilities reported andfixes released.Of particular note (especially to us in the Education sector) were thedrupal issues (https://www.drupal.org/sa-core-2018-004). Here’s a summary (including excerpts) of some of the more interestingstories we’ve seen this week: Title: Hackers Don’t Give Site Owners Time to Patch, Start Exploiting New Drupal Flaw Within HoursDate Published: 25/04/2018URL:  https://www.bleepingcomputer.com/news/security/hackers-dont-give-site-owners-time-to-patch-start-exploiting-new-drupal-flaw-within-hours/Author: Catalin CimpanuExcerpt: “Five hours after the Drupal team published a security updatefor the Drupal CMS, hackers have found a way to weaponize the patchedvulnerability, and are actively exploiting it in the wild.”—– Title: Australia joins NATO Cyber Defence CentreDate Published: 24/04/2018URL: https://www.itnews.com.au/news/australia-joins-nato-cyber-defence-centre-489536Author: Juha SaarinenExcerpt: “Australia will take part in the North Atlantic TreatyOrganisation’s cyber warfare centre in Tallinn, Estonia, in order to practicehow to defend critical infrastructure against attacks from hostile nations.”—– Title: Hotel, motel, Holiday Inn? Doesn’t matter – they may need toupdate their room key softwareDate Published: 25/04/2018URL: https://www.theregister.co.uk/2018/04/25/hotel_room_key_security_flaw/Author: Kat HallExcerpt: “Infosec outfit F-Secure has uncovered security vulnerabilitiesin hotel keycard systems that can be exploited by miscreants to break intorooms across the globe.”—– Title: Researchers Hacked Amazon’s Alexa to Spy On Users, AgainDate Published: 25/04/2018URL: https://threatpost.com/researchers-hacked-amazons-alexa-to-spy-on-users-again/131401/Author: Lindsey O’DonnellExcerpt: “A malicious proof-of-concept Amazon Echo Skill shows how attackerscan abuse the Alexa virtual assistant to eavesdrop on consumers with smartdevices – and automatically transcribe every word said.”—– Title: Ransomware Hits HPE iLO Remote Management InterfacesDate Published: 25/04/2018URL: https://www.bleepingcomputer.com/news/security/ransomware-hits-hpe-ilo-remote-management-interfaces/Author: Lawrence AbramsExcerpt: “Attackers are targeting Internet accessible HPE iLO 4 remotemanagement interfaces, supposedly encrypting the hard drives, and thendemanding Bitcoins to get access to the data again.”—– Here are this week’s noteworthy security bulletins: 1) ESB-2018.1279.2 – UPDATED ALERT [Win][UNIX/Linux] Drupal core: Executearbitrary code/commands – Existing accounthttps://portal.auscert.org.au/bulletins/61918 As expected, this vulnerability was being exploited in the wild withinhours of release so needed quick remediation. 2) ESB-2018.1285 – [Apple iOS] iOS: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/61942 Included some RCE vulnerabilities. 3) ESB-2018.1281 – [RedHat] kernel: Root compromise – Existing accounthttps://portal.auscert.org.au/bulletins/61922 Another linux kernel root compromise 4) ESB-2018.1257 – [RedHat] patch: Execute arbitrary code/commands –Remote with user interactionhttps://portal.auscert.org.au/bulletins/61830 “Malicious patch files cause ed to execute arbitrary commands” 5) ESB-2018.1252 – [RedHat] java-1.8.0-oracle: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/61810 There were also numerous fixes released for java 1.6, 1.7 and 1.8 inRHEL-based systems Stay safe, stay patched and have a good weekend! Marcus.