Week in review

AUSCERT Week in Review for 25th January 2018

25 Jan 2018

AUSCERT Week in Review for 25th January 2018 Greetings, It’s hard not to include a bunch of crypto currency related articles because it’s all happening in that sphere right now. Malware authors have targeted individuals who are keen to get into the crypto currency market. South Korea isn’t the only country taking action against crypto currency operators. Some cybercrime organisations have really got their house in order when it comes to managing their business operations. Though it’s taken a backseat to the Bitcoin wars, ransomware is by no means less of a threat this year, with new variants popping up every week. Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More Date Published: 24/01/2018 Authors:  CH Lei, Fyodor Yarochkin, Lenart Bermejo, Philippe Z Lin and Razor Huang Excerpt: “Few cybercrime groups have gained as much notoriety—both for their actions and for their mystique—as the Lazarus group. Since they first emerged back in 2007 with a series of cyberespionage attacks against the South Korean government, these threat actors have successfully managed to pull off some of the most notable and devastating targeted attacks—such as the widely-reported 2014 Sony hack and the 2016 attack on a Bangladeshi bank—in recent history. Throughout the Lazarus group’s operational history, few threat actors have managed to match the group in terms of both scale and impact, due in large part to the wide variety of tools and tactics at the group’s disposal.” —– Large Scale Monero Cryptocurrency Mining Operation using XMRig Date Published: 24/01/2018 Author: Josh Grunzweig Excerpt: “Palo Alto Networks Unit 42 has observed a large-scale cryptocurrency mining operation that has been active for over 4 months. The operation attempts to mine the Monero cryptocurrency using the open-source XMRig utility. Based on publicly available telemetry data via bitly, we are able to estimate that the number of victims affected by this operation is roughly around 15 million people worldwide. This same telemetry provides insights into the most heavily targeted areas involving this campaign, which impacts southeast Asia, northern Africa, and South America the most.” —– Fake cryptocurrency wallet carries ransomware, leads to spyware Date Published: 23/01/2018 Author: Zeljka Zorz Excerpt: “The fake wallet is apparently being advertised on a variety of online forums. The link takes users to a page explaining what SpriteCoin is and offers a link to download the wallet. Once the victim downloads and installs the offered executable (spritecoind.exe), they are asked to enter a password for the wallet and to wait until the app downloads the blockchain:   Unfortunately for the victims, there is no real SpriteCoin, and the software does not download a blockchain.” —– Onecoin’s Bulgarian Offices Raided by Law Enforcement, No Arrests Made Date Published: 22/01/2018 Author: JP Buntinx Excerpt: “Surprisingly, this initiative was not something Bulgarian officials undertook on their own initiative. Instead, they were asked by German officials, where the Onecoin founder Ruja Ignatova has been taken to court. However, Ignatova was born in Bulgaria, which makes this raid a logical course of action. It is evident there are still plenty of skeletons in the closet of this company, and it is now up to law enforcement to bring them to light. Ignatova stepped down as the CEO of Onecoin a while ago, a move that clearly showed she knew what was eventually coming. With over three million people subscribing to the Onecoin “packages”, it is evident there is a very real chance that every single one of them has lost money in the process. This alone is a very worrisome thought, but it is also possible that the total number of defrauded victims is a lot higher. In Bulgaria, the company is suspected of money laundering, illegal payments, and commercial fraud. With this in mind, it seems to make little sense that no one has been arrested so far. At the same time, it is unclear if authorities are looking for specific individuals who may or may not work at the Bulgarian Onecoin office at this time” —- A Look into the Lazarus Group’s Operations Date Published: 24/01/2018 Authors:  Trend Micro Blog Excerpt: “What do the 2014 Sony hack and the 2016 Bangladeshi bank attacks have in common? Aside from being two of the most noteworthy cybercrime incidents of the past few years, these seemingly unrelated attacks are tied together by a common thread: their perpetrator, a cybercrime group called Lazarus. Few cybercrime groups throughout history have had as much disruptive power and lasting impact as the Lazarus Group. Ever since their first attacks, which involved DDoS operations against various organizations across different industries, the group has managed to step up their attacks even further. Two of the group’s most notable campaigns include the 2014 Sony hack, which involved sensitive company and personal information, and the 2016 Bangladeshi bankattack that stole millions of dollars from the financial institution.” —– desuCrypt Ransomware in the Wild with DEUSCRYPT and Decryptable Insane Variants Date Published: 22/01/2018 Author: Lawrence Abrams Excerpt: “When desuCrypt is executed, it will display a console windows that displays the current status of the encryption process. This window will stay open until the ransomware has finished encrypting the computer. According to Michael Gillespie, the creator of ID-Ransomware, at least the Insane variant of desuCrypt is encrypting files using RC4 encryption. This RC4 key is further encrypted using an embedded RSA-2048 key and then embedded at the end of each encrypted file.” Here are this week’s noteworthy security bulletins: 1) ESB-2018.0236 – [Apple iOS] Apple iOS: Multiple vulnerabilities Apple released security updates for numerous products, including this one for iOS. It contains a number of security fixes including one for a privilege escalation vulnerability that could grant root privileges to an attacker. 2) ESB-2018.0241 – [Win] Advantech WebAccess/SCADA: Multiple vulnerabilities Advantech released updates for its WebAccess/SCADA browser-based Human Machine Interface products, that are vulnerable to SQL injection attacks. Successful attacks could allow attackers to obtain confidential information from SCADA infrastructure. 3) ASB-2018.0036 – [Win][UNIX/Linux] Mozilla Firefox ESR: Multiple vulnerabilities Mozilla released updates for Firefox and Firefox ESR to address a large number of vulnerabilities in the web browsers. The most severe of these vulnerabilities could lead to remote code execution. These fixes have been incorporated into OS updates for RedHat, Debian and Ubuntu. Stay safe, stay patched, stay cool and have a good weekend! Nicholas

Learn more

Week in review

AUSCERT Week in Review for 19th January 2018

19 Jan 2018

AUSCERT Week in Review for 19th January 2018 Greetings, Move over Star Wars. The Coin Wars have begun! As if hijacking other peoples CPUs to mine cryptocurrency wasn’t bad enough, some actors have taken to utilising botnets to steal others hard earned bitcoins by misdirecting them from compromised cryptominers to their own wallets. Bitcoin driven malicious activity will certainly be something to look out for this year! Plus botnets usually in the business of spreading malware are sending spam to pump up interest in Swisscoin to aid its trading prices! Add to that a side serving of the battery of malware that are keen to take a peek into your private life, or worse, take over your life. On a happier note, Paper submissions for the AUSCERT 2018 conference close today at midnight, so grab those keyboards and get typing! Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Title: Art of Steal: Satori Variant is Robbing ETH BitCoin by Replacing Wallet Address Date Published: 17/01/2018 Author: 360 netlab Excerpt: “Starting from 2018-01-08 10:42:06 GMT+8, we noticed that one Satori’s successor variant (we name it Satori.Coin.Robber) started to reestablish the entire botnet on ports 37215 and 52869. What really stands out is something we had never seen before, this new variant actually hacks into various mining hosts on the internet (mostly windows devices) via their management port 3333 that runs Claymore Miner software, and replaces the wallet address in the hosts with its own wallet address.” —– Skygofree: Following in the footsteps of HackingTeam Date Published: 16/01/2018 Author: Nikita Buchka and Alexey Firsch Excerpt: ” At the beginning of October 2017, we discovered new Android spyware with several features previously unseen in the wild. In the course of further research, we found a number of related samples that point to a long-term development process. We believe the initial versions of this malware were created at least three years ago – at the end of 2014. Since then, the implant’s functionality has been improving and remarkable new features implemented, such as the ability to record audio surroundings via the microphone when an infected device is in a specified location; the stealing of WhatsApp messages via Accessibility Services; and the ability to connect an infected device to Wi-Fi networks controlled by cybercriminals. “ —– Downloaders on Google Play spreading malware to steal Facebook login details Date Published: 18/01/2018 Author: Alena Nohova Excerpt: “Multiple downloaders, malicious apps that download further malicious apps to infected devices, have made it onto the Google Play Store. The downloaders are capable of downloading further apps that pose as system apps, some of which are capable of stealing Facebook login credentials. To do so, the malicious apps use social engineering tactics to trick victims into giving them up.” —– Threat actors are delivering the Zyklon Malware exploiting three Office vulnerabilities Date Published: 18/01/2018 Author: Perluigi Paganini Excerpt: “Security experts from FireEye have spotted a new strain of the Zyklon malware that has been delivered by using new vulnerabilities in Microsoft Office. Researchers at FireEye reported the malware was used in attacks against organizations in the telecommunications, financial, and insurance sectors.” —- World’s Largest Spam Botnet Is Pumping and Dumping an Obscure Cryptocurrency Date Published: 17/01/2018 Author: Catalin Cimpanu Excerpt: “The cryptocurrency in question is Swisscoin, an altcoin that’s been described as a Multi-Level-Marketing (MLM) ponzi scheme in a report last year, and for which trading was recently suspended. Trading resumed on January 15, the same day the Necurs spam started spreading. Since the Necurs spam, the cryptocurrency lost 40% of its initial trading price. It’s unclear what is Necurs’ impact on the Swisscoin trading price, mainly because there was no previous trading to compare the impact against.” Here are this week’s noteworthy security bulletins: 1) ASB-2018.0034 – [Win][Linux][Virtual] GitLab Community Edition and Enterprise Edition: Multiple vulnerabilities GitLab Community Edition (CE) and Enterprise Edition (EE) received updates to fix a number of vulnerabilities including two remote code execution vulnerabilities. 2) ESB-2018.0168 – [RedHat] linux-firmware: Access privileged data – Existing account More reversions for the SPECTRE fixes! 3) ASB-2018.0018 – [Win][UNIX/Linux] Oracle Financial Services Applications: Multiple vulnerabilities Oracle released its January Critical Patch Update this week, with 238 security fixes across 20 product families, including this one for Oracle Financial Services applications. The most severe vulnerability allows for remote code execution by an authenticated attacker. 4) ESB-2018.0208 – ALERT [Win] Siemens SIMATIC WinCC: Multiple vulnerabilities ICS-CERT released a security advisory for Siemens SIMATIC WIN CC SCADA system used globally for monitoring automated processes in  critical infrastructure sectors such as chemical, energy, food and agriculture and waste management. The advisory addresses a serious remote code execution vulnerability and denial of service vulnerability that could be leveraged to introduce and execute APTs into automated processes and disable monitoring. An update has been released to fix these issues. 5) ESB-2018.0171 – [Win][UNIX/Linux][Debian] bind9: Denial of service – Remote/unauthenticated A remotely exploitable denial of service vulnerability in BIND was fixed in updates for Debian and Ubuntu. ISC has provided BIND 9 patches, which can be downloaded from ISC.org.   Stay safe, stay patched, stay cool and have a good weekend! Nicholas

Learn more

Week in review

AUSCERT Week in Review for 12th January 2018

12 Jan 2018

AUSCERT Week in Review for 12th January 2018 Greetings, Another week of new updates for Meltdown and Spectre with a false start for some of the patches with Ubuntu Kernel updates bricking machines and Windows patches also putting AMD led PCs into reboot loops.AUSCERT has published 152 Bulletins in the first two weeks that’s an average of 16.8 bulletins a day! This must be a new record! Please don’t forget to put in your paper submission for the AUSCERT 2018 conference. Submissions close on the 19th which is just a week away now! Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Title: Ubuntu takes two on Meltdown CPU patch after first one bricked machinesDate Published: 11/1/2018Author: Liam Tung (CSO Online)Excerpt: “Ubuntu maker Canonical on Wednesday released a second take on its kernel fix for the Meltdown CPU bug in Ubuntu 16.04 LTS after reports of machines failing to reboot after the update.”—– Title: Windows emergency Meltdown patch: Microsoft stops update for AMD PCs after crash reportsDate Published: 9/1/2018Author: Nick HeathExcerpt: “Microsoft has scaled back its rollout of Windows patches against the Meltdown and Spectre CPU flaws after reports the updates were crashing computers with AMD processors.”—– Title: Microsoft: How the Threat Landscape Will Shift This YearDate Published: 9/1/2018Author: Kelly SheridanExcerpt: “Unlike security professionals, who have stressed over digital threats for years, most average consumers didn’t recognize the importance of security until 2017.”—– Title: Where the CISO Should Sit on the Security Org Chart and Why It MattersDate Published: 9/1/2018Author: Christophe VeltsosExcerpt: “In early 2016, boards were starting to take cybersecurity more seriously and, in the process, increasing their interactions with chief information security officers (CISOs). How much has changed in the past two years? To whom do CISOs report today, and why does it matter?” —–Title: Healthcare breaches involving ransomware increase year-over-yearDate Published: 8/1/2018Author: @helpnetsecurityExcerpt:  “2017 has been a very challenging year for healthcare institutions as these organizations remain under sustained attack by cybercriminals that continue to target their networks.” —–Title: New Cryptocurrency Mining Malware Has Links to North KoreaDate Published: 8/1/2018Author: Jai VijayanExcerpt: “A security vendor has found another clue that North Korea may be turning to illegal cryptocurrency mining as a way to bring cash into the nation’s economy amid tightening international sanctions.AlienVault on Monday said it had recently discovered malware that is designed to stealthily install a miner for Monero, a Bitcoin-like cryptocurrency, on end-user systems and to send any mined coins to the Kim Il Sung University (KSU) in Pyongyang.”—– Here are this week’s noteworthy security bulletins: 1) ESB-2018.0112 – [Apple iOS] General Motors and Shanghai OnStar (SOS) iOS Client: Multiple vulnerabilitiesDon’t jailbreak your iOS device if you own a recent General Motors vehicle and you control it with the Shanghai OnStar (SOS) iOS Client as someone may take control of your car for you! 2) ESB-2018.0121 – [UNIX/Linux][Ubuntu] irssi: Multiple vulnerabilitiesHaven’t migrated to Slack yet? Still using IRC? Is your favourite IRC chat client still IRSSI? Well you probably should patch that too! 3) ESB-2018.0131.2 – UPDATED ALERT [Win][UNIX/Linux] VMware Workstation and Fusion: Execute arbitrary code/commands – Existing accountA use-after-free vulnerability and an Integer-overflow vulnerability in VMware NAT service have been fixed in the latest versions of VMware Workstation and Fusion. However you wouldn’t have been affected unless you turned IPv6 mode for VMNAT on as it is off by default. 4) ESB-2018.0129 – [Juniper] Juniper Junos OS: Multiple vulnerabilitiesJuniper patched a whole array of vulnerabilities (including a few CRITICAL ones) on Junos OS and even managed to get the premium CVE numbers of CVE-2018-0001 to CVE-2018-0009. Stay safe, stay patched and have a good weekend! Ananda

Learn more

Week in review

AUSCERT Week in Review for 5th January 2018

5 Jan 2018

AUSCERT Week in Review for 5th January 2018 Greetings, Welcome back everyone! We hope that you all had a quiet and relaxing break since this first week of the year has been quite busy. Vulnerabilities (Meltdown and Spectre) in CPU hardware implementations have been disclosed and software mitigations are currently being released by all the major vendors. Please note that Microsoft, Mozilla and Google have confirmed that these vulnerabilities can be exploited through Internet Browsers.We have also observed attackers using remote coding execution vulnerabilities to install cryptocurrency miners in vulnerable hosts and more! Please don’t forget to put in your paper submission for the AUSCERT 2018 conference. Submissions close on the 19th. Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Title: Forever 21 Suffered 7-Month POS Malware AttackDate Published: 3/1/2018URL: https://www.bankinfosecurity.com/forever-21-suffered-7-month-pos-malware-attack-a-10555Author: Mathew J. SchwartzExcerpt: “Apparel retailer Forever 21 says point-of-sale systems in some of its stores were infected by malware for up to seven months, compromising shoppers’ payment card data.”—– Title: Attention, vSphere VDP backup admins: There is a little remote root hole you need to patch…Date Published: 3/1/2018URL: https://www.theregister.co.uk/2018/01/03/vmware_vsphere_vdp/Author: Thomas ClaburnExcerpt: “VMware on Tuesday published a security advisory for its vSphere Data Protection (VDP) backup and recovery product. The virtualization giant identified three vulnerabilities, one of which it deems critical, with the two others categorized as important. The issues affect VDP 5.x, 6.0.x, and 6.1.x.”—– Title: US Homeland Security breach compromised personal info of 200,000+ staffDate Published: 4/1/2018URL: https://www.theregister.co.uk/2018/01/04/us_homeland_security_breach_exposed_personal_info_of_200000_staff/Author: Rebecca HillExcerpt: “More than 240,000 current and former employees of the US Department of Homeland Security have had their personal details exposed in a data breach. In what it describes somewhat euphemistically as a “privacy incident”, the DHS said the breach could also affect anyone who was part of an investigation by the DHS Office of Inspector General between 2002 and 2014.”—– Title: Apple confirms iPhone, Mac affected by Meltdown-Spectre vulnerabilitiesDate Published: 5/1/2018URL: http://www.zdnet.com/article/apple-confirms-iphone-mac-affected-by-meltdown-spectre-vulnerabilities/Author: Asha McLeanExcerpt: “Apple has issued a statement regarding the Meltdown and Spectre vulnerabilities, confirming all Mac systems and iOS devices are affected, but saying there are no known exploits impacting customers at this time. Apple, like Microsoft, has urged users to download software only from trusted sources, such as the App Store. “—– Here are this week’s noteworthy security bulletins: 1) ESB-2018.0011 – [Win][UNIX/Linux] phpMyAdmin: Cross-site request forgery – Remote with user interactionhttps://portal.auscert.org.au/bulletins/56474A CSRF vulnerability has been fixed in the latest version of phpMyAdmin. 2) ESB-2018.0038 – ALERT [Virtual] VMware vSphere Data Protection (VDP): Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/56586A remote unauthenticated malicious user can potentially bypass application authentication and gain unauthorized root access to the affected systems. 3) ASB-2018.0002.3 – UPDATED ALERT [Win][UNIX/Linux] Intel CPU Chip: Access privileged data – Existing accounthttps://portal.auscert.org.au/bulletins/56602Side-channel attacks due to CPU Microcode errors allows for kernel memory to be accessed from user space. 4) ESB-2018.0049 – ALERT [Win] Microsoft Products: Access privileged data – Existing account https://portal.auscert.org.au/bulletins/56634Microsoft has released an out of band patch to fix the CPU Microcode vulnerabilities (Spectre/Meltdown) 5) ASB-2018.0006 – [Win][UNIX/Linux] Mozilla Firefox: Access privileged data – Remote with user interactionhttps://portal.auscert.org.au/bulletins/56726Mozilla has released an update to Firefox to mitigate the Speculative execution side-channel attack (“Spectre”). Stay safe, stay patched and have a good weekend! Ananda

Learn more

Week in review

AUSCERT Week in Review for 22nd December 2017

22 Dec 2017

AUSCERT Week in Review for 22nd December 2017 Greetings, As 2017 draws to a close, we hope it’s been good to you and yours. AUSCERT news: The Call for Proposals is still open until January 19th for the AUSCERT 2018 conference. We analysed the 1.4-billion-credential breach compilation this week and notified ~90% of our members of new user credentials appearing online. Didn’t get an email? Congratulations! AUSCERT will be going into “holiday mode” from today until the 2nd of January. We will continue to operate the 24/7 member incident hotline.(That number is available to members who log in at https://wordpress-admin.auscert.org.au/contact). We’ve become a Fairy Penguin sponsor of linux.conf.au 2018. This week in cybersecurity: ——————————————————————————-Unsecured Amazon S3 Bucket Exposes Details on 123 Million American Householdshttps://www.bleepingcomputer.com/news/security/unsecured-amazon-s3-bucket-exposes-details-on-123-million-american-householdsDate: December 20 2017Author: Catalin Cimpanu Excerpt: More precisely, the database contained over 3.5 billion details for over 123 million American households. The data included both personally identifiable information such as addresses, home details, contact information, or homeowner ethnicity, but also financial details such as mortgage status, financial histories, and purchase behavior.——————————————————————————-Backdoor in Captcha Plugin Affects 300K WordPress Siteshttps://www.wordfence.com/blog/2017/12/backdoor-captcha-pluginDate: December 19 2017Author: Matt Barry Excerpt: If you have not read our previous post on Mason Soiza, I’d suggest you read that first, since he has a long history of buying WordPress plugins in order to place cloaked backlinks on his users’ sites. He then uses these backlinks to increase page rank in SERPs (Search Engine Results Pages) since only web crawlers such as Googlebot can read them.——————————————————————————-Fixing Data Breaches Part I: Educationhttps://www.troyhunt.com/fixing-data-breaches-part-1-educationDate: December 18 2017Author: Troy Hunt Excerpt: You know the old “prevention is better than cure” idiom? Nowhere is it truer than with data breaches and it’s the most logical place to start this series. The next 4 parts of “Fixing Data Breaches” are all about dealing with an incident once things go badly wrong, but let’s start by trying to stop that from happening in the first place.[Troy has published four articles so far of his five-part series, and they are worth reading.]——————————————————————————-U.S. declares North Korea carried out massive WannaCry cyberattackhttp://wapo.st/2yTFsPkDate: December 19 2017Author: Ellen Nakashima & Philip Rucker Excerpt: The Trump administration on Monday evening publicly acknowledged that North Korea was behind the WannaCry computer worm that affected more than 230,000 computers in more than 150 countries earlier this year.——————————————————————————- And lastly, here are this week’s most noteworthy security bulletins: 1. Chromium browser security updatehttps://portal.auscert.org.au/bulletins/56290 Chromium (and Chrome) 63.0.3239.108 address a flaw allowing a web page containing malicious content to cause Chromium to crash, execute arbitrary code, or disclose sensitive information when visited by the victim. 2. otrs2 security updatehttps://portal.auscert.org.au/bulletins/56198 Two vulnerabilities were discovered in the Open Ticket Request System which could result in information disclosure or the execution of arbitrary shell commands by logged-in agents. 3. Security vulnerabilities patched in VMWare productshttps://portal.auscert.org.au/bulletins/56322 Successful exploitation of this issue could result in a low privileged user gaining root level privileges over the appliance base OS.[note: multiple issues exist] 4. Apache vulnerability announced and patched in F5 Networks Productshttps://portal.auscert.org.au/bulletins/56386 Apache modules apache_auth_token_mod and mod_auth_f5_auth_token.cpp allow possible unauthenticated bruteforce on the em_server_ip authorization parameter to obtain which SSL client certificates used for mutual authentication between BIG-IQ or Enterprise Manager (EM) and managed BIG-IP devices. Wishing you a merry Christmas and a happy New Year,David and the team at AUSCERT

Learn more

Week in review

AUSCERT Week in Review for 15th December 2017

15 Dec 2017

AUSCERT Week in Review for 15th December 2017 Greetings, We’ve had a “big” week in a few ways: A huge credential dump aggregating previous dumps has hit the limelight. The defendants in the Mirai case, 2016’s largest botnet, have pleaded guilty. Also, a 19-year-old RSA vulnerability has returned as the ROBOT attack, affecting many notable networking vendors.    The AUSCERT Conference’s Call for Proposals is open. Important Dates for submission——————————13 Nov 2017 – (Monday) – Call for Presentations submissions open19 Jan 2018 – (Friday) – Call for Presentations submission deadline19 Feb 2018 – (Monday) – Notifications from Program Committee Conference Date—————29 May 2018 – 01 Jun 2018 | AUSCERT2018 Conference   As for more news, here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: How a Dorm Room Minecraft Scam Brought Down the Internethttps://www.wired.com/story/mirai-botnet-minecraft-scam-brought-down-the-internetDate: December 13 2017Author: Garrett M. Graff Excerpt: Until then, a large DDoS attack was often considered to be 10 to 20 gigibits per second; vDOS had been overwhelming targets with attacks in the range of 50 Gbps. A follow-on Mirai attack against OVH hit around 901 Gbps. BrickerBot Author Retires Claiming to Have Bricked over 10 Million IoT Deviceshttps://www.bleepingcomputer.com/news/security/brickerbot-author-retires-claiming-to-have-bricked-over-10-million-iot-devices/Date: December 11 2017Author: Catalin Cimpanu Excerpt: In an email sent today to Bleeping Computer, The Janit0r announced his sudden retirement and explained why he reached this decision. I believe that the project has been a technical success, but I am now starting to worry that it is also having a deleterious effect on the public’s perception of the overall IoT threat. Researchers keep issuing high profile warnings about genuinely dangerous new botnets, and a few weeks or even days later they are all but gone. Sooner or later people are going to start questioning the credibility of the research and the seriousness of the situation. Extended Validation is Brokenhttps://stripe.ian.shDate: December 12 2017Author: Ian Carroll Excerpt: One question may be how practical this attack is for a real attacker who desires to phish someone. First, from incorporation to issuance of the EV certificate, I spent less than an hour of my time and about $177. $100 of this was to incorporate the company, and $77 was for the certificate. It took about 48 hours from incorporation to the issuance of the certificate. Game-changing attack on critical infrastructure site causes outagehttps://arstechnica.com/information-technology/2017/12/game-changing-attack-on-critical-infrastructure-site-causes-outage/Date: December 15 2017Author: Dan Goodin Excerpt: The accidental outage was likely the result of the Triconex SIS, or “safety instrumented system.” The SIS shut down operations when it experienced an error that occurred as the hackers were performing reconnaissance on the facility. Although the hackers were likely seeking the ability to cause physical damage inside the facility, the November shutdown was likely not deliberate. Variation of 19-Year-Old Cryptographic Attack Affects Facebook, PayPal, Othershttps://www.bleepingcomputer.com/news/security/variation-of-19-year-old-cryptographic-attack-affects-facebook-paypal-others/Date: 12 December 2017Author: Catalin Cimpanu Excerpt: The ROBOT research team say that despite this being a variation for a 19-year-old attack, 27 of the Alexa Top 100 websites are vulnerable to the ROBOT attack. Vulnerable sites include Facebook and PayPal. The ROBOT attack scientific paper includes a case study how the research team decrypted Facebook traffic. 1.4 Billion Clear Text Credentials Discovered in a Single Databasehttps://medium.com/4iqdelvedeep/1-4-billion-clear-text-credentials-discovered-in-a-single-database-3131d0a1ae14Date: December 9 2017Author: Julio Casal Excerpt: The 41GB dump was found on 5th December 2017 in an underground community forum. The database was recently updated with the last set of data inserted on 11/29/2017. The total amount of credentials (usernames/clear text password pairs) is 1,400,553,869.   And lastly, here are this week’s most noteworthy security bulletins: 1. ASB-2017.0217 – Remote code execution patched in Palo Alto firewallshttps://portal.auscert.org.au/bulletins/56182 Through the exploitation of a combination of unrelated vulnerabilities, and via the management interface of the device, an attacker could remotely execute code on PAN-OS in the context of the highest privileged user. 2. ESB-2017.3160 – Thunderbird security updatehttps://portal.auscert.org.au/bulletins/55970 Multiple security issues have been found in Thunderbird, which may lead to the execution of arbitrary code or denial of service. 3. ESB-2017.3200 – Jenkins patches race conditions during setuphttps://portal.auscert.org.au/bulletins/56154 On Jenkins 2.81 and newer, including LTS 2.89.1, this could in rare cases (we estimate less than 20% of new instances) result in failure to initialize the setup wizard on the first startup. Affected instances need to be configured to restrict access. 4. ESB-2017.3182.2 – TLS vulnerability discovered in Cisco products (ROBOT)https://portal.auscert.org.au/bulletins/56082 An attacker could iteratively query a server running a vulnerable TLS stack implementation to perform cryptanalytic operations that may allow decryption of previously captured TLS sessions. [Note that Cisco does not intend to fix this in all affected products, e.g.the ACE 4710 and ACE30.]   Wishing you all the best from AUSCERT and see you next week,David

Learn more

Week in review

AUSCERT Week in Review for 8th December 2017

8 Dec 2017

AUSCERT Week in Review for 8th December 2017 AUSCERT Week in Review08 December 2017 Greetings, Remember that the holiday season is the time we relax so don’t get caught by someone trying to take advantage of this. And the Call for Proposals for AUSCERT 2018 is now open.https://gems.eventsair.com/auscert2018-conference/presentation Important Dates for submission——————————13 Nov 2017 – (Monday) – Call for Presentations submissions open19 Jan 2018 – (Friday) – Call for Presentations submission deadline19 Feb 2018 – (Monday) – Notifications from Program Committee Conference Date—————29 May 2018 – 01 Jun 2018 | AUSCERT2018 Conference As for more news, here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: ——————————————————————————- Title: Banking Apps Found Vulnerable to MITM Attacks issueURL: https://threatpost.com/banking-apps-found-vulnerable-to-mitm-attacks/129105/Date: December 07, 2017Author: Tom Spring Excerpt: “Using a free tool called Spinner, researchers identified certificate pinning vulnerabilities in mobile banking apps that left customers vulnerable to man-in-the-middle attacks” ——————————————————————————- Title: Uber hacker is a 20 yr-old Florida manURL: https://www.itnews.com.au/news/uber-hacker-is-a-20-yr-old-florida-man-479365 Date: Decemeber 07, 2017Author: Joseph Menn and Dustin Volz Excerpt: “Paid to keep quiet in bug bounty. A 20-year-old Florida man was responsible for a massive data breach at Uber last year and was paid by Uber to destroy the data through a bug bounty program, three people familiar with the events have told Reuters.” ——————————————————————————- Title: Bitcoin Miner NiceHash Hacked, Possibly Losing $62 Million in BitcoinURL: https://www.darkreading.com/cloud/bitcoin-miner-nicehash-hacked-possibly-losing-$62-million-in-bitcoin/d/d-id/1330585 Date: Decemeber 07, 2017Author: Dark Reading Excerpt: “Slovenia-based bitcoin mining company NiceHash has temporarily halted its operations while it investigates a security breach and determines how many bitcoins were stolen, the company announced Wednesday.” ——————————————————————————- Title: The Cumulative Effect of Major Breaches: The Collective Risk ofYahoo & EquifaxURL:http://www.securityweek.com/cumulative-effect-major-breaches-collective-risk-yahoo-equifax Date: Decemeber 07, 2017Author: Markus Jakobsson Excerpt: “While there are no signs today of criminals consolidating and reselling data from different breaches, it is an obvious concern as the value-add of the packaging would be substantial.” ——————————————————————————- And lastly, here are this week’s most noteworthy security bulletins: 1. ASB-2017.0210 – [Win][UNIX/Linux] Firefox: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/55934  A buffer overflow occurs when drawing and validating elements using Direct 3D 9 with the ANGLE graphics library, used for WebGL content.This is due to an incorrect value being passed within the library during checks and results in a potentially exploitable crash. 2. ASB-2017.0209 – [Win][UNIX/Linux] Tenable Nessus: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/55930  Nessus leverages third-party software to help provide underlying functionality. One of the third-party components (OpenSSL) was found tocontain vulnerabilities, and updated versions have been made available by the providers. 3. ESB-2017.3144 – [Win][UNIX/Linux][FreeBSD] OpenSSL: Access privileged data – Remote/unauthenticatedhttps://portal.auscert.org.au/bulletins/55898  OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an “error state” mechanism. The intent was that if a fatal error occurred during a handshake then OpenSSL would move into the error state and would immediately fail if you attempted to continue the handshake. 4. ESB-2017.3117 – [SUSE] shibboleth-sp: Reduced security – Remote/unauthenticatedhttps://portal.auscert.org.au/bulletins/55786 CVE-2017-16852: Fix critical security checks in the Dynamic MetadataProvider plugin in Shibboleth Service (bsc#1068689). Wishing all the best from AUSCERT and see you next week, Peter

Learn more

Week in review

AUSCERT Week in Review for 1st December 2017

1 Dec 2017

AUSCERT Week in Review for 1st December 2017 AUSCERT Week in Review 01 December 2017   Greetings,   Headline news this week was the flaw in Apple High Sierra that allows login with the user root and a blank password. And the Call for Proposals for AUSCERT 2018 is now open. As for more news, here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:   ——————————————————————————-   Title:   Apple releases update to fix critical macOS High Sierra security issue URL: https://www.theverge.com/2017/11/29/16715246/apple-releases-high-sierra-root-security-patch Date:    November 29, 2017 Author:  Chris Welch  Excerpt: “Apple has just rolled out a security update for macOS High Sierra that fixes the major flaw that was publicly disclosed yesterday. A support page for the patch, Security Update 2017–001, confirms that it addresses the vulnerability that allowed admin access to a Mac computer without providing any password. The update breaks file sharing for some users, but Apple has released a fix for that as well.”   ——————————————————————————-   Title:   Cryptocurrency Mining Scripts Now Run Even After You Close Your Browser URL: https://thehackernews.com/2017/11/cryptocurrency-mining-javascript.html Date:    November 29, 2017 Author:  Swati Khandelwal   Excerpt: “Some websites have found using a simple yet effective technique to keep their cryptocurrency mining javascript secretly running in the background even when you close your web browser. Due to the recent surge in cryptocurrency prices, hackers and even legitimate website administrators are increasingly using JavaScript-based cryptocurrency miners to monetize by levying the CPU power of their visitor’s PC to mine Bitcoin or other cryptocurrencies.”   ——————————————————————————-   Title:   Cisco Patches Critical Playback Bugs In Webex Players URL: https://threatpost.com/cisco-patches-critical-playback-bugs-in-webex-players/129057/ Date:    November 30, 2017 Author:  Tom Spring Excerpt: “Cisco Systems issued a Critical alert on Wednesday warning of multiple vulnerabilities in its popular WebEx player. Six bugs were listed in the security advisory, each of them relating to holes in Cisco WebEx Network Recording Player for Advanced Recording Format (ARF) and WebEx Recording Format (WRF) files.   “A remote attacker could exploit these vulnerabilities by providing a user with a malicious ARF or WRF file via email or URL and convincing the user to launch the file,” according to Cisco.”   ——————————————————————————-   Title:   Classified Pentagon data leaked on the public cloud URL: http://www.bbc.com/news/technology-42166004?intlink_from_url=http://www.bbc.com/news/topics/cz4pr2gd85qt/cyber-security&link_location=live-reporting-story Date:    November 29, 2017 Author:  Technology Excerpt: “Classified Pentagon data was mistakenly left exposed on an unsecured public cloud server, cyber-security researchers have discovered. The 100GB of data is from a failed joint intelligence-sharing programme run by the US Army and National Security Agency in 2013. The information was left on an unlisted but public Amazon Web Services storage server. It is likely to have been accessible to anyone on the internet for years.”   ——————————————————————————-   And lastly, here are this week’s most noteworthy security bulletins:   ASB-2017.0206 – [Win][UNIX/Linux] WordPress: Execute arbitrary code/commands – Existing account 30 November 2017 https://portal.auscert.org.au/bulletins/55550 WordPress versions 4.9 and earlier are affected by four security issues which could potentially be exploited as part of a multi-vector attack.     ASB-2017.0205 – ALERT [OSX] Apple High Sierra : Root compromise – Console/physical 29 November 2017 http://www.auscert.org.au/55378  Today, a security researcher twitted about a dangerous behaviour he found in the Apple High Sierra operating system: It is possible to get administrator rights (the “root” account on UNIX) by connecting without a password.    ASB-2017.0204 – [Win][UNIX/Linux] Thunderbird: Multiple vulnerabilities 27 November 2017 http://www.auscert.org.au/55322  Security vulnerabilities fixed in Thunderbird 52.5 A use-after-free vulnerability can occur when flushing and resizing layout because the PressShell object has been freed while still in use. This results in a potentially exploitable crash during these operations.     ESB-2017.3057 – [Cisco] Cisco WebEx Meeting Center: Unauthorised access – Remote with user interaction 30 November 2017 http://www.auscert.org.au/55538  A vulnerability in Cisco WebEx Meeting Center could allow an authenticated, remote attacker to initiate connections to arbitrary hosts.    Wishing all the best from AUSCERT and see you next week,   Cheers, Peter

Learn more

Week in review

AUSCERT Week in Review for 24th November 2017

24 Nov 2017

AUSCERT Week in Review for 24th November 2017 AUSCERT Week in Review24 November 2017 Greetings, Headline news this week is that security researchers discover multiple serious vulnerabilities in Intel firmware.If your cubicle needs more decoration, OWASP have published an updated Top Ten cheatsheet.And the Call for Proposals for AUSCERT 2018 is now open. As for more news, here’s a summary (including excerpts) of some of themore interesting stories we’ve seen this week: ——————————————————————————- Title: Intel Chip Flaws Leave Millions of Devices ExposedURL: https://www.wired.com/story/intel-management-engine-vulnerabilities-pcs-servers-iot/Date: November 20, 2017Author: David Paul Morris Excerpt:“SECURITY RESEARCHERS HAVE raised the alarm for years about the Intel remote administration feature known as the Management Engine. The platform has a lot of useful features for IT managers, but it requires deep system access that offers a tempting target for attackers; compromising the Management Engine could lead to full control of a given computer. Now, after several research groups have uncovered ME bugs, Intel has confirmed that those worst-case fears may be possible.…[Intel] has also published a Detection Tool so Windows and Linux administrators can check their systems to see if they’re exposed.” ——————————————————————————- Title: Four Years Later, We Have a New OWASP Top 10URL: https://www.bleepingcomputer.com/news/security/four-years-later-we-have-a-new-owasp-top-10/Date: November 21, 2017Author: Catalin Cimpanu Excerpt:“The OWASP has seen several iterations over the years. Versions of the OWASP Top 10 have been released in 2004, 2007, 2010, 2013, and 2017, respectively. As in previous years, injection remained the top application security risk, but there has been some shuffling in the ranking, with the appearance of three newcomers — XML External Entities (XXE), Insecure Deserialization, and Insufficient Logging&Monitoring.” ——————————————————————————- Title: Uber Paid Hackers to Delete Stolen Data on 57 Million PeopleURL: https://www.bloomberg.com/news/articles/2017-11-21/uber-concealed-cyberattack-that-exposed-57-million-people-s-dataDate: November 22, 2017Author: Eric Newcomer Excerpt:“Hackers stole the personal data of 57 million customers and drivers from Uber Technologies Inc., a massive breach that the company concealed for more than a year. This week, the ride-hailing firm ousted its chief security officer and one of his deputies for their roles in keeping the hack under wraps, which included a $100,000 payment to the attackers.” ——————————————————————————- Title: IBM, Nonprofits Team Up in New Free DNS ServiceURL: https://www.darkreading.com/analytics/ibm-nonprofits-team-up-in-new-free-dns-service/d/d-id/1330454Date: November 17, 2017Author: Kelly Jackson Higgins Excerpt:“Setting up the Quad9 service entails reconfiguring the DNS setting on networked devices to 9.9.9.9. When a user types an URL into his or her browser, or clicks on a website, the service checks it against IBM X-Force’s threat intelligence database, as well as nearly 20 other threat intelligence feeds including Abuse.ch, the Anti-Phishing Working Group, F-Secure, Proofpoint, and RiskIQ.” ——————————————————————————- And lastly, here are this week’s most noteworthy security bulletins: 1. ASB-2017.0203 – Apple iOS and MacOS: Root compromise – Existing account 21 November 2017http://www.auscert.org.au/55210 A vulnerability was addressed in iOS 11.1.2 and MacOS 10.13.1 which may have enabled arbitrary code execution with system privileges. 2. ESB-2017.2994 – libspring-ldap-java: Unauthorised access – Remote/unauthenticated http://www.auscert.org.au/55278 The library would, under certain circumstances, allow authentication with a correct username but an arbitrary password. 3. ESB-2017.2967 – libxml-libxml-perl: Execute arbitrary code/commands – Remote/unauthenticated 20 November 2017http://www.auscert.org.au/55158 Arbitrary code execution from a crafted file. 4. ESB-2017.2965 – procmail: Execute arbitrary code/commands – Remote/unauthenticated 20 November 2017http://www.auscert.org.au/55150 Malformed mail messages could crash the formail tool, or potentially execute arbitrary code. Wishing all the best from AUSCERT and see you next week, Cheers,David  

Learn more

Week in review

AUSCERT Week in Review for 17th November 2017

17 Nov 2017

AUSCERT Week in Review for 17th November 2017 AUSCERT Week in Review17 November 2017 Greetings, As Friday 17 November closes, Cisco have announced and addressed a bug with certain upgrade paths in their appliances which left a root user wide open. The world’s most mainstream security target, Apple’s latest iPhone, has been fooled by researchers with an affordable mask. JavaScript cryptocurrency miners have also hit the news, with implementations available for all sorts of currencies, becoming a new XSS favourite. As for more news, here’s a summary of some of the more interesting stories we’ve seen this week: Title:  Microsoft November Patch Tuesday Fixes 53 Security IssuesURL: https://www.bleepingcomputer.com/news/microsoft/microsoft-november-patch-tuesday-fixes-53-security-issues/Date:   14 November 2017Author: Catalin Cimpanu Excerpt:“No zero-days this monthDetails about four vulnerabilities were published online before today’spatches, but fortunately, none were exploited in real-world attacks.” ——– Title:    APCERT 2017 AGM and Conference: A Window into the CERT communityURL:    https://wordpress-admin.auscert.org.au/blog/2017-11-17-apcert-2017-agm-and-conference-window-c/Date:   17 November 2017Author: Anthony Vaccaro (of AUSCERT!) Excerpt:“Additionally, some external speakers were invited to give talks at the conference. Some highlights included a talk by Akamai representative Amol Mathur on attacks that target API services directly, bypassing many of the protections that are built into front-end applications, and an overview on using machine learning to analyse malware samples by Rajesh Nikam of Quick Heal. As malware campaigns grow in both size and number, we need to move away from manual analysis in order to process as many samples as possible, making use of technologies such as machine learning to automate the process.” ——– Title:    2,500+ Websites Are Now “Cryptojacking” To Use Your CPU Power And Mine CryptocurrencyURL:    https://fossbytes.com/2500-websites-are-now-cryptojacking-to-use-your-cpu-power-and-mine-cryptocurrency/Date:   10 November 2017Author: Adarsh Verma Excerpt:“Most of these websites are using a JavaScript-based miner from the website Coinhive. By simply pasting a code snippet on the website, any webmaster can start mining. They just need to share a small cut with Coinhive.”——– Title:    Researchers Fool iPhone X’s Face ID with $150 3D Printed FaceURL:    https://www.cso.com.au/article/629951/researchers-fool-iphone-x-face-id-150-3d-printed-face/Date:   14 November 2017Author: Liam Tung Excerpt:“The company hasn’t revealed exactly how it tricked Face ID but says it was possible because they understood how Apple’s Face ID artificial intelligence worked. Face ID requires the user look directly at the camera by directing the direction of the user’s gaze, and then uses neural networks for matching and anti-spoofing.” ——– And lastly, here are this week’s noteworthy security bulletins (in noparticular order): 1. ESB-2017.2953 – [Win][UNIX/Linux] OpenSAML2 metadata filter bypasshttps://portal.auscert.org.au/bulletins/55102 CVE-2017-16853: A filtering engine omits to run checks, leading to metadata exposure in a major SAML library. Expect to hear more on this. 2. ESB-2017.2931 – [Cisco] Known Root Credentials Enabled After Some Upgradeshttps://portal.auscert.org.au/bulletins/55010 The vulnerability occurs when a refresh upgrade or Prime Collaboration Deployment (PCD) migration is performed on an affected device. When a refresh upgrade or PCD migration is completed successfully, an engineering flag remains enabled and could allow root access to the device with a known password. Subsequent upgrades disable this flag. 3. ESB-2017.2913 – [Debian] mediawiki: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/54938 Cross-site scripting, revealing account existence and a set of HTML mangling attacks. 4.  ASB-2017.0194 – [Win] Microsoft Edge: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/54822 In seeking to speed up its Edge browser, Microsoft is producing and flattening RCEs. Wishing you the best from AUSCERT and hope to see you next week,David

Learn more

Week in review

AUSCERT Week in Review for 10th November 2017

10 Nov 2017

AUSCERT Week in Review for 10th November 2017 AUSCERT Week in Review10 November 2017 Greetings, As Friday 10th of November closes, DDE, a twenty four (24) year old feature in the Office suite, has taken the limelight in the method of executing code on victim’s computers.  Although this method requires heavy user interaction, it was finally addressed for mitigation, published by the vendor and pushed out to members in an AUSCERT bulletin. So, applying the mitigation and applying an other round of user education notices may do well to protect your organisation.  Another set of people that may need to be educated on the dangers of opening up fresh and untrusted code on the internet could be script kiddies, this being the lead to our top new story this week. As for more news, here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Title:  Script Kiddie Nightmare: IoT Attack Code Embedded with BackdoorURL:    https://blog.newskysecurity.com/script-kiddie-nightmare-iot-attack-code-embedded-with-backdoor-39ebcb92a4bbDate:   November 8, 2017 Author: NewSky Security     Excerpt:“The IoT threat landscape is proving to be the fastest to evolve, with attacks shifting from basic password guessing, to using a variety of exploits as seen recently in the IoTroop/Reaper botnet. Enter the script kiddie?—?amateurish hackers that copy/paste code for quick results. “ ——- Title:  Windows Movie Maker Scam spreads massively due to high Google rankingURL:    https://www.welivesecurity.com/2017/11/09/eset-detected-windows-movie-maker-scam-2017/Date:   November 9, 2017 Author: Peter Stancik     Excerpt:“Scammers have been surprisingly successful at distributing a modified version of Windows Movie Maker that aims to collect money from unaware users. The spread of the scam (which itself is far from new) has been boosted by search engine optimization of the crooks’ website, as well as continuing demand for Windows Movie Maker, Microsoft’s free video editing software, discontinued since January 2017.” ——- Title:  Google Adds New Features in Chrome to Fight MalvertisingURL:    https://www.bleepingcomputer.com/news/security/google-adds-new-features-in-chrome-to-fight-malvertising/Date:   November 9, 2017 Author: Catalin Cimpanu     Excerpt:“Google announced plans today for three new Chrome security features that will block websites from sneakily redirecting users to new URLs without the user or website owner’s consent. While all three additions are welcomed, one of these features has the potential to stop a few malvertising campaigns dead in their tracks, and could potentially disrupt the malware scene in the next few months.” ——- Title:  Chinese Keyboard Developer Spies on User Through Built-in KeyloggerURL:    https://www.hackread.com/chinese-keyboard-developer-spies-on-user-through-built-in-keylogger/Date:   November 8, 2017Author: Waqas      Excerpt:“A Chinese mechanical keyboard manufacturer MantisTek has been caught in the middle of a controversy in which it’s being blamed for spying on users through built-in keylogger in its GK2 model and sending the data to a server apparently hosted on Alibaba Cloud server.” ——- Title:  Locky Ransomware Used to Target Hospitals EvolvesURL:    http://www.zdnet.com/article/locky-ransomware-used-to-target-hospitals-evolves/Date:   November 7, 2017Author: Charlie Osborne     Excerpt:“According to new research released by Cylance, a relatively new Locky variant, dubbed Diablo6, includes a few tweaks which are making detection of the ransomware more difficult for traditional antivirus solutions as well as end users.In a blog post, the team said Diablo6 performs an attack in two stages. The first is a typical attack vector for ransomware — a spear phishing email which contains a .zip archive, but something new for the Locky variant.While masquerading as a legitimate email and attachment, the file actually contains a VBS file which, when decompressed and opened, attempts to connect to Locky’s command-and-control (C&C) server for instructions.” ——- And lastly, here are this week’s noteworthy security bulletins (in no particular order): 1.    ASB-2017.0192 – [Win] Securely opening Microsoft Office documents that contain Dynamic Data Exchange (DDE) fieldshttps://portal.auscert.org.au/bulletins/54686 An attacker could leverage the DDE protocol by sending a specially crafted file to the user and then convincing the user to open the file, typically by way of an enticement in an email. 2.    ESB-2017.2807 – [SUSE] kernel: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/54466 CVE-2015-9004: kernel/events/core.c in the Linux kernel mishandled counter grouping, which allowed local users to gain privileges via a crafted application, related to the perf_pmu_register and perf_event_open functions 3.    ESB-2017.2867 – [Appliance] IBM Security SiteProtector System: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/54726 CVE-2017-10116: An unspecified vulnerability related to the Java SE Security component could allow an unauthenticated attacker to take control of the system. 4.    ESB-2017.2865 – [Win] Schnedier Electric InduSoft Web Studio and Schneider Electric InTouch Machine Edition : Execute arbitrary code/commands – Remote/unauthenticatedhttps://portal.auscert.org.au/bulletins/54718 CVE-2017-14024: The stack-based buffer overflow vulnerability has been identified, which may allow remote code execution with high privileges. 5.    ESB-2017.2855 – [BlackBerry] BlackBerry: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/54670 CVE-2017-0862: Elevation of Privilege in Kernel                              — Wishing you the best from AUSCERT and hope to see you next week,Geoffroy

Learn more

Week in review

AUSCERT Week in Review for 3rd November 2017

3 Nov 2017

AUSCERT Week in Review for 3rd November 2017 AUSCERT Week in Review03 November 2017 Greetings, As Friday 3rd of November closes, a tally of the root compromises is more than I have seen this past year.  Let’s hope that the reason why we are indeed seeing an up tick in this type of vulnerability is only because security teams and their capabilities are indeed expanding. Well, at least this is the silver lining to be seen as this cloud of root compromise bulletins rolls over.  As for news, here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Title:  If your websites use WordPress, put down that coffee and upgrade to 4.8.3. Thank us laterURL:    http://www.theregister.co.uk/2017/10/31/wordpress_security_fix_4_8_3/Date:   31st October 2017Author: Iain Thomson Excerpt:“The fix addresses a flaw that can be potentially exploited by hackers to hijack and take over WordPress-powered websites, by injecting malicious SQL database commands. The core installation of WordPress is not directly affected, we’re told, rather the bug is in a security function provided by the core to plugins and themes. In other words, a bug in the core leaves plugins and themes potentially at risk of being hacked, leading to whole sites being commandeered by miscreants.” ——- Title:  Just one day after its release, iOS 11.1 hacked by security researchersURL:    http://www.zdnet.com/article/ios-11-hacked-by-security-researchers-day-after-release/Date:   2nd November 2017Author: Zack Whittaker Excerpt:“A day after iOS 11.1 was released, security researchers have already broken the software. News of the exploits came from Trend Micro’s Mobile Pwn2Own contest in Tokyo, where security researchers found two vulnerabilities in Safari, the mobile operating system’s browser. “ ——- Title:  AI will not solve your security analytics issuesURL:    https://www.csoonline.com/article/3236025/artificial-intelligence/ai-will-not-solve-your-security-analytics-issues.htmlDate:   2nd November 2017Author: Alexander Poizner Excerpt:“Managing SOC is not pretty. Constant stress due to avalanche of tickets and vast amounts of data to analyze using often underpowered and sometimes outdated tools, combined with high turnover and low morale staff. It is understandable that in such environment everybody is looking for a miracle. Any new technology that has a capability to automate an analysis and detect anomalies gets attention of operations security. With an amount of hype surrounding AI, the temptation is great to jump into early adoption.” ——- Title:  Security Think Tank: Three areas of web security challengesURL:    http://www.computerweekly.com/opinion/Security-Think-Tank-Three-areas-of-web-security-challengesDate:   1st November 2017Author: Peter Wenham Excerpt:“Very few companies these days are without a website and those websites provide a portal from the internet that the bad people can exploit to attack a company’s infrastructure including the website itself. The security challenges posed by a web presence fall into the three broad categories of legal, technical and operational. On the legal side you need to have a privacy policy identifying what personal data is collected, how that data will be used and who that data might be shared with and why. The policy should be made compliant with the General Data Protection Regulation (GDPR) for which the compliance deadline is 25 May 2018, but this will require you to track GDPR guidance as it becomes available.” ——- Title:  Facebook pledges to double its 10,000-person safety and security staff by end of 2018URL:    https://www.cnbc.com/2017/10/31/facebook-senate-testimony-doubling-security-group-to-20000-in-2018.htmlDate:   31st October 2017Author: Anita Balakrishnan     Excerpt:“Facebook, under intensifying pressure from legislators and consumers to clean up its site, is pledging to double the number of people it has working on issues related to safety and security. Colin Stretch, a vice president and general counsel at Facebook, testified before senators on Tuesday alongside executives from Twitter and Google. He told them that Facebook’s staff focused on sensitive security and community issues will grow to 20,000 by the end of next year.” ——- And lastly, here are this week’s noteworthy security bulletins (in no particular order): 1.    ESB-2017.2778 – [OSX] Apple macOS: Multiple vulnerabilities https://portal.auscert.org.au/bulletins/54342 An application may be able to execute arbitrary code with system privileges. 2.    ESB-2017.2766 – [Mobile] Apple Watch: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/54294 An application may be able to execute arbitrary code with kernel privileges. 3.    ESB-2017.2763 – [Ubuntu] kernel: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/54282 A local attacker could exploit this vulnerability to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. 4.    ESB-2017.2782 – [Cisco] Cisco Firepower 4100 Series Next-Generation Firewall (NGFW): Root compromise – Existing accounthttps://portal.auscert.org.au/bulletins/54358 An authenticated, remote attacker to inject arbitrary commands that could be executed with root privileges. 5.    ESB-2017.2790 – [Appliance] F5 Products: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/54390 An authenticated attacker may be able to cause an escalation of privileges through a crafted application that uses the fork or close system call. — Wishing you the best from AUSCERT and hope to see you next week,Geoffroy

Learn more