Publications

AUSCERT Week in Review for 9th March 2018 Greetings, As Friday draws to a close, here are some of the more interesting Infosecstories we’ve seen this week: Title: Kali Linux for WSL now available in the Windows StoreDate Published: Mar 05 2018URL: https://blogs.msdn.microsoft.com/commandline/2018/03/05/kali-linux-for-wsl/Author: Tara RajExcerpt: “Our community expressed great interest in bringing Kali Linuxto WSL in response to a blog post on Kali Linux on WSL. We are happy toofficially introduce Kali Linux on WSL.” ——- Title: Vulnerability Affects Half of the Internet’s Email ServersDate Published: March 06 2018URL: https://www.bleepingcomputer.com/news/security/vulnerability-affects-half-of-the-internets-email-servers/Author: Catalin CimpanuExcerpt: “A critical vulnerability affects hundreds of thousands of emailservers. A fix has been released but this flaw affects more than half ofthe Internet’s email servers, and patching the issue will take weeks ifnot months.” ——- Title: BoM IT staffers questioned by police over cryptocurrency miningDate Published: March 08 2018URL: https://www.itnews.com.au/news/bom-it-staffers-questioned-by-police-over-cryptocurrency-mining-486546Author: Allie CoyneExcerpt: “Two IT workers within the Bureau of Meteorology have beenquestioned by police over the alleged use of the agency’s IT infrastructureto mine cryptocurrencies. AFP officers raided the bureau’s Melbourneheadquarters last Wednesday, as first reported by the ABC, and spoke withtwo of the agency’s IT workers.” ——- Title: APRA to give banks stricter cyber security rulesDate Published: Mar 07 2018URL: https://www.itnews.com.au/news/apra-to-give-banks-stricter-cyber-security-rules-486477Author: Allie CoyneExcerpt: “the Australian Prudential Regulation Authority (APRA) now wantsto create a dedicated prudential standard for cyber security to ensurefinancial services firms are keeping their systems secure against thelatest trends in attack.” ——- Here are this week’s noteworthy security bulletins: 1) ESB-2018.0620 – [Debian] simplesamlphp: Multiple vulnerabilitiesSeveral vulnerabilities have been discovered in SimpleSAMLphp, aframework for authentication, primarily via the SAML protocol. 2) ESB-2018.0681 – ALERT [Virtual][Cisco] Cisco Prime Collaboration: Root compromise – Remote/unauthenticatedA hardcoded password in Cisco Prime Collaboration could allow attackers toaccess the underlying Linux operating system. 3) ESB-2018.0679 – [UNIX/Linux][FreeBSD] ntp: Multiple vulnerabilitiesVarious vulnerabilities in the ntp suite of programs can allow hackers toaffect the system clocks of hosts using these programs. Stay safe, stay patched and have a good weekend!Anthony

25 Years of AUSCERT AUSCERT celebrates 25 years today There has been a lot of growth in the industry since the original SERT (Security Emergency Response Team) was formed in 1993. Three Brisbane based universities formed the SERT originally, Queensland University of Technology, Griffith University and The University of Queensland. Originally the SERT was formed for several reasons. One was in response to Australia being recognised as a targeted geographical location for cyber security threats. Also, back in 1992, Australia was the origin of an increasing number of these attacks, which targeted overseas websites. Relationship building with international CERTs began at this time, with the CERT Coordination Centre in Pittsburgh and the DFNCERT team in Germany being incredibly vital to the growth of Australia’s first CERT. In the early days an exercise book was used to log all incoming calls, including wrong numbers. Indeed one of those original staff members, whose initials are inscribed in that book, is an AUSCERT employee today. AUSCERT began in name on the 1st April, 1994, this was made possible by a collaboration with AARNet, who at that time were quite new themselves, only having been in operation for several years. AUSCERT became a member organisation in the late nineties, and has since been funded by our members.   The AUSCERT team is driven by a passion to protect, assist and engage with the information security community. We will continue to provide first class threat intelligence, unique membership options and advice now, and in the future.  

AUSCERT Week in Review for 2nd March 2018 Greetings, This week saw Trustico revoke more than 20,000 SSL certificates it issued, gaining them the attention of the infosec community, who were quick to offer unsolicited, complimentary penetration testing services for their website. GitHub has achieved the dubious (but well-handled) honour of being the biggest DDoS recipient, taking the crown from Dyn – dealing with 1.35Tbps of traffic at its peak. This attack was made possible by a memcached UDP amplification attack. Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: The UK and Australian Governments Are Now Monitoring Their Gov Domains on Have I Been PwnedDate Published: 02 March 2018Author: Troy HuntExcerpt: “As of now, all UK government domains are enabled for centralised monitoring by the National Cyber Security Centre (NCSC) and all Australian government domains by the Australian Cyber Security Centre (ACSC).”   ——- 23,000 HTTPS certs will be axed in next 24 hours after private keys leakDate Published: 01 March 2018Author: John LeydenExcerpt: “This is allegedly due to a security blunder in which the private keys for said certificates ended up in an email sent by Trustico. Those keys are supposed to be secret, and only held by the cert owners, and certainly not to be disclosed in messages. In the wrong hands, they can be used by malicious websites to masquerade as legit operations.” ——- Financial Cyber Threat Sharing Group PhishedDate Published: 01 March 2018Author: Brian KrebsExcerpt: “The Financial Services Information Sharing and Analysis Center (FS-ISAC), an industry forum for sharing data about critical cybersecurity threats facing the banking and finance industries, said today that a successful phishing attack on one of its employees was used to launch additional phishing attacks against FS-ISAC members.” ——- GitHub hit with largest ever DDoS attackDate Published: 02 March 2018Author: Allie CoyneExcerpt: “Developer platform Github has been hit with the most powerful distributed denial of service attack on record, managing to survive 1.35 Tbps of traffic flooded to its website relatively unscathed.” ——- Memcrashed – Major amplification attacks from UDP port 11211Date Published: 27 February 2018Author: Marek MajkowskiExcerpt: “Amplification attacks are effective, because often the response packets are much larger than the request packets. A carefully prepared technique allows an attacker with limited IP spoofing capacity (such as 1Gbps) to launch very large attacks (reaching 100s Gbps) “amplifying” the attacker’s bandwidth.” ——- Here are this week’s noteworthy security bulletins: 1) ESB-2018.0571 – ALERT [Win][UNIX/Linux][Apple iOS][Android] SAML libraries: Multiple vulnerabilitiesSAML signature generation and parsing libraries did not standardise behaviour, and thus it was possible to use comments to gain valid SAML assertions they were not authorised for. 2) ESB-2018.0538.2 – UPDATE [Win][UNIX/Linux] Drupal Core: Multiple vulnerabilitiesA number of vulnerabilities in Drupal’s core modules have been fixed, including XSS vectors. 3) ESB-2018.0603 – [Linux][Debian] freexl: Multiple vulnerabilitiesA library for manipulating Excel data is vulnerable to RCE if given a maliciously malformed document.   Stay safe, stay patched and have a good weekend!Tim

AUSCERT Week in Review for 23rd February 2018 Greetings, I hope you all had a good week and can enjoy the upcoming weekend. This week, the Mandatory Data Breach Notification Scheme came into effect,and we have an informative blog entry regarding this on the AUSCERTwebsite at: https://wordpress-admin.auscert.org.au/blog/2018-02-22-mandatory-data-breach-notification-scheme Here’s a summary (including excerpts) of some of the more interestingstories we’ve seen this week: Tesla Internal Servers Infected with Cryptocurrency MinerDate Published: 20 Feb 2018https://www.bleepingcomputer.com/news/security/tesla-internal-servers-infected-with-cryptocurrency-minerAuthor: Catalin CimpanuExcerpt: “Hackers have breached Tesla cloud servers used by the company’s engineers and have installed malware that mines the cryptocurrency.” ——- Null Character Bug Lets Malware Bypass Windows 10 Anti-Malware Scan InterfaceDate Published: Feb 19 2018https://www.bleepingcomputer.com/news/security/null-character-bug-lets-malware-bypass-windows-10-anti-malware-scan-interfaceAuthor: Catalin CimpanuExcerpt: “Malware that embeds a null character in its code can bypass security scans performed by the Anti-Malware Scan Interface (AMSI) on Windows 10 boxes.” ——- Internet of Babies – When baby monitors fail to be smartDate Published: Feb 21 2018https://www.sec-consult.com/en/blog/2018/02/internet-of-babies-when-baby-monitors-fail-to-be-smart/index.htmlAuthor: Mathias Frank / www.sec-consult.comExcerpt: “An attacker is able to access and interact with arbitrary video baby monitors and hijack other user accounts. Based on observed user identifier values extracted from the cloud API and Google Play store data, an estimated total number over 52000 user accounts and video baby monitors are affected” ——- Until last week, you could pwn KDE Linux desktop with a USB stickDate Published: Feb 12 2018https://www.theregister.co.uk/2018/02/12/kde_naming_usb_drive_vulnAuthor: John LeydenExcerpt: “A recently resolved flaw in the KDE Linux desktop environment meant that files held on a USB stick could be executed as soon as they were plugged into a vulnerable device.” ——- Here are this week’s noteworthy security bulletins: 1) ESB-2018.0526 – [Virtual] Cisco Elastic Services Controller ServicePortal: Administrator compromise – Remote/unauthenticatedhttps://portal.auscert.org.au/bulletins/58722Administrator access allowed with empty password value! 2) ESB-2018.0494 – [UNIX/Linux][Debian] plasma-workspace: Execute arbitrarycode/commands – Console/physicalhttps://portal.auscert.org.au/bulletins/58594This describes the Debian 9 fix to the KDE USB vulnerability referred toin the Register’s article above. 3) ESB-2018.0541 – [Linux] IBM Security Guardium: Access privileged data –Existing accounthttps://portal.auscert.org.au/bulletins/58790We are still seeing Spectre fixes making their way into various products. 4) ESB-2018.0486 – [Apple iOS][Android] Schneider Electric IGSS Mobile:Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/58562Android and iOS application design and security issues are still veryprevalent.   Stay safe, stay patched and have a good weekend! Marcus.

Mandatory Data Breach Notification Scheme MANDATORY DATA BREACH NOTIFICATION SCHEME How it affects you   Introduction It’s official! The Notifiable Data Breaches scheme, established by the Privacy Amendment (Notifiable Data Breaches) Act 2017, will be officially enforced from the 22nd of February 2018.   What is it? It is a legal obligation to notify individuals whose personal information is involved in a data breach that is likely to result in serious harm.   Does my organisation need to comply? When do I need to report a data breach and how?        IF your organisation is described in “Entities covered by the NDB scheme”        AND        2. Your organisation collects, retains, handles and transmits ‘personal information’        AND        3. Your organisation has been subjected to an eligible data breach [4], and there are no applicable exceptions to notification obligations       THEN You need to complete assessing the suspected data breach within 30 calendar days of becoming aware of the suspected breach. A suggested three-step assessment procedure contains the following stages:        a. Initiate: decide whether an assessment is necessary and identify which person or group will be responsible for completing it        b. Investigate: quickly gather relevant information about the suspected breach including, for example, what personal information is affected, who may have had access to the information and the likely impacts, and        c. Evaluate: make a decision, based on the investigation, about whether the identified breach is an eligible data breach (see Identifying eligible data breaches).        IF           reasonable evidence exists to believe an eligible data breach has occurred,        THEN You need to notify: a. Affected individuals b. The Australian Information Commissioner, by submitting a Notifiable Data Breach statement – Form available at https://www.oaic.gov.au/NDBform/.       2. The following information must be included in an eligible data breach statement:           a. the identity and contact details of the organisation           b. a description of the data breach           c. the kinds of information concerned and;           d. recommendations about the steps individuals should take in response to the data breach.      3. Special conditions for notification exist where the breached data is in the custody of more than one party.    An excellent resource covering this topic is available here.   Additional Resources https://www.youtube.com/watch?v=BZXzNLlW2vA   Legal AUSCERT has made every effort to ensure that the information contained on this web site is accurate. However, the decision to use or follow any information or advice referenced here is the responsibility of each user or organisation. The appropriateness of any information or advice for an organisation or individual system should be considered before application in conjunction with the organisation’s local policies and procedures. AUSCERT takes no responsibility for the consequences of applying or following the information or advice on this web site.

AUSCERT Week in Review for 16th February 2018 Greetings, Hopefully you have all had a rewarding and productive week.   As usual, there is always a deluge of new vulnerabilities and patches to consider.  Of course Microsoft’s “Patch Tuesday” this week added significantly to that. Please note that there is an Information Security Incident Response Planning workshop held next week in Melbourne with discounted member pricing and places still available: https://wordpress-admin.auscert.org.au/events/2018-02-21-melbourne-training-information-security-incident-response-planning Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Title:  2 Billion Files Leaked in US Data Breaches in 2017Date Published:  15 Feb 2018Author: Tara SealsExcerpt:“Nearly 2 billion files containing the personal data of US citizens were leaked last year—and that number could be significantly underreported.” —– Title:  Australian govt sites hijacked by crypto minerDate Published:  12 Feb 2018Author: Allie CoyneExcerpt:“More than 4000 Australian and global government websites have been hijacked to run the Coinhive crypto currency mining software after a popular accessibility tool was compromised by attackers.” —– Title: Australian Government attribution of the ‘NotPetya’ cyber incident to RussiaDate Published: 16 Feb 2018Author: The Hon Angus Taylor MP Minister for Law Enforcement and CybersecurityExcerpt:“The Australian Government has joined the governments of the United States and the United Kingdom in condemning Russia’s use of the ‘NotPetya’ malware to attack critical infrastructure and businesses in June 2017.” —– Here are this week’s noteworthy security bulletins: 1) ASB-2018.0047 – ALERT [Win] Microsoft Windows: Multiple vulnerabilities 2018-02-14Microsoft has released its monthly security patch update for the month of February 2018.  Most notable is an Administrator Compromise vulnerability. 2) ASB-2018.0046 – [Win] ChakraCore: Execute arbitrary code/commands – Remote with user interaction 2018-02-14ChakraCore from Microsoft has been patched for eleven (11) vulnerabilities all being remote code execution.   3) ASB-2018.0045 – ALERT [Win][Mac] Microsoft Office Services and Web Apps: Multiple vulnerabilities 2018-02-14Microsoft Office and Sharepoint similarly were patched for a variety of remote code execution, privilege escalations and information disclosures. 4) ASB-2018.0044 – ALERT [Win] Microsoft Edge: Multiple vulnerabilities 2018-02-14 Microsoft Edge was remediated for a number of vulnerabilities including remote code execution, information disclosure and security feature bypass. Stay safe, stay patched and have a good weekend! Marcus

AUSCERT Week in Review for 9th February 2018 Greetings, The revolving door of information security continues, as Flash receives a patch for the 0day reported last week, while WordPress breaks auto-updating. Cisco has observed attacks against its Adaptive Security Appliance in the wild, and released a follow up patch for the RCE – noting that the first release didn’t entirely fix the problem. In non-security news, SpaceX has launched the 4th electric car to be sent into space (See: LRV-001 through 003). While they didn’t medal, their competition had a 44 year head start, so it remains impressive never the less. Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Title: Hackers Pounce on Cisco ASA Flaw (CVE-2018-0101)Date Published: 08/02/2018Author: Catalin CimpanuExcerpt: “Five days after details about a vulnerability in Cisco ASA software became public, hackers have now started exploiting this bug in the wild against Cisco ASA devices.” —– Title: WordPress Holds “Epic Fail Week” – Devs Break Background Updates, Ignore Zero-DayDate Published: 08/02/2018Author: Catalin CimpanuExcerpt: “A basic maintenance version released on Monday – WordPress 4.9.3 – a release meant to fix basic bugs caused huge problems for WordPress site owners by breaking the automatic update mechanism that upgrades WordPress sites in the background, without user interaction.” —– Title: How Long is Long Enough? Minimum Password Lengths by the World’s Top SitesDate Published: 06/02/2018Author: Troy HuntExcerpt: “I’ve been giving a bunch of thought to passwords lately. Here we have this absolute cornerstone of security – a paradigm that every single person with an online account understands – yet we see fundamentally different approaches to how services handle them. Some have strict complexity rules. Some have low max lengths. Some won’t let you paste a password. Some force you to regularly rotate it. It’s all over the place.” —– Title: Chrome will mark all HTTP sites ‘not secure’ from JulyDate Published: 09/02/2018Author: IT NewsExcerpt: “The company is on a long-term drive to stamp out unencrypted web connections, having begun to demote unencrypted sites in search results in 2015. Last year it started labelling HTTP login pages and credit card forms as ‘not secure’.” —– Title: Cybersecurity job fatigue affects many security professionalsDate Published: 06/02/2018Author: Jon OltsikExcerpt: “No one is talking about it, but I believe cybersecurity job fatigue is a real, growing, and troubling problem, exacerbated by the global cybersecurity skills shortage and the increasingly dangerous threat landscape. To address this, CISOs must assess the state of mind of key staff members, create work schedules to rotate personnel off the front lines, and provide the right levels of support, stress relief programs, and career counselling.” Here are this week’s noteworthy security bulletins: 1) ESB-2018.0326.2 – UPDATED ALERT [Win][Linux][Mac] Adobe Flash Player: Execute arbitrary code/commands – Remote with user interaction Flash 28.0.0.161 fixes last week’s 0day. 2) ESB-2018.0284.4 – UPDATE [Cisco] Cisco Adaptive Security Appliance: Execute arbitrary code/commands – Remote/unauthenticated Cisco has released a follow up patch for the ASA RCE, as the first was insufficient. 3) ASB-2018.0041 – [Win][UNIX/Linux] WordPress: Reduced security – Existing account WordPress’ auto-update may have just broken auto-update if it has auto-updated itself to 4.9.3. Manually update to 4.9.4 to remedy the issue. 4) ESB-2018.0404 – [Appliance] Kaspersky Secure Mail Gateway: Multiple vulnerabilities Kaspersky has patched several vulnerabilities in its Secure Mail Gateway. Stay safe, stay patched and have a good weekend! Tim

AUSCERT Week in Review for 2nd February 2018 Greetings, In pun-related security news this week, a literal cabinet was named as the source of some highly sensitive cabinet document leaks. Just goes to highlight the golden rule of security – know your assets. A 0day Flash exploit blamed on the North Koreans has been sighted targeting South Korean users. Adobe plans to have the vulnerability patched by next week, but until then turning it off is an option. Adaptive phishing kits are beginning to up their mimicry game. A newly discovered kit has been found that will download the favicon from the victim’s email domain and use that to help spoof the page. It’s all in the details. Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Title: Adaptive Phishing KitDate Published: 01/02/2018Author: Xavier MertensExcerpt: “Phishing kits are usually mimicking well-known big Internet players (eBay, Paypal, Amazon, Google, Apple, Microsoft…[add your preferred one here]). I found an interesting phishing kit which adapts itself to the victim. Well, more precisely, it adapts to the victim email address.” —– Title: The Cabinet Files reveal national security breaches, NBN negotiations, welfare reform plansDate Published: 31/01/2018Author: Ashlynne McGhee and Michael McKinnonExcerpt: “The documents were in two locked filing cabinets sold at an ex-government sale in Canberra. They were sold off cheaply because they were heavy and no-one could find the keys. A nifty person drilled the locks and uncovered the trove of documents inside.” —– Title: GoGet alleged ‘hacker’ revealed as infosec researcher Nik CubrilovicDate Published: 31/01/2018Author: Allie CoyneExcerpt: “According to the Illawarra Mercury, Cubrilovic had informed GoGet of vulnerabilities in its fleet booking system in 2016, for which GoGet rewarded him by waiving money owed on his account. But police reportedly allege that a year later he hacked into the system when his girlfriend’s account was suspended, creating more than 30 bookings on five different vehicles and each time charging the booking to a stranger’s account.” —– Title: North Koreans deploy zero-day Adobe Flash attacksDate Published: 02/02/2018Author: Juha SaarinenExcerpt: “North Korean hackers are believed to be behind a malware campaign targeting Windows users in South Korea, using a new zero-day vulnerability in Adobe’s Flash media player. The campaign was reported by security researcher Simon Choi, who said the North Koreans have been using the Flash zero-day since the middle of November last year.” —– Title: Critical Infrastructure More Vulnerable Than Ever BeforeDate Published: 01/02/2018Author: Tara SealsExcerpt: “‘Despite numerous incidents, reports and large-scale regulatory efforts, it is alarming that, overall, industrial systems aren’t more secure than they were 10 years ago,’ said Vladimir Nazarov, head of ICS Security at PT. ‘Today, anyone can go on the internet and find vulnerable building systems, data centers, electrical substations and manufacturing equipment. ICS attacks can mean much more than just blackouts or production delays – lives may be at stake. This is why it’s so important that before even writing the first line of code, developers design-in the security mechanisms necessary to keep ICS components secure. And when these mechanisms eventually become outdated, they need to modernize them in a timely manner.'” Here are this week’s noteworthy security bulletins: 1) ASB-2018.0039 – [Win][UNIX/Linux] Mozilla Firefox: Execute arbitrary code/commands – Remote with user interaction Firefox 58.0.1 fixes some unsanitised browser UI output that could lead to an RCE. 2) ASB-2018.0038 – [Win][UNIX/Linux] Mozilla Thunderbird: Multiple vulnerabilities Thunderbird 52.6 fixes a slew of vulnerabilities, including some potential RCEs. 3) ESB-2018.0326 – [Win][Linux][Mac] Adobe Flash Player: Execute arbitrary code/commands – Remote with user interaction Shockingly, a 0day has been discovered in Flash. Patch is expected out next week, so stay safe until then! 4) ESB-2018.0317 – [Linux][RedHat] systemd: Denial of service – Existing account In its rush to init, systemd contains a race condition in automount requests which can cause a DoS for any processes who need them. Stay safe, stay patched and have a good weekend! Tim

AUSCERT at linux.conf.au 2018 Hi, I’m David, one of the information security analysts here.   Intro AUSCERT sent me to the 2018 linux.conf.au conference with a Fairy Penguin sponsorship. It was my second time attending; the previous year, I’d taken a week’s leave and paid my own way, and was so enamoured that I convinced my new employer to send me along this time. The real strength of the conference, to me, is being surrounded by people much smarter and more experienced than myself. (This is exactly how I pitched it to management.) And the atmosphere is so friendly that knowledge transfers quickly. The organisers put a strong emphasis on inclusion and diversity. One of these is the “Pac-Man rule”: when standing in a circle talking, shape it like Pac-Man and leave space for someone else to join. Speaking of speaking, the #lca2018 hashtag was pretty hectic all week. The Australia/NZ FOSS community is great to be involved with, and I’ve found it pays to follow interesting people using the tag. I also find it’s valuable to connect with people for whom information security is part of their job, but not their core responsibility. Understanding the motivations and needs of people outside the infosec space is important to staying in the loop. Plus, they have some really cool projects.   Recordings to watch All the talks are recorded and published free on YouTube by Next Day Video. I’m enjoying “week two” of the conference – catching up on the talks I couldn’t attend! We’ll also replay some talks at the office over lunch. At AUSCERT, we mix infosec with data analysis, technical communication and lightweight development. Current proposals are Understanding git – even the scary parts, What is the most common street name in Australia?, Is the 370 the worst bus route in Sydney? and the Panel on Meltdown, Spectre and the free-software community. Talks I personally recommend are every single keynote, the Meltdown/Spectre Panel, a home Kubernetes environment, automating WordPress security recovery, Tap On to Reverse Engineering, and Linux system monitoring with the Elastic Stack. Shoutout to Alistair Chapman for his superb lightning talk on things you can do but shouldn’t with Docker.   Notes from the Spectre/Meltdown Panel The speculative execution side-channel vulnerabilities had been leaked three weeks before the conference, so a panel was organised (and jammed into the schedule). It was a fascinating session giving perspectives from several stakeholders at several levels of the stack – hardware, kernel, OS, container, SRE and more kernel. Some interesting stories about responses to the embargo and patches from different parties. FreeBSD weren’t included in the embargo and were left scrambling to patch when it leaked. Small PaaS providers are stuck waiting for patches for their OS. Hardware vulnerabilities are very hard to resist even with containerised services. … but containers will make it easier when you patch. Some discussion of the value of embargoes of vulnerabilities. Give the full session a watch; it’s rare to find so much diverse expertise in one room, talking semi-frankly about this.   Wrapping up The linux.conf.au conference is a very educational week for anyone IT-adjacent, and I’d strongly recommend it. Hope to see you at #lca2019 in Christchurch! David Lord, @dal_geek

AUSCERT Week in Review for 25th January 2018 Greetings, It’s hard not to include a bunch of crypto currency related articles because it’s all happening in that sphere right now. Malware authors have targeted individuals who are keen to get into the crypto currency market. South Korea isn’t the only country taking action against crypto currency operators. Some cybercrime organisations have really got their house in order when it comes to managing their business operations. Though it’s taken a backseat to the Bitcoin wars, ransomware is by no means less of a threat this year, with new variants popping up every week. Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More Date Published: 24/01/2018 Authors:  CH Lei, Fyodor Yarochkin, Lenart Bermejo, Philippe Z Lin and Razor Huang Excerpt: “Few cybercrime groups have gained as much notoriety—both for their actions and for their mystique—as the Lazarus group. Since they first emerged back in 2007 with a series of cyberespionage attacks against the South Korean government, these threat actors have successfully managed to pull off some of the most notable and devastating targeted attacks—such as the widely-reported 2014 Sony hack and the 2016 attack on a Bangladeshi bank—in recent history. Throughout the Lazarus group’s operational history, few threat actors have managed to match the group in terms of both scale and impact, due in large part to the wide variety of tools and tactics at the group’s disposal.” —– Large Scale Monero Cryptocurrency Mining Operation using XMRig Date Published: 24/01/2018 Author: Josh Grunzweig Excerpt: “Palo Alto Networks Unit 42 has observed a large-scale cryptocurrency mining operation that has been active for over 4 months. The operation attempts to mine the Monero cryptocurrency using the open-source XMRig utility. Based on publicly available telemetry data via bitly, we are able to estimate that the number of victims affected by this operation is roughly around 15 million people worldwide. This same telemetry provides insights into the most heavily targeted areas involving this campaign, which impacts southeast Asia, northern Africa, and South America the most.” —– Fake cryptocurrency wallet carries ransomware, leads to spyware Date Published: 23/01/2018 Author: Zeljka Zorz Excerpt: “The fake wallet is apparently being advertised on a variety of online forums. The link takes users to a page explaining what SpriteCoin is and offers a link to download the wallet. Once the victim downloads and installs the offered executable (spritecoind.exe), they are asked to enter a password for the wallet and to wait until the app downloads the blockchain:   Unfortunately for the victims, there is no real SpriteCoin, and the software does not download a blockchain.” —– Onecoin’s Bulgarian Offices Raided by Law Enforcement, No Arrests Made Date Published: 22/01/2018 Author: JP Buntinx Excerpt: “Surprisingly, this initiative was not something Bulgarian officials undertook on their own initiative. Instead, they were asked by German officials, where the Onecoin founder Ruja Ignatova has been taken to court. However, Ignatova was born in Bulgaria, which makes this raid a logical course of action. It is evident there are still plenty of skeletons in the closet of this company, and it is now up to law enforcement to bring them to light. Ignatova stepped down as the CEO of Onecoin a while ago, a move that clearly showed she knew what was eventually coming. With over three million people subscribing to the Onecoin “packages”, it is evident there is a very real chance that every single one of them has lost money in the process. This alone is a very worrisome thought, but it is also possible that the total number of defrauded victims is a lot higher. In Bulgaria, the company is suspected of money laundering, illegal payments, and commercial fraud. With this in mind, it seems to make little sense that no one has been arrested so far. At the same time, it is unclear if authorities are looking for specific individuals who may or may not work at the Bulgarian Onecoin office at this time” —- A Look into the Lazarus Group’s Operations Date Published: 24/01/2018 Authors:  Trend Micro Blog Excerpt: “What do the 2014 Sony hack and the 2016 Bangladeshi bank attacks have in common? Aside from being two of the most noteworthy cybercrime incidents of the past few years, these seemingly unrelated attacks are tied together by a common thread: their perpetrator, a cybercrime group called Lazarus. Few cybercrime groups throughout history have had as much disruptive power and lasting impact as the Lazarus Group. Ever since their first attacks, which involved DDoS operations against various organizations across different industries, the group has managed to step up their attacks even further. Two of the group’s most notable campaigns include the 2014 Sony hack, which involved sensitive company and personal information, and the 2016 Bangladeshi bankattack that stole millions of dollars from the financial institution.” —– desuCrypt Ransomware in the Wild with DEUSCRYPT and Decryptable Insane Variants Date Published: 22/01/2018 Author: Lawrence Abrams Excerpt: “When desuCrypt is executed, it will display a console windows that displays the current status of the encryption process. This window will stay open until the ransomware has finished encrypting the computer. According to Michael Gillespie, the creator of ID-Ransomware, at least the Insane variant of desuCrypt is encrypting files using RC4 encryption. This RC4 key is further encrypted using an embedded RSA-2048 key and then embedded at the end of each encrypted file.” Here are this week’s noteworthy security bulletins: 1) ESB-2018.0236 – [Apple iOS] Apple iOS: Multiple vulnerabilities Apple released security updates for numerous products, including this one for iOS. It contains a number of security fixes including one for a privilege escalation vulnerability that could grant root privileges to an attacker. 2) ESB-2018.0241 – [Win] Advantech WebAccess/SCADA: Multiple vulnerabilities Advantech released updates for its WebAccess/SCADA browser-based Human Machine Interface products, that are vulnerable to SQL injection attacks. Successful attacks could allow attackers to obtain confidential information from SCADA infrastructure. 3) ASB-2018.0036 – [Win][UNIX/Linux] Mozilla Firefox ESR: Multiple vulnerabilities Mozilla released updates for Firefox and Firefox ESR to address a large number of vulnerabilities in the web browsers. The most severe of these vulnerabilities could lead to remote code execution. These fixes have been incorporated into OS updates for RedHat, Debian and Ubuntu. Stay safe, stay patched, stay cool and have a good weekend! Nicholas

AUSCERT Week in Review for 19th January 2018 Greetings, Move over Star Wars. The Coin Wars have begun! As if hijacking other peoples CPUs to mine cryptocurrency wasn’t bad enough, some actors have taken to utilising botnets to steal others hard earned bitcoins by misdirecting them from compromised cryptominers to their own wallets. Bitcoin driven malicious activity will certainly be something to look out for this year! Plus botnets usually in the business of spreading malware are sending spam to pump up interest in Swisscoin to aid its trading prices! Add to that a side serving of the battery of malware that are keen to take a peek into your private life, or worse, take over your life. On a happier note, Paper submissions for the AUSCERT 2018 conference close today at midnight, so grab those keyboards and get typing! Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Title: Art of Steal: Satori Variant is Robbing ETH BitCoin by Replacing Wallet Address Date Published: 17/01/2018 Author: 360 netlab Excerpt: “Starting from 2018-01-08 10:42:06 GMT+8, we noticed that one Satori’s successor variant (we name it Satori.Coin.Robber) started to reestablish the entire botnet on ports 37215 and 52869. What really stands out is something we had never seen before, this new variant actually hacks into various mining hosts on the internet (mostly windows devices) via their management port 3333 that runs Claymore Miner software, and replaces the wallet address in the hosts with its own wallet address.” —– Skygofree: Following in the footsteps of HackingTeam Date Published: 16/01/2018 Author: Nikita Buchka and Alexey Firsch Excerpt: ” At the beginning of October 2017, we discovered new Android spyware with several features previously unseen in the wild. In the course of further research, we found a number of related samples that point to a long-term development process. We believe the initial versions of this malware were created at least three years ago – at the end of 2014. Since then, the implant’s functionality has been improving and remarkable new features implemented, such as the ability to record audio surroundings via the microphone when an infected device is in a specified location; the stealing of WhatsApp messages via Accessibility Services; and the ability to connect an infected device to Wi-Fi networks controlled by cybercriminals. “ —– Downloaders on Google Play spreading malware to steal Facebook login details Date Published: 18/01/2018 Author: Alena Nohova Excerpt: “Multiple downloaders, malicious apps that download further malicious apps to infected devices, have made it onto the Google Play Store. The downloaders are capable of downloading further apps that pose as system apps, some of which are capable of stealing Facebook login credentials. To do so, the malicious apps use social engineering tactics to trick victims into giving them up.” —– Threat actors are delivering the Zyklon Malware exploiting three Office vulnerabilities Date Published: 18/01/2018 Author: Perluigi Paganini Excerpt: “Security experts from FireEye have spotted a new strain of the Zyklon malware that has been delivered by using new vulnerabilities in Microsoft Office. Researchers at FireEye reported the malware was used in attacks against organizations in the telecommunications, financial, and insurance sectors.” —- World’s Largest Spam Botnet Is Pumping and Dumping an Obscure Cryptocurrency Date Published: 17/01/2018 Author: Catalin Cimpanu Excerpt: “The cryptocurrency in question is Swisscoin, an altcoin that’s been described as a Multi-Level-Marketing (MLM) ponzi scheme in a report last year, and for which trading was recently suspended. Trading resumed on January 15, the same day the Necurs spam started spreading. Since the Necurs spam, the cryptocurrency lost 40% of its initial trading price. It’s unclear what is Necurs’ impact on the Swisscoin trading price, mainly because there was no previous trading to compare the impact against.” Here are this week’s noteworthy security bulletins: 1) ASB-2018.0034 – [Win][Linux][Virtual] GitLab Community Edition and Enterprise Edition: Multiple vulnerabilities GitLab Community Edition (CE) and Enterprise Edition (EE) received updates to fix a number of vulnerabilities including two remote code execution vulnerabilities. 2) ESB-2018.0168 – [RedHat] linux-firmware: Access privileged data – Existing account More reversions for the SPECTRE fixes! 3) ASB-2018.0018 – [Win][UNIX/Linux] Oracle Financial Services Applications: Multiple vulnerabilities Oracle released its January Critical Patch Update this week, with 238 security fixes across 20 product families, including this one for Oracle Financial Services applications. The most severe vulnerability allows for remote code execution by an authenticated attacker. 4) ESB-2018.0208 – ALERT [Win] Siemens SIMATIC WinCC: Multiple vulnerabilities ICS-CERT released a security advisory for Siemens SIMATIC WIN CC SCADA system used globally for monitoring automated processes in  critical infrastructure sectors such as chemical, energy, food and agriculture and waste management. The advisory addresses a serious remote code execution vulnerability and denial of service vulnerability that could be leveraged to introduce and execute APTs into automated processes and disable monitoring. An update has been released to fix these issues. 5) ESB-2018.0171 – [Win][UNIX/Linux][Debian] bind9: Denial of service – Remote/unauthenticated A remotely exploitable denial of service vulnerability in BIND was fixed in updates for Debian and Ubuntu. ISC has provided BIND 9 patches, which can be downloaded from ISC.org.   Stay safe, stay patched, stay cool and have a good weekend! Nicholas

AUSCERT Week in Review for 12th January 2018 Greetings, Another week of new updates for Meltdown and Spectre with a false start for some of the patches with Ubuntu Kernel updates bricking machines and Windows patches also putting AMD led PCs into reboot loops.AUSCERT has published 152 Bulletins in the first two weeks that’s an average of 16.8 bulletins a day! This must be a new record! Please don’t forget to put in your paper submission for the AUSCERT 2018 conference. Submissions close on the 19th which is just a week away now! Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Title: Ubuntu takes two on Meltdown CPU patch after first one bricked machinesDate Published: 11/1/2018Author: Liam Tung (CSO Online)Excerpt: “Ubuntu maker Canonical on Wednesday released a second take on its kernel fix for the Meltdown CPU bug in Ubuntu 16.04 LTS after reports of machines failing to reboot after the update.”—– Title: Windows emergency Meltdown patch: Microsoft stops update for AMD PCs after crash reportsDate Published: 9/1/2018Author: Nick HeathExcerpt: “Microsoft has scaled back its rollout of Windows patches against the Meltdown and Spectre CPU flaws after reports the updates were crashing computers with AMD processors.”—– Title: Microsoft: How the Threat Landscape Will Shift This YearDate Published: 9/1/2018Author: Kelly SheridanExcerpt: “Unlike security professionals, who have stressed over digital threats for years, most average consumers didn’t recognize the importance of security until 2017.”—– Title: Where the CISO Should Sit on the Security Org Chart and Why It MattersDate Published: 9/1/2018Author: Christophe VeltsosExcerpt: “In early 2016, boards were starting to take cybersecurity more seriously and, in the process, increasing their interactions with chief information security officers (CISOs). How much has changed in the past two years? To whom do CISOs report today, and why does it matter?” —–Title: Healthcare breaches involving ransomware increase year-over-yearDate Published: 8/1/2018Author: @helpnetsecurityExcerpt:  “2017 has been a very challenging year for healthcare institutions as these organizations remain under sustained attack by cybercriminals that continue to target their networks.” —–Title: New Cryptocurrency Mining Malware Has Links to North KoreaDate Published: 8/1/2018Author: Jai VijayanExcerpt: “A security vendor has found another clue that North Korea may be turning to illegal cryptocurrency mining as a way to bring cash into the nation’s economy amid tightening international sanctions.AlienVault on Monday said it had recently discovered malware that is designed to stealthily install a miner for Monero, a Bitcoin-like cryptocurrency, on end-user systems and to send any mined coins to the Kim Il Sung University (KSU) in Pyongyang.”—– Here are this week’s noteworthy security bulletins: 1) ESB-2018.0112 – [Apple iOS] General Motors and Shanghai OnStar (SOS) iOS Client: Multiple vulnerabilitiesDon’t jailbreak your iOS device if you own a recent General Motors vehicle and you control it with the Shanghai OnStar (SOS) iOS Client as someone may take control of your car for you! 2) ESB-2018.0121 – [UNIX/Linux][Ubuntu] irssi: Multiple vulnerabilitiesHaven’t migrated to Slack yet? Still using IRC? Is your favourite IRC chat client still IRSSI? Well you probably should patch that too! 3) ESB-2018.0131.2 – UPDATED ALERT [Win][UNIX/Linux] VMware Workstation and Fusion: Execute arbitrary code/commands – Existing accountA use-after-free vulnerability and an Integer-overflow vulnerability in VMware NAT service have been fixed in the latest versions of VMware Workstation and Fusion. However you wouldn’t have been affected unless you turned IPv6 mode for VMNAT on as it is off by default. 4) ESB-2018.0129 – [Juniper] Juniper Junos OS: Multiple vulnerabilitiesJuniper patched a whole array of vulnerabilities (including a few CRITICAL ones) on Junos OS and even managed to get the premium CVE numbers of CVE-2018-0001 to CVE-2018-0009. Stay safe, stay patched and have a good weekend! Ananda