10 Jan 2020

Week in review

AUSCERT Week in Review for 10th January 2020

Greetings,

The big headline this week is the opening of physical hostilities between the US and Iran, one of its long-standing cyber-adversaries (remember Stuxnet?). While we’re staying out of the politics, it does mean that there might be more cyber-attacks flying around on the internet than usual.

Maybe Iran’s Silent Librarian APT will take a break from targeting universities for IP and focus their efforts in that direction.

There’s also been a lot of ransomware in the news recently, so we’ve collated a few of the bigger stories.


The cyber pirates of the Caribbean
Date: 2020-01-06
Author: ABC News

When Jane Smith invested $670,000 to boost her retirement savings, it was flushed into a river of stolen cash flowing out of Australia and into the pockets of criminals. An ABC investigation has tracked down where the money went.

DHS: Iran maintains a robust cyber program and can execute cyber-attacks against the US
Date: 2020-01-07
Author: ZDNet

The US government has issued a security alert over the weekend, warning of possible acts of terrorism and cyber-attacks that could be carried out by Iran following the killing of a top general by the US military on Friday.
The warning comes in the form of a rare NTAS (National Terrorism Advisory System) alert, of which the US government has issued only a handful since 2011 when the system was put into place.
According to the DHS’ NTAS alert, possible attack scenarios could include “scouting and planning against infrastructure targets and cyber enabled attacks against a range of U.S.-based targets.”

DeathRansom Campaign Linked to Malware Cornucopia
Date: 2020-01-07
Author: Threatpost

An ongoing DeathRansom malware campaign has been found by researchers to be part of a larger collection of malicious offensives, all carried out by an actor going by the nickname “scat01”.
According to Artem Semenchenko and Evgeny Ananin at FortiGuard Labs, evidence found on Russian underground forums and in their forensic investigations points to a significant connection between ongoing DeathRansom and various infostealing malware campaigns, all likely directed by one Russian-speaking individual living in Italy.

Christmas cyber attack spelled early holidays for council staff, nightmare for IT workers
Date: 2020-01-06
Author: ABC News

A council in Adelaide’s south is up and running again after cyber attack just before Christmas locked down its IT systems and forced staff to start their holidays earlier than planned.
City of Onkaparinga mayor Erin Thompson said its systems fell victim to the so-called Ryuk ransomware, which has also hit “other government organisations around the world”, on December 14.

REvil ransomware exploiting VPN flaws made public last April
Date: 2020-01-09
Author: Naked Security

Researchers report flaws, vendors issue patches, organisations apply them – and everyone lives happily ever after. Right? Not always. Sometimes, the middle element of that chain – the bit where organisations apply patches – can takes months to happen. Sometimes it doesn’t happen at all. It’s a relaxed patching cycle that has become security’s unaffordable luxury.
Take, for instance, this week’s revelation by researcher Kevin Beaumont that serious vulnerabilities in Pulse Secure’s Zero Trust business VPN system are being exploited to break into company networks to install the REvil (Sodinokibi) ransomware.


ESB-2020.0094 – Cisco Webex Video Mesh Node: Root escalation

An administrative user in the software could execute commands with root privileges on the underlying Linux system.

ESB-2020.0075 – Node.JS 8: Arbitrary file overwrite

Arbitrary file overwrite in one of the internet’s favourite application languages.

ESB-2020.0078 – [ALERT] Firefox & Firefox ESR: RCE

Shortly after releasing v72.0, Mozilla issued v72.1 to address an RCE which was being used in targeted attacks in the wild.

ASB-2020.0002 – Android: January patch level

The usual crop, and notably a privileged RCE using physical proximity and the Realtek wifi driver.


Stay safe, stay patched and have a good weekend!

David