Week in review

AUSCERT Week in Review for 13th December 2019

AUSCERT Week in Review for 13th December 2019 Greetings, As the week comes to a close, here are some articles that may help ease you into the weekend. … Microsoft to help Office 365 customers track entire phishing campaigns, not just lone emails Date: 2019-12-10 Author: ZDNet Microsoft is launching today a new security feature in public preview. Named “Campaign Views,” this is a new feature that will be available for Office 365 Advanced Threat Protection (ATP) […] Until today, Office 365 ATP users could only see details about each of the individual malicious emails that reached users. Campaign Views will show details about the entire phishing campaign and all the tricks and infrastructure it uses. The goal is to give security teams an idea of what other tricks the same attacker might be using, so they can put filters and security protections in place. Phishing Campaign Uses Malicious Office 365 App Date: 2019-12-11 Author: Phishlabs Blog Most phishing campaigns attempt to take over accounts by tricking the victim into divulging their credentials. PhishLabs has uncovered a previously unseen tactic by attackers that uses a malicious Microsoft Office 365 App to gain access to a victim’s account without requiring them to give up their credentials to the attackers. Australia Post SMS scam targeting Australians Date: 2019-12-12 Author: Stay Smart Online With millions of parcel deliveries expected around the country, Australia Post is seeing widespread scam text (SMS) messages being sent to people, using their brand. These fake SMS messages may tell you that your parcel is “detained”, you’ve “missed a delivery” or there’s an “important update” to your delivery – and include a link to click on for more details. As scammers use technology that imitates a caller ID, these scam texts can even appear in the same conversation thread as a legitimate Australia Post conversation. Amazon Battles Leaky S3 Buckets with a New Security Tool Date: 2019-12-09 Author: Bit Defender Anyone who has been following security trends in recent years cannot fail to have noticed the preponderance of data breaches which have stemmed from unsecured Amazon S3 buckets. Many well-known organisations, including FedEx, Capital One bank, Verizon, and even US defense contractors, have left confidential and sensitive data publicly exposed by not having properly configured the security of their cloud-based storage servers. Chrome now warns you if your password has been stolen Date: 2019-12-12 Author: WeLiveSecurity Google has added a new feature to its Chrome web browser that will alert users if their login credentials have been compromised in a security breach, according to the company’s announcement. Intel Processors Intel CPU vulnerability, which could allow an attacker to extract highly-sensitive information, such as encryption keys from affected processors by altering their voltage. Xen Multiple privilege escalation and guest escape vulnerabilities. Adobe Multiple Remote code execution, privilege escalation and information disclosure vulnerabilities. Stay safe, stay patched and have a good weekend! Rameez Agnew

Learn more

Week in review

AUSCERT Week in Review for 22nd November 2019

AUSCERT Week in Review for 22nd November 2019 Greetings, Welcome to the new format for the Week in Review. We hope you like it! AUSCERT’s Week in Review will move to a new mailing list known as the AUSCERT Daily Intelligence Report. This consists of a daily report on Mondays to Thursdays, and a weekly report on Fridays. If you don’t want this, please click the “unsubscribe” link at the bottom of the email. If you encounter any problems, please email <membership@auscert.org.au>. “Sic Transit Gloria Mundi”, and so our perception of a secure system does erode away with time. Well, systems do not form security cracks over time but there is an enormous amount of effort being made to find them and then patch them. So don’t let your systems security fade: keep the patches up to date. Microsoft Outlook for Android Bug Opens Door to XSS Date: 2019-11-21 Author: Threatpost Users of the Microsoft Outlook for Android app should update their apps to avoid a range of attacks. The bug (CVE-2019-1460) would allow an attacker to perform cross-site scripting attacks on the affected systems and run scripts in the security context of the current user, according to Microsoft’s advisory on the bug. XSS occurs when malicious parties inject client-side scripts into web pages, which trick the unsuspecting user’s browser into thinking that the script came from a trusted source. Phineas Fisher Offers $100,000 Bounty to Hack Banks and Oil Companies Date: 2019-11-17 Author: VICE An infamous vigilante hacker known for their hits on surveillance companies is launching a new kind of bug bounty to reward hacktivists who do public interest hacks and leaks. In their new manifesto, Phineas Fisher also claimed to have hacked an offshore bank and called on other hacktivists to join in the fight against inequality and capitalism. The hacker said that in 2016 they hacked the Cayman Bank and Trust Company from the Isle of Man, an island between the UK and Northern Island. The hacker said they were able to steal money, documents, and emails from the bank. The hacker shared the stolen documents and emails from the bank to the leaking website Distributed Denial of Secrets, run by journalist and activist Emma Best, who said they uploaded 640,000 emails, in what is “the most detailed look at international banking that the public will have ever had access to.” Get ahead of the cybersecurity curve Date: 2019-11-18 Author: SC Magazine Experienced cybersecurity leaders are beginning to call for a move from reactive detection to proactive prevention. It’s clear that the need to get ahead of the cybersecurity curve is real. Over the past decade, experts talked about the number of days that malware is in your system, and now the discussion is fast becoming how many seconds you have between detection and disaster. There is no longer time to call the boss, check your files or phone a friend. Victims are literally watching their systems being taken over, and they are powerless to stop it despite massive budgets and plans. Clearly, spending on an arms race with dollars, people and technology is not an effective long-term solution. We need a different approach. Enter proactive prevention, the concept behind this move toward flipping the script and finally getting ahead of our adversaries. Twitter will finally let users disable SMS as default 2FA method Date: 2019-11-22 Author: ZDNet Twitter announced today that users will finally be able to disable SMS-based two-factor authentication (2FA) for their accounts, and use an alternative method only, such as a mobile one-time code (OTP) authenticator app or a hardware security key. Google will pay $1.5 million for the most severe Android exploits Date: 2019-11-22 Author: Ars Technica Google will pay up to $1.5 million for the most severe hacks of its Pixel line of Android phones, a more than seven-fold increase over the previous top Android reward, the company said. Effective immediately, Google will pay $1 million for a “full chain remote code execution exploit with persistence which compromises the Titan M secure element on Pixel devices,” the company said in a post published on Thursday. The company will also pay $500,000 for exploits that exfiltrate data out of a Pixel or bypass its lock screen. Millions of Sites Exposed by Flaw in Jetpack WordPress Plugin Date: 2019-11-20 Author: Bleeping Computer Admins and owners of WordPress websites are urged to immediately apply the Jetpack 7.9.1 critical security update to prevent potential attacks that could abuse a vulnerability that has existed since Jetpack 5.1. You can update your installation to the 7.9.1 version through your dashboard, or manually download the Jetpack 7.9.1 release. ANU students forced to re-sit exam after data leak Date: 2019-11-19 Author: The Riot ACT Students in the Digital Analysis course at the ANU will be forced to re-take an exam, potentially delaying their graduation, after the university confirmed a data leak last week. “The need for a class to re-sit an exam is extremely rare, and is only undertaken when absolutely required,” an ANU spokesperson said after security protocols successfully identified that a breach had occurred. Noteworthy bulletins this week: ESB-2019.4421 – [Win][UNIX/Linux] Asterisk: Multiple vulnerabilities Denial of Service from Remote Unauthenticated Sessions ESB-2019.4410 – [UNIX/Linux] BIND: Denial of service – Remote/unauthenticated “… the load on the server releasing these multiple resources can cause it to become unresponsive …” ESB-2019.4400 – [Cisco] Cisco Small Business Routers: Access confidential data – Remote/unauthenticated “… could allow an unauthenticated, remote attacker to view information displayed in the web-based management interface …” ESB-2019.4384 – [Win][Linux][Mac] Flexera FlexNet Publisher: Multiple vulnerabilities “… could allow the attacker to deny the acquisition of a valid license …” ESB-2019.4379 – [Linux] Apache Solr: Execute arbitrary code/commands – Remote/unauthenticated “… which may in turn allow them to upload malicious code for execution on the Solr server.” Stay safe, stay patched and have a good weekend! Geoff

Learn more

Week in review

AUSCERT Week in Review for 29th November 2019

AUSCERT Week in Review for 29th November 2019 Greetings, It’s been a week for embarrassing mistakes in the cyber world. Splunk and Hewlett-Packard have both announced show-stopping (but silly) bugs with how their systems keep track of time, and Australian parliamentarians have been told that they’ll undergo phishing simulations to prevent them from making the same mistakes as in the breach earlier this year. Then again, who among us is immune to the most careful, targeted phishing attacks? We heard tell recently of one large organisation conducting a test by sending forged emails to its developers, which told them to update their system by running $(curl | bash) – downloading a shell script from the internet and executing it immediately. Some cautious developers tried to fetch the script with curl before piping it to bash, but the remote host could tell that it was not going straight to a shell, and returned an innocent-seeming script. Developers who executed the command as given did receive a malicious payload and a slap on the wrist. Stay sharp, but stay forgiving. Splunk customers should update now to dodge Y2K-style bug Date: 2019-11-27 Author: Naked Security If you’re a Splunk admin, the company has issued a critical warning regarding a showstopping Y2K-style date bug in one of the platform’s configuration files that needs urgent attention. According to this week’s advisory, from 1 January 2020 unpatched instances of Splunk will be unable to extract and recognise timestamps submitted to it in a two-digit date format. Pollies to face phishing tests after Parliament breach Date: 2019-11-28 Author: iTnews Parliamentarians and their staff will be subject to phishing email simulations in the wake of the state-sponsored cyber attack against Parliament House earlier this year. The Department of Parliamentary Services will conduct the simulations as part of a new program to test the cyber security awareness of its more than 4000 parliamentary computing network users. My Health Record: Australian healthcare scheme grades poorly on cybersecurity Date: 2019-11-28 Author: The Daily Swig A review of Australia’s controversial My Health Record scheme has concluded that it does, as experts have warned, present security risks to the public. In its review of the system, published on Monday, the Australian National Audit Office (ANAO) concluded that the A$1.5 billion project is “largely effective”, although poor management of shared cybersecurity risks, including inadequate controls over access to patients’ records, remains a pressing issue. In terms of privacy, the ANAO found, emergency access to patients’ records was widely being misused. Meanwhile, healthcare providers are not all achieving minimum levels of cybersecurity, says the ANAO, with the Australian Digital Health Agency failing to monitor compliance effectively. It has also failed to check whether third-party software providers to healthcare agencies are complying with the government’s cybersecurity framework. HP Warns That Some SSD Drives Will Fail at 32,768 Hours of Use Date: 2019-11-26 Author: BleepingComputer HP released firmware updates for a number of its Serial-Attached SCSI solid-state drives to prevent their failure at exactly 32,768 hours of operation time. The devices are used in multiple server and storage products for enterprise, such as HPE ProLiant, Synergy, Apollo, JBOD D3xxx, D6xxx, D8xxx, MSA, StoreVirtual 4335 and StoreVirtual 3200. The abnormal expiration time translates to 3 years, 270 days and 8 hours, a lot less than the normal lifespan of these products. For some of them, the warranty can be extended to up to five years. Silly Phishing Spotlight: Login to Unblock Microsoft Excel Date: 2019-11-24 Author: BleepingComputer As part of our ongoing series to educate users about some of the more silly phishing scams out there, we bring a new one that states Excel is blocked unless you login and verify your details. As people get more educated about phishing scams and how to spot them, we continue to see scammers create outlandish campaigns in order to bait people into entering their login credentials. Such is the case with this new phishing email that states you won’t be able to use your Excel due to a “system delay” unless you first login. ESB-2019.4501 – GitLab GitLab released an update for the 12.5, 12.4 and 12.3 branches and almost immediately realised it omitted the important security fix they intended. If you only installed 12.5.1, 12.4.4 or 12.3.7 then ensure you update again to catch this. ESB-2019.4475 – FreeRDP on SUSE: Unauthenticated memory leaks Expect this fix to reach other distros soon. ESB-2019.4441 – Symantec Critical System Protection: Authentication bypass Symantec’s CSP software scored a 9.4/10 on the CVSSv3 scale for letting an attacker stroll through its controls. ESB-2019.4460: Mailman on SUSE: Privilege escalation The GNU mailing list manager contained a privilege escalation from the wwwrun user to root. Stay safe, stay patched and have a good weekend! David

Learn more

Week in review

AUSCERT Week in Review for 15th November 2019

AUSCERT Week in Review for 15th November 2019 Greetings, Emotet is up officially by 730%. It feels better when things are officially reported by researchers. By the time the report is out most of the front line people would have already felt and dealt with the effects of this campaign. Criminals are going where the money is, no not the banks, but server of all flavour for their processing power. Also this week Bash got bashed and Intel says we can’t tell about their intel until they say so but what they say may have been fixed six months ago, a story that did not sell well with some Dutch security boffins. Feels like things are going fast, well I’ll play the researcher and tell you post-priori they certainly are and that security automation and response is the future. Oh hang on you also knew that too. Fact is that when you are at the front lines you get front row seat to the details as they happen. That’s why keeping communication lines open to AUSCERT, either push by report, or pull from feeds such as Malicious URL, MSIN, and MISP feeds provides you the intelligence the moment it happens. As for news, here’s a summary (including excerpts) of some of the moreinteresting stories we’ve seen this week: ——- Title: PureLocker Ransomware Can Lock Files on Windows, Linux, and macOSAuthor: Ionut IlascuDate Published: November 13th, 2019 Excerpt: “Cybercriminals have developed ransomware that can be ported to all major operating systems and is currently used in targeted attacks against production servers. The new name is PureLocker. Malware researchers analyzed samples for Windows but a Linux variant is also being used in attacks. Built to dodge detection. The malware is carefully designed to evade detection, hiding malicious or dubious behavior in sandbox environments, posing as the Crypto++ cryptographic library, and using functions normally seen in libraries for music playback.” Title: Lateral Phishing Makes for Dangerous Waters, Here’s How You Can Avoid Getting Caught in the NetAuthor: Anurag KaholDate: November 13th, 2019 Excerpt: “Like regular phishing, a lateral phishing attack has the goal of gaining access to private information and begins with a user receiving an email that is attempting to extract login credentials or PII. However, the main differentiator between the two attack methods is that lateral phishing is conducted from a compromised email address within an organization. Once a hacker gains access to a legitimate email account, whether it belongs to a CEO or an intern, the hacker can then use it to target individuals within the company. Lateral phishing techniques are highly effective. When hackers impersonate someone that the recipient knows and trusts, said recipient tends to lower her or his guard, making it more likely that sensitive information will be surrendered.” Title: Researchers Discover Massive Increase in Emotet Activity Author : Helpnet SecurityDate: November 13th, 2019 Excerpt: “Emotet had a 730% increase in activity in September after being in a near dormant state, Nuspire discovered. Emotet, a modular banking Trojan, has added additional features to steal contents of victim’s inboxes and steal credentials for sending outbound emails. Those credentials are sent to the other bots in its botnet which are used to then transmit Emotet attack messages. When Emotet returned in September, it appeared with TrickBot and Ryuk ransomware to cause the most damage to a network.” Title: Microsoft Patch Tuesday Updates Fix CVE-2019-1429 Flaw Exploited in the WildAuthor: Pierluigi PaganiniDate: November 13th, 2019 Excerpt: “Microsoft’s Patch Tuesday updates for November 2019 address 74 flaws, including an Internet Explorer vulnerability, tracked as CVE-2019-1429, that has been exploited in the wild. Microsoft doesn’t provide any information on the nature of the active attacks, it only pointed out that they are likely limited at this time. The CVE-2019-1429 zero-day is a scripting engine memory corruption vulnerability that affects Internet Explorer 9, 10 and 11. Microsoft. “A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same use rights as the current user.” read the security advisory published by Microsoft. “If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.” Title: Intel launches security blog, pushes security patchesAuthor: Doug OlenickDate: November 13th, 2019 “Intel has joined the Patch Tuesday crowd with a platform update that covered 77 vulnerabilities, two of which were rated critical.The chip maker noted the security updates in a new blog the company said it will use to disseminate security updates, bug bounty topics, new security research, and engagement activities within the security research community.Intel is dividing its updates by advisory with each covering a single or set of products.” Title: Intel Fixes a Security Flaw It Said Was Repaired 6 Months AgoAuthor : Kim ZetterDate : November 12th, 2019 Excerpt:“Last May, when Intel released a patch for a group of security vulnerabilities researchers had found in the company’s computer processors, Intel implied that all the problems were solved. But that wasn’t entirely true, according to Dutch researchers at Vrije Universiteit Amsterdam who discovered the vulnerabilities and first reported them to the tech giant in September 2018. The software patch meant to fix the processor problem addressed only some of the issues the researchers had found.”   Here are this week’s noteworthy security bulletins (in no particular order): 1. ESB-2019.4311 – [Appliance] Phillips IntelliBridge EC40 and Phillips IntelliBridge EC80: Access privileged data – Remote/unauthenticated“…to execute software, modify system configuration, or view/update files, including unidentifiable patient data.” 2. ESB-2019.4300 – [Cisco] Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD): Root compromise – Existing account “.. to execute arbitrary code with root privileges on the underlying Linux operating system.” 3. ASB-2019.0337 – [Win] McAfee Data Loss Prevention ePO: Access confidential data – Existing account“…remote attackers with access to the network to collect login details to the LDAP server..” 4. ESB-2019.4289 – [Virtual] microcode: Access privileged data – Existing account“..speculative execution may be able to infer the value of data in the microarchitectural structures..” Wishing you the best from AUSCERT and hope to see you safe next week,Geoffroy

Learn more

Week in review

AUSCERT Week in Review for 8th November 2019

AUSCERT Week in Review for 8th November 2019 Greetings, As the week comes to a close, here are some articles that may help ease you into the weekend. BlueKeep attacks are happening, but it’s not a worm Date published: 03/11/2019 Author: Catalin Cimpanu Excerpt: “This BlueKeep campaign has been happening at scale for almost two weeks, but it’s been only spotted today by cybersecurity expert Kevin Beaumont. The British security expert said he found the exploits in logs recorded by honeypots he set up months before and forgot about. First attacks date back to October 23, Beaumont told ZDNet. Beaumont’s discovery was confirmed by Marcus “MalwareTech” Hutchins, the security researcher who stopped the WannaCry ransomware outbreak, and who’s a recognized expert in the BlueKeep exploit.” QSnatch malware already infected thousands of QNAP NAS devices Date published: 04/11/2019 Author: Pierluigi Paganini Excerpt: “A couple of weeks ago, the experts at the National Cyber Security Centre of Finland (NCSC-FI), published a report on the QSnatch malware. The experts were alerted about the malware in October and immediately launched an investigation. “NCSC-FI received reports via the Autoreporter service during mid October of infected devices attempting to communicate to specific command and control (C2) servers.” reads the report. “The original infection method remains unknown, but during that phase malicious code is injected to the firmware of the target system, and the code is then run as part of normal operations within the device. After this the device has been compromised. The malware uses domain generation algorithms to retrieve more malicious code from C2 servers.” Trend Micro reveals that customer data was illegally sold following inside-job ‘security incident’ Date published: 06/11/2019 Author: Mark Wyci?lik-Wilson Excerpt: “Security firm Trend Micro has revealed details of an inside scam which led to personal details of its customers being exposed. The security incident dates back to August this year, and the company says that it was made aware of customers being contacted by fake Trend Micro support staff. Following an investigation lasting until the end of October, it was determined that it was a member of staff that had fraudulently gained access to a customer database and sold personal data to a third party.” Buran Ransomware; the Evolution of VegaLocker Date published: 05/11/2019 Authors: Alexandre Mundo and Marc Rivero Lopez Excerpt: “This ransomware was announced in a well-known Russian forum with the following message: “Buran is a stable offline cryptoclocker, with flexible functionality and support 24/7. Functional: Reliable cryptographic algorithm using global and session keys + random file keys; Scan all local drives and all available network paths; High speed: a separate stream works for each disk and network path; Skipping Windows system directories and browser directories; Decryptor generation based on an encrypted file; Correct work on all OSs from Windows XP, Server 2003 to the latest; The locker has no dependencies, does not use third-party libraries, only mathematics and vinapi;” The announcement says that Buran is compatible with all versions of the Windows OS’s (but during our analysis we found how, in old systems like Windows XP, the analyzed version did not work) and Windows Server and, also, that they will not infect any region inside the CIS segment.” Critical Remote Code Execution Flaw Found in Open Source rConfig Utility Date published: 04/11/2019 Authors: Tom Spring Excerpt: “Two bugs in the network configuration utility rConfig have been identified, both allowing remote code execution on affected systems. Worse, one is rated critical and allows for a user to attack a system remotely – sans authentication. RConfig is a free open-source configuration management utility used by over 7,000 network engineers to take snapshots of over 7 million network devices, according the project’s website. The vulnerabilities (CVE-2019-16663, CVE-2019-16662) are both tied to rConfig version 3.9.2. The more serious of the two vulnerabilities (CVE-2019-16662) allows an attacker to execute system commands on affected devices via GET requests, which can lead to command instructions.” Here are this week’s noteworthy security bulletins: 1) Tenable.sc: Multiple vulnerabilities https://portal.auscert.org.au/bulletins/ASB-2019.0310/ Tenable Security Center received stand-alone patches that address multiple vulnerabilities affecting PHP. The most severe of these could lead to a remote denial of service attack and Cross-Site Scripting attacks. 2) Android: Multiple vulnerabilities https://portal.auscert.org.au/bulletins/ASB-2019.0311/ Android received its monthly update that addresses 38 vulnerabilities. These include a remote code execution and privilege escalation vulnerabilities. 3) Cisco Web Security Appliance: Cross-site scripting – Remote with user interaction https://portal.auscert.org.au/bulletins/ESB-2019.4172/ Cisco Web Security Appliance received fixes for a couple of vulnerabilities. This particular bulletin addresses an update for fixing a reflected XSS vulnerability. 4) IBM QRadar SIEM: Multiple vulnerabilities https://portal.auscert.org.au/bulletins/ESB-2019.4193/ Last, but most certainly not least, IBM’s QRadar SIEM received fixes for over 39 vulnerabilities, including local arbitrary code execution, remote Denial of Service, and remote information disclosure. ..and with that, have a great weekend all!  Nick

Learn more

Week in review

AUSCERT Week in Review for 1st November 2019

AUSCERT Week in Review for 1st November 2019 Greetings, As the week comes to a close, here are some articles that may help ease you into the weekend. xHelper Trojan Variant Reinstalls Itself After Removal, Infects 45K Date published: 29/10/2019 Author: Sergiu Gatlan Excerpt: “While the infection vector used by the threat actor behind the new xHelper variant is not yet known, Symantec’s research team suspects that the app component that bundles the xHelper payloads is downloaded by a malicious system app that might come pre-installed on some smartphone brands. The fact that “numerous users have been complaining on forums about the persistent presence of this malware on their devices, despite performing factory resets and manually uninstalling it,” seems to further consolidate their hypothesis. — xHelper reports can be found on Reddit and Google Play’s Help forums. The number of devices infected with the xHelper Android malware grows each day, since “in the past month alone, there was an average of 131 devices infected each day, and an average of 2,400 devices persistently infected throughout the month,” as Symantec’s research team adds.” Facebook Sues Israeli NSO Spyware Firm For Hacking WhatsApp Users Date published: 29/10/2019 Author: Swati Khandelwal Excerpt: “Developed by NSO Group, Pegasus allows access to an incredible amount of data from victims’ smartphones remotely, including their text messages, emails, WhatsApp chats, contact details, calls records, location, microphone, and camera. Pegasus is NSO’s signature product that has previously been used against several human rights activists and journalists, from Mexico to the United Arab Emirates two years ago, and Amnesty International staffers in Saudi Arabia and another Saudi human rights defender based abroad earlier last year. Though NSO Group always claims it legally sells its spyware only to governments with no direct involvement, WhatsApp head Will Cathcart says the company has evidence of NSO Group’s direct involvement in the recent attacks against WhatsApp users.” Industrial equipment to come under fire at the world’s largest hacking contest Date published: 28/10/2019 Author: Catalin Cimpanu Excerpt: “Industrial equipment will be the primary focus of the next edition of Pwn2Own, the world’s largest and most well-known hacking contest. This is the first time that security researchers will be allowed to hack ICS (industrial control systems) software and protocols at Pwn2Own. For most of its 12-year history, the contest has featured browsers and operating systems as the primary targets for white-hat hackers looking to make a name for themselves and earn huge cash rewards. In recent years, contest organizers have been diversifying the target portfolio with virtual machines, Tesla cars, and even Facebook Portal devices. Now, the organizers, Trend Micro’s Zero-Day Initiative (ZDI) project, say the next Pwn2Own contest will be solely focused on ICS devices and their respective software.” Johannesburg Authorities Refuse to Pay Hackers’ Bitcoin Ransom Date published: 30/10/2019 Authors: Marie Huillet Excerpt: “Authorities in Johannesburg are holding firm in their refusal to pay a ransom of 4 Bitcoin to hackers who targeted municipal systems last week. In a statement posted to its official Twitter handle on Oct. 28, the Johannesburg city council confirmed the attack had affected services that included billing, property valuation and land information systems, as well as its eHealth and Libraries services. The breach, which occurred on Oct. 24, was accompanied by a ransom demand of 4 Bitcoin (BTC) — worth close to $37,000 to press time — payable by Oct. 28.” New Adwind Variant Targets Windows, Chromium Credentials Date published: 29/10/2019 Authors: Lindsey O’Donnell Excerpt: “Once delivered, this new Adwind variant obfuscates the initial JAR file, blocking against any signature-based detection methods. “Malware that takes advantage of common Java functionality is notoriously difficult to detect or detonate in a sandbox for the simple fact that Java is so common on the web,” researchers with Menlo Security said in a Tuesday post. “In fact, any effort to block or limit Java would result in much of the internet breaking down — a non-starter for users who increasingly rely on rich web apps or SaaS platforms for their day-to-day responsibilities.” The JAR file then decrypts and loads a loader, which then loads an initial set of modules and sends out a request that is responsible for initializing the RAT with the command-and-control (C2) server.” Here are this week’s noteworthy security bulletins: 1) ALERT php5: Execute arbitrary code/commands – Remote/unauthenticated https://portal.auscert.org.au/bulletins/ESB-2019.3963/ Debian released an update to address a buffer underflow vulnerability in its php5-fpm implementation. The vulnerability, CVE-2019-11043, is being actively exploited in the wild to perform remote code execution. PHP 5.6 reached End Of Life on 1st January 2019. Updates to address the same vulnerability followed for php7.0, php7.3 on Debian, Ubuntu and SUSE. 2) Fortiguard FortiClient: Root compromise – Existing account https://portal.auscert.org.au/bulletins/ESB-2019.4008/ Forticlient end point protection solution for Mac OS received a fix to address a local security check bypass. This could result in local command execution with root privileges. The vulnerability arose due to improper sanitisation of special elements in a command. 3) Apple MacOS: Multiple vulnerabilities https://portal.auscert.org.au/bulletins/ESB-2019.4010/ Apple released a bunch of security fixes for its products; MacOS, iOS, iPadOS, TV, Watch and Safari. Needless to say, the fixed vulnerabilities ranged from UI spoofing to remote code execution. 4) sudo: Root compromise – Existing account https://portal.auscert.org.au/bulletins/ESB-2019.3979/ Red Hat released an update to fix a privilege escalation vulnerability which allowed a local attacker to execute privileged commands by leveraging the “Runas” specification, effectively bypassing the need to authenticate as root. Red Hat has stated: “This flaw only affects specific, non-default configurations of sudo, in which sudoers configuration entry allows a user to run a command as any user except root, for example: someuser myhost = (ALL, !root) /usr/bin/somecommand” ..and with that, have a great weekend all!  Nick

Learn more

Week in review

AUSCERT Week in Review for 25th October 2019

AUSCERT Week in Review for 25th October 2019 Greetings, This week we saw both Google and Mozilla release updates to patch multiple vulnerabilities in the Chrome and Firefox browsers, part of the on-going battle to ensure we are a little safer whilst we battle the web. Additionally, with consumer protection in mind, Apple pulled eighteen malicious apps from the iOS store, whilst on Google Play Store, forty two adware Android apps were removed.  However, despite measures taken by vendors to protect us from the ‘evilz’, we must still remember that have to take responsibility for our own actions and choices.  Be vigilant with your app choice and always perform due diligence. Every day we are more invested in staying connected to both people and systems, and Naked Security informed audiences in an article this week that people still think of phishing as being solely an email borne scam. However, the article correctly reminded readers that the technique is applied by scammers to communications streams available on our electronic devices, including social message, instant messaging and SMS text messages. Please feel free to dive into the associated articles:——————————————————————————– iBye, bad guy: Apple yanks 18 iOS store apps that sheltered advert-mashing malwareDate: October 24Author: The Register 42 Adware Apps with 8 Million Downloads Traced Back to Vietnamese StudentDate: October 24Author: The Hacker News Phishy text message tries to steal your cellphone accountDate: October 18Author: Naked Security ——————————————————————————– Here are four of this week’s interesting security bulletins: ASB-2019.0308Google Chrome was patched to resolve multiple vulnerabilities which when unpatched offered an interesting selection of impact/access factors. ESB-2019.3941Mozilla also patched multiple vulnerabilities in Firefox, resolving a bunch of ‘Remote with User Interaction’ associated impacts. ESB-2019.3947Red Hat plugged a nifty vulnerability related to little old sudo which researchers found would lead to root compromise when exploited. ESB-2019.3958VMware issued update to resolve a vulnerability associated with its vCenter Server Appliance, addressing a sensitive information disclosure vulnerability (remote unauthenticated) in backup and restore. ——————————————————————————– As always, stay safe, stay patched, and make it a good weekend! Best regards,Colin and Patch the AUSCERT cat

Learn more

Week in review

AUSCERT Week in Review for 18th October 2019

AUSCERT Week in Review for 18th October 2019 Greetings, This week we saw Oracle release its quarterly “Critical Patch Updates,Alerts and Bulletins”. Numerous vulnerabilities and patches were reportedin their broad range of products, that will need to be managed. We canexpect many other vendors to release patches over the next few weeks fortheir products which might be built around Oracle technologies includingdatabases and Java products. Please refer to our webpage for details of upcoming events – hosted bothby AUSCERT as well as other industry groups:https://wordpress-admin.auscert.org.au/resources/events/ — Here’s a summary (including excerpts) of some of the more interestingstories we’ve seen this week: Title: Germany’s cyber-security agency recommends Firefox as most secure browserhttps://www.zdnet.com/article/germanys-cyber-security-agency-recommends-firefox-as-most-secure-browser/Author: Catalin CimpanuDate: 17 October 2019Excerpt:“Germany’s BSI tested Firefox, Chrome, IE, and Edge. Firefox was onlybrowser to pass all minimum requirements for mandatory security features.” Title: Sudo? More like Su-doh: There’s a fun bug that gives restrictedsudoers root access (if your config is non-standard)https://www.theregister.co.uk/2019/10/14/linux_sudo_security_bug/Author: Chris WilliamsDate: 14 October 2019Excerpt:“Linux users who are able to run commands as other users, via the sudoermechanism, though not as the all-powerful root user, can still run commandsas root, thanks to a fascinating coding screw-up.” Title: MacGibbon joins local cyber security push to challenge multinationalshttps://www.itnews.com.au/news/macgibbon-joins-local-cyber-security-push-to-challenge-multinationals-532376/Author: Justin HendryDate: 15 October 2019Excerpt:“Two of Australia’s most high-profile IT executives have joined forcesto form the nation’s largest dedicated cyber security company, a movethat directly challenges the dominance of large US-affiliated vendors insecuring key contracts with major corporates and government.” Title: ATO phone scammers turn up at Adelaide man’s house dressed as police with eftpos machinehttps://www.abc.net.au/news/2019-10-15/ato-scammers-turn-up-at-house-with-eftpos-machine/11603144/Author: Eugene BoisvertDate: 16 October 2019Excerpt:“Two men turned up to another man’s house with an eftpos machine demandingmoney after earlier calling him pretending to be from the AustralianTaxation Office (ATO), according to SA Police.” Title: Planting tiny spy chips in hardware can cost as little as $200https://arstechnica.com/information-technology/2019/10/planting-tiny-spy-chips-in-hardware-can-cost-as-little-as-200/Author: Andy GreenbergDate: 13 October 2019Excerpt:“Proof-of-concept shows how easy it may be to hide malicious chips insideIT equipment.” — Here are some of this week’s noteworthy security bulletins (in no particularorder): ESB-2019.3826 – [UNIX/Linux][Ubuntu] sudo: Root compromise – Existing accounthttps://portal.auscert.org.au/bulletins/ESB-2019.3826/– See article above for discussion of issue. ASB-2019.0294 – [Win][UNIX/Linux] Oracle Java SE: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/ASB-2019.0294/– One of the outputs from Oracle’s CPU this week. ESB-2019.3835 – [SUSE] linux kernel: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/ESB-2019.3835/– Another root compromise vulnerability. ESB-2019.3881 – [Cisco] Cisco Identity Services Engine: Multiplevulnerabilitieshttps://portal.auscert.org.au/bulletins/ESB-2019.3881/– Cisco had a big week too reporting vulnerabilities and patches, this isone of those. ESB-2019.3861 – [Win][Mac] Acrobat and Reader: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/ESB-2019.3861/– 68 CVEs reported! — Stay safe, stay patched and have a great weekend,Marcus.  

Learn more

Week in review

AUSCERT Week in Review for 11th October 2019

AUSCERT Week in Review for 11th October 2019 Greetings, In the words of the Beatles, “it’s getting better all the time”. That is, flawed software is always being discovered and fixed. A cynic might add that flawed software is being created faster than the fix process can keep up. Microsoft’s monthly Patch Tuesday came and went this week without any major dramas, but popular macOS terminal app iTerm fixed a major RCE thanks to research funded by Mozilla, and D-Link have given up entirely on certain home routers, leaving them open to any botnet which will have them. Critical Security Issue identified in iTerm2 as part of Mozilla Open Source Audit Date: 2019-10-09 Author: The Hacker News A 7-year-old critical remote code execution vulnerability has been discovered in iTerm2 macOS terminal emulator app—one of the most popular open source replacements for Mac’s built-in terminal app. Tracked as CVE-2019-9535, the vulnerability in iTerm2 was discovered as part of an independent security audit funded by the Mozilla Open Source Support Program and conducted by cybersecurity firm Radically Open Security. “MOSS selected iTerm2 for a security audit because it processes untrusted data, and it is widely used, including by high-risk targets (like developers and system administrators),” Mozilla says. ‘Hypocritical and ironic’: NSA whistleblower dropped from speaking at Melbourne cybersecurity conference Date: 2019-10-08 Author: ABC News A high-profile American whistleblower and a privacy researcher have been unexpectedly dropped from addressing a Government-backed cybersecurity event underway in Melbourne. Thomas Drake and Dr Suelette Dreyfus of the University of Melbourne were both told their talks were “incongruent” with CyberCon, despite being invited to speak months earlier. Mr Drake’s presentation was to address national security and surveillance, while Dr Dreyfus planned to explore the use of safe digital drop boxes for anti-corruption whistleblowing. Beware of Fake Amazon AWS Suspension Emails for Unpaid Bills Date: 2019-10-09 Author: BLEEPING COMPUTER A billing notice from a vendor, especially one like Amazon, that states that your account has been suspended for unpaid bills, may confuse a user enough to click on the email link. Attackers are capitalizing on this confusion by sending emails that pretend to be from Amazon AWS Support at postmaster@amazon.com and that use a subject of “Your service has now been suspended”. D-Link Home Routers Open to Remote Takeover Will Remain Unpatched Date: 2019-10-07 Author: ThreatPost D-Link won’t patch a critical unauthenticated command-injection vulnerability in its routers that could allow an attacker to remotely take over the devices and execute code. The vulnerability (CVE-2019-16920) exists in the latest firmware for the DIR-655, DIR-866L, DIR-652 and DHP-1565 products, which are Wi-Fi routers for the home market. With no patch available, affected users should upgrade their devices as soon as possible. Signal Messenger Bug Lets Callers Auto-Connect Calls Without Receivers’ Interaction Date: 2019-10-04 Author: The Hacker News Almost every application contains security vulnerabilities, some of which you may find today, but others would remain invisible until someone else finds and exploits them—which is the harsh reality of cybersecurity and its current state. And when we say this, Signal Private Messenger—promoted as one of the most secure messengers in the world—isn’t any exception. Google Project Zero researcher Natalie Silvanovich discovered a logical vulnerability in the Signal messaging app for Android that could allow malicious caller to force a call to be answered at the receiver’s end without requiring his/her interaction. Australia, US negotiate CLOUD Act data swap pact Date: 2019-10-08 Author: iTnews Australian law enforcement and national security agencies are set to have greater access to data held by US-based cloud providers under an agreement being negotiated with the US government. But the bilateral agreement, if finalised and approved, will also require Australian-based cloud providers to hand over data requested by US law enforcement authorities. Short October Patch Tuesday Includes Remote Desktop Client, Browser, and Authentication Patches Date: 2019-10-08 Author: TrendLabs Security Intelligence Blog October’s Patch Tuesday is relatively modest, with Microsoft releasing a total of 59 patches. However, this shorter list still warrants attention. Nine of the 59 were still identified as Critical, while the remaining 50 were labeled Important. Most of the critical bulletins were for various Internet Explorer and Microsoft Edge vulnerabilities, with one covering a Remote Desktop Client vulnerability. The Important bulletins fixed several issues, including NLTM and Microsoft IIS server vulnerabilities. 10 Steps to Assess SOC Maturity in SMBs Date: 2019-10-07 Author: Dark Reading Facing a system and organisation controls audit doesn’t have to be stressful for small and midsize businesses if they follow these guidelines. Preparing for a system and organisation controls (SOC) compliance audit for the first time can be challenging. Many organisations, especially small to midsize businesses (SMBs), underestimate the level of planning and effort that goes into completing a successful SOC audit, adding to their security-related stress. Without proper preparation, SMBs risk missing milestones and deadlines, which can result in additional fees to complete a SOC audit. Addressing these 10 questions can help an organisation prevent delays, determine their level of preparedness to complete an audit, and hopefully limit unnecessary work and effort from process owners and employees critical to the business. Yes, MFA Isn’t Perfect. But That’s Not a Reason for Your Company Not to Use It Date: 2019-10-08 Author: Bitdefender When computer users and businesses ask me for a single step they could take to dramatically enhance their security it’s easy to answer: enable multi-factor authentication. Multi-factor authentication (MFA) offers an additional layer of protection for accounts that means even if a criminal manages to phish, guess or crack your password, even if a data breach spills your login credentials, there’s a very good chance your account won’t be compromised. Multi-factor authentication is a great way to improve your security from some of the most common attacks that are out there, but that’s not to say it’s perfect. Stay safe, stay patched and have a good weekend! Patch the AUSCERT cat

Learn more

Week in review

AUSCERT Week in Review for 4th October 2019

AUSCERT Week in Review for 4th October 2019 AUSCERT Week in Review04 October 2019 This week the ANU publicly released their report on the Nov 2018 breach oftheir administrative systems. This report is unique in that, as per thereport’s Forward, “provides details on the attack including the methodsused by the attacker” and “this publicly available report is the first ofits kind in Australia following a cyber attack on a public institution”. Members are encouraged to review the report to understand some of thethreats also faced by them and where possible incorporate the valuablelessons learned.     New Checkm8 jailbreak released for all iOS devices running A5 to A11 chipsDate: 27 SeptemberAuthor: ZDNet A security researcher has released today a new jailbreak that impactsall iOS devices running on A5 to A11 chipsets — chips included in allApple products released between 2011 and 2017, spanning eight generationsof devices, from iPhone 4S to iPhone 8 and X. Victorian hospitals targeted in ransomware attackDate: 1 OctoberAuthor: ABC News The Victorian Government is investigating the scale of a ransomwareattack by “sophisticated cyber criminals” on some of the state’s majorregional hospitals that has forced healthcare providers to go offline. Critical Remote Code Execution Vulnerability Patched in Exim Email ServerDate: 1 October A Critical vulnerability recently addressed in the popular open-sourceemail server Exim could lead to remote code execution.   Inside a massive cyber hack that risks compromising future leaders around the globeDate: 2 October Without anyone clicking on a link, a massive cyber attack of unprecedentedsophistication gained access to private information of potentiallyhigh-ranking officials across the globe. Thanks to the release of a 5,000-word report into the incident, the publiccan see for the fist time how sophisticated and extensive the attack onthe ANU was.   ANU hackers built ‘shadow ecosystem’ to stay hidden for six weeksDate: 3 October  

Learn more

Week in review

AUSCERT Week in Review for 27th September 2019

AUSCERT Week in Review for 27th September 2019 Greetings, This week has been a mix of something old and something new. On the old side, a vBulletin zero-day gained attention, and whilst this was shocking news to some, it was old news to others as we learned it had been an exploited commodity for years. It’s good to be in the know it seems. Being in the know was echoed by Atlassian who published a community article stating their intention to retire support for Internet Explorer, coming at the same time as ZDNet’s report that Microsoft had released two brand-spanking patches, one to plug an IE zero-day, and the other squash a Defender bug. In a change of tact, interesting to hear that hackers are looking into new methods of injecting card stealing code on “Layer 7” routers to steal payment card details, instead of utilising websites. Whether this focus change is due to frustration in having their lovingly crafted websites taken-down, or in wanting to remain undetected for longer, one things is certain, this should highlight an organisations need to perform effective asset management and patch management practices. And in considering vulnerable assets, we should also consider those non-traditional or non-managed devices that connect to our networks and become potential threat vectors. As remote working practices are becoming more widely accepted, InsiderPro reported to the evolution of the Bring Your Own Device (BYOD) policy has recently raised discussions regarding Bring Your Own Office (BYOO). Perhaps it’s time to splash out on two sweet 27″ monitors for your home office. Lastly, a reminder to both enterprise and consumers that Windows 7 support will end on 14 January 2020, so perhaps new year, new secure you! And if you’re an Apple device user, then definitely check Wired’s article for checking your iOS 13 privacy and security features. vBulletin Zero-Day Exploited for Years, Gets Unofficial PatchDate: 25 SeptemberAuthor: BleepingComputer A zero-day exploit for the vBulletin forum platform was publicly disclosed and quickly used to attack affected versions of the forum software. It turns out, though, that this exploit has been known, utilized, and sold by researchers and attackers for years. Retiring IE11 support for Atlassian cloud, server, and data center productsDate: 23 SeptemberAuthor: AtlassianURL: https://community.atlassian.com/t5/Feedback-Forum-articles/Retiring-IE11-support-for-Atlassian-cloud-server-and-data-center/ba-p/1185312 In 2015 Microsoft released Edge as the browser to supersede Internet Explorer (IE). Since then IE has not received major updates, or added support for many modern web standards. Microsoft recently discouraged the use of Internet Explorer as a default browser, and we’ve also seen a decrease in IE11 usage across our cloud, server, and data center products over time. To allow us to continue to take advantage of modern web standards to deliver improved functionality and the best possible user experience across all of our products, we have decided to end support for IE11. Microsoft releases out-of-band security update to fix IE zero-day & Defender bugDate: 23 SeptemberAuthor: ZDNet Microsoft has released an emergency out-of-band security update today to fix two critical security issues — a zero-day vulnerability in the Internet Explorer scripting engine that has been exploited in the wild, and a Microsoft Defender bug.The updates stand out because Microsoft usually likes to stay the course and only release security updates on the second Tuesday of every month. The company rarely breaks this pattern, and it’s usually only for very important security issues. Hackers looking into injecting card stealing code on routers, rather than websitesDate: 25 SeptemberAuthor: ZDNet Security researchers at IBM have found evidence that hackers have been working on creating malicious scripts they can deploy on commercial-grade “Layer 7” routers to steal payment card details. Why your company needs a BYOO (bring your own office) policyDate: 23 SeptemberAuthor: InsiderPro Remote work is not a trend. It’s there to stay. Insider Pro columnist Mike Elgan explains why it’s time to re-orient your organisation’s thinking around workshifting and BYOO. Just as the reality of consumer devices drove the BYOD policy trend, the reality of remote work demands the systematic thinking and communication of a bring your own office (BYOO) policy. Windows 7 support will end on January 14, 2020Date: Aug 3, 2019Author: Microsoft Microsoft made a commitment to provide 10 years of product support for Windows 7 when it was released on October 22, 2009. When this 10-year period ends, Microsoft will discontinue Windows 7 support so that we can focus our investment on supporting newer technologies and great new experiences. The specific end of support day for Windows 7 will be January 14, 2020. After that, technical assistance and software updates from Windows Update that help protect your PC will no longer be available for the product. The iOS 13 Privacy and Security Features You Should KnowDate: 22 SeptemberAuthor: WIRED Your iPhone just got a major security upgrade. The reputation of iOS security may have taken some dings of late, but it’s still one of the most secure consumer operating systems available. Here are all the ways the latest version keeps you even more protected. Here are some noteworthy bulletins from the week: ESB-2019.3609Adobe ColdFusion patched to resolve two critical and one important vulnerability. ESB-2019.3617Cisco IOx multiple vulnerabilities. ESB-2019.3616Cisco IOS XR root compromise vulnerability. ESB-2019.3648Confidential data access vulnerabilities patched in Apple iOS and iPadOS. ESB-2019.3641Apple iOS, macOS and watchOS were all patched due to an out-of-bounds readwith significant implications. As always, stay safe, stay patched, and make it a good weekend!Colin

Learn more

Week in review

AUSCERT Week in Review for 13th September 2019

AUSCERT Week in Review for 13th September 2019 Greetings, This week has been a busy one with Microsoft patch Tuesday, a serious Exim vulnerability being actively exploited and other potentially life threatening medical equipment vulnerabilities being exposed. All in all, just another day at the office! As the week comes to a close, here are some articles that may help ease you into the weekend. ThreatList: Amidst Data Breaches, Account Creation Fraud Soars in 2019 Date published: 10/09/2019  Author: Tara Seals Excerpt: “The first half of 2019 saw a 13 percent increase in fraudulent activity compared to the previous six months, with a spike in June representing the highest-volume bot attack that’s been recorded since 2016, according to an analysis from LexisNexis. The firm’s report, with data gleaned from 277 million human-initiated attacks across its Digital Identity Network, shows that bot attacks focused on new account creations are on the rise, bent on building fake online identities across diverse sectors. This type of attack is the only criminal “use case” that saw growth in the study period. The June attack targeted a virtual gift-card provider, with a bot trying to set up accounts using different email addresses. LexisNexis found that the attack originated in the U.S., but the browser language was set to Russian.” Weakness in Intel chips lets researchers steal encrypted SSH keystrokes Date published: 11/09/2019 Author: Dan Goodin Excerpt: “The researchers have named their attack NetCAT, short for Network Cache ATtack. Their research is prompting an advisory for Intel that effectively recommends turning off either DDIO or RDMA in untrusted networks. The researchers say future attacks may be able to steal other types of data, possibly even when RDMA isn’t enabled. They are also advising hardware makers do a better job of securing microarchitectural enhancements before putting them into billions of real-world servers. “While NetCAT is powerful even with only minimal assumptions, we believe that we have merely scratched the surface of possibilities for network-based cache attacks, and we expect similar attacks based on NetCAT in the future,” the researchers, from the Vrije Universiteit Amsterdam and ETH Zurich, wrote in a paper published on Tuesday. “We hope that our efforts caution processor vendors against exposing microarchitectural elements to peripherals without a thorough security design to prevent abuse.”” Fake PayPal Site Spreads Nemty Ransomware Date published: 08/09/2019 Author: Ionut Ilascu Excerpt: “The automated analysis showed that it took about seven minutes for the ransomware to encrypt the files on the victim host. However, this may differ from one system to another. Fortunately, the malicious executable is detected by most popular antivirus products on the market. A scan on VirusTotal shows that it is detected by 36 out of 68 antivirus engine.” Threats to macOS users Date published: 11/09/2019 Authors: Mikhail Kuzin, Tatyana Shcherbakova, Tatyana Sidorina, Vitaly Kamluk Excerpt: “The belief that there are no threats for the macOS operating system (or at least no serious threats) has been bandied about for decades. The owners of MacBooks and iMacs are only rivaled by Linux users in terms of the level of confidence in their own security, and we must admit that they are right to a certain degree: compared to Windows-based systems, there are far fewer threats that target macOS. However, the main reason for this is the number of potential victims: there are many more computers running Windows than those running macOS. However, the situation is changing, since the popularity of the latter platform is growing. Due to this and despite all the efforts that have been taken by the company, the threat landscape for Apple devices is changing, and the amount of malicious and unwanted software is growing. For the purposes of this report we used the statistics from Kaspersky Security Network cloud infrastructure. It stores information about all of the malicious programs and other threats that our macOS product users agreed to anonymously share with us. In fact, all these threats at some point attacked the computers of Kaspersky security solution users, but these attacks were successfully repelled.” COBALT DICKENS Goes Back to School…Again Date published: 11/09/2019 Authors: Secureworks Counter Threat Unit Research Team Excerpt: “For this campaign, the threat actors registered at least 20 new domains targeting over 60 universities in Australia, the United States, the United Kingdom, Canada, Hong Kong, and Switzerland. These domains were registered using the Freenom domain provider, which administers the following free top-level domains (TLDs) unless the domain is considered “special”: .ml .ga .cf .gq .tk   Many of these domains use valid SSL certificates, likely to make the spoofed pages appear authentic. The overwhelming majority of the certificates observed in 2019 were issued by Let’s Encrypt, a nonprofit organization that programmatically issues free certificates. However, past campaigns used certificates issued by the Comodo certificate authority.”   Here are this week’s noteworthy-ish security bulletins: 1) Microsoft Windows: Multiple vulnerabilities https://portal.auscert.org.au/bulletins/ASB-2019.0257/ Microsoft Patch Tuesday (or Wednesday in this part of the world) saw the release of security updates for multiple Microsoft products. These included Edge, Internet Explorer (surprise, surprise), Exchange server, Office, Skype, etc. The update for Windows had a rather small 49 vulnerabilities addressed within it, including multiple remote code execution vulnerabilities and privilege escalation vulnerabilities. 2) UPDATED ALERT exim4: Root compromise – Remote/unauthenticated https://portal.auscert.org.au/bulletins/ESB-2019.3394.2/ This was published, and then, republished as an alert when a malware campaign involving the installation of LILOCKED ransomware in Linux servers by gaining root access on those servers. Chatter from a Russian-language blog indicated exim as a potential vector employed by the malware authors gain root privileges within the target servers. If you want to to learn more, see https://twitter.com/threatbear_co/status/1170876973436022785?s=20 3) Becton, Dickinson and Company Pyxis: Unauthorised access – Existing account https://portal.auscert.org.au/bulletins/ESB-2019.3404/ The weekly roundup just wouldn’t be complete without a medical industry related vulnerability. This particular session fixation vulnerability could allow an attacker who has gained prior access to a lower privileged account within the Pyxis medication management platform, to re-use a higher privileged users Active Directory credentials, thereby increasing his privileges within the platform. At that point, the attacker could view patient data and medication details and potentially alter medication records within the platform. 4) Adobe Flash Player: Execute arbitrary code/commands – Remote with user interaction https://portal.auscert.org.au/bulletins/ASB-2019.0264/ Adobe got a bit of security love from Microsoft as part of its updates. Just two “critical” remote code execution vulnerabilities being addressed this time around. Adobe also released an update fixing a remote code execution vulnerability in its Application Manager software. 5) curl: Multiple vulnerabilities https://portal.auscert.org.au/bulletins/ESB-2019.3472/ Last but not least, everyone’s favourite url retrieval tool, curl, got an update for two remote code execution vulnerabilities which stem from it incorrectly handling memory when performing transfer of TFTP or when using Kerberos over FTP. ..and with that, have a great weekend all!  Nick

Learn more