Week in review

AUSCERT Week in Review for 28th July 2017

AUSCERT Week in Review for 28th July 2017 Greetings, As Friday 28th July comes to a close, there have been numerous security related news items this week. Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Title: WikiLeaks drops another cache of ‘Vault7’ stolen toolsDate Published: 26/07/2017URL: https://nakedsecurity.sophos.com/2017/07/26/wikileaks-drops-another-cache-of-vault7-stolen-tools/Author: Taylor ArmerdingExcerpt: “The WikiLeaks “Vault 7” almost-weekly drip-drip-drip of confidential information on the cybertools and tactics of the CIA continued last week. The latest document dump is a trove from agency contractor Raytheon Blackbird Technologies for the so-called “UMBRAGE Component Library” (UCL) Project, which includes reports on five types of malware and their attack vectors.” —– Title: Joint international operation sees US citizen arrested for denial of service attacks on IT systems Date Published: 28/07/2017 URL: https://www.afp.gov.au/news-media/media-releases/joint-international-operation-sees-us-citizen-arrested-denial-serviceAuthor: AFPExcerpt: “A two and a half year joint operation between the Australian Federal Police (AFP), Federal Bureau of Investigation (FBI) and Toronto Police Department has resulted in a 37-year-old Seattle man being arrested in connection with serious offences relating to distributed denial of service attacks on IT systems.” —– Title: Australia’s war on maths blessed with gong at Pwnie AwardsDate Published: 27/07/2017URL: https://www.computerworld.com.au/article/625351/australia-war-maths-blessed-gong-pwnie-awards/Author: Rohan PearceExcerpt: “Australia’s own Malcolm Turnbull has been recognised at the Pwnie Awards in Las Vegas, with the prime minister taking out the ‘Pwnie for Most Epic FAIL’. The annual awards, staged at the BlackHat security conference, recognise security successes and failures.” —–Title: Flash Player death warrant signed by AdobeDate Published: 27/07/2017URL: http://technology.inquirer.net/65543/flash-player-death-warrant-signed-by-adobeAuthor: INQUIRER.netExcerpt: “Adobe is making a move to permanently terminate it’s Flash Player feature—which many believe should have been done a while back. According to an Adobe press release, the end-of-life (EOL) of the multimedia software platform is already in the works, as they are working with various technology partners like Apple, Facebook, Google, Microsoft and Mozilla, to create a smooth transition into open web platform.” —–Title: Russian National And Bitcoin Exchange Charged In 21-Count Indictment For Operating Alleged International Money Laundering Scheme And Allegedly Laundering Funds From Hack Of Mt. GoxDate Published: 26/07/2017URL: https://www.justice.gov/usao-ndca/pr/russian-national-and-bitcoin-exchange-charged-21-count-indictment-operating-allegedAuthor: Department of JusticeExcerpt: “SAN FRANCISCO – A grand jury in the Northern District of California has indicted a Russian national and an organization he allegedly operated, BTC-e, for operating an unlicensed money service business, money laundering, and related crimes.” —–Here are this week’s noteworthy security bulletins: 1) ESB-2017.1841 – [Cisco] Cisco IOS and IOS XE: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/50358 Cisco has released information about three vulnerabilities (CVE-2017-6665, CVE-2017-6664, CVE-2017-6663) that do not have any patches currently. 2) ASB-2017.0125 – [Win][UNIX/Linux] Joomla!: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/50350 Two vulnerabilities have been fixed in Joomla! core, the first is a fix to the CMS Installer itself and the second is a fix in the lack of proper filtering of potentially malicious HTML tags. 3) ESB-2017.1852 – ALERT [Cisco] Cisco Products: Access privileged data – Remote/unauthenticatedhttps://portal.auscert.org.au/bulletins/50402 Multiple Cisco Products are susceptible to an OSPF LSA Manipulation Vulnerability. This allows an attacker to take full control of the OSPF AS routing table. AUSCERT in the Media: Title: The Methodology of Improving Incident ResponseURL: http://www.bankinfosecurity.com/methodology-improving-incident-response-a-10124Author: Tom FieldExcerpt: “AUSCERT is one of the oldest CERT’s in the world, and Phil Cole says the independent organization is now laser-focused on helping enterprises across sectors to fundamentally improve their strategies and solutions for incident response.”—-Title: Is your company and customer data being sold on the darknet?URL: https://www.cio.com.au/article/621699/your-company-customer-data-being-sold-darknet/Author: George NottExcerpt: “Increasingly businesses are monitoring the darknet for clues that their company and customer data is being exposed. But it’s no easy task. Last week, The Guardian reported that Australians’ Medicare numbers were being offered for sale on a darknet marketplace for the equivalent of $30 in Bitcoins each.” Stay safe, stay patched and have a good weekend! Ananda

Learn more

Week in review

AUSCERT Week in Review for 21st July 2017

AUSCERT Week in Review for 21st July 2017 As Friday 21st July comes to a close along with the latest Oracle and Apple security updates, there have been numerous security related news items this week. Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Title: Cisco patches critical bug in WebEx plug-in for Chrome, Firefox on WindowsDate Published: July 18 2017URL: http://www.zdnet.com/google-amp/article/cisco-patches-critical-bug-in-webex-plug-in-for-chrome-firefox-on-windows/Author: Liam TungExcerpt: “Google’s Project Zero researcher Tavis Ormandy reported the bug to Cisco earlier this month. It was discovered by him and Chris Neckar of Divergent Security, a former member of the Chrome security team. Ormandy earlier this year found two other flaws in the WebEx extension that allowed remote code execution. WebEx is a popular video conferencing tool in the enterprise. Ormandy notes that the WebEx extension for Chrome alone has 20 million active users. It’s also installed on 731,000 Firefox instances.” Title: Issues found via fuzzing by Guido VrankenDate Published: July 17 2017URL: http://freeradius.org/security/fuzzer-2017.htmlAuthor: FreeRADIUS Excerpt:“In order to improve the security of FreeRADIUS, we asked Guido to try fuzzing FreeRADIUS. He spent a week working with us, and managed to find a number of issues. We worked together to create and validate fixes for all of them. His blog contains a short note on the subject. The short summary is that if your RADIUS server is on a private network, accessible only by managed devices, you are likely safe. If your RADIUS server is part of a roaming consortium, then anyone within that consortium can attack it. If your RADIUS server is on the public internet, then you are not following best practices, and anyone on the net can attack your systems.” Title: Oracle e-business suite flaw allows downloads of documentsDate Published: July 18 2017URL: https://threatpost.com/oracle-e-business-suite-flaw-allows-downloads-of-documents/126897/Author: Michael MimosoExcerpt:“Oracle admins have more than 300 patches to contend with today, but one that should be considered a top priority is a bug in the E-Business Suite of business applications that could allow an attacker to download data without the need for authentication. The vulnerability, CVE-2017-10244, was addressed in today’s quarterly Critical Patch Update, but given the critical apps and data moving through the suite, and the potential downtime required to patch, it’s unknown how long it would take for the bulk of installations to be update and the risk be mitigated completely.” Title: Apple patches BROADPWN bug in IOS 10.3.3Date Published: July 20 2017 URL: https://threatpost.com/apple-patches-broadpwn-bug-in-ios-10-3-3/126955/Author: Tom SpringExcerpt:“Apple released iOS 10.3.3 Wednesday, which serves as a cumulative update that includes patches for multiple vulnerabilities including the high-profile BroadPwn bug that allowed an attacker to seize control of a targeted iOS device. BroadPwn was revealed earlier this month as a flaw in Broadcom Wi-Fi chipsets used in Apple and Android devices. Apple said the vulnerability affected the iPhone 5 to iPhone 7, the fourth-generation iPad and later versions, and the iPod Touch 6th generation.” —- Here are this week’s noteworthy security bulletins: 1) ESB-2017.1765 – ALERT [Win] Cisco WebEx extensions: Execute arbitrary code/commands – Remote with user interactionhttps://portal.auscert.org.au/bulletins/49958 WebEx is one the most widely used meeting and collaboration tools in use today. If you use the Google Chrome or Firefox WebEx extension on Windows, then upgrade as soon as possible. This vulnerability could allow an attacker to execute arbitrary code with the privileges of the affected browser on the affected system. 2) ESB-2017.1767 – ALERT [UNIX/Linux][BSD][RedHat] freeradius: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/49966 FreeRADIUS is a Remote Authentication Dial In User Service (RADIUS) server. It provides centralised authentication and authorization for many Fortune-500 companies and ISPs. It’s also widely used for Enterprise Wi-Fi and IEEE 802.1X network security, particularly in the academic community, including eduroam. A remote attacker could crash the FreeRADIUS server or execute arbitrary code in the context of the FreeRADIUS server process by sending a specially crafted request packet. For more information see the article we referenced earlier. 3) ASB-2017.0121 – ALERT [Appliance][Solaris] Oracle Sun Systems: Multiple vulnerabilities https://portal.auscert.org.au/bulletins/50066 If you have Oracle Sun Solaris systems in your environment, we advise patching as soon as possible to mitigate a shadowbrokers EASYSTREET (CVE-2017-3632) vulnerability. This easily exploitable vulnerability allows an unauthenticated attacker with network access via TCP to completely take over the system. 4) ASB-2017.0106 – ALERT [Win][UNIX/Linux] Oracle E-Business Suite: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/50006 An easily exploitable vulnerability (CVE-2017-10244) would allow an unauthenticated attacker with network access to access any document stored there with a single HTTP request. 5) ASB-2017.0104.2 – UPDATE ALERT [Win][UNIX/Linux] Oracle Fusion Middleware: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/49998 This easily exploitable vulnerability (CVE-2017-10137) is rated 10.0 and allows the unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in the takeover of Oracle WebLogic Server. 6) ESB-2017.1783 – [Apple iOS] Apple iOS: Multiple vulnerabilities https://portal.auscert.org.au/bulletins/50118 Of interest is the BroadPwn vulnerability (CVE-2017-9417). An attacker within range of an iPhone, iPad or IPod touch may be able to execute arbitrary code on the Wi-Fi chip. See more information in the article we referenced earlier. —- Stay safe, stay patched and have a good weekend! Danny  

Learn more

Week in review

AUSCERT Week in Review for 14th July 2017

AUSCERT Week in Review for 14th July 2017 As Friday 14th July comes to a close along with the monthly Microsoft Security Update, there have been numerous security related news items this week. Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Title: Microsoft Patches 19 Critical Vulnerabilities in July Patch Tuesday UpdateDate Published: July 12 2017URL: http://www.esecurityplanet.com/endpoint/microsoft-patches-19-critical-vulnerabilities-in-july-patch-tuesday-update.htmlAuthor: Sean Michael KernerExcerpt: “Microsoft released its latest monthly Patch Tuesday update on July 11, patching a total of 54 vulnerabilities, of which 19 were rated as critical. Microsoft’s HoloLens Virtual Reality (VR) technology received its first patch this month, for a critical remote code execution vulnerability identified as CVE-2017-8584. The vulnerability could have been triggered by an attack that sent a malicious WiFi packet to the HoloLens.” —– Title: The laws of Australia will trump the laws of mathematics: TurnbullDate Published: July 14 2017 URL: http://www.zdnet.com/article/the-laws-of-australia-will-trump-the-laws-of-mathematics-turnbull/Author: Chris Duckett and Asha McLeanExcerpt: “Regardless of what the laws of mathematics state around breaking into end-to-end encryption, the Australian government is determined to bring in laws that go against them, with the Prime Minister of Australia telling ZDNet that the laws produced in Canberra are able to trump the laws of mathematics. ‘The laws of Australia prevail in Australia, I can assure you of that,’ he said on Friday. ‘The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia.’ On Friday, the government unveiled plans to introduce legislation this year that would force internet companies to assist law enforcement in decrypting messages sent with end-to-end encryption.” —– Title: Let’s Encrypt Wildcard Certificates a ‘Boon’ for Cybercriminals, Expert SaysDate Published: July 12 2017URL: http://www.securityweek.com/lets-encrypt-wildcard-certificates-boon-cybercriminals-expert-saysAuthor: Ionut ArghireExcerpt: “The organization will be offering wildcard certificates free of charge via an upcoming ACME v2 API endpoint. Only base domain validation via DNS will be supported in the beginning, but the CA may explore additional validation options over time. Let’s Encrypt’s goal might be improved security and privacy for all users, but it doesn’t mean that its certificates can’t be misused. In March 2017, encryption expert Vincent Lynch revealed that, over a 12-month period, Let’s Encrypt issued over around 15,000 security certificates containing the term PayPal for phishing sites.“ —– Title: China orders complete block on VPNs to begin by February 2018Date Published: 11 July 2017URL: https://www.v3.co.uk/v3-uk/news/3013611/china-orders-complete-block-on-vpns-to-begin-by-february-2018Author: Graeme BurtonExcerpt: “The Chinese government has ordered the country’s big-three telecoms and internet service providers, China Mobile, China Telecom and China Unicom, to completely block access to virtual private networks (VPNs) by February 2018 in the latest stage of its campaign to prevent web users from circumventing the ‘great firewall of China’.” —– Here are this week’s noteworthy security bulletins: 1) ESB-2017.1714 – ALERT [Win][UNIX/Linux] Apache Struts: Execute arbitrary code/commands – Remote/unauthenticatedhttps://portal.auscert.org.au/bulletins/49726 This *new* Apache struts issue went largely unnoticed by mainstream media despite there being POCs available and vulnerable servers visible in Google search. AUSCERT advises members to inform web developers and users to check if sites are vulnerable. 2) ESB-2017.1715 – [UNIX/Linux][Debian] xorg-server: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/49730 This was another vulnerability that went largely unnoticed. Two security issues were discovered in the X.org X server, the worst leading to privilege escalation. Since X server in most environments runs as root this vulnerability could potentially lead to root compromise. 3) ESB-2017.1721 – [Win][Linux][OSX] Adobe Flash Player: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/49754 Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system. AUSCERT advises members to remove Adobe Flash if possible otherwise to keep Adobe products upgraded. 4) ASB-2017.0100 – [Win] Microsoft Windows: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/49782 Our hundredth ASB for 2017 is fittingly for Microsoft Windows and includes an unusual vulnerability – a critical remote code execution vulnerability in Microsoft’s HoloLens Virtual Reality (VR) technology. Refer to our first interesting article of the week for more details. —- Stay safe, stay patched and have a good weekend! Danny

Learn more

Week in review

AUSCERT Week in Review for 7th July 2017

AUSCERT Week in Review for 7th July 2017 As Friday 7th July comes to a close, there have been numerous security related news items this week. Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Title: Westpac joins Swift blockchain testDate Published: 06/07/2017URL: https://www.itnews.com.au/news/westpac-joins-swift-blockchain-test-467746Author: Staff Writers Excerpt: “Second Aussie bank after ANZ to take part.Westpac has become the second Australian bank to join a proof-of-concept by payment messaging service Swift that aims to test blockchain for facilitating cross-border payments.It is one of 22 global banks to join the PoC today, adding to the six foundational banking participants, one of which is ANZ Bank.” —–Title: Microsoft to cut ‘thousands’ of jobsDate Published: 07/07/2016URL: http://www.bbc.com/news/business-40523172Author: BBCExcerpt: “Microsoft is to cut “thousands” of jobs worldwide as it attempts to beef up its presence in the cloud computing sector.The technology giant wants to strengthen its cloud computing division but is facing intense competition from rivals such as Amazon and Google.” —–Title: Australia stuck with higher cost of deploying FttP: NBN CoDate Published: 06/07/2017URL: https://www.itwire.com/telecoms-and-nbn/78880-australia-stuck-with-higher-cost-of-deploying-fttp-nbn-co.htmlAuthor: Peter DinhamExcerpt: “NBN Co, the builder of the national broadband network, has moved to defend the higher costs of deploying fibre-to-the-premises in Australia and “set the record straight” on recent media claims about the local cost of FttP compared to other operators around the world.” —–Title: Ukrainian police seize computers that spread global NotPetya attackDate Published: 05/07/2017URL: http://www.itworld.com/article/3205810/malware/ukrainian-police-seize-computers-that-spread-global-notpetya-attack.htmlAuthor: Peter Sayer Excerpt: “Ukraine’s Cyber Police have intervened to prevent further cyberattacks in the wake of last week’s global attack, initially considered to be ransomware and called by various names including NotPetya.” —–Title: Govt blames Medicare card breach on ‘traditional’ crimsDate Published: 04/07/2017URL: https://www.itnews.com.au/news/govt-blames-medicare-card-breach-on-traditional-crims-467502Author: Allie Coyne Excerpt: “Not wide-scale, and no IT breach, says minister. The federal government says there has been no breach of the Department of Human Services’ IT systems and the Medicare card data currently on sale likely affects only a small number of people.” Here are this week’s noteworthy security bulletins: 1) ESB-2017.1655 – [SUSE] Xen: Multiple vulnerabilities 2017-06-30https://portal.auscert.org.au/bulletins/49486Quite a few Xen Vulnerabilities, if you are running Xen it is time to check for updates. 2) ESB-2017.1659 – [Debian] libgcrypt20: Unauthorised access – Existing account 2017-07-03https://portal.auscert.org.au/bulletins/49510Side channel attacks are getting rather popular. 3) ESB-2017.1676 – [SUSE] sudo: Root compromise – Existing account 2017-07-05https://portal.auscert.org.au/bulletins/49570Regression fix for CVE-2017-1000368, this has been repeated in a few products. 4) ESB-2017.1682 – [Win][UNIX/Linux] samba: Denial of service – Remote/unauthenticated 2017-07-06https://portal.auscert.org.au/bulletins/49594Remote Samba denial of service, that has to be able to affect a lot of people. —- Stay safe, stay patched and have a good weekend! Peter

Learn more

Week in review

AUSCERT Week in Review for 30th June 2017

AUSCERT Week in Review for 30th June 2017 Hope you all have had a chance to investigate the new website. Please email us at auscert@auscert.org.au or call 07 3365 4417 with any questions or concerns about the new website. As Friday 30th June comes to a close, there have been numerous security related news items this week. Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Title: The Petya ransomware is starting to look like a cyberattack in disguiseDate Published: 28/06/2017 URL: https://www.theverge.com/2017/6/28/15888632/petya-goldeneye-ransomware-cyberattack-ukraine-russiaAuthor: Russell Brandom Excerpt: “The haze of yesterdays massive ransomware attack is clearing, and Ukraine has already emerged as the epicenter of the damage. Kaspersky Labs reports that as many as 60 percent of the systems infected by the Petya ransomware were located within Ukraine, far more than anywhere else. The hacks reach touched some of the countrys most crucial infrastructure including its central bank, airport, metro transport, and even the Chernobyl power plant, which was forced to move radiation-sensing systems to manual.” —– Title: Google Slapped With Record $3.6 Billion Fine In Europe For Manipulating Shopping Results Date Published: 28/06/2017URL:  https://www.gizmodo.com.au/2017/06/google-slapped-with-record-3-6-billion-fine-in-europe-for-manipulating-shopping-results/Author: Matt Novak Excerpt: “Yesterday, government regulators in Europe hit Google with a record 2.42 billion fine, roughly the equivalent of $3.5 billion. The search engine company was found to be manipulating search results to favour its own shopping service, a violation of antitrust laws. And if it doesn’t fix the problem within 90 days it faces an additional 12.5 million ($18.7 million) fine per day.” —– Title: Defence launches ‘Information Warfare Division’ Date Published: 30/06/2017 URL: https://www.computerworld.com.au/article/621324/defence-launches-information-warfare-division/Author: George Nott Excerpt: “The Australian Defence Force is launching a new Information Warfare Division responsible for electronic warfare, the government announced today.” —– Title: Turnbull government continues push against online encryption ahead of Five Eyes meeting Date Published: 26/06/2017 URL: http://www.news.com.au/technology/online/security/turnbull-government-continues-push-against-online-encryption-ahead-of-five-eyes-meeting/news-story/cae2303d24bcfe90cf3d490083c208e9Author: Nick Whigham and AAP Excerpt: “AUSTRALIA will be leading the discussion on an encrypted technology crack down when ministers meet with FiveEyes nations to talk terror prevention. Leaders from Australia, the United States, United Kingdom, Canada and New Zealand, will meet in the Canadian city of Ottawa where they will discuss tactics to combat terrorism and the spread of extremism.” —– Title: Qld ex-cop charged with 44 counts of database snooping Date Published: 28/06/2017 URL: https://www.itnews.com.au/news/qld-ex-cop-charged-with-44-counts-of-database-snooping-466817Author: Allie Coyne Excerpt: “The Queensland Crime and Corruption Commission has charged a former police officer with accessing information in the force’score crimes database 44 times over six years without authorisation.” Here are this week’s noteworthy security bulletins: 1) ESB-2017.1639 – [Ubuntu] Kernel: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/49422 USN 3326-1 fixed a vulnerability in the Linux kernel. However, that fix introduced regressions for some Java applications. That is a lot of regressions ๐Ÿ™ 2) ESB-2017.1643 – [Win] OpenSource Apache Struts: Multiple vulnerabilities https://portal.auscert.org.au/bulletins/49438 Struts is in all sorts of products. 3) ESB-2017.1644 – [Appliance] Cisco IOS and IOS XE Software: Multiple vulnerabilities https://portal.auscert.org.au/bulletins/49442 Root compromise that is significant. 4) ESB-2017.1602 – [Win][Linux][AIX] IBM Java SDK: Multiple vulnerabilities https://portal.auscert.org.au/bulletins/49270 Oh no not Java vulnerabilities —- Stay safe, stay patched and have a good weekend! Peter

Learn more