Week in review

AUSCERT Week in Review for 21st December 2018

AUSCERT Week in Review for 21st December 2018 Greetings, That’s a wrap for this year! Reminder that some of AUSCERT’s services will be in hibernation mode from today until they resume on the 2nd of January. For any urgent needs the 24/7 hotlines will continue as always. In a dramatic end to the year, the US DoJ announced indictments against two Chinese nationals accused of being members of APT10. This was in relation to intellectual property theft, particularly as part of the Cloud Hopper campaign, targeting MSPs (managed service providers). In additional state-sponsored attack news, Twitter has reported that it was the victim of an attack targeting its support platform. It allowed a user’s phone number and country of origin to be uncovered, fueling speculation it was designed to unmask dissident accounts. Microsoft has also issued an out of band patch for Internet Explorer, so be sure to get your patching in before the holidays! Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: US charges Chinese citizens for espionage in major hacking campaign targeting navy, NASA, others21 DecemberAuthor: ABC NewsExcerpt: “US officials have charged two Chinese citizens they allege carried out an extensive hacking campaign to steal data from military service members, government agencies and private companies in the United States and nearly a dozen other countries. The US Justice Department said Zhu Hua and Zhang Jianguo, acting on behalf of Beijing’s main intelligence agency, were involved in computer hacking attacks on the US Navy, NASA and the Energy Department as well as companies in numerous sectors.” —— Twitter discloses suspected state-sponsored attack18 DecemberAuthor: Catalin CimpanuExcerpt: “Social networking site Twitter announced today another data leak that occurred on its platform, which the company said it is investigating as a suspected state-sponsored attack. In a support page published earlier today, Twitter said that it detected the attack on November 15 when it “observed a large number of inquiries coming from individual IP addresses located in China and Saudi Arabia.”” —— On the first day of Christmas, Microsoft gave to me… an emergency out-of-band security patch for IE19 DecemberAuthor: Chris WilliamsExcerpt: “Microsoft today emitted an emergency security patch for a flaw in Internet Explorer that hackers are exploiting in the wild to hijack computers. The vulnerability, CVE-2018-8653, is a remote-code execution hole in the browser’s scripting engine. Visiting a malicious website abusing this bug with a vulnerable version of IE is enough to be potentially infected by spyware, ransomware or some other software nasty. Thus, check Microsoft Update and install any available patches as soon as you can.” —— Save the Children Hit by $1m BEC Scam17 DecemberAuthor: Phil MuncasterExcerpt: “A leading children’s charity was conned into sending $1m to a fraudster’s bank account this year, in another example of the dangers of Business Email Compromise (BEC). Save the Children Federation, the US outpost of the world-famous British non-profit, revealed the incident in a recent filing with the IRS, according to the Boston Globe. The attacker managed to access an employee’s email account and from there sent fake invoices and other documents designed to trick the organization into sending the money.” —— Here are this week’s noteworthy security bulletins: 1) ASB-2018.0310 – ALERT [Win] Internet Explorer: Execute arbitrary code/commands – Remote with user interaction Vulnerability in the scripting engine allowed malicious pages to execute code when viewed in IE. 2) ESB-2018.3702.3 – UPDATE ALERT [Cisco] Cisco Prime License Manager: Execute arbitrary code/commands – Remote/unauthenticated Cisco has released an update that fixes a regression in the previous patch release. 3) ESB-2018.3880 – [Linux][SUSE] amanda: Root compromise – Existing account Root compromise in AMANDA, a networked backup service. Stay safe, stay patched and have a good break (if you’re so lucky)! We’ll see you in the new year! Tim

Learn more

Blogs

What do I need to know about the MSP hack?

What do I need to know about the MSP hack? What’s going on? On Thursday, the United States Justice Department made an indictment against two members of APT10, acting in association with the Chinese government [0]. APT10, an advanced persistent threat, has been targeting managed service providers (MSPs) around the world since 2014. Organisations from over fourteen countries were affected, including Australia. This indictment has spurred a flurry of new stories this morning, including a publication from the ACSC [1] and an interview with National Cyber Security Adviser, Alastair MacGibbon [2], who also attributes APT10 to the Chinese Government. The nation-state attack on MSPs was covered extensively in 2017, as well as earlier this year [3] [4], and is known as “Cloud Hopper” [5]. This attack attempts to compromise the MSP with remote access trojans (RATs) delivered by phishing. By compromising MSPs, attackers are able to then target the MSP’s clients. What is APT10? APT10 is also known as Stone Panda, MenuPass, and Red Apollo. An APT is skilled and persistent with more resources than other types of attackers, so they are usually sponsored by nation-states, or coordinated groups. When the APT10 MSP attacks were reported in 2017, there was only circumstantial evidence which pointed at Chinese timezone patterns. This indictment from the US Justice Department charges APT10 members Zhu Hua and Zhang Shilong, who acted in association with the Chinese Ministry of State Security’s Tianjin State Security Bureau since 2006. What should I tell my boss? This is not a new threat, and we have known about it since early 2017. The reason it is in the news is that the United States Justice Department has indicted two Chinese nationals. You can also point out which of the controls in this document you have implemented to mitigate the risks associated with engaging with an MSP: “How to manage your network security when engaging a Managed Service Provider” [6] What you should do At the time of writing, here are the Indicators of Compromise from our MISP event:https://wordpress-admin.auscert.org.au/publications/2018-12-21-apt10-msp-breach-iocs We recommend running these against your systems and logs. While a list of affected MSPs isn’t publicly known, the ACSC has contacted any MSPs they know to have been affected. If you have any concerns, we recommend you contact your MSP, as they will be able to provide more information about their situation. You can also take this opportunity to update your risk registers and incident plans for any information and services you have hosted with a third party provider. Perhaps you could make it a start or end of year routine?   With that said, have a relaxing holiday season – we hope you don’t have to play too much family tech support!   [0] https://www.justice.gov/opa/pr/two-chinese-hackers-associated-ministry-state-security-charged-global-computer-intrusion[1] https://cyber.gov.au/msp-global-hack/[2] https://www.abc.net.au/radionational/programs/breakfast/australian-businesses-hit-by-audacious-global-hacking-campaign/10645274[3] https://www.arnnet.com.au/article/617425/aussie-msps-targeted-global-cyber-espionage-campaign/[4] https://www.securityweek.com/dhs-warns-attacks-managed-service-providers[5] https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf[6] https://cyber.gov.au/business/publications/msp-risk-for-clients/

Learn more

Blogs

Windows DNS Server Privilege Escalation vulnerability (CVE-2018-8626) leading to Remote Code execution alleged to have Proof of Concept exploit

Windows DNS Server Privilege Escalation vulnerability (CVE-2018-8626) leading to Remote Code execution alleged to have Proof of Concept exploit INTRODUCTION AUSCERT recently published an ASB addressing Microsoft’s security updates for the month of December.  Among the vulnerabilities addressed was a Critical vulnerability in the DNS Server implementation in the following Windows platforms: “Windows 10 Version 1607 for 32-bit SystemsWindows 10 Version 1607 for x64-based SystemsWindows 10 Version 1709 for 32-bit SystemsWindows 10 Version 1709 for 64-based SystemsWindows 10 Version 1709 for ARM64-based SystemsWindows 10 Version 1803 for 32-bit SystemsWindows 10 Version 1803 for ARM64-based SystemsWindows 10 Version 1803 for x64-based SystemsWindows 10 Version 1809 for 32-bit SystemsWindows 10 Version 1809 for ARM64-based SystemsWindows 10 Version 1809 for x64-based SystemsWindows Server 2012 R2Windows Server 2012 R2 (Server Core installation)Windows Server 2016Windows Server 2016 (Server Core installation)Windows Server 2019Windows Server 2019 (Server Core installation)Windows Server, version 1709 (Server Core Installation)Windows Server, version 1803 (Server Core Installation)” [1] Security updates fixing the vulnerability have been provided by Microsoft.   VULNERABILITY DESCRIPTION In their vulnerability description, Microsoft states: “A remote code execution vulnerability exists in Windows Domain Name System (DNS) servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability. To exploit the vulnerability, an unauthenticated attacker could send malicious requests to a Windows DNS server.” [1] Failed exploitation attempts will lead to denial of service conditions.   NVD CVSS3 Vector:  AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C NVD CVSS3 Base Score: 9.8 (Critical)   PROOF OF CONCEPT EXPLOIT Although the NVD CVSS3 vector above indicates a proof of concept exploit exists for this vulnerability, AUSCERT has not been able to access it or find any threat indicators related to it. We will continue to update this blog as more information becomes available.   References 1. https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8626

Learn more

Week in review

AUSCERT Week in Review for 14th December 2018

AUSCERT Week in Review for 14th December 2018 Greetings, Extortion spammers have stepped up their game, with reports coming in of fake bomb threats. Microsoft have caused some brouhaha with an unauthenticated administrator compromise in their DNS Server product. And ATO scam calls have increased in both prevalence and prominence, making the front page of ABC News today. The Super Micro story originally broken by Bloomberg has had minimal follow-up, with outright rejections from Apple and IBM. Now, an external security audit of Super Micro has found no evidence. AUSCERT will be closed over the Christmas break. However, for urgent queries and incident assistance, please call the member hotline, which is 24/7/365. The number is available once you’re logged in on the “Contact” page of auscert.org.au – consider including it in your incident response plan! Without further ado, the news: Quick-thinking retail worker saves Tasmanian woman from losing thousands in tax scamDate: 14 December 2018Author: ABC Newshttps://www.abc.net.au/news/2018-12-14/woman-avoids-scam-with-help-from-tasmanian-retail-worker/10614324A Tasmanian woman who narrowly escaped falling prey to a scammer pretending to be from the Australian Tax Office (ATO) has a quick-thinking retail employee to thank. What saved her from going through with the scammer’s demands was Alistair — a customer service employee who noticed she was buying a lot of gift cards, and pointed Ms Carey to a document from the ACCC warning of this very scam. The store refunded all the cards on the spot and she did not lose any money. Spammed Bomb Threat Hoax Demands BitcoinDate: 13 December 2018Author: Brian Krebshttps://krebsonsecurity.com/2018/12/spammed-bomb-threat-hoax-demands-bitcoin/A new email extortion scam is making the rounds, threatening that someone has planted bombs within the recipient’s building that will be detonated unless a hefty bitcoin ransom is paid by the end of the business day. I could see this spam campaign being extremely disruptive in the short run. There is little doubt that some businesses receiving this extortion email will treat it as a credible threat. This is exactly what happened today at one of the banks that forwarded me their copy of this email. Also, KrebsOnSecurity has received reports that numerous school districts across the country have closed schools early today in response to this hoax email threat. Windows DNS Server Privilege Escalation Vulnerability (CVE-2018-8626)Date: 14 December 2018Author: AUSCERTURL: https://wordpress-admin.auscert.org.au/blog/2018-12-14-windows-dns-server-privilege-escalation-vulnerability-cve-2018-8626-leading-remote-code-execution-has-publicly-available-poc-exploitExcerpt: Although the NVD CVSS3 vector above indicates a proof of concept exploit exists for this vulnerability, AUSCERT has not been able to access it or find any threat indicators related to it. We will continue to update this blog as more information becomes available. Super Micro says external security audit found no evidence of backdoor chipsDate: 11 December 2018Author: ZDNethttps://www.zdnet.com/article/super-micro-says-external-security-audit-found-no-evidence-of-backdoor-chips/Excerpt: In a letter sent out today to its customers, hardware vendor Super Micro Computer said that a security audit performed by a third-party investigations firm found no evidence that Supermicro server motherboards contained any type of backdoor chip. The company sent out this letter after earlier this year a Bloomberg report claimed that some Supermicro motherboards contained a malicious chip implant inserted on its Chinese assembly lines by Chinese spies. The US news outlet then claimed that some of these servers made it into the networks of government agencies and private companies, such as Apple and Amazon’s AWS. ASD chief insists new encryption laws won’t see Aussie tech shunned like HuaweiDate: 12 December 2018Author: iTnewshttps://www.itnews.com.au/news/asd-chief-insists-new-encryption-laws-wont-see-aussie-tech-shunned-like-huawei-516830Excerpt: The Australian Signals Directorate says the idea that Australian technology will be seen as untrustworthy in the wake of encryption-busting laws and therefore blocked from use “is absurd”. Director-general Mike Burgess published what he called seven “myths” of the controversial new laws, which the major parties passed in the last hours of parliament last week. In particular, Burgess targeted the significant doubt that has been swirling in the days since around how Australia’s technology sector will now be treated by foreign buyers. This week’s noteworthy bulletins: 1. ASB-2018.0303 – [Win] Microsoft Windows: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/72974 Remote-code-execution vulnerability in Microsoft DNS Server. 2. ASB-2018.0308 – [Win][UNIX/Linux] BIND: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/73110 Unrelated vulnerabilities in BIND. 3. ASB-2018.0304 – [Win][UNIX/Linux][BSD] Mozilla Firefox: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/72978 Firefox 64 has been released, with some significant security updates. 4. ESB-2018.3839 – [Win][UNIX/Linux] phpMyAdmin: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/72986 Security updates for current versions of phpMyAdmin including XSS and authenticated unauthorised file access. Stay safe, stay patched and have a great weekend, David

Learn more

Week in review

AUSCERT Week in Review for 7th December 2018

AUSCERT Week in Review for 7th December 2018 Greetings, The word on everybody’s lips today is #aabill. With the hasty passage yesterday of the Assistance & Access Act 2018, Australia has extended the reach of its law-enforcement groups. They will shortly be able to serve notices to access protected data. The extent of the powers is not yet fully understood, and terms such as “systemic weakness” will likely require judicial interpretation. What impact will this have on your business? We’ll just have to wait and see. After the jump, some news articles. Australia gets world-first encryption busting lawshttps://www.itnews.com.au/news/australia-gets-world-first-encryption-busting-laws-516601Author: iTnewsPublished: December 6 2018 Australia’s law enforcement agencies have a wide range of new encryption-busting powers after Labor dropped all opposition to a highly contentious bill and let it pass without extra changes it claimed all day were needed. The bill passed into law by 44 votes to 12 in the senate, having already cleared the lower house where just two MPs voted against it. Assistance and Access Bill 2018: Explanatory Documenthttps://www.homeaffairs.gov.au/how-to-engage-us-subsite/files/assistance-access-bill-2018/explanatory-document.pdfAuthor: Department of Home AffairsPublished: August 2018 This explanatory document accompanies the exposure draft of the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 (the Bill). The Bill provides national security and law enforcement agencies with powers to respond to the challenges posed by the increasing use of encrypted communications and devices. The proposed changes are designed to help agencies access intelligible communications through a range of measures, including improved computer access warrants and enhanced obligations for industry to assist agencies in prescribed circumstances. This includes accessing communications at points where it is not encrypted. The safeguards and limitations in the Bill will ensure that communications providers cannot be compelled to build systemic weaknesses or vulnerabilities into their products that undermine the security of communications. Providers cannot be required to hand over telecommunications content and data. ‘Outlandish’ encryption laws leave Australian tech industry angry and confusedhttps://www.abc.net.au/news/science/2018-12-07/encryption-bill-australian-technology-industry-fuming-mad/10589962Author: ABC NewsPublished: December 7 2018 The situation has left Australian technology companies struggling to understand the potential impact on their global standing and bottom line. John Stanton, chief executive of the Communications Alliance, said the bill’s passing was a “magnificent triumph of politics over policy”. Partner at M8 Ventures Alan Jones argued the bill will have unintended consequence for the security reputation of Australian businesses — “crippling” attempts to export their technology. “It could be just enough to lose a deal to a competitor in Israel and the US,” he said. Adobe releases out-of-band security update for newly-discovered Flash zero-dayhttps://www.zdnet.com/article/adobe-releases-out-of-band-security-update-for-newly-discovered-flash-zero-day/Author: ZDNetPublished: December 5 2018 Adobe released patches today for a new zero-day vulnerability discovered in the company’s popular Flash Player app. The zero-day has been spotted embedded inside malicious Microsoft Office documents. These documents were discovered last month after they’ve been uploaded on VirusTotal, a web-based file scanning service, from a Ukrainian IP address. A Breach, or Just a Forced Password Reset?https://krebsonsecurity.com/2018/12/a-breach-or-just-a-forced-password-reset/Author: Brian KrebsPublished: December 4 2018 Software giant Citrix Systems recently forced a password reset for many users of its Sharefile content collaboration service, warning it would be doing this on a regular basis in response to password-guessing attacks that target people who re-use passwords across multiple Web sites. Many Sharefile users interpreted this as a breach at Citrix and/or Sharefile, but the company maintains that’s not the case. Warning about tax scamshttps://www.scamwatch.gov.au/news/warning-about-tax-scamsAuthor: ACCC ScamwatchPublished: December 4 2018 Tax scams seem to be everywhere at the moment and Scamwatch is warning people not to engage with phone calls or emails they receive threatening arrest or jail over unpaid tax debts. Reports of these scams have jumped significantly during the past month. The scam is timed to coincide with the cut-off date for people needing to have their tax returns submitted to the Australian Tax Office. Most of these scams occur over the phone. People get a call from an aggressive scammer directly or receive a robotic-sounding voice message informing them they need to contact a phone number in relation to an outstanding tax debt, or face imminent arrest and jail time. Buying a new devicehttps://www.cert.govt.nz/businesses-and-individuals/guides/stepping-up-your-cyber-security/buying-a-new-deviceAuthor: CERT-NZ Get our tips to help you stay secure when you’re thinking of buying a new device. Here are this week’s noteworthy security bulletins: 1. ESB-2018.3747 – ALERT [RedHat] Red Hat OpenShift Container Platform & Kubernetes: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/72578 Nasty privilege escalation/hijacking vulnerability in Kubernetes with a CVSSv3 score of 9.8 out of 10. 2. ESB-2018.3766 – [Apple iOS] iOS: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/72658 Apple’s monthly patches include multiple vulnerabilities in WebKit (used widely) and some significant vulnerabilities in iOS. 3. ASB-2018.0296 – [Win][UNIX/Linux] Google Chrome: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/72650 The release of Chrome 71 includes some fixes for significant vulnerabilities, including RCE from a web page. 4. ESB-2018.3702 – ALERT [Cisco] Cisco Prime License Manager: Execute arbitrary code/commands – Remote/unauthenticatedhttps://portal.auscert.org.au/bulletins/72390 Cisco cleaning up SQL injection in another product. Stay safe, stay patched, and may you not be served with a technical capability notice, David and the team at AUSCERT

Learn more

Week in review

AUSCERT Week in Review for 30th November 2018

AUSCERT Week in Review for 30th November 2018 AUSCERT Week in Review30 November 2018 Greetings, Happy computer security day! Established in 1988, computer security day is celebrated on Nov 30th each year to raise awareness for computer security issues. Here are some ways you can celebrate too: – Make sure everything is patched and up to date– Help a friend set up a password manager and change their email password– Encourage a relative to enable 2FA on their email or online banking– Test your backups!– Ensure your home WiFi has a nice long and unique password Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: ATO may get direct telco metadata and bank data accessDate Published: 26 Nov 2018https://www.itnews.com.au/news/ato-may-get-direct-telco-metadata-and-bank-data-access-516050Author: Ry CrozierExcerpt:“The Australian Taxation Office (ATO) could be allowed to directly access telecommunications metadata and other records such as those held by banks under a proposal aired by Treasury late last week.” —– LinkedIn violated data protection by using 18M email addresses of non-members to buy targeted ads on FacebookDate Published: 26 Nov 2018https://techcrunch.com/2018/11/24/linkedin-ireland-data-protection/Author: Ingrid LundenExcerpt:“The DPC found that LinkedIn in the US had obtained emails for 18 million people who were not already members of the social network, and then used these in a hashed form for targeted advertisements on the Facebook platform, “with the absence of instruction from the data controller” — that is, LinkedIn Ireland — “as is required.” “—– Check your repos… Crypto-coin-stealing code sneaks into fairly popular NPM lib (2m downloads per week)Date Published: 26 Nov 2018https://www.theregister.co.uk/2018/11/26/npm_repo_bitcoin_stealer/Author: Thomas ClaburnExcerpt:“A widely used Node.js code library listed in NPM’s warehouse of repositories was altered to include crypto-coin-stealing malware. The lib in question, event-stream, is downloaded roughly two million times a week by application programmers. This vandalism is a stark reminder of the dangers of relying on deep and complex webs of dependencies in software: unless precautions are taken throughout the whole chain, any one component can be modified to break an app’s security. “—– Half of all Phishing Sites Now Have the PadlockDate Published: 26 Nov 2018https://krebsonsecurity.com/2018/11/half-of-all-phishing-sites-now-have-the-padlock/Author: Brian KrebsExcerpt:“Recent data from anti-phishing company PhishLabs shows that 49 percent of all phishing sites in the third quarter of 2018 bore the padlock security icon next to the phishing site domain name as displayed in a browser address bar. That’s up from 25 percent just one year ago, and from 35 percent in the second quarter of 2018. This alarming shift is notable because a majority of Internet users have taken the age-old “look for the lock” advice to heart, and still associate the lock icon with legitimate sites. A PhishLabs survey conducted last year found more than 80% of respondents believed the green lock indicated a website was either legitimate and/or safe.”—– Potentially disastrous Rowhammer bitflips can bypass ECC protections Date Published: 22 Nov 2018https://arstechnica.com/information-technology/2018/11/potentially-disastrous-rowhammer-bitflips-can-bypass-ecc-protections/Author: Dan GoodinExcerpt:“In early 2015, researchers unveiled Rowhammer, a cutting-edge hack that exploits unfixable physical weaknesses in the silicon of certain types of memory chips to transform data they stored. In the 42 months that have passed since then, an enhancement known as error-correcting code (or ECC) available in higher-end chips was believed to be an absolute defense against potentially disastrous bitflips that changed 0s to 1s and vice versa. Research published Wednesday has now shattered that assumption.” —– Here are this week’s noteworthy security bulletins: ESB-2018.3699 – [Win] Sennheiser HeadSetup and HeadSetup Pro: Provide misleading information – Remote/unauthenticatedhttps://portal.auscert.org.au/bulletins/72378 Two inadvertently disclosed digital certificates could be used to spoof content and to provide an update to the Certificate Trust List (CTL) to remove user-mode trust for the certificates. ESB-2018.3702 – ALERT [Cisco] Cisco Prime License Manager: Execute arbitrary code/commands – Remote/unauthenticatedhttps://portal.auscert.org.au/bulletins/72390 A vulnerability in the web framework code of Cisco Prime License Manager(PLM) could allow an unauthenticated, remote attacker to execute arbitrarySQL queries. ESB-2018.3688 – [Win][UNIX/Linux][Debian] ghostscript: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/72334 Several vulnerabilities were discovered in Ghostscript, the GPLPostScript/PDF interpreter, which may result in denial of service or theexecution of arbitrary code if a malformed Postscript file is processed. ESB-2018.3652 – [Win][UNIX/Linux][Debian] gnuplot5: Execute arbitrary code/commands – Existing account https://portal.auscert.org.au/bulletins/72190 gnuplot5, a command-line driven interactive plotting program, has been examined with fuzzing by Tim Blazytko, Cornelius Aschermann, Sergej Schumilo and Nils Bars.They found various overflow cases which might lead to the execution of arbitrary code. ESB-2018.3650 – [UNIX/Linux][Debian] roundcube: Cross-site scripting – Remote with user interactionhttps://portal.auscert.org.au/bulletins/72182 Roundcube, a skinnable AJAX based webmail solution for IMAP servers, is prone to a cross-site scripting vulnerability in handling invalid style tag content. Stay safe, stay patched and have a good weekend! Charelle  

Learn more

Week in review

AUSCERT Week in Review for 23rd November 2018

AUSCERT Week in Review for 23rd November 2018 Greetings, This week, back to basics. We’ve selected some articles about the fundamentals of cybersecurity, for wins you can get without going to a vendor and buying more SIEMs to cram into your network. Patching! Security updates are important, but if you don’t install them, they’re worthless. In fact, if everyone else is patched and you’re not, it just makes you a bigger target. Users! User behaviour is key, and encouraging secure practices will close a lot of holes. Finally, it’s the season for Cyber Monday sales. Some password managers are offering discounts – if your loved ones aren’t already using a password manager, it might be worth having a browse…! Into the articles: Active XSS Attacks Targeting AMP for WP WordPress PluginDate: 20 November 2018Author: BleepingComputerhttps://www.bleepingcomputer.com/news/security/active-xss-attacks-targeting-amp-for-wp-wordpress-plugin/ Vulnerabilities were recently discovered in the popular AMP for WP plugin that allows any registered user to perform administrative actions on a WordPress site. It has now been discovered that an active XSS attack is underway that targets these same vulnerabilities to install backdoors and create rogue admin accounts on a vulnerable WordPress site. Unfortunately, as many users may not know about the security vulnerabilities or have not updated their software, this still remains a good vector for attacks. Hackers use Drupalgeddon 2 and Dirty COW exploits to take over web serversDate: 19 November 2018Author: ZDNethttps://www.zdnet.com/article/hackers-use-drupalgeddon-2-and-dirty-cow-exploits-to-take-over-web-servers/ Through these recent attacks, hackers aim to gain a foothold on servers, elevate their access to a root account, and then install a legitimate SSH client so they can log into the hijacked servers at later dates. Taking into account that this attack relies on exploiting two very well-known vulnerabilities for which patches have been made available a long time ago, website and server owners can easily make sure they’re immune to such attacks by updating Drupal and their Linux servers. Employees’ cybersecurity habits worsen, survey findsDate: 15 November 2018Author: We Live Securityhttps://www.welivesecurity.com/2018/11/15/employees-cybersecurity-habits-worsen/ The prevalence of cybersecurity incidents and the concomitant growing concerns about any organization’s cybersecurity posture haven’t done much to discourage many employees from engaging in poor security habits, a survey has found. In some respects, employees’ cyber-hygiene is actually getting worse, according to the 2018 Market Pulse Survey by identity governance provider SailPoint, which gathered opinions from 1,600 employees at organizations with at least 1,000 employees in Australia, France, Germany, Italy, Spain, the United Kingdom, and the United States. Three in every four respondents admitted to reusing passwords across accounts. In the survey’s 2014 edition, the same was true for “only” 56% of the employees. Beyond Passwords: 2FA, U2F and Google Advanced ProtectionDate: 15 November 2018Author: Troy Hunthttps://www.troyhunt.com/beyond-passwords-2fa-u2f-and-google-advanced-protection/ Last week I wrote a couple of different pieces on passwords, firstly about why we’re going to be stuck with them for a long time yet and then secondly, about how we all bear some responsibility for making good password choices. A few people took some of the points I made in those posts as being contentious, although on reflection I suspect it was more a case of lamenting that we shouldn’t be in a position where we’re still dependent on passwords and people needing to understand good password management practices in order for them to work properly. This week, I wanted to focus on going beyond passwords and talk about 2FA. Per the title, not just any old 2FA but U2F and in particular, Google’s Advanced Protection Program. This post will be partly about 2FA in general, but also specifically about Google’s program because of the masses of people dependent on them for Gmail. Your email address is the skeleton key to your life (not just “online” life) so protecting that is absolutely paramount. Adobe issues fix for Flash bug allowing remote code executionDate: 21 November 2018Author: CyberScoophttps://www.cyberscoop.com/adobe-flash-patch-bug-remote-code-execution/ Adobe has issued a patch for its Flash Player software, fixing a critical bug that would have allowed attackers to remotely execute malicious code. The company labels it as a “type confusion” vulnerability. That means that Flash Player could run a piece of code without verifying what type it is. If an unpatched version of Flash is running, an attacker could trick users into visiting a website hosting malicious code that could then run on the user’s Flash Player, as explained in a security advisory issued by Microso Here are this week’s noteworthy security bulletins: ESB-2018.3611 – ALERT [Win][UNIX/Linux] Flash Player: Execute arbitrary code/commands – Remote with user interactionhttps://portal.auscert.org.au/bulletins/72014 Adobe has released security updates for Adobe Flash Player for Windows, macOS,Linux and Chrome OS. These updates address a critical vulnerability in AdobeFlash Player 31.0.0.148 and earlier versions. Successful exploitation couldlead to arbitrary code execution in the context of the current user. ASB-2018.0241.3 – UPDATE Palo Alto PAN-OS: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/69798 Palo Alto Networks has addressed vulnerabilities from OpenSSL. ESB-2018.3609 – [Win][Linux] moodle: Cross-site request forgery – Remote with user interactionhttps://portal.auscert.org.au/bulletins/72006 A cross-site-request-forgery vulnerability in a login form. ESB-2018.3627 – [Win][UNIX/Linux] GitLab: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/72078 Versions 11.5.0-rc12, 11.4.6, and 11.3.10 for GitLab Community Edition (CE) and Enterprise Edition (EE) have been released. ASB-2018.0292 – [Win][UNIX/Linux] Google Chrome: Execute arbitrary code/commands – Remote with user interactionhttps://portal.auscert.org.au/bulletins/72086 The Chrome team has released an update which includes a security fix for CVE-2018-17479, a high-severity issue causing a use-after-free in GPU code. Stay safe, stay patched, and have a good weekend!David, Charelle and the team at AUSCERT

Learn more

Week in review

AUSCERT Week in Review for 16th November 2018

AUSCERT Week in Review for 16th November 2018 Greetings, This week the steady flow of speculative execution attacks continues, with researchers releasing 7 additions to the vulnerability family (thankfully some are covered by previous mitigations). In good news for the international community, Mozilla’s Firefox Monitor, which checks your email addresses against Troy Hunt’s Have I Been Pwned platform, is now multilingual! Firefox Quantum will also begin displaying alerts on pages which have suffered a data breach in the last 12 months. This should go a long way to increasing user-visibility of such events, especially for those sites which have to be dragged kicking and screaming to proper user notification. In further good news, Ubuntu is putting the L in LTS, as 18.04 will be receiving 10 years of support. Recognising that IoT, scientific, and industrial devices traditionally have service lives far greater than the OSes that power them, Ubuntu is doing its best to keep our increasingly networked ecosystem from becoming an unsecurable mess (moreso than it already is). Lastly, we were once again reminded that BGP is not a secure routing protocol, in the form of a Nigerian ISP rerouting Google (and other) traffic through itself via Russia and China, seemingly by accident. The advertised routes were not prepared to handle the volume of traffic, resulting in a DoS to Google services for over an hour. Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Spectre, Meltdown researchers unveil 7 more speculative execution attacksDate: 14 Novemberhttps://arstechnica.com/gadgets/2018/11/spectre-meltdown-researchers-unveil-7-more-speculative-execution-attacks/ Author: Peter BrightExcerpt: “A research team—including many of the original researchers behind Meltdown, Spectre, and the related Foreshadow and BranchScope attacks—has published a new paper disclosing yet more attacks in the Spectre and Meltdown families. The result? Seven new possible attacks. Some are mitigated by known mitigation techniques, but others are not. That means further work is required to safeguard vulnerable systems.” —— Microsoft closes actively exploited Windows zero-dayDate: 14 Novemberhttps://www.itnews.com.au/news/microsoft-closes-actively-exploited-windows-zero-day-515531 Author: Juha SaarinenExcerpt: “Admins and Windows users have been urged to apply the November 2018 round of security patches urgently, to close off vulnerabilities, one of which is under active exploitation currently. This is the Kaspersky Labs-reported CVE-2018-8589 vulnerability in the win32k.sys kernel, a privilege elevation bug that allows attackers to run arbitrary code in the local system security context, Microsoft warned.” —— Firefox Monitor Launches in 26 Languages and Adds New Desktop Browser FeatureDate: 14 Novemberhttps://blog.mozilla.org/blog/2018/11/14/firefox-monitor-launches-in-26-languages-and-adds-new-desktop-browser-feature/ Author: Nick NguyenExcerpt: “Introducing Firefox Monitor Notifications Along with making Monitor available in multiple languages, today we’re also releasing a new feature exclusively for Firefox users. Specifically, we are adding a notification to our Firefox Quantum browser that alerts desktop users when they visit a site that has had a recently reported data breach. We’re bringing this functionality to Firefox users in recognition of the growing interest in these types of privacy- and security-centric features. This new functionality will gradually roll out to Firefox users over the coming weeks.” —— Cloudflare launches Android and iOS apps for its 1.1.1.1 serviceDate: 11 Novemberhttps://www.zdnet.com/article/cloudflare-launches-android-and-ios-apps-for-its-1-1-1-1-service/ Author: Catalin CimpanuExcerpt: “Cloudflare launched today official mobile apps for its 1.1.1.1 privacy-first DNS resolver service. Mobile apps for Android and iOS are now available on their respective app stores. The company first launched the 1.1.1.1 service to great fanfare on April 1, earlier this year. The service is a basic DNS server, but one for which Cloudflare has guaranteed user privacy and improved look-up speed.” —— How a Nigerian ISP Accidentally Knocked Google OfflineDate: 15 Novemberhttps://blog.cloudflare.com/how-a-nigerian-isp-knocked-google-offline/ Author: Tom PasekaExcerpt: “Last Monday evening – 12 November 2018 – Google and a number of other services experienced a 74 minute outage. It’s not the first time this has happened; and while there might be a temptation to assume that bad actors are at work, incidents like this only serve to demonstrate just how much frailty is involved in how packets get from one point on the Internet to another.” —— Mark Shuttleworth reveals Ubuntu 18.04 will get a 10-year support lifespanDate: 15 Novemberhttps://www.zdnet.com/article/mark-shuttleworth-reveals-ubuntu-18-04-will-get-a-10-year-support-lifespan/Author: Steven J. Vaughan-NicholsExcerpt: “‘I’m delighted to announce that Ubuntu 18.04 will be supported for a full 10 years,’ said Shuttleworth, ‘In part because of the very long time horizons in some of industries like financial services and telecommunications but also from IoT where manufacturing lines for example are being deployed that will be in production for at least a decade.'” —— Here are this week’s noteworthy security bulletins: ASB-2018.0288 – [Win] Microsoft Windows: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/71754 Patch Tuesday brings with it the usual slew of vulnerability fixes. ESB-2018.3542 – [Win][Linux][Ubuntu] gettext: Execute arbitrary code/commands – Remote with user interactionhttps://portal.auscert.org.au/bulletins/71698 Maliciously formatted messages could cause RCE in GNU internationalisation package gettext. ESB-2018.3535 – [Virtual] VMware ESXi, Workstation and Fusion: Execute arbitrary code/commands – Existing accounthttps://portal.auscert.org.au/bulletins/71670 VMWare has fixed a couple of vulnerabilities, including a guest-to-host RCE. Stay safe, stay patched and have a good weekend! Tim

Learn more

Week in review

AUSCERT Week in Review for 9th November 2018

AUSCERT Week in Review for 9th November 2018 Greetings, This week in information security: a research paper has unveiled several techniques for defeating hardware-level SSD encryption, a proposal would give SA Police the right to compel you to access your devices, and Cisco have removed more hard-coded credentials. If you like the Week in Review, the AUSCERT Daily Intelligence Report is a daily news summary, in the same vein but simpler and – dare I say – prettier. It’s currently in beta. If you’d like to sign up, please email auscert@auscert.org.au. Flaws in Popular SSD Drives Bypass Hardware Disk EncryptionDate: 5 NovemberAuthor: Lawrence Abramshttps://www.bleepingcomputer.com/news/security/flaws-in-popular-ssd-drives-bypass-hardware-disk-encryption/Excerpt: “We have analyzed the hardware full-disk encryption of several SSDs by reverse engineering their firmware,” stated the report. “In theory, the security guarantees offered by hardware encryption are similar to or better than software implementations. In reality, we found that many hardware implementations have critical security weaknesses, for many models allowing for complete recovery of the data without knowledge of any secret.”To make matters worse, as Windows’ BitLocker software encryption will default to hard drive encryption if supported, it can be bypassed using the same discovered flaws. South Australia Police to be able to compel passwords and biometrics from suspectsDate: 8 NovemberAuthor: Chris Ducketthttps://www.zdnet.com/article/south-australia-police-to-be-able-to-compel-passwords-and-biometrics-from-suspects/Excerpt: “South Australia Police is set for a boost to its powers under proposed laws introduced on Thursday in Adelaide, which would enable police officers to compel passwords and biometrics from suspects.That can include the provision of passwords, fingerprints, facial scans, or retinal scans — whatever enables authorities to access a device that may contain evidence of a serious offence.“Anyone who fails to comply with the order could face up to five years imprisonment.” Govt adds new safeguards to My Health RecordDate: 7 NovemberAuthor: iTnewshttps://www.itnews.com.au/news/govt-adds-new-safeguards-to-my-health-record-515206Excerpt: The federal government has moved to introduce extra privacy and security changes to the legislation behind the controversial My Health Record just a week out from the end of the opt-out period.The proposed amendments are focused on introducing tougher penalties for system misuse, including by employers, as well as strengthening provisions to safeguard against domestic violence.They add to the August changes to privacy provisions to make it harder for agencies and police to gain access to the content of a personal electronic health record and allow individuals to delete records permanently at any time. Defence shipbuilder Austal hit by cyber security breach and extortion attemptDate: 2 NovemberAuthor: ABChttps://www.abc.net.au/news/2018-11-01/defence-shipbuilder-austal-subject-of-a-cyber-security-breach/10458042Excerpt: Western Australia-based Defence shipbuilder Austal has been the subject of a cyber security breach and extortion attempt.The company announced to the stock exchange last night that its Australian data management system had been targeted by an “unknown offender”.Some staff email addresses and mobile phone numbers were accessed, according to the statement which acknowledged that a “small number” of customers had been affected.The company, which builds patrol vessels and frigates for the Australian Navy, said there was “no evidence to date that information affecting national security has been stolen”.But it indicated the hackers got access to — or stole — drawings and designs of its ships. Stealing Chrome cookies without a passwordDate: 26 SeptemberAuthor: the hacker known as “Alex”https://mango.pdf.zone/stealing-chrome-cookies-without-a-passwordExcerpt: Chrome stores your cookies, history, deepest secrets, etc. in a user-data-dir. By default (if you have no Chrome Profiles), this will be $HOME/Library/Application Support/Google/Chrome/.Needless to say, this directory is The Good Stuff, and we want to be extremely up in it. [AUSCERT adds: this is less serious than the other articles, but a high-quality writeup of an attack.] Noteworthy bulletins this week: 1. ESB-2018.3504 – ALERT [Cisco] Cisco Unity Express: Root compromise – Remote/unauthenticatedhttps://portal.auscert.org.au/bulletins/71538 Unsafe object deserialisation strikes again.  2. ESB-2018.3484.2 – UPDATE [Win][Linux][Solaris][AIX] IBM Db2: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/71458 A grab-bag of vulnerabilities in IBM Db2, including an authenticated root compromise via symlink.  3. ESB-2018.3479 – [Linux][Ubuntu] SpamAssassin: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/71438 SpamAssassin, which is designed to handle baddies entering your mail system, has a couple of RCEs from crafted input. 4. ESB-2018.3410.4 – UPDATED ALERT [Appliance] Cisco Adaptive Security Appliance Software and Cisco Firepower Software: Denial of service – Remote/unauthenticatedhttps://portal.auscert.org.au/bulletins/71146 Noteworthy updates to the DoS vulnerability in Cisco firewalls via SIP: v9.4 has a fix, v9.6 onwards are still pending, clearer instructions on disabling SIP. 5. ESB-2018.3501 – [Cisco] Cisco Small Business Switches: Unauthorised access – Remote/unauthenticatedhttps://portal.auscert.org.au/bulletins/71526 The seventh backdoor account removed this year. Stay patched, stay safe, and have a good weekend!David

Learn more

Week in review

AUSCERT Week in Review for 26th October 2018

AUSCERT Week in Review for 26th October 2018 Greetings, Yet another week comes to a close. Between El Nino predictions for the summer and Halloween approaching, there are plenty of reasons to be scared. Not infosec professionals, however, who face hot conditions and scary situations on a daily basis! Let’s take a look at some of the creepy stuff out there this week… ….Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Hacker Discloses New Windows Zero-Day Exploit On Twitter Date Published: 23/10/2018 Author: Swati Khandelwal Excerpt: “A security researcher with Twitter alias SandboxEscaper—who two months ago publicly dropped a zero-day exploit for Microsoft Windows Task Scheduler—has yesterday released another proof-of-concept exploit for a new Windows zero-day vulnerability.  SandboxEscaper posted a link to a Github page hosting a proof-of-concept (PoC) exploit for the vulnerability that appears to be a privilege escalation flaw residing in Microsoft Data Sharing (dssvc.dll).  The Data Sharing Service is a local service that runs as LocalSystem account with extensive privileges and provides data brokering between applications.  The flaw could allow a low-privileged attacker to elevate their privileges on a target system, though the PoC exploit code (deletebug.exe) released by the researcher only allows a low privileged user to delete critical system files—that otherwise would only be possible via admin level privileges.” —– IF YOUR TOOTHBRUSH CALLS YOU, IT MIGHT NOT BE FOR DENTAL HYGIENE: THE IMPORTANCE OF SECURING THE INTERNET OF THINGS Date Published: 25/10/2018 Author: Europol Excerpt: “THE MAIN CONCLUSIONS OF THE CONFERENCE ARE: security should not be an afterthought when designing systems and IoT systems are no exception; implementing security does not need to be complicated. As ENISA’s report shows, baseline security recommendations for IoT were made accessible via an interactive online table. This allows for easy access to specific good practices; law enforcement needs to be in a position to go beyond defence and incident response by being able to investigate and prosecute the criminals abusing connected devices; there is a need to discuss digital forensics in regard to IoT and the importance of data and privacy protection, considering the amount and different categories of data collected by the IoT; this joint conference is an excellent example of much-needed multi-disciplinary dialogues. ENISA and Europol are working closely together to inform key stakeholders of the need to be aware of the cybersecurity and criminal aspects associated with deploying and using these devices; the IoT has great potential and provides tremendous opportunities to improve the way we interact, do business and go about our daily lives. In 2019 and beyond, holistic, pragmatic, practical and economically viable security solutions need to be promoted and the entire IoT ecosystem needs to be looked into. ENISA will be working on an automotive IoT case study and welcomes the active support of all partners. Cybersecurity is a shared responsibility. Stronger collaborations with industry are planned together with other initiatives to ensure coordinated efforts and explore all possible synergies.” —– Is nowhere private? Chinese subway users upset by plans to install facial recognition systems Date Published: 25/10/2018 Author: Phoebe Zhang Excerpt: “The technology will be used in just one security channel at each of the four stations in Guangzhou, the capital of Guangdong province, the city’s metro operator said on Weibo, China’s Twitter-like service. To use the new channels, passengers must first register their details, including a photograph, using the Guangzhou Metro’s official smartphone app. “The registration process is voluntary,” the company said. “[And] information collected will be used only for security checks and not be passed on to our partner companies.” Once registered, passengers will be able to use through the dedicated channels and the system will recognise them from the information they registered, it said.” —– Advertisers can track users across the Internet via TLS Session Resumption Date Published: 23/10/2018 Author: Catalin Cimpanu Excerpt: “The abused TLS mechanism is called TLS Session Resumption (RFC 8447), a mechanism that was created in the mid-2000s to allow TLS servers to remember past user sessions and avoid wasting server resources by re-negotiating a TLS connection with a returning user. There are currently three different ways that servers can opt to use and support TLS Session Resumption. There’s TLS Session Resumption via session IDs, there’s TLS Session Resumption via session tickets, and there’s TLS Session Resumption via pre-shared keys (PSKs). The first two are compatible with the older TLS 1.2 protocol, while the third mechanism was developed for the newer and recently-approved TLS 1.3 standard. In all three cases, server owners have the liberty to set the lifespan the server remembers a user session.” —- Apps Installed On Millions Of Android Phones Tracked User Behavior To Execute A Multimillion-Dollar Ad Fraud Scheme Date Published: 23/10/2018 Authors: Craig Silverman Excerpt: “The Google Play store pages for these apps were soon changed to list four different companies as their developers, with addresses in Bulgaria, Cyprus, and Russia, giving the appearance that the apps now had different owners. But an investigation by BuzzFeed News reveals that these seemingly separate apps and companies are today part of a massive, sophisticated digital advertising fraud scheme involving more than 125 Android apps and websites connected to a network of front and shell companies in Cyprus, Malta, British Virgin Islands, Croatia, Bulgaria, and elsewhere. More than a dozen of the affected apps are targeted at kids or teens, and a person involved in the scheme estimates it has stolen hundreds of millions of dollars from brands whose ads were shown to bots instead of actual humans.” — Magecart hackers change tactic and target vulnerable Magento extensions Date Published: 24/10/2018 Authors: Pierluigi Paganini Excerpt: “The new attack was detailed by the researcher Willem de Groot, the hackers are now exploiting zero-day vulnerabilities in popular store extension software in order to inject skimmer scripts. “Online credit card theft has been all over the news: criminals inject hidden card stealers on legitimate checkout pages. But how are they are able to inject anything in the first place? As it turns out, thieves are massively exploiting unpublished security flaws (aka 0days) in popular store extension software.” continues the expert. “While the extensions differ, the attack method is the same: PHP Object Injection (POI). Now attackers leverage PHP Object Injection (POI) by abusing PHP’s unserialize() function in order to compromise websites. With this attack method, they are able to modify the database or any JavaScript file. According to de Groot, many popular PHP applications continue to use unserialize(), but while Magento has replaced most of the vulnerable functions, many of its extensions are still flawed. “This attack vector abuses PHP’s unserialize() function to inject their own PHP code into the site.” continues the researcher.” Here are this week’s noteworthy security bulletins: 1) ESB-2018.3290 – [Juniper] Juniper Junos OS: Execute arbitrary code/commands – Remote/unauthenticated Juniper Network released a security update for the Junos OS, used in its physical and virtual networking and security products.  The update addressed a vulnerability arising from the mishandling of crafted BGP NOTIFICATION messages. It can cause a denial of service and condition and potentially lead to remote code execution. 2) ASB-2018.0241.2 – UPDATE Palo Alto PAN-OS: Multiple vulnerabilities Not to be outdone, Palo Alto Networks fixed a few issues affecting the OpenSSL library used in its Pan-OS operating system, which is used in a large number of Juniper’s network appliances. The worst of these three vulnerabilities could lead to the disclosure of privileged information. 3) ASB-2018.0271 – [Win][UNIX/Linux] Tenable Nessus: Multiple vulnerabilities Tenable’s Nessus received an update that fixes two vulnerabilities stemming from the OpenSSL library it employs. The more serious of the two could allow a remote attacker to infer the private key generated by the RSA key generation algorithm via a cache timing side channel attack. This would lead to the decryption of “secure“ communications. 4) ASB-2018.0270.2 – UPDATED ALERT [Win][UNIX/Linux][Android] Mozilla Firefox and Mozilla Firefox ESR: Multiple vulnerabilities Mozilla released an update that addressed a large number of vulnerabilities in Firefox and Firefox ESR. The worst of these leads to remote code execution. Stay safe, stay patched, stay cool and have a good weekend! Nicholas

Learn more

Week in review

AUSCERT Week in Review for 2nd November 2018

AUSCERT Week in Review for 2nd November 2018 Greetings, As another week comes to a close, here’s a collection of articles for you to enjoy. Been having nightmares lately? May there’s a hacker behind it… Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Hackers attacking your memories: science fiction or future threat? Date Published: 29/10/2018 Author: Kaspersky Lab Excerpt: “The hardware and software to underpin this exists too: deep brain stimulation (DBS) is a neurosurgical procedure that involves implanting a medical device called a neurostimulator or implantable pulse generator (IPG) in the human body to send electrical impulses, through implanted electrodes, to specific targets in the brain for the treatment of movement and neuropsychiatric disorders. It is not a huge leap for these devices to become ‘memory prostheses’ since memories are also created by neurological activity in the brain.   To better understand the potential future threat landscape facing memory implants, researchers from Kaspersky Lab and the University of Oxford Functional Neurosurgery Group have undertaken a practical and theoretical threat review of existing neurostimulators and their supporting infrastructure.   The attached report is the outcome of that research. It should be noted that because much of the work involving neurostimulators is currently handled in medical research laboratories, it’s not easy to practically test the technology and associated software for vulnerabilities. However, much can be learned from handling the devices and seeing them used in situ, and this research involved both.” —- Project Dribble: hacking Wi-Fi with cached JavaScript Date Published: 29/10/2018 Author: Federico De Meo Excerpt: “The idea is to steal Wi-Fi passwords by exploiting web browser’s cache. Since I needed to come up with a name for the project, I first developed it and than named it “Dribble” :-). Dribble creates a fake Wi-Fi access point and waits for clients to connect to it. When clients connect, dribble intercepts every HTTP requests performed to JavaScript pages and injects in the responses a malicious JavaScript code. The headers of the new response are altered too so that the malicious JavaScript code is cached and forced to persist in the browser. When the client disconnects from the fake access point and reconnects back to, say, its home routers, the malicious JavaScript code activates, steals the Wi-Fi password from the router and send it back to the attacker. Pretty straightforward, right?   In order to achieve this result I had to figure out these three things: How to create a fake access point How to force people to connect to it What should the malicious JavaScript code do to steal passwords from routers” —– Apple’s new security chip kills access to microphone Date Published: 30/10/2018 Author: Greg Otto Excerpt: “In a security pamphlet released after Apple’s press event on Tuesday, the company revealed that the chip will completely cut off access to the device’s microphone when the MacBook lid is shut. “This disconnect is implemented in hardware alone, and therefore prevents any software, even with root or kernel privileges in macOS, and even the software on the T2 chip, from engaging the microphone when the lid is closed,” the pamphlet reads. The power cut is only limited to the microphone, and not the camera, since the latter would be useless when a computer is shut. The T2 chips are in the latest line of MacBook Pros, and will be in included in the new MacBook Airs and Mac Minis.” —– Fallout Exploit Kit Releases the Kraken Ransomware on Its Victims Date Published: 31/10/2018 Author: David Bisson Excerpt: “At this current time, Kraken employs a ransomware-as-a-service (RaaS) business model. The first version of the threat reserved a quarter of the profits generated from attack campaigns for Kraken’s developers. But that percentage dropped to a fifth in the second version, presumably in a bid to attract more affiliates. According to McAfee, the developers give affiliates an updated version of the ransomware every 15 days to ensure that their creation avoids detection. Affiliates then spread the ransomware with the help of Fallout and other vectors. Upon successful infection, Kraken quickly encrypts data on the disk and uses SDelete from the Sysinternals suite along with other tools to wipe files and complicate the recovery process for the user. It then drops a ransom note on the infected computer asking victims to send money to one of several wallets operated by the attackers through BitcoinPenguin, an online gambling site.” —– Same Old yet Brand-new: New File Types Emerge in Malware Spam Attachments Date Published: 29/10/2018 Author: Trend Micro Excerpt: ” We recently found a small spam campaign that distributes malicious .ARJ files. Several of these spam emails have email subjects pertaining to statements or purchase orders, such as “STATEMENT OF OUTSTANDING BALANCE AS YOUR REFERENCE,” “New Order-Snam Thai Son Group//PO//Ref 456789,” and “SUBJECT:Advice from Standard Chartered Bank,” to name a few. After the malicious .ARJ file has been downloaded to a device, it may drop and execute a plain executable file or an executable screensaver file. Back in 2014, once successfully unpacked in a system, a spam campaign with an .ARJ file attachment will turn an infected computer as part of a botnet that can be used for spam or denial-of-service attacks. This year, the payload is a spyware (detected by Trend Micro as TROJANSPY.WIN32.GOLROTED.THAOOEAH) that steals system information as well as usernames and passwords from browsers. This malware also attempts to steal stored email credentials from several email service platforms. Cybercriminals also use .Z files maliciously. .Z file extensions are compressed Unix-based machine files, though it has been outshined by the GNU Gzip compression in terms of popularity among users. Because it appears to have a double file extension (such as .PDF.z), users may be tricked into thinking that they’re opening a PDF instead of a .Z file.” Here are this week’s noteworthy security bulletins: 1) ESB-2018.3432 – ALERT [Cisco] Cisco Aironet Access Points and Meraki Access Points: Execute arbitrary code/commands – Remote/unauthenticated Cisco issued firmware updates for its Aironet and Meraki Access Points. The update addresses a critical vulnerability in the vulnerability in the Bluetooth Low Energy (BLE) Stack on Texas Instruments (TI) chips CC2640 and CC2650. Processing malformed BLE frames could lead to a memory corruption condition resulting in Denial of service or Remote code execution. An attacker would need to be network adjacent to exploit the vulnerability. The implications here are huge, so super urgent patching is highly recommended. 2) ESB-2018.3410 – [Appliance] Cisco Adaptive Security Appliance Software and Cisco Firepower Software: Denial of service – Remote/unauthenticated Software for Cisco’s Adaptive Security Appliance (ASA) and Firepower platforms received a security update fixing a denial of service vulnerability that could be remotely exploited by flooding an affected device with crafted SIP traffic. Exploits have been sighted in the wild, so fix it ASAP! 3) ASB-2018.0275 – [Win][UNIX/Linux][BSD][Android] Mozilla Thunderbird: Multiple vulnerabilities Mozilla Thunderbird ESR received an update that fixes multiple vulnerabilities. The most serious of these could result in remote code execution by tricking users into performing certain actions.   4) ESB-2018.3336 – [Win] Cisco Advanced Malware Protection: Execute arbitrary code/commands – Existing account Cisco released an update for its Advanced Malware Protection solution on Windows platforms. The fixed vulnerability could allow a highly privileged attacker to prevent detection of malicious intrusions in the host. As we have seen in the past, after gaining privileges in the target system, several malware types attempt to identify and kill security applications running on the infected host.   Stay safe, stay patched, stay cool and have a good weekend! Nicholas

Learn more