Publications

AUSCERT Week in Review for 19th October 2018 AUSCERT Week in Review19 October 2018 This week’s libssh issue makes me think of the usual joke intro. of “Knock Knock! – Who’s there?”, just that the punchline is when the answer is “It’s (Me) and I’m allowed to come in.”, and the response is “Sure! come right in!”. Probably not the type of authentication challenge-response that was expected.  So, this just illustrates that access will be had even with the best intentions of rolling out trusted and secure modules. A compensating control, is assume that breaches have already been made and unwanted activity is being performed. These types of activities can be found by doing some threat hunting, just in case someone, somehow got through.  If you need to skill up on that aspect, there is a 10% discount for AUSCERT members at the “AUSTRALIAN LEADERSHIP CYBER-SECURITY WORKSHOPS”.  Tick the box that you are an AUSCERT member and you will automatically get the discount for training that will be rolled out in Canberra and in Brisbane.[1] An another note, a flurry of notices came through this morning about the specific patch instructions, from SUSE for SUSE Linux Enterprise Server 12-SP2-BCL.  [1] https://www.eait.uq.edu.au/australian-leadership-cyber-security-workshops  As for the news, here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:  ——- Title:  Critical Remote Code Execution Vulnerabilities Patched by DrupalURL:    https://news.softpedia.com/news/critical-remote-code-execution-vulnerabilities-patched-by-drupal-523315.shtmlDate:   October 18, 2018Author: Sergiu Gatlan Excerpt:“… Unpatched versions of the Drupal open source content management system (CMS) are vulnerable to remote exploitation which could lead to remote code execution.Given enough privileges associated with the user that the Drupal installation runs under, this could allow bad actors to create new accounts with full users rights, as well as view, change, delete data on the compromised target.Therefore, compromised servers where Drupal is launched using a user with limited rights will be a lot less impacted than those where Drupal runs under an administrator account.” ——- Title:  New Reconnaissance Tool Uses Code from Eight-Year-Old Comment Crew ImplantURL:    https://www.bleepingcomputer.com/news/security/new-reconnaissance-tool-uses-code-from-eight-year-old-comment-crew-implant/Date:   October 18, 2018Author: Ionut Ilascu Excerpt:“A newly discovered first-stage implant targeting Korean-speaking victims borrows code from another reconnaissance tool linked to Comment Crew, a Chinese nation-state threat actor that was exposed in 2013 following cyber espionage campaigns against the United States.Dubbed Oceansalt, the threat has been spotted on machines in South Korea, the United States, and Canada.” ——- Title:  Critical Vulnerabilities Allow Takeover of D-Link RoutersURL:    https://www.securityweek.com/critical-vulnerabilities-allow-takeover-d-link-routersDate:   October 17, 2018Author: Eduard Kovacs Excerpt:“The security holes affecting D-Link devices were discovered by a research team at the Silesian University of Technology in Poland. The bugs impact the httpd server of several D-Link routers, including DWR-116, DWR-111, DIR-140L, DIR-640L, DWR-512, DWR-712, DWR-912, and DWR-921.One of the vulnerabilities, tracked as CVE-2018-10822, is a directory traversal issue that allows remote attackers to read arbitrary files using a simple HTTP request. The vulnerability was previously reported to D-Link and tracked as CVE-2017-6190, but the vendor failed to address it in many of its products.” ——- Title:  Hacker: I’m logged in. New LibSSH Vulnerability: OK! I believe youURL:    https://www.bleepingcomputer.com/news/security/hacker-im-logged-in-new-libssh-vulnerability-ok-i-believe-you/Date:   October 17, 2018Author: Ionut Ilascu Excerpt:“Discovered by Peter Winter-Smith of NCC Group, the vulnerability received the identification number CVE-2018-10933 and it affects the server part of libssh.Laughably easy to exploit is an understatementLeveraging it is a simple matter of presenting the server with the  SSH2_MSG_USERAUTH_SUCCESS message, which shows that the login already occurred without a problem.The server expects the message SSH2_MSG_USERAUTH_REQUEST to start the authentication procedure, but by skipping it an attacker can log in without showing any credentials.” ——- Title:  Apple VoiceOver iOS vulnerability permits hacker access to user photosURL:   https://www.zdnet.com/article/apple-voiceover-iphone-vulnerability-permits-access-to-user-photos/Date:   October 15, 2018Author: Charlie Osborne Excerpt:“A vulnerability has been discovered in the Apple iOS VoiceOver feature which can be exploited by attackers to gain access to a victim’s photos.As reported by Apple Insider, the bug, a lock screen bypass made possible via the VoiceOver screen reader, relies on an attacker having physical access to the target device.Revealed by iOS hacker Jose Rodriguez and subsequently demonstrated in the YouTube video below, the attack chain begins with the attacker calling the victim’s phone.” ——- And lastly, here are this week’s noteworthy security bulletins (in no particular order): 1) ESB-2018.3113 – [SUSE] texlive: Execute arbitrary code/commands – Remote with user interactionhttps://portal.auscert.org.au/bulletins/69822Load a font, execute code. (CVE-2018-17182) 2) ASB-2018.0266 – [Win][UNIX/Linux] Google Chrome: Multiple vulnerabilities https://portal.auscert.org.au/bulletins/70182Chrome 70 is out. 3) ESB-2018.3183 – [Debian] drupal7: Execute arbitrary code/commands – Existing accounthttps://portal.auscert.org.au/bulletins/70202…executing arbitrary code. 4) ESB-2018.3191 – [SUSE] linux kernel: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/70242…escalating privileges in kernel. 5) ESB-2018.3188 – [SUSE] xen: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/70230…hypervisor crash or potentially privilege escalation Wishing you the best from AUSCERT and stay safe as we will need you next week to keep users safe,Geoffroy

What Scotty Didn't Know – your guide to domain takeovers Last night, a domain belonging to our PM lapsed, resulting in a cheeky citizen snapping it up [1]. If your business lost control of its domain, what would you do? Losing your domain can greatly impact business operations – email will stop working, customers won’t be able to access your website, soon calls and tweets start coming in. In a worst case scenario, someone with malicious intent can claim the domain, start receiving sensitive business emails, receive password reset emails for online services, and start sending emails as you. Not only does this look unprofessional, but can significantly impact service to your clients, your access to other services (via email password resets), and impact business revenue. Fortunately, prevention is as simple as not letting the renewal get lost in a sea of tasks: – See if your registrar allows automatic renewal, and make sure your payment details are kept up to date– Set an alert far enough in advance to get the expense approved and paid– Don’t ignore emails from your registrar, but also don’t click links in the email. It is always safer to go directly to their website– Related to the previous point, watch out for scam emails claiming to be from a registrar. They often use urgent wording to try get you to click ICANN is the Internet Corporation for Assigned Names and Numbers. They control generic top level domains (gTLD) such as .com, .net, .space. The number of gTLDs is expanding, but there are currently over 1900 that have been delegated. ICANN policy allows a 30 day redemption grace period where the registered name holder can renew a lapsed gTLD. The .au TLD is a country code top level domain (ccTLD). In Australia, the .au top level domain, which includes .com.au, .gov.au, .net.au, .edu.au, is controlled by auDA – .au Domain Administration Ltd [2]. auDA’s domain name renewal policy for lapsed domains is also 30 calendar days after expiry. Conveniently, for potential scammers, there is a public list of expired domain names, updated daily. [3] If someone has taken your .au domain and is trying to sell it back to you, this is called cybersquatting, and not allowed according to auDA’s policies:“A registrant may not register a domain name for the sole purpose of resale or transfer to another entity.” [4]In this scenario, you would be able to file a complaint with auDA.   Registering similar domains So you have awesomebusiness.com.au … but what if someone buys awesomebusiness.com? Or awesomebusiness.tk? Domains are fairly cheap, so it often doesn’t hurt to buy the more common ones, like .com or .net If you follow this route, try not to let them lapse as well! If someone does register a domain that infringes on your trademark, it may be possible to have it de-registered. We recommend speaking with your legal department for advice. AUSCERT is only able to issue takedowns for malicious domains that are used to distribute malware or phishing campaigns. Subdomain takeoversIt would be remiss to have a post about domains but not mention subdomain takeovers. This often occurs when CNAME records aren’t kept up to date. For example, say you have campaign.awesomebusiness.com.au which points to hosting.cloud.com. After the campaign ends you take down the site, but forget remove the CNAME record. This would allow someone else to establish a service on hosting.cloud.com, and set up a phishing site for your users at campaign.awesomebusiness.com.au. To prevent this, include updating DNS in your decommissioning process, and periodically check your DNS zone file. While domain threats are not often at the forefront of our minds, a little bit of housekeeping can go a long way to prevent an embarrassing incident in the future. Charelle. [1] https://web.archive.org/web/20181018222134/http://www.scottmorrison.com.au/[2] https://www.auda.org.au/[3] https://afilias.com.au/about-au/domain-drop-lists[4] https://www.auda.org.au/policies/index-of-published-policies/2012/2012-04/

AUSCERT Week in Review for 12th October 2018 AUSCERT Week in Review12 October 2018 Greetings,“Thar’s money in them thar breaches!”. [1]Well, it turns out that when playing a probability’s game, the more time you play at it, the more chances of hitting the Jackpot. This time it was 500K users on Google+, which the business risk model seems to have ridden on the acceptance of closing up shop if the numbers come up. It would be interesting to see if there will be any persistent repercussions from Europe and its GDPR [2].  The question of whether it a “less severe breach” or “more severe breach” [3] may be pivotal as this may impact yearly earnings and in turn stock prices [4]. The ripple effect can be seen to go well beyond the data centers and endpoints we are tasked to secure. There’s money to be made in breaches, for sure, but not as may be expected.  GDPR vs Google, may pan out to be an event that two continents will have to smooth out. [1] http://dlg.galileo.usg.edu/dahlonega/history.php[2] https://www.gdpreu.org/compliance/fines-and-penalties/[3] https://www.nibusinessinfo.co.uk/content/gdpr-penalties-and-enforcement[4] https://www.marketwatch.com/investing/stock/goog As for the news, here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:  ——- Title:  PoC Code Available For Microsoft Edge Remote Code Execution BugURL:    https://www.bleepingcomputer.com/news/security/poc-code-available-for-microsoft-edge-remote-code-execution-bug/Date:   October, 11 2018Author: Ionut Ilascu Excerpt:“The flurry of security bugs Microsoft addressed with this month’s rollout of updates includes a remote code execution vulnerability in Edge web browser. The glitch relies on abusing URI schemes and scripts in Windows that can run with user-defined parameters.Now tracked as CVE-2018-8495, the bug was discovered by security researcher Abdulrahman Al-Qabandi.His investigation started from the simple response to the ‘mailto’ URI scheme in Microsoft Edge when he noticed that Outlook would launch with a parameter customized for the scenario at hand.” ——- Title:  World’s largest CCTV maker leaves at least 9 million cameras open to public viewingURL:    https://www.theregister.co.uk/2018/10/09/xiongmai_cctv_failDate:   October, 9 2018Author: Shaun Nichols Excerpt:“This time, it’s Chinese surveillance camera maker Xiongmai named and shamed this week by researchers with SEC Consult for the poor security in the XMEye P2P Cloud service. Among the problems researchers pointed to were exposed default credentials and unsigned firmware updates that could be delivered via the service.As a result, SEC Consult warns, the cameras could be compromised to do everything from spy on their owners, to carry out botnet instructions and even to serve as an entry point for larger network intrusions.“Our recommendation is to stop using Xiongmai and Xiongmai OEM devices altogether,” SEC Consult recommended.” ——- Title:  It’s a cert: Hundreds of big sites still unprepared for starring role in that Chrome 70’s showURL:    https://www.theregister.co.uk/2018/10/09/chrome_70_symantec_cert_disavowal/Date:   October, 9 2018Author: John Leyden Excerpt:“Hundreds of high-profile websites are still unprepared for the total disavowal of legacy Symantec-issued digital certificates that will kick in with the release of Chrome 70 next week.Chrome 70, out on 16 October, will no longer recognise Symantec-issued certificates including legacy-branded Equifax, GeoTrust, RapidSSL, Thawte and VeriSign.” ——- Title:  Google+ is Shutting Down After a Vulnerability Exposed 500,000 Users’ DataURL:    https://thehackernews.com/2018/10/google-plus-shutdown.htmlDate:   October, 8 2018Author: Swati Khandelwal Excerpt:“Google is going to shut down its social media network Google+ after the company suffered a massive data breach that exposed the private data of hundreds of thousands of Google Plus users to third-party developers.According to the tech giant, a security vulnerability in one of Google+’s People APIs allowed third-party developers to access data for more than 500,000 users, including their usernames, email addresses, occupation, date of birth, profile photos, and gender-related information.” ——- Title:  Fake Flash Updaters Push Cryptocurrency MinersURL:   https://researchcenter.paloaltonetworks.com/2018/10/unit42-fake-flash-updaters-push-cryptocurrency-miners/Date:   October, 11 2018Author: Brad Duncan Excerpt:“In most cases, fake Flash updates pushing malware are not very stealthy. In recent years, such imposters have often been poorly-disguised malware executables or script-based downloaders designed to install cryptocurrency miners, information stealers, or ransomware. If a victim runs such poorly-disguised malware on a vulnerable Windows host, no visible activity happens, unless the fake updater is pushing ransomware. However, a recent type of fake Flash update has implemented additional deception. As early as August 2018, some samples impersonating Flash updates have borrowed pop-up notifications from the official Adobe installer. These fake Flash updates install unwanted programs like an XMRig cryptocurrency miner, but this malware can also update a victim’s Flash Player to the latest version.” ——- And lastly, here are this week’s noteworthy security bulletins (in no particular order): 1) ESB-2018.3099 – [SUSE] linux kerenel: Root compromise – Existing accounthttps://portal.auscert.org.au/bulletins/69754Gaining priviledges in kernel. (CVE-2018-17182) 2) ESB-2018.3084 – [Juniper] Junos Space Network Management Platform: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/69690Leveraging on an OpenSSH vulnerability (CVE-2016-10010) 3) ESB-2018.3070 – [Appliance] Siemens ROX II: Root compromise – Existing accounthttps://portal.auscert.org.au/bulletins/69626…gain root privileges. (CVE-2018-13801) 4) ASB-2018.0238 – [Appliance] Intel Server Boards: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/69662…may allow an unauthenticated attacker to potentially execute arbitrary code resulting…(CVE-2018-12173) 5) EESB-2018.3096 – [RedHat] Red Hat Process Automation Manager: Execute arbitrary code/commands – Remote/unauthenticatedhttps://portal.auscert.org.au/bulletins/69742…Yaml unmarshalling vulnerable to RCE (CVE-2016-9606) Wishing you the best from AUSCERT and stay safe as we will need you next week to keep users safe,Geoffroy

AUSCERT Week in Review for 5th October 2018 Greetings, The Shearwater 2018 Hackathon is going to be held on the 16th of November in Sydney, Melbourne, Canberra, and Brisbane. It’s a one-day CTF and learning event with two different challengest and prizes to be won. There’s also a 20% discount if you use the code AUSCERT. In case you’ve missed it, the third AUSCERT and BDO Security Survey is now open. This annual survey identifies and monitors current cyber security trends, issues and threats facing businesses in Australia and New Zealand.By taking part you will gain direct access to our survey report, which contains valuable data that allows you to compare business’ current cyber security efforts with trends in your industry sector.Survey respondents have the chance to go in the draw to win one of three Apple Watches. The survey closes at midnight on Friday, 23 November 2018. The survey is anonymous and takes 15 minutes to complete. Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. CompaniesDate Published: 04/10/2018https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companiesAuthor: Jordan Robertson, Michael Riley Excerpt: “Nested on the servers’ motherboards, the testers found a tiny microchip, not much bigger than a grain of rice, that wasn’t part of the boards’ original design. Amazon reported the discovery to U.S. authorities, sending a shudder through the intelligence community. Elemental’s servers could be found in Department of Defense data centers, the CIA’s drone operations, and the onboard networks of Navy warships. And Elemental was just one of hundreds of Supermicro customers.” A response from Apple: What Businessweek got wrong about Apple Date Published: 04/10/2018https://www.apple.com/newsroom/2018/10/what-businessweek-got-wrong-about-apple/Author: Apple StatementExcerpt: “The October 8, 2018 issue of Bloomberg Businessweek incorrectly reports that Apple found “malicious chips” in servers on its network in 2015. As Apple has repeatedly explained to Bloomberg reporters and editors over the past 12 months, there is no truth to these claims.” A follow up from Bloomberg: The Big Hack: The Software Side of China’s Supply Chain AttackDate Published: 04/10/2018https://www.bloomberg.com/news/articles/2018-10-04/the-big-hack-the-software-side-of-china-s-supply-chain-attackAuthor: Jordan Robertson, Michael RileyExcerpt: “In its denial that a chip attack had reached its server network, Apple did acknowledge to Bloomberg Businessweek that it had encountered malware downloaded from Supermicro’s customer portal.” Wi-Fi now has version numbers, and Wi-Fi 6 comes out next yearDate Published: 03/10/2018https://www.theverge.com/2018/10/3/17926212/wifi-6-version-numbers-announcedAuthor: Jacob KastrenakesExcerpt: “If you’ve ever bought a Wi-Fi router, you may have had to sort through specs that read like complete gibberish — like “802.11ac” or “a/b/g/n.” But going forward, Wi-Fi is adopting version numbers so that it’ll be easier to tell whether the router or device you’re buying is on the latest version.” Voice Phishing Scams Are Getting More CleverDate Published: 01/10/2018https://krebsonsecurity.com/2018/10/voice-phishing-scams-are-getting-more-clever/Author: Brian KrebsExcerpt: “Most of us have been trained to be wary of clicking on links and attachments that arrive in emails unexpected, but it’s easy to forget scam artists are constantly dreaming up innovations that put a new shine on old-fashioned telephone-based phishing scams. Think you’re too smart to fall for one? Think again: Even technology experts are getting taken in by some of the more recent schemes (or very nearly).” Everything We Know About Facebook’s Massive Security BreachDate Published: 28/09/2018https://www.wired.com/story/facebook-security-breach-50-million-accounts/Author: Louise Matsakis, Issie LapowskyExcerpt: “Facebook’s privacy problems severely escalated Friday when the social network disclosed that an unprecedented security issue, discovered September 25, impacted almost 50 million user accounts. Unlike the Cambridge Analytica scandal, in which a third-party company erroneously accessed data that a then-legitimate quiz app had siphoned up, this vulnerability allowed attackers to directly take over user accounts.” Here are this week’s noteworthy security bulletins: 1) ESB-2018.3017 – [Cisco] Cisco Identity Services Engine: Execute arbitrary code/commands – Existing account Hardcoded credentials in a Cisco device. 2) ESB-2018.2961 – [Linux][OSX] WebKitGTK+ and WPE WebKit: Multiple vulnerabilities A truckload of vulnerabilities were discovered in WebKitGTK+ and WPE WebKit. 3) ESB-2018.2966 – [UNIX/Linux][Ubuntu] haproxy: Denial of service – Remote/unauthenticated HAProxy could be made to crash if it received a specially crafted request. 4) ASB-2018.0225 – [Android] Google Android devices: Multiple vulnerabilities Multiple security vulnerabilities have been identified in the Android operating system prior to the 2018-10-05 patch level. 5) ESB-2018.2952 – ALERT [Win][Mac] Adobe Acrobat and Reader: Multiple vulnerabilities Adobe has released security updates for Adobe Acrobat and Reader for Windows and MacOS. Stay safe, stay patched and have a good weekend! Charelle  

AUSCERT Week in Review for 28th September 2018 Greetings, Another week with a crazy number of AUSCERT bulletins! 99! That is an average of 19.8 bulletins per day! The worst thing is when you see CVE numbers like CVE-2011-2767 in a 2018 bulletin, oops forgot to fix that vulnerability didn’t we? It’s really hard to see the light at the end of the tunnel sometimes…but hopefully with the continual investment in what we now call Cyber Security and better development lifecycles we’ll perhaps see the end of the proliferation of the same vulnerabilities again and again. However, does it all matter in the end when that user still clicks on that URL in that PDF to a fake OneDrive page and inputs their credentials in to a look-a-like O365 web page? Repeat after me: Multi-factor authentication is now a REQUIREMENT in 2018. It is no longer optional. Especially if Chrome goes further down the rabbit hole, and kills off all sub-domains resulting in a compromised *.sharepoint.com phishing pages looking 100% legitimate to unsuspecting users? At AUSCERT 2018, we announced a new service, the AUSCERT Daily Intelligence Report. ADIR is now in private beta. If you’re a member interested in receiving a daily summary of cybersecurity news, please contact us at auscert@auscert.org.au to subscribe. In other news the third AUSCERT and BDO Security Survey is now open.   This annual survey identifies and monitors current cyber security trends, issues and threats facing businesses in Australia and New Zealand.By taking part you will gain direct access to our survey report, which contains valuable data that allows you to compare business’ current cyber security efforts with trends in your industry sector.Survey respondents have the chance to go in the draw to win one of three Apple Watches. The survey closes at midnight on Friday, 23 November 2018. The survey is anonymous and takes 15 minutes to complete. https://bdoaustralia.checkboxonline.com/2018CSS.survey Here is a summary (including excerpts) of some of the more interesting stories we have seen this week: Title: Gone in 15 Minutes: Australia’s Phone Number Theft ProblemAuthor: BankInfoSecurityExcerpt: SIM hijacking is not a new attack, but there’s increasing interest in stealing phone numbers. That’s because banks often send two-step verification codes over SMS. Additionally, major services such as Google, LinkedIn, Facebook and Instagram use the mobile channel in some scenarios for password resets.Over the past two years, fraud involving unauthorized phone ports has increased, mostly due to organized crime, says Detective Chief Inspector Matthew Craft of the New South Wales Police’s Financial Crimes Squad. Craft says because of the mobile industry’s “inability to implement some simple measures to prevent it from occurring,” the problems have continued.—– Title: Decryption laws enter parliamentAuthor: iTnewsExcerpt: The federal government has moved to introduce the legislation underpinning its controversial crackdown on encrypted communications services.The Telecommunications and Other Legislation Amendment (Assistance and Access) Bill was introduced into parliament by home affairs minister Peter Dutton on Thursday.It comes less than two weeks after the Department of Home Affairs closed public consultation on the exposure draft of the bill, in which more than 14,000 submissions are said to have been made. —– Title: Mass WordPress compromises redirect to tech support scamsAuthor: Malwarebytes LabsExcerpt: Thousands of WordPress sites have been injected with the same malicious redirection. We review the infection details and the malicious traffic leading to browser lockers. —– Title: Uber to pay $148 million to states for 2016 data breachAuthor: CyberScoopExcerpt:  Ridehailing company Uber will pay $148 million across all 50 [American] states and Washington, D.C., as part of a settlement stemming from a data breach that revealed sensitive information on 57 million of the company’s users.The breach took place in October 2016 and revealed names, email addresses, phone numbers and U.S. driver’s license numbers. The company paid the hackers $100,000 to stay quiet and delete the data.Several attorneys general released statements after the settlement was announced, with each state getting a varying amount. —–Title: United Nations WordPress Site Exposes Thousands of ResumesAuthor: BleepingComputerExcerpt: Disclosure vulnerabilities in a web app from the United Nations leave open to public access CVs from job applicants and the organization failed to plug the leak despite receiving a private report on the issues.Security researcher Mohamed Baset of penetration testing company Seekurity found a path disclosure and an information disclosure bug in one of the UN’s WordPress websites, which gives unfettered access to job applications since 2016. He claims that thousands of documents have been uploaded. —–Here are this week’s noteworthy security bulletins: 1) ESB-2018.2842 – [UNIX/Linux][Debian] mediawiki: Multiple vulnerabilities Multiple vulnerabilities have been found in the popular Wiki. These result in incorrectly configured rate limits, information disclosure in Special:Redirect/logid and bypass of an account lock. 2) ESB-2018.2900 – [Win][UNIX/Linux] Apache HTTP Server: Denial of service – Remote/unauthenticated Apache HTTP Server is vulnerable to a Remote/Unauthenticated Denial of Service; if you value your uptime in the end a minor downtime to patch is recommended. 3) Cisco has released their 2018 Semi-annual Cisco IOS and IOS XE Software Security Advisory Bundled Publication that can be found in the three ESBs below. ESB-2018.2902 – [Cisco] Cisco IOS XE: Multiple vulnerabilitiesESB-2018.2903 – [Cisco] Cisco IOS Software: Multiple vulnerabilitiesESB-2018.2904 – [Cisco] Cisco IOS and IOS XE: Denial of service – Remote/unauthenticated Stay safe, stay patched and have a good weekend! Ananda

AUSCERT Week in Review for 21st September 2018 There were again numerous updates and patches released this week. While Microsoft had its turn last week with Patch Tuesday, it seems that it was Apple’s turn this week.Apple released a new version of iOS as well as fixes for Safari, Apple Watch and Apple TV. Below is a summary (including excerpts) of some of the more interestingstories we’ve seen this week: — Title: iOS 12 Patches Memory Bugs, Safari 12 Fixes Data Leaks Date Published: 17-09-2018 URL: https://www.bleepingcomputer.com/news/security/ios-12-patches-memory-bugs-safari-12-fixes-data-leaks/ Author: Ionut Ilascu Excerpts: “A new round of security updates is available from Apple, fixing bugs in Safari, watchOS, tvOS, and iOS.” “Apple released its newest version of iOS today, and apart from adding a performance boost to older iPhone models, it also comes with solutions for security problems.” — Title: Hackers Mining Cryptos Using Leaked NSA Surveillance Tools, New Report Reveals Date Published: 20-09-2018 URL: Hackers Mining Cryptos Using Leaked NSA Surveillance Tools, New Report Reveals Author: Steve Kaaru Excerpt: “The report revealed that cryptojacking incidences have spiked by over 450 percent in 2018, attributing the increased incidences to an NSA tool that was leaked in late 2017 which has been used by North Korean and Russian hackers in the past to infiltrate strategic targets. Now, the tool is being used to mine cryptos, and the hackers show no sign of slowing down with their lucrative venture.” — Title: Adobe releases patch out of schedule to squash critical code execution bug Date Published: 20-09-2018 URL: https://www.zdnet.com/article/adobe-releases-patch-out-of-schedule-to-squash-code-execution-bugs/ Author: Charlie Osborne Excerpts: “Adobe has released a patch out of the usual security update schedules to resolve a set of severe vulnerabilities in Adobe Acrobat and Reader.” “Deemed critical, CVE-2018-12848 can lead to arbitrary code execution in the context of the current user if exploited by attackers.” — Title: Western Digital goes quiet on unpatched MyCloud flaw Date Published: 20-09-2018 URL: https://nakedsecurity.sophos.com/2018/09/20/western-digital-goes-quiet-on-unpatched-mycloud-flaw/ Author: John E Dunn Excerpt: “No admin password, nothing – just a simple CGI request to MyCloud’s web server and an attacker would be in via a local network” — Title: ICO Fines Equifax £500K After 2017 Breach Date Published: 20-09-2018 URL: https://www.infosecurity-magazine.com/news/ico-fines-equifax-500k-after-2017/ Author: Phil Muncaster Excerpt: “The Information Commissioner’s Office (ICO) has issued the maximum fine possible to Equifax in response to failings which led to a major 2017 breach.” —   Here are a few of this week’s noteworthy security bulletins: ESB-2018.2832 – ALERT [Win][Mac] Adobe Acrobat and Reader: Multiple vulnerabilities https://portal.auscert.org.au/bulletins/68614 Some recent Adobe Acrobat and Reader vulnerabilites to address.   ESB-2018.2824 – [SUSE] pango: Denial of service – Remote with user interaction https://portal.auscert.org.au/bulletins/68582 Denial of Service from parsing Emoji!   ESB-2018.2782 – [Apple iOS] Apple Support 2.4 for iOS: Access confidential data – Remote/unauthenticated https://portal.auscert.org.au/bulletins/68394 One of a number of Apple advisories released this week which included others for tvOS, watchOS and Safari.   ESB-2018.2807 – [Ubuntu] ghostscript: Multiple vulnerabilities https://portal.auscert.org.au/bulletins/68506 Many linux distros released ghostscript fixes this week addressing remote code execution, information disclosure and denial of service issues.   ASB-2018.0221 – [Linux] Multiple McAfee products: Denial of service – Remote/unauthenticated https://portal.auscert.org.au/bulletins/68534 Multiple McAfee products based on linux are affected by the kernel vulnerability know as “SegmentSmack” which allows remote attackers to cause a denial of service condition.A list of products that were vulnerable, not-vulnerable and available patches and mitigations was released. — Stay safe, stay patched and have a good weekend! Marcus.  

AUSCERT Week in Review for 14th September 2018 Greetings, Another work week is over and there has probably been significant patching activities again following Microsoft’s patch Tuesday. 17 critical vulnerabilities were addressed and also the recently disclosed Zero-Day Task Scheduler vulnerability. In one of the articles referenced below, we see another example of private data exfiltration from our personal electronic devices, and this time from one of the big security players (Trend Micro). Below is a summary (including excerpts) of some of the more interesting stories we’ve seen this week: —– Microsoft September 2018 Patch Tuesday Fixes 17 Critical Vulnerabilities Date Published: 11-09-2018https://www.bleepingcomputer.com/news/security/microsoft-september-2018-patch-tuesday-fixes-17-critical-vulnerabilities/Author: Lawrence Abrams Excerpt: “This Patch Tuesday fixes 17 Critical security vulnerabilities that when exploited could lead to code execution. These vulnerabilities are the most dangerous as if they are exploited could allow a remote attacker to execute commands on a vulnerable computer and essentially take full control.” —– Election infrastructure security: Should we use Internet voting? Date Published: 10-09-2018https://www.helpnetsecurity.com/2018/09/10/election-infrastructure-security/Author: Help Net Security Excerpt: “To protect the integrity and security of U.S. elections, all local, state, and federal elections should be conducted using human-readable paper ballots by the 2020 presidential election, says a new report from the National Academies of Sciences, Engineering, and Medicine.” —– NSW puts digital driver’s licence on a blockchain Date Published: 10-09-2018https://www.itnews.com.au/news/nsw-puts-digital-drivers-licence-on-a-blockchain-512298Author: Justin Hendry Excerpt: “The NSW government’s digital driver’s licence will be underpinned by blockchain technology developed by Australian firm Secure Logic.” “It plans to make digital driver’s licences and digital photo cards available to citizens across the state by the end of 2019.” —– Trend Micro blames data collection issue on code library re-use Date Published: 11-09-2018https://www.cyberscoop.com/trend-micro-mac-app-store-browser-history/Author: Greg Otto Excerpt: “Cybersecurity giant Trend Micro has apologized after researchers discovered that a number of the company’s consumer-facing apps were  collecting users’ browser histories.” —– 2 Billion Bluetooth Devices Remain Exposed to Airborne Attack Vulnerabilities Date Published: 13-09-2018https://www.darkreading.com/attacks-breaches/2-billion-bluetooth-devices-remain-exposed-to-airborne-attack-vulnerabilities/d/d-id/1332815Author: Jai Vijayan Excerpt: “One year after security vendor Armis disclosed a set of nine exploitable vulnerabilities in Bluetooth, some 2 billion devices — including hundreds of millions of Android and iOS smartphones — remain exposed to the threat.” —– Here are a few of this week’s noteworthy security bulletins: 1) ASB-2018.0211.2 https://portal.auscert.org.au/bulletins/68074 Patch Tuesday Windows Updates. 2) ESB-2018.2682 https://portal.auscert.org.au/bulletins/67966 Multiple vulnerabilities including RCEs patched in Chromium. 3) ESB-2018.2683 https://portal.auscert.org.au/bulletins/67970 Multiple vulnerabilities including RCEs patches in Firefox. 4) ESB-2018.2731 https://portal.auscert.org.au/bulletins/68186 More Flash issues. 5) ESB-2018.2698 https://portal.auscert.org.au/bulletins/68030 Linux kernel information leaks, privilege escalations and DOS issues. Stay safe, stay patched and have a good weekend! Marcus.

AUSCERT Week in Review for 7th September 2018 Greetings, Submissions close shortly for comments on the Assistance and Access Bill 2018. This bill is for communication providers to allow law enforcement to access encrypted communication. The type of assistance the bill has requested includes: – removing one or more forms of electronic protection that are or were applied by, or on behalf of, the provider– assisting access to devices or services– installing, maintaining, testing or using software or equipment or assisting with those activities where the provider is already capable of removing this protection– concealing that any other thing has been covertly performed in accordance with the law Souce: https://www.homeaffairs.gov.au/consultations/Documents/industry-assistance-factsheet.pdf https://www.homeaffairs.gov.au/about/consultations/assistance-and-access-bill-2018 Public feedback is open until September the 10th. For more information on having your say, see https://digitalrightswatch.org.au/2018/08/19/defend-encryption/ Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: NIST Releases Draft on BGP SecurityDate Published: 05 September 2018URL: https://www.darkreading.com/perimeter/nist-releases-draft-on-bgp-security/d/d-id/1332740Author: Dark Reading StaffExcerpt: “A new draft publication from the NIST National Cybersecurity Center of Excellence (NCCoE) takes aim at security concerns about the Border Gateway Protocol (BGP), the default routing protocol to route traffic among Internet domains. The paper, “Protecting the Integrity of Internet Routing: Border Gateway Protocol (BGP) Route Origin Validation,” is open for public comment until Oct. 15.”—– Google Wants to Kill the URLDate Published: 04 September 2018URL: https://www.wired.com/story/google-wants-to-kill-the-url/Author: Lily Hay NewmanExcerpt: “The focus right now, they say, is on identifying all the ways people use URLs to try to find an alternative that will enhance security and identity integrity on the web while also adding convenience for everyday tasks like sharing links on mobile devices.”—– Five-Eyes nations to force encryption backdoorsDate Published: 03 September 2018URL: https://www.itnews.com.au/news/five-eyes-nations-to-force-encryption-backdoors-511865Author: Juha SaarinenExcerpt: “At the Five Country Ministerial meeting on the Gold Coast last week, security and immigration ministers put forward a range of proposals to combat terrorism and crime, with a particular emphasis on the internet.As part of that, the countries that share intelligence with each other under the Five-Eyes umbrella agreement, intend to “encourage information and communications technology service providers to voluntarily establish lawful access solutions to their products and services.”…While the rhetoric is sharp, the specifics are vague. Governments won’t specify any particular interception technology, and will leave it to technology companies to create the solutions required that provide lawful access capability.”—– Faster internet speeds for Queensland as undersea cable confirmedDate Published: 07 September 2018URL: https://www.brisbanetimes.com.au/national/queensland/faster-internet-speeds-for-queensland-as-undersea-cable-confirmed-20180907-p5029p.htmlAuthor: Tony MooreExcerpt: “State Development Minister Cameron Dick and Sunshine Coast mayor Mark Jamieson announced on Friday that tech giant RTI Connectivity and the Sunshine Coast Council will build the 550-kilometre undersea cable into the Sunshine Coast by 2020.”—– Here are this week’s noteworthy security bulletins: ASB-2018.0209 – [Android] Google Android devices: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/67930“Multiple security vulnerabilities have been identified in the Android operating system prior to the 2018-09-05 patch level.” ASB-2018.0206 – [Win][UNIX/Linux][BSD][Mobile] Mozilla Firefox: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/67834“Multiple vulnerabilities have been identified in Mozilla Firefox prior to version 62. One of these vulnerabilities have been classified as critical.” ESB-2018.2641 – [UNIX/Linux][Debian] curl: Execute arbitrary code/commands – Remote/unauthenticatedhttps://portal.auscert.org.au/bulletins/67782“Zhaoyang Wu discovered that cURL, an URL transfer library, contains a buffer overflow in the NTLM authentication code triggered by passwords that exceed 2GB in length on 32bit systems.” ESB-2018.2631 – [UNIX/Linux] ghostscript: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/67742“Ghostscript contains multiple -dSAFER sandbox bypass vulnerabilities, which may allow a remote, unauthenticated attacker to execute arbitrary commands on a vulnerable system.” Stay safe, stay patched and have a good weekend!Charelle

AUSCERT Week in Review for 31st August 2018 Greetings, Good news, everyone! More than 50% of the Alexa Top 1 Million sites are now actively redirecting to HTTPS. The internet has now scraped a C for transport security – that’s a pass! Now for the slow grind up to a B grade and higher. Unfortunately transport security isn’t the be all and end all, and 130 million people who have stayed in some of China’s biggest hotel chains have had their data sold on the darkweb thanks to a development team leaving a production database dump on their GitHub. At least as the black-hatted entrepreneur was downloading the data, no one was able to read it in transit. And since time is a flat circle, once again Apache Struts is being used to deliver cryptominers onto unsuspecting servers. Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Hackers drop crypto mining on vulnerable Strutshttps://www.itnews.com.au/news/hackers-drop-crypto-mining-on-vulnerable-struts-511592Author: Juha SaarinenExcerpt: “Researchers have recorded the first mass automated attacks against servers running unpatched versions of the open source Apache Struts enterprise web application framework. The new vulnerability in Apache Struts was made public four days ago and allows for remote code execution.” —— Data of 130 Million Chinese Hotel Chain Guests Sold on Dark Web Forumhttps://www.bleepingcomputer.com/news/security/data-of-130-million-chinese-hotel-chain-guests-sold-on-dark-web-forum/Author: Catalin CimpanuExcerpt: “A hacker is selling the personal details of over 130 million hotel guests for 8 Bitcoin ($56,000) on a Chinese Dark Web forum. The breach was reported today by Chinese media after several cyber-security firms spotted the forum ad. The seller said he obtained the data from Huazhu Hotels Group Ltd (Huazhu from hereafter), one of China’s largest hotel chains, which operates 13 hotel brands across 5,162 hotels in 1,119 Chinese cities.” —— Alexa Top 1 Million Analysis – August 2018https://scotthelme.co.uk/alexa-top-1-million-analysis-august-2018/Author: Scott HelmeExcerpt: “Here’s the one we’ve all been waiting for, and this one is a pretty big announcement too. Not only because we’ve seen amazing growth in HTTPS again in this crawl, but because we’ve passed through 50% of the Alexa Top 1 Million sites actively redirecting to HTTPS for the first time!” —— Cyber security and digital transformation ministries scrappedhttps://www.itnews.com.au/news/cyber-security-and-digital-transformation-ministries-scrapped-511516Author: Justin HendryExcerpt: “Australia is without a dedicated Cyber Security Minister for the first time in two years after Prime Minister Scott Morrison removed the role from his first ministerial line-up. Changes to the cabinet unveiled by the newly appointed PM on Sunday afternoon deletes any mention of the cyber security remit from the ministry, effectively demoting its importance after it was heavily pushed by Malcolm Turnbull.” —— Here are this week’s noteworthy security bulletins: 1) ESB-2018.2569 – [Win][UNIX/Linux] Joomla!: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/67490 While the Joomla! input filter smartly blacklists PHAR file upload, there were some edge cases that would allow them. If the webserver was configured to execute the files, this would enable webshell upload in the worst case. 2) ESB-2018.2539 – [Win][UNIX/Linux][FreeBSD] Node.js: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/67370 Node.js has patched several vulnerabilities, including out of bounds memory reading and writing. 3) ASB-2018.0205 – [Win][Linux][Virtual] GitLab: Cross-site request forgery – Remote with user interactionhttps://portal.auscert.org.au/bulletins/67570 GitLab has patched some information leaking vulnerabilities, alongside some CSRF/XSS issues. Stay safe, stay patched and have a good weekend! Tim

AUSCERT Week in Review for 24th August 2018 AUSCERT Week in Review24 August 2018 Greetings, “Six of the best”, no more, and no less.  That is indeed the number of new articles gathered for this week. Yet, for those of you who painfully understand the meaning behind “six of the best”, reading the six articles listed may indeed feel like it is a bit of similar reprimand.  Well, the reading is great material and nicely composed, but the stories contained in the news articles are painful to reminiscence to articles you may have read about 15 years ago. Fraudulent online purchases, websites being owned, credentials being stolen and traded – these are all stories could have been dated August 2003. Yet, they are happening today.   So, please read these articles today, and bear the lessons they inflict.  Then take it upon yourself to do one thing that can possibly avoid this and persist with it for the next fifteen years.  It could be changing default credentials every network attached appliance you touch – with permission from the owners of course – be they from work, yours, or your friends and families. Or perhaps evangelise the “Stop-Think-Connect”[1] mantra to the click addicted. Or, it could be putting yourself in the forefront of reviewing code at work or in a public repository, making that code that little bit more secure. Or, it could be taking on a policy of ensuring you update every system you touch, or at least raise up the need to update every system you touch, be it in the data center or at an internet-cafe.   It sounds like a huge task, but should it be taken on gradually, and concertedly, perhaps we won’t need to take another six-of-the-best in August 2033.  After all there is plenty of time to achieve this,.. right?.. or… is that the very thing we told ourselves fifteen years ago, that has landed us in the place we are today?   Enjoy.. [1]https://www.stopthinkconnect.org/ As for the news, here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Title:  Vulnerability Affects All OpenSSH Versions Released in the Past Two DecadesURL:    https://www.bleepingcomputer.com/news/security/vulnerability-affects-all-openssh-versions-released-in-the-past-two-decades/Date:   August 22, 2018Author: Catalin Cimpanu Excerpt:“A vulnerability affects all versions of the OpenSSH client released in the past two decades, ever since the application was released in 1999.” ——- Title:  Australia Battles Fraudulent Online PurchasesURL:    https://www.bankinfosecurity.com/australia-battles-fraudulent-online-purchases-a-11408Date:   August 22, 2018Author: Jeremy Kirk Excerpt:“There’s bad news in Australia when it comes to payment card fraud: It’s growing. The biggest source of that fraud is online payments made without the physical card, or card-not-present fraud. That’s due to fraudsters re-using stolen payment card details. CNP fraud in Australia totaled AU$476.3 million (US$350.6 million) last year, up 13.9 percent from 2016, according to a report released Wednesday by the Australian Payments Network, an industry group that collects payments statistics. The figure has risen annually since 2012, when it was $183.1 million.” ——- Title:  Legacy System Exposes Contact Info of BlackHat 2018 AttendeesURL:    https://www.bleepingcomputer.com/news/security/legacy-system-exposes-contact-info-of-blackhat-2018-attendees/Date:   August 22, 2018Author: Ionut Ilascu Excerpt:“Full contact information of everyone attending the BlackHat security conference this year has been exposed in clear text, a researcher has found. The data trove includes name, email, company, and phone number. The BlackHat 2018 conference badge came embedded with a near-field communication (NFC) tag that stored the contact details of the participant, for identification or for vendors to scan for marketing purposes.” ——- Title:  Adobe security updates address 2 critical code execution flaws in Photoshop.URL:    https://securityaffairs.co/wordpress/75539/hacking/adobe-photoshop-flaws.html   Date:   August 22, 2018Author: Pierluigi Paganini Excerpt:“Adobe released updates to address two critical code executions flaws that affect Photoshop for Windows and macOS versions of Photoshop CC. The vulnerabilities, tracked as  CVE-2018-12810 and CVE-2018-12811, are memory corruption issues that could be exploited by a remote attacker to execute arbitrary code in the context of the targeted user.” ——- Title:  Netflix, HBO GO, Hulu passwords found for sale on the Dark WebURL:    https://nakedsecurity.sophos.com/2018/08/22/netflix-hbo-go-hulu-passwords-found-for-sale-on-the-dark-web/Date:   22 Aug 2018 Author: Lisa Vaas Excerpt:“The report from Irdeto found that thieves are selling hundreds of stolen logins for popular “over-the-top” (OTT) services such as pay TV and video on demand on Dark Web marketplaces. Besides HBO GO credentials, the company spotted listings for logins to 42 services, including Netflix, DirecTV and Hulu. All told, during the month of April, Irdeto spotted 854 sets of credentials, listed by 69 separate vendors on 15 marketplaces. On average, an account’s credentials are fetching $8.71 (about £6.60) for one-time use. Some Dark Web sellers are also selling bundles of credentials for several services at higher prices.” ——- Title:  New Apache Struts RCE Flaw Lets Hackers Take Over Web ServersURL:    https://thehackernews.com/2018/08/apache-struts-vulnerability.htmlDate:   August 22, 2018Author: Mohit Kumar Excerpt:“Semmle security researcher Man Yue Mo has disclosed a critical remote code execution vulnerability in the popular Apache Struts web application framework that could allow remote attackers to run malicious code on the affected servers. Apache Struts is an open source framework for developing web applications in the Java programming language and is widely used by enterprises globally, including by 65 percent of the Fortune 100 companies, like Vodafone, Lockheed Martin, Virgin Atlantic, and the IRS. The vulnerability (CVE-2018-11776) resides in the core of Apache Struts and originates because of insufficient validation of user-provided untrusted inputs in the core of the Struts framework under certain configurations.” ——- And lastly, here are this week’s noteworthy security bulletins (in no particular order): 1) ASB-2018.0201 – ALERT [Win][UNIX/Linux] Apache Struts 2: Execute arbitrary code/commands – Remote/unauthenticatedhttps://portal.auscert.org.au/bulletins/67162It is possible to perform a RCE attack… (CVE-2018-11776) 2) ESB-2018.2515.2 – UPDATE [Ubuntu] Linux kernel: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/67270…could use this to gain elevated privileges. (CVE-2018-13405) 3) ESB-2018.2427 – [Linux][Mac] F5 BIG-IP APM client: Root compromise – Existing accounthttps://portal.auscert.org.au/bulletins/66898…can allow an unprivileged user to get ownership of files owned by root on the local client host. (CVE-2018-5546) 4) ESB-2018.2517 – ALERT [Appliance] IBM Security Access Manager Appliance: Execute arbitrary code/commands – Remote/unauthenticated https://portal.auscert.org.au/bulletins/67278…could allow remote code execution when Advanced Access Control or Federation services are running. (CVE-2018-1722) 5) ESB-2018.2513 – [Appliance] BD Alaris: Unauthorised access – Remote/unauthenticatedhttps://portal.auscert.org.au/bulletins/67258…may allow a remote attacker to gain unauthorized access to various Alaris Syringe pumps and impact the intended operation of the pump … (CVE-2018-14786) Wishing you the best from AUSCERT and stay safe as we will need you next week to keep users safe,Geoffroy

Targeted blackmail campaign gains momentum Since the dawn of email, spam has constantly pushed our ability to handle arbitrary, unsolicited input. Whether through gauntlets of long-forgotten regexes, or the most sophisticated of convolutional neural nets, detecting and blocking spam has been a Sisyphean battle which has consumed countless IT resources. Not so at AUSCERT. We have the dubious luxury of actively soliciting spam wherever it is to be found. Because of this we’re able to watch as campaigns wax and wane, see how they evolve over time, and get a feel for the objectives of the spammers. Some campaigns are evergreen – fake pharmaceuticals (usually of the male enhancement variety), various advance-fee scams (think Nigerian Prince), phishing for credentials – it’s rare a day goes by without examples of these coming across our inbox. Some campaigns are very flavour-of-the-month, for a few months everyone had their own ICO or crypto investment strategy to hawk to any mail socket willing to listen(). Other campaigns are more sporadic. It’s not unusual for us to see a short burst of activity on one particular topic or script which goes silent, only to re-emerge later. Sometimes this is to facilitate a transition to new infrastructure, or to replenish their supply of compromised accounts. Other times this can be to spend time reworking the script, or refining their technique – this blog deals with one such instance where the renewed campaign was so successful that we’ve seen a large uptick in its output. This particular campaign is a faux sextortion blackmail. The premise of the blackmail is that the spammer has recorded the recipient visiting a pornographic website, through some vulnerability on the website or the recipient’s own computer. Unless the victim pays a sum of cryptocurrency to the spammer, they threaten to release this non-existent video to the victim’s family, friends, or colleagues. The campaign itself is far from new, we have seen minor variations on the same script pop up repeatedly. Recently a new variation emerged, almost exactly the same, but with one small difference: it would present the recipient’s password to them. Given that these passwords were usually out of date, and data breaches and dumps are a great source of email address for spam campaigns, it stands to reason that the spammers were simply pulling passwords for a given email from old breaches and inserting them into the email template. In fact, in our case it would seem if they cannot find a matching password then it fills that portion of the template in with an empty string. We’re certainly not the first to have written about this campaign,[1] but we were spurred to write this post due to the increase in its prevalence that we’re witnessing. Unfortunately this only means one thing: it’s working. We’re also now seeing campaigns where the recipient’s name and phone number are being used in place of the password. It’s not hard to see how as an unsuspecting recipient you could easily be fooled into believing the claims made. Indeed, efforts to catalogue and track the transactions of the various wallet addresses used by the spammers prove that it’s having the desired effect.[2] Some things you can do to protect yourself against such scams: Treat all unsolicited email with a healthy dose of skepticism. If you receive any threatening email, take a sentence or two and search for them. This can help you detect if you’ve received a well-known script or variant. Report the email to your IT department if possible. Practice good password hygiene. If you know you’ve used a strong, unique password for each service then you reduce your exposure when one is breached. Consider a password manager. For reference, here is an example from this campaign that we have received: It appears that, (), is your password. May very well not know me and you are probably wondering why you're getting this e-mail, right? actually, I put in place a malware over the adult videos (adult porn) website and guess what happens, you visited this web site to have fun (you really know what What i'm saying is). When you were watching videos, your internet browser started off working like a RDP (Remote Desktop) which provided me accessibility to your screen and web camera. from then on, my software program obtained your complete contacts from your Messenger, Microsoft outlook, Facebook, as well as emails. What did I really do? I created a double-screen video clip. First part shows the recording you were seeing (you have a good taste haha . . .), and 2nd part shows the recording of your webcam. what exactly should you do? Well, in my opinion, $1200 is a fair price for your little secret. You will make the payment by Bitcoin (if you do not know this, search "how to buy bitcoin" in Google). Bitcoin Address: **ADDRESS** (It is case sensitive, so copy and paste it) Very important: You've got some days to make the payment. (I have a unique pixel in this e-mail, and at this moment I know that you've read through this email message). If I do not get the BitCoins, I will certainly send your videos to all of your contacts including relatives, co-workers, and so forth. Having said that, if I receive the payment, I'll destroy the recording immidiately. If you'd like evidence, reply with "Yes!" and I will definitely mail out your videos to your 6 contacts. It is a non-negotiable offer, that being said don't waste my personal time and yours by answering this message. [1] https://krebsonsecurity.com/2018/07/sextortion-scam-uses-recipients-hacked-passwords/[2] https://twitter.com/SecGuru_OTX/status/1022430328647024640

AUSCERT Week in Review for 17th August 2018 AUSCERT Week in Review17 August 2018 Greetings,Another week gone by, and this one has not been any thinner in bulletins to process. Have you ever applied lots of pressure to a wet bar of soap? It may be a worth-while experiment to perform the next time you get access to a soap bar if the physics are not quite understood. Well, entities are a bit like a bar of wet soap and are keen to avoiding legal problems, whilst maintaining a loyal and satisfied customer base.  After all that is how “quality” is defined, a satisfied customer base.  This may soon become a more complicated juggling act for organisations handling user data either, in transit or at rest, from a service they provide or equipment they manufacture.  Trying to squeeze access to data may result in organisations deciding to relinquish any possibility of access to this user data as legal ramification increase. Adding the risk of time served may alter the way an organisation may provide a service or build a product. Squeezing organisation hard in this manner may diminish, as the chance to get to the data sought slips away. So, should organisations deal with user data, at rest or in transit, from services or equipment manufactured, then perhaps the first news story of this week is worth while to look at and keep an eye if this legislation passes.  For if it does, organisations may have to re-assess their policy, denying themselves access to user-submitted data, lest time be served.      As for the news, here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Title:  Australians who won’t unlock their phones could face 10 years in jailURL:    https://nakedsecurity.sophos.com/2018/08/16/australians-who-wont-unlock-their-phones-could-face-10-years-in-jail/Date:   August 16, 2018Author: Danny Bradbury     Excerpt:“The Australian government wants to force companies to help it get at suspected criminals’ data. If they can’t, it would jail people for up to a decade if they refuse to unlock their phones.” ——- Title:  Hundreds of Instagram accounts were hijacked in a coordinated attack URL:    https://securityaffairs.co/wordpress/75377/hacking/instagram-accounts-hacked.htmlDate:   August 15, 2018 Author: Pierluigi Paganini     Excerpt:“Hundreds of Instagram accounts were hijacked in what appears to be the result of a coordinated attack, all the accounts share common signs of compromise. Alleged attackers have hijacked Instagram accounts and modified personal information making impossible to restore the accounts.” ——- Title:  PhishPoint Phishing Attack – A new technique to Bypass Microsoft Office 365 ProtectionsURL:    https://securityaffairs.co/wordpress/75382/hacking/phishpoint-phishing-attacks.htmlDate:   August 15, 2018 Author: Pierluigi Paganini     Excerpt:“Security experts from the cloud security firm Avanan have discovered a new technique dubbed PhishPoint, that was used by hackers to bypass Microsoft Office 365 protections. PhishPoint is a new SharePoint phishing attack that affected an estimated 10% of Office 365 users over the last 2 weeks. The experts are warning of the new technique that was already used in attacks by scammers and crooks to bypass the Advanced Threat Protection (ATP) mechanism implemented by most popular email services, Microsoft Office 365.” ——- Title:  Academics Discover New Bypasses for Browser Tracking Protections and Ad BlockersURL:    https://www.bleepingcomputer.com/news/security/academics-discover-new-bypasses-for-browser-tracking-protections-and-ad-blockers/Date:   August 16, 2018 Author: Catalin Cimpanu     Excerpt:“Security and user privacy protections included in browsers, ad blockers, and anti-tracking extensions are not as secure as everyone believes, a team of three academics from the Catholic University in Leuven, Belgium (KU Leuven) have revealed yesterday. Their work consisted of analyzing anti-tracking settings that are built into modern browsers, but also the ones provided by some popular extensions (add-ons).” ——- Title:  Princess Evolution Ransomware is a RaaS With a Slick Payment SiteURL:    https://www.bleepingcomputer.com/news/security/princess-evolution-ransomware-is-a-raas-with-a-slick-payment-site/Date:   August 15, 2018 Author: Lawrence Abrams     Excerpt:“A new variant of the Princess Locker ransomware is being distributed called Princess Evolution. Like its predecessor, Princess Evolution is a Ransomware as a Service, or RaaS, that is being promoted on underground criminal forums. As this ransomware is being distributed through different affiliates, there are numerous methods that are possibly being used to distribute this ransomware… ..Unfortunately, at this time there is no known way to decrypt files encrypted by Princess Evolution. For those who are interested in discussing this ransomware or receiving support, you can use our dedicated Princess Evolution Support & Help topic.” ——- And lastly, here are this week’s noteworthy security bulletins (in no particular order): 1)ESB-2018.2401 – [SUSE] kernel: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/66786…local users to create files with an unintended group ownership allowing attackers to escalate privileges by making a plain file executable and SGID… 2)ESB-2018.2379 – [Cisco] Cisco Web Security Appliance (WSA): Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/66698CVE-2018-0428 …could allow an authenticated, local attacker to elevate privileges to root… 3)ESB-2018.2361 – [Debian] kernel: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/66626…local users to create files with an unintended group ownership allowing attackers to escalate privileges by making a plain file executable and SGID… 4)ESB-2018.2325 – [SUSE] cups: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/66458…a local privilege escalation to root and sandbox bypasses… 5)ESB-2018.2403 – [Win] Tridium Niagara: Administrator compromise – Existing accounthttps://portal.auscert.org.au/bulletins/66794…using a disabled account name and a blank password, granting the attacker administrator access… Wishing you the best from AUSCERT and stay safe as we will need you next week to keep users safe,Geoffroy