Week in review

AUSCERT Week in Review for 31st August 2018

AUSCERT Week in Review for 31st August 2018 Greetings, Good news, everyone! More than 50% of the Alexa Top 1 Million sites are now actively redirecting to HTTPS. The internet has now scraped a C for transport security – that’s a pass! Now for the slow grind up to a B grade and higher. Unfortunately transport security isn’t the be all and end all, and 130 million people who have stayed in some of China’s biggest hotel chains have had their data sold on the darkweb thanks to a development team leaving a production database dump on their GitHub. At least as the black-hatted entrepreneur was downloading the data, no one was able to read it in transit. And since time is a flat circle, once again Apache Struts is being used to deliver cryptominers onto unsuspecting servers. Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Hackers drop crypto mining on vulnerable Strutshttps://www.itnews.com.au/news/hackers-drop-crypto-mining-on-vulnerable-struts-511592Author: Juha SaarinenExcerpt: “Researchers have recorded the first mass automated attacks against servers running unpatched versions of the open source Apache Struts enterprise web application framework. The new vulnerability in Apache Struts was made public four days ago and allows for remote code execution.” —— Data of 130 Million Chinese Hotel Chain Guests Sold on Dark Web Forumhttps://www.bleepingcomputer.com/news/security/data-of-130-million-chinese-hotel-chain-guests-sold-on-dark-web-forum/Author: Catalin CimpanuExcerpt: “A hacker is selling the personal details of over 130 million hotel guests for 8 Bitcoin ($56,000) on a Chinese Dark Web forum. The breach was reported today by Chinese media after several cyber-security firms spotted the forum ad. The seller said he obtained the data from Huazhu Hotels Group Ltd (Huazhu from hereafter), one of China’s largest hotel chains, which operates 13 hotel brands across 5,162 hotels in 1,119 Chinese cities.” —— Alexa Top 1 Million Analysis – August 2018https://scotthelme.co.uk/alexa-top-1-million-analysis-august-2018/Author: Scott HelmeExcerpt: “Here’s the one we’ve all been waiting for, and this one is a pretty big announcement too. Not only because we’ve seen amazing growth in HTTPS again in this crawl, but because we’ve passed through 50% of the Alexa Top 1 Million sites actively redirecting to HTTPS for the first time!” —— Cyber security and digital transformation ministries scrappedhttps://www.itnews.com.au/news/cyber-security-and-digital-transformation-ministries-scrapped-511516Author: Justin HendryExcerpt: “Australia is without a dedicated Cyber Security Minister for the first time in two years after Prime Minister Scott Morrison removed the role from his first ministerial line-up. Changes to the cabinet unveiled by the newly appointed PM on Sunday afternoon deletes any mention of the cyber security remit from the ministry, effectively demoting its importance after it was heavily pushed by Malcolm Turnbull.” —— Here are this week’s noteworthy security bulletins: 1) ESB-2018.2569 – [Win][UNIX/Linux] Joomla!: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/67490 While the Joomla! input filter smartly blacklists PHAR file upload, there were some edge cases that would allow them. If the webserver was configured to execute the files, this would enable webshell upload in the worst case. 2) ESB-2018.2539 – [Win][UNIX/Linux][FreeBSD] Node.js: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/67370 Node.js has patched several vulnerabilities, including out of bounds memory reading and writing. 3) ASB-2018.0205 – [Win][Linux][Virtual] GitLab: Cross-site request forgery – Remote with user interactionhttps://portal.auscert.org.au/bulletins/67570 GitLab has patched some information leaking vulnerabilities, alongside some CSRF/XSS issues. Stay safe, stay patched and have a good weekend! Tim

Learn more

Week in review

AUSCERT Week in Review for 24th August 2018

AUSCERT Week in Review for 24th August 2018 AUSCERT Week in Review24 August 2018 Greetings, “Six of the best”, no more, and no less.  That is indeed the number of new articles gathered for this week. Yet, for those of you who painfully understand the meaning behind “six of the best”, reading the six articles listed may indeed feel like it is a bit of similar reprimand.  Well, the reading is great material and nicely composed, but the stories contained in the news articles are painful to reminiscence to articles you may have read about 15 years ago. Fraudulent online purchases, websites being owned, credentials being stolen and traded – these are all stories could have been dated August 2003. Yet, they are happening today.   So, please read these articles today, and bear the lessons they inflict.  Then take it upon yourself to do one thing that can possibly avoid this and persist with it for the next fifteen years.  It could be changing default credentials every network attached appliance you touch – with permission from the owners of course – be they from work, yours, or your friends and families. Or perhaps evangelise the “Stop-Think-Connect”[1] mantra to the click addicted. Or, it could be putting yourself in the forefront of reviewing code at work or in a public repository, making that code that little bit more secure. Or, it could be taking on a policy of ensuring you update every system you touch, or at least raise up the need to update every system you touch, be it in the data center or at an internet-cafe.   It sounds like a huge task, but should it be taken on gradually, and concertedly, perhaps we won’t need to take another six-of-the-best in August 2033.  After all there is plenty of time to achieve this,.. right?.. or… is that the very thing we told ourselves fifteen years ago, that has landed us in the place we are today?   Enjoy.. [1]https://www.stopthinkconnect.org/ As for the news, here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Title:  Vulnerability Affects All OpenSSH Versions Released in the Past Two DecadesURL:    https://www.bleepingcomputer.com/news/security/vulnerability-affects-all-openssh-versions-released-in-the-past-two-decades/Date:   August 22, 2018Author: Catalin Cimpanu Excerpt:“A vulnerability affects all versions of the OpenSSH client released in the past two decades, ever since the application was released in 1999.” ——- Title:  Australia Battles Fraudulent Online PurchasesURL:    https://www.bankinfosecurity.com/australia-battles-fraudulent-online-purchases-a-11408Date:   August 22, 2018Author: Jeremy Kirk Excerpt:“There’s bad news in Australia when it comes to payment card fraud: It’s growing. The biggest source of that fraud is online payments made without the physical card, or card-not-present fraud. That’s due to fraudsters re-using stolen payment card details. CNP fraud in Australia totaled AU$476.3 million (US$350.6 million) last year, up 13.9 percent from 2016, according to a report released Wednesday by the Australian Payments Network, an industry group that collects payments statistics. The figure has risen annually since 2012, when it was $183.1 million.” ——- Title:  Legacy System Exposes Contact Info of BlackHat 2018 AttendeesURL:    https://www.bleepingcomputer.com/news/security/legacy-system-exposes-contact-info-of-blackhat-2018-attendees/Date:   August 22, 2018Author: Ionut Ilascu Excerpt:“Full contact information of everyone attending the BlackHat security conference this year has been exposed in clear text, a researcher has found. The data trove includes name, email, company, and phone number. The BlackHat 2018 conference badge came embedded with a near-field communication (NFC) tag that stored the contact details of the participant, for identification or for vendors to scan for marketing purposes.” ——- Title:  Adobe security updates address 2 critical code execution flaws in Photoshop.URL:    https://securityaffairs.co/wordpress/75539/hacking/adobe-photoshop-flaws.html   Date:   August 22, 2018Author: Pierluigi Paganini Excerpt:“Adobe released updates to address two critical code executions flaws that affect Photoshop for Windows and macOS versions of Photoshop CC. The vulnerabilities, tracked as  CVE-2018-12810 and CVE-2018-12811, are memory corruption issues that could be exploited by a remote attacker to execute arbitrary code in the context of the targeted user.” ——- Title:  Netflix, HBO GO, Hulu passwords found for sale on the Dark WebURL:    https://nakedsecurity.sophos.com/2018/08/22/netflix-hbo-go-hulu-passwords-found-for-sale-on-the-dark-web/Date:   22 Aug 2018 Author: Lisa Vaas Excerpt:“The report from Irdeto found that thieves are selling hundreds of stolen logins for popular “over-the-top” (OTT) services such as pay TV and video on demand on Dark Web marketplaces. Besides HBO GO credentials, the company spotted listings for logins to 42 services, including Netflix, DirecTV and Hulu. All told, during the month of April, Irdeto spotted 854 sets of credentials, listed by 69 separate vendors on 15 marketplaces. On average, an account’s credentials are fetching $8.71 (about £6.60) for one-time use. Some Dark Web sellers are also selling bundles of credentials for several services at higher prices.” ——- Title:  New Apache Struts RCE Flaw Lets Hackers Take Over Web ServersURL:    https://thehackernews.com/2018/08/apache-struts-vulnerability.htmlDate:   August 22, 2018Author: Mohit Kumar Excerpt:“Semmle security researcher Man Yue Mo has disclosed a critical remote code execution vulnerability in the popular Apache Struts web application framework that could allow remote attackers to run malicious code on the affected servers. Apache Struts is an open source framework for developing web applications in the Java programming language and is widely used by enterprises globally, including by 65 percent of the Fortune 100 companies, like Vodafone, Lockheed Martin, Virgin Atlantic, and the IRS. The vulnerability (CVE-2018-11776) resides in the core of Apache Struts and originates because of insufficient validation of user-provided untrusted inputs in the core of the Struts framework under certain configurations.” ——- And lastly, here are this week’s noteworthy security bulletins (in no particular order): 1) ASB-2018.0201 – ALERT [Win][UNIX/Linux] Apache Struts 2: Execute arbitrary code/commands – Remote/unauthenticatedhttps://portal.auscert.org.au/bulletins/67162It is possible to perform a RCE attack… (CVE-2018-11776) 2) ESB-2018.2515.2 – UPDATE [Ubuntu] Linux kernel: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/67270…could use this to gain elevated privileges. (CVE-2018-13405) 3) ESB-2018.2427 – [Linux][Mac] F5 BIG-IP APM client: Root compromise – Existing accounthttps://portal.auscert.org.au/bulletins/66898…can allow an unprivileged user to get ownership of files owned by root on the local client host. (CVE-2018-5546) 4) ESB-2018.2517 – ALERT [Appliance] IBM Security Access Manager Appliance: Execute arbitrary code/commands – Remote/unauthenticated https://portal.auscert.org.au/bulletins/67278…could allow remote code execution when Advanced Access Control or Federation services are running. (CVE-2018-1722) 5) ESB-2018.2513 – [Appliance] BD Alaris: Unauthorised access – Remote/unauthenticatedhttps://portal.auscert.org.au/bulletins/67258…may allow a remote attacker to gain unauthorized access to various Alaris Syringe pumps and impact the intended operation of the pump … (CVE-2018-14786) Wishing you the best from AUSCERT and stay safe as we will need you next week to keep users safe,Geoffroy

Learn more

Blogs

Targeted blackmail campaign gains momentum

Targeted blackmail campaign gains momentum Since the dawn of email, spam has constantly pushed our ability to handle arbitrary, unsolicited input. Whether through gauntlets of long-forgotten regexes, or the most sophisticated of convolutional neural nets, detecting and blocking spam has been a Sisyphean battle which has consumed countless IT resources. Not so at AUSCERT. We have the dubious luxury of actively soliciting spam wherever it is to be found. Because of this we’re able to watch as campaigns wax and wane, see how they evolve over time, and get a feel for the objectives of the spammers. Some campaigns are evergreen – fake pharmaceuticals (usually of the male enhancement variety), various advance-fee scams (think Nigerian Prince), phishing for credentials – it’s rare a day goes by without examples of these coming across our inbox. Some campaigns are very flavour-of-the-month, for a few months everyone had their own ICO or crypto investment strategy to hawk to any mail socket willing to listen(). Other campaigns are more sporadic. It’s not unusual for us to see a short burst of activity on one particular topic or script which goes silent, only to re-emerge later. Sometimes this is to facilitate a transition to new infrastructure, or to replenish their supply of compromised accounts. Other times this can be to spend time reworking the script, or refining their technique – this blog deals with one such instance where the renewed campaign was so successful that we’ve seen a large uptick in its output. This particular campaign is a faux sextortion blackmail. The premise of the blackmail is that the spammer has recorded the recipient visiting a pornographic website, through some vulnerability on the website or the recipient’s own computer. Unless the victim pays a sum of cryptocurrency to the spammer, they threaten to release this non-existent video to the victim’s family, friends, or colleagues. The campaign itself is far from new, we have seen minor variations on the same script pop up repeatedly. Recently a new variation emerged, almost exactly the same, but with one small difference: it would present the recipient’s password to them. Given that these passwords were usually out of date, and data breaches and dumps are a great source of email address for spam campaigns, it stands to reason that the spammers were simply pulling passwords for a given email from old breaches and inserting them into the email template. In fact, in our case it would seem if they cannot find a matching password then it fills that portion of the template in with an empty string. We’re certainly not the first to have written about this campaign,[1] but we were spurred to write this post due to the increase in its prevalence that we’re witnessing. Unfortunately this only means one thing: it’s working. We’re also now seeing campaigns where the recipient’s name and phone number are being used in place of the password. It’s not hard to see how as an unsuspecting recipient you could easily be fooled into believing the claims made. Indeed, efforts to catalogue and track the transactions of the various wallet addresses used by the spammers prove that it’s having the desired effect.[2] Some things you can do to protect yourself against such scams: Treat all unsolicited email with a healthy dose of skepticism. If you receive any threatening email, take a sentence or two and search for them. This can help you detect if you’ve received a well-known script or variant. Report the email to your IT department if possible. Practice good password hygiene. If you know you’ve used a strong, unique password for each service then you reduce your exposure when one is breached. Consider a password manager. For reference, here is an example from this campaign that we have received: It appears that, (), is your password. May very well not know me and you are probably wondering why you're getting this e-mail, right? actually, I put in place a malware over the adult videos (adult porn) website and guess what happens, you visited this web site to have fun (you really know what What i'm saying is). When you were watching videos, your internet browser started off working like a RDP (Remote Desktop) which provided me accessibility to your screen and web camera. from then on, my software program obtained your complete contacts from your Messenger, Microsoft outlook, Facebook, as well as emails. What did I really do? I created a double-screen video clip. First part shows the recording you were seeing (you have a good taste haha . . .), and 2nd part shows the recording of your webcam. what exactly should you do? Well, in my opinion, $1200 is a fair price for your little secret. You will make the payment by Bitcoin (if you do not know this, search "how to buy bitcoin" in Google). Bitcoin Address: **ADDRESS** (It is case sensitive, so copy and paste it) Very important: You've got some days to make the payment. (I have a unique pixel in this e-mail, and at this moment I know that you've read through this email message). If I do not get the BitCoins, I will certainly send your videos to all of your contacts including relatives, co-workers, and so forth. Having said that, if I receive the payment, I'll destroy the recording immidiately. If you'd like evidence, reply with "Yes!" and I will definitely mail out your videos to your 6 contacts. It is a non-negotiable offer, that being said don't waste my personal time and yours by answering this message. [1] https://krebsonsecurity.com/2018/07/sextortion-scam-uses-recipients-hacked-passwords/[2] https://twitter.com/SecGuru_OTX/status/1022430328647024640

Learn more

Week in review

AUSCERT Week in Review for 17th August 2018

AUSCERT Week in Review for 17th August 2018 AUSCERT Week in Review17 August 2018 Greetings,Another week gone by, and this one has not been any thinner in bulletins to process. Have you ever applied lots of pressure to a wet bar of soap? It may be a worth-while experiment to perform the next time you get access to a soap bar if the physics are not quite understood. Well, entities are a bit like a bar of wet soap and are keen to avoiding legal problems, whilst maintaining a loyal and satisfied customer base.  After all that is how “quality” is defined, a satisfied customer base.  This may soon become a more complicated juggling act for organisations handling user data either, in transit or at rest, from a service they provide or equipment they manufacture.  Trying to squeeze access to data may result in organisations deciding to relinquish any possibility of access to this user data as legal ramification increase. Adding the risk of time served may alter the way an organisation may provide a service or build a product. Squeezing organisation hard in this manner may diminish, as the chance to get to the data sought slips away. So, should organisations deal with user data, at rest or in transit, from services or equipment manufactured, then perhaps the first news story of this week is worth while to look at and keep an eye if this legislation passes.  For if it does, organisations may have to re-assess their policy, denying themselves access to user-submitted data, lest time be served.      As for the news, here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Title:  Australians who won’t unlock their phones could face 10 years in jailURL:    https://nakedsecurity.sophos.com/2018/08/16/australians-who-wont-unlock-their-phones-could-face-10-years-in-jail/Date:   August 16, 2018Author: Danny Bradbury     Excerpt:“The Australian government wants to force companies to help it get at suspected criminals’ data. If they can’t, it would jail people for up to a decade if they refuse to unlock their phones.” ——- Title:  Hundreds of Instagram accounts were hijacked in a coordinated attack URL:    https://securityaffairs.co/wordpress/75377/hacking/instagram-accounts-hacked.htmlDate:   August 15, 2018 Author: Pierluigi Paganini     Excerpt:“Hundreds of Instagram accounts were hijacked in what appears to be the result of a coordinated attack, all the accounts share common signs of compromise. Alleged attackers have hijacked Instagram accounts and modified personal information making impossible to restore the accounts.” ——- Title:  PhishPoint Phishing Attack – A new technique to Bypass Microsoft Office 365 ProtectionsURL:    https://securityaffairs.co/wordpress/75382/hacking/phishpoint-phishing-attacks.htmlDate:   August 15, 2018 Author: Pierluigi Paganini     Excerpt:“Security experts from the cloud security firm Avanan have discovered a new technique dubbed PhishPoint, that was used by hackers to bypass Microsoft Office 365 protections. PhishPoint is a new SharePoint phishing attack that affected an estimated 10% of Office 365 users over the last 2 weeks. The experts are warning of the new technique that was already used in attacks by scammers and crooks to bypass the Advanced Threat Protection (ATP) mechanism implemented by most popular email services, Microsoft Office 365.” ——- Title:  Academics Discover New Bypasses for Browser Tracking Protections and Ad BlockersURL:    https://www.bleepingcomputer.com/news/security/academics-discover-new-bypasses-for-browser-tracking-protections-and-ad-blockers/Date:   August 16, 2018 Author: Catalin Cimpanu     Excerpt:“Security and user privacy protections included in browsers, ad blockers, and anti-tracking extensions are not as secure as everyone believes, a team of three academics from the Catholic University in Leuven, Belgium (KU Leuven) have revealed yesterday. Their work consisted of analyzing anti-tracking settings that are built into modern browsers, but also the ones provided by some popular extensions (add-ons).” ——- Title:  Princess Evolution Ransomware is a RaaS With a Slick Payment SiteURL:    https://www.bleepingcomputer.com/news/security/princess-evolution-ransomware-is-a-raas-with-a-slick-payment-site/Date:   August 15, 2018 Author: Lawrence Abrams     Excerpt:“A new variant of the Princess Locker ransomware is being distributed called Princess Evolution. Like its predecessor, Princess Evolution is a Ransomware as a Service, or RaaS, that is being promoted on underground criminal forums. As this ransomware is being distributed through different affiliates, there are numerous methods that are possibly being used to distribute this ransomware… ..Unfortunately, at this time there is no known way to decrypt files encrypted by Princess Evolution. For those who are interested in discussing this ransomware or receiving support, you can use our dedicated Princess Evolution Support & Help topic.” ——- And lastly, here are this week’s noteworthy security bulletins (in no particular order): 1)ESB-2018.2401 – [SUSE] kernel: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/66786…local users to create files with an unintended group ownership allowing attackers to escalate privileges by making a plain file executable and SGID… 2)ESB-2018.2379 – [Cisco] Cisco Web Security Appliance (WSA): Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/66698CVE-2018-0428 …could allow an authenticated, local attacker to elevate privileges to root… 3)ESB-2018.2361 – [Debian] kernel: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/66626…local users to create files with an unintended group ownership allowing attackers to escalate privileges by making a plain file executable and SGID… 4)ESB-2018.2325 – [SUSE] cups: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/66458…a local privilege escalation to root and sandbox bypasses… 5)ESB-2018.2403 – [Win] Tridium Niagara: Administrator compromise – Existing accounthttps://portal.auscert.org.au/bulletins/66794…using a disabled account name and a blank password, granting the attacker administrator access… Wishing you the best from AUSCERT and stay safe as we will need you next week to keep users safe,Geoffroy

Learn more

Week in review

AUSCERT Week in Review for 10th August 2018

AUSCERT Week in Review for 10th August 2018 Greetings, As another week comes to a close, here’s a collection of articles for you to enjoy. Have you ever considered the impact cryptomining has on the environment? On a side note, AUSCERT is hiring! The position is for a Senior Information Security Analyst. If interested, you can find more details at (https://www.seek.com.au/job/36851253). Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Ramnit is back and contributes in creating a massive proxy botnet, tracked as ‘Black’ botnet Date Published: 08/08/2018 Author: Pierluigi Paganini Excerpt: “In 2015, Europol partnering with several private technology firms announced the takedown of the Ramnit C2 infrastructure.   A few months later Ramnit was back, the researchers at IBM security discovered a new variant of the popular Ramnit Trojan.   Recently the experts observed that the “Black” botnet campaign has infected up 100,000 systems in two months, and this is just the tip of the iceberg because according to researchers a second-stage malware called Ngioweb is already spreading.   There is the concrete risk that Ramnit operators are using the two malware to build a large, multi-purpose proxy botnet that could be used for many fraudulent activities (i.e. DDoS attacks, ransomware-based campaigns, cryptocurrency mining campaigns).   “Recently we discovered the Ramnit C&C server (185.44.75.109) which is not related to the previously most prevalent botnet “demetra”. According to domain names which are resolved to the IP address of this C&C server, it pretends to control even old bots, first seen back in 2015. We named this botnet “Black” due to the RC4 key value, “black”, that is used for traffic encryption in this botnet.” reads the analysis published by Checkpoint security.” —– Exploit kits: summer 2018 review Date Published: 07/08/2018 Author: Jerome Segura Excerpt: “In addition, we have witnessed many smaller and unsophisticated attackers using one or two exploits bluntly embedded in compromised websites. In this era of widely-shared exploit proof-of-concepts (PoCs), we are starting to see an increase in what we call “pseudo-exploit kits.” These are drive-by downloads that lack proper infrastructure and are typically the work of a lone author. In this post, we will review the following exploit kits: RIG EK GrandSoft EK Magnitude EK GreenFlash Sundown EK KaiXin EK Underminer EK Pseudo-EKs”” —– Hacker swipes Snapchat’s source code, publishes it on GitHub Date Published: 07/08/2018 Author: Matthew Hughes Excerpt: “The repository has a description of “Source Code for SnapChat,” and is written in Apple’s Objective-C programming language. This strongly suggests that the repo contained part or whole of the company’s iOS application, although there’s no way we can know for certain. It could just as easily be a minor component to the service, or a separate project from the company.   There are two other clues to the identity of the person who published the leaked Snapchat code.   According to the i5xx GitHub account, his name is Khaled Alshehri. This should be taken with a grain of salt, however. For starters, there’s nothing stopping the user from listing a fake name. Furthermore, according to several people TNW has spoken to, the surname “Alshehri” isn’t especially common in Pakistan.   The profile also links to an online business in Saudi Arabia offering a mixed bag of tech services, from security scanning and iCloud removal, to software development and the sale of iTunes giftcards.” —– DeepLocker: How AI Can Power a Stealthy New Breed of Malware Date Published: 08/08/2018 Author: Marc Ph. Stoecklin Excerpt: “What is unique about DeepLocker is that the use of AI makes the “trigger conditions” to unlock the attack almost impossible to reverse engineer. The malicious payload will only be unlocked if the intended target is reached. It achieves this by using a deep neural network (DNN) AI model.   The AI model is trained to behave normally unless it is presented with a specific input: the trigger conditions identifying specific victims. The neural network produces the “key” needed to unlock the attack. DeepLocker can leverage several attributes to identify its target, including visual, audio, geolocation and system-level features. As it is virtually impossible to exhaustively enumerate all possible trigger conditions for the AI model, this method would make it extremely challenging for malware analysts to reverse engineer the neural network and recover the mission-critical secrets, including the attack payload and the specifics of the target. When attackers attempt to infiltrate a target with malware, a stealthy, targeted attack needs to conceal two main components: the trigger condition(s) and the attack payload.   DeepLocker is able to leverage the “black-box” nature of the DNN AI model to conceal the trigger condition. A simple “if this, then that” trigger condition is transformed into a deep convolutional network of the AI model that is very hard to decipher. In addition to that, it is able to convert the concealed trigger condition itself into a “password” or “key” that is required to unlock the attack payload.” —- ICS Threat Broadens: Nation-State Hackers Are No Longer the Only Game in Town Date Published: 07/08/2018 Authors: Israel Barak and Ross Rustici Excerpt: “The honeypot contained bait to entice attackers, including three Internet facing servers (Sharepoint, SQL and domain controller) with remote access services like RDP and SSH and weak passwords. Nothing was done to promote the servers to attackers. However, the servers’ DNS names were registered and the environment’s internal identifiers used a moniker that resembled the name of a major, well-known electricity provider.   Two days after the honeypot was launched, Cybereason determined that a black market seller had discovered it based on a toolset that had been installed in the environment. The tool — xDedic RDP Patch — is commonly found in assets that are being sold in the xDedic black market. It allows a victim and an attacker to use the same credentials to simultaneously log-in to a machine using RDP (Remote Desktop Protocol).   The seller also installed backdoors in the honeypot servers by creating additional users, another indicator that the asset was being prepared for sale on xDedic. The backdoors would allow the asset’s new owner to access the honeypot even if the administrator passwords were changed, a scenario that could have otherwise prevented the adversaries from accessing the servers.” Here are this week’s noteworthy security bulletins: 1) ESB-2018.2271 – [Linux][Debian] linux kernel: Multiple vulnerabilities A vulnerability in TCP stream reassembly in the Linux kernel was addressed by a number of vendors this week. Dubbed “SegmentSmack”. The vulnerability allows a remote attacker to crash a vulnerable system by sending a stream of crafted TCP/IP packets. Juniper, F5 Networks and Citrix are among them. 2) ESB-2018.2277 – [Win][UNIX/Linux][FreeBSD] tcp: Denial of service – Remote/unauthenticated Yet another Denial of Service vulnerability targeting TCP. This vulnerability is centred around an inefficient data structure for holding received TCP segments prior to reassembly. An attacker could cause a Denial of service condition by sending a stream of crafted, segmented TCP traffic contributing to a large number of segments awaiting reassembly, leading to CPU resource exhaustion. A patch has been introduced that limits the reassembly queue size per connection. 3) ESB-2018.2279 – [Printer] HP Ink Printers: Multiple vulnerabilities Owners of HP Ink printers had cause to be concerned over a buffer overflow vulnerability triggered by a crafted file received over the network. If exploited, the buffer overflow could lead to code execution or a denial of service condition. HP has released firmware updates to address the issue. Stay safe, stay patched, stay cool and have a good weekend! Nicholas

Learn more

Blogs

Location, location, location

Location, location, location This week we received an email from a person who was concerned about a picture they had uploaded to their profile within an organisation.  They noticed that the GPS coordinates of where the photo was taken was retained in the metadata of the uploaded image.  Curious, they started looking at other people’s profile images to discover coordinates stored in those as well, potentially revealing where these colleagues live. What is EXIF data? Apart from the image itself, an image file can store other information such as date, time, camera information and settings, geolocation, and copyright information. For a photographer, this information is very useful, and saves having to write it down for each photo.  What it also means though, is that when we take a photo with a camera phone, and upload this image to social media, that site now has access to where you are, and at what time you were there.  Not only that, but if the website doesn’t strip the metadata before republishing, others could also see this information and track your location and movements. What can I do? For users: Many social media websites already strip location and other EXIF data, including (at the time of writing) Facebook, Instagram, LinkedIn and Twitter. That said, many other large sites do not strip this metadata, and it can be difficult to know about smaller services or corporate systems, so as a user, it is safer to disable the saving of location information from your device. On Android, this will vary depending on your phone and version. In your camera application, look for ‘Settings‘, then ‘GPS location‘ or ‘Store Location‘, and turn this option off. You can also disable location services completely by going to ‘Settings‘, then under the ‘Personal‘ heading, select ‘Location‘ and turn it off. On an iPhone, in ‘Settings‘ go to ‘Privacy‘, then ‘Location Services‘ and turn this option off for the camera. These steps only disable location information. Time and date stamps, as well as device information will still be retained. For existing photos on your computer, you can use Imagemagick (https://www.imagemagick.org, cross platform) to batch strip EXIF data from your images: $ mogrify -strip * In Windows, you can right click an image, select ‘Properties‘, then the ‘Details‘ tab to see and remove the image’s metadata. Alternatively, there are many other image editing tools to choose from.   For administrators: Please look into stripping metadata when a user uploads an image to your web application, or re-process images so that data isn’t available to other users. Happy (and safe) snapping!Charelle.

Learn more

Week in review

AUSCERT Week in Review for 3rd August 2018

AUSCERT Week in Review for 3rd August 2018 Greetings, As another week comes to a close, give yourselves a pat on the back, because Aussies are almost immune from ransomware attacks!! All the more reason to not let our guard down and keep looking for and applying threat indicators to prevent and detect ransomware activity. Also this week, more ransomware authors seem to be joining forces to deliver their respective malware in a one-two punch using the sample malspam runs. Potential motives: Economies of scale? Easier propagation? This however, undoubtedly remains the year of the cryptojacker.   Hope you enjoy reading this week’s selection of articles: New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign  Date Published: 30/07/2018 Authors:  Proofpoint staff Excerpt: “AZORult is a robust information stealer & downloader that Proofpoint researchers originally identified in 2016 as part of a secondary infection via the Chthonic banking Trojan. We have since observed many instances of AZORult dropped via exploit kits and in fairly regular email campaigns as both a primary and secondary payload.   Recently, AZORult authors released a substantially updated version, improving both on its stealer and downloader functionality. It is noteworthy that within a day of the new update appearing on underground forums, a prolific actor used the new version in a large email campaign, leveraging its new capabilities to distribute Hermes ransomware. It is always interesting to see malware campaigns where both a stealer and ransomware are present, as this is less common [1], and especially disruptive for recipients who initially may have credentials, cryptocurrency wallets, and more stolen before losing access to their files in a subsequent ransomware attack.” —– Massive Coinhive Cryptojacking Campaign Infects 170,000 MikroTik Routers Date Published: 02/08/2018 Author: Catalin Cimpanu Excerpt: “According to Kenin, the attacker used one of those PoCs to alter traffic passing through the MikroTik router and inject a copy of the Coinhive library inside all the pages served through the router.   We know it’s only one threat actor exploiting this flaw because the attacker used only one Coinhive key for all the Coinhive injections he performed during the past week.   Furthermore, Kenin says that he also identified some cases where non-MikroTik users were also impacted. He says this was happening because some Brazilian ISPs were using MikroTik routers for their main network, and hence the attacker managed to inject the malicious Coinhive code in a massive amount of web traffic.   In addition, Kenin says that because of the way the attack was performed, the injection worked both ways, and not necessarily only for traffic going to the user. For example, if a website was hosted on a local network behind an affected MikroTik router, traffic to that website would also be injected with the Coinhive library.” —– Australians almost immune from ransomware, topping lists for data safety Date Published: 31/07/2018 Author: Richard Chirgwin Excerpt: “Take a bow, Australians: we may have had 242 breaches sent to the information commissioner this quarter, but almost nobody fell victim to ransomware attacks. Of all the data breaches reported to the Office of the Australian Information Commissioner (OAIC) between April and June this year, only two were ransomware attacks. However, given the MyHealth Record debate in Australia, the statistics paint a grim picture: the health sector recorded the most notifiable breaches from April to June. The OAIC data, published today, is the first full quarter of data breach statistics since the notification regime came into force on 22 February 2018. Breach notifications rose in each of the months covered by the report, which probably indicates rising business awareness of the legislation: there were 65 notifications in April, 87 in May, and 90 in June, a total of 242 in the quarter.” —– Bisonal Malware Used in Attacks Against Russia and South Korea Date Published: 31/07/2018 Author: Kaoru Hayashi and Vicky Ray Excerpt: “Attacks using Bisonal have been blogged about in the past. In 2013, both COSEINC and FireEye revealed attacks using Bisonal against Japanese organizations . In October 2017, AhnLab published a report called “Operation Bitter Biscuit,” an attack campaign against South Korea, Japan, India and Russia using Bisonal and its successors, Bioazih and Dexbia. We believe it is likely these tools are being used by one group of attackers.   Though Bisonal malware has been in the wild for at least seven years and frequently updated, the actors keep using same high-level playbooks. Common features of attacks involving Bisonal include:   Usually targeting organizations related to government, military or defense industries in South Korea, Russia, and Japan. In some cases, the use of Dynamic DNS (DDNS) for C2 servers. The use of a target or campaign code with its C2 to track victim or attack campaign connections. Disguising the Bisonal malware as a PDF, Microsoft Office Document or Excel file. The use of a decoy file in addition to the malicious PE file In some cases, code to handle Cyrillic characters on Russian-language operating systems. We observed all these characteristics in the latest attacks against both Russia and South Korea.” —- Blueprints for 3D printed guns stay offline for now — but we should still be worried Date Published: 01/08/2018 Authors:  Abhimanyu Ghoshal Excerpt: “The truth is that the aforementioned legal battles don’t matter a whole lot right now: DD actually made the files available last Friday on its DEFCAD site, so they’ve already fallen into the hands of those who want them. There’s also a GitHub repository maintained by a group called FOSSCAD, where you can find designs for a range of pistols, rifles, and ammo.   All this points to the fact that we’re getting rather uncomfortably close to a future where anyone with access to a 3D printer could fabricate an untraceable plastic gun that fires real bullets – and could do real damage.” —– Here are this week’s noteworthy security bulletins: 1) ESB-2018.2201 – [Linux] IBM QRadar : Multiple vulnerabilities IBM’s QRadar SIEM had multiple updates this week that addressed multiple vulnerabilies introduced by Apache Tomcat, Java and OpenSSL components. 2) ESB-2018.2218 – [Win][Linux][Solaris][AIX] IBM Security Identity Manager: Execute arbitrary code/commands – Remote/unauthenticated IBM’s Security Identity Manager also had an update addressing a remote code execution vulnerability introduced by Apache Commons. 3) ASB-2018.0188 – [Appliance] Intel Puma: Denial of service – Remote/unauthenticated 2018-08-01 A serious vulnerability was identified in Intel Puma chipsets, widely used in Home Gateways and Cable modems. The vulnerability potentially allows a remote attacker to starve the processors of resources by sending crafted network traffic to the device, giving rise to a denial of service situation. The vendor is apparently working with device manufacturers to roll out a fix. Stay safe, stay patched, keep warm and have a good weekend! Nicholas

Learn more

Week in review

AUSCERT Week in Review for 27th July 2018

AUSCERT Week in Review for 27th July 2018 AUSCERT Week in Review27 July 2018 Good afternoon, and welcome to the end of another week in Infosec. This week saw a brief respite from the cold, harsh Queensland winter.In the AUSCERT office we’re definitely looking forward to the warmer months! Thanks to our members who were able to attend our Melbourne Member meet-upearlier this week, and anyone who stopped by our booth at the 2018 SecurityExhibition & Conference. We appreciate all the feedback we’ve gotten! Here are some of the significant news stories from this week: —– New Spectre attack enables secrets to be leaked over a networkAuthor: Peter BrightDate: 27 July 2018https://arstechnica.com/gadgets/2018/07/new-spectre-attack-enables-secrets-to-be-leaked-over-a-network/ “Researchers from Graz University of Technology, including one of theoriginal Meltdown discoverers, Daniel Gruss, have described NetSpectre:a fully remote attack based on Spectre. With NetSpectre, an attacker canremotely read the memory of a victim system without running any code onthat system.” — Google Chrome Now Labels HTTP Sites as ‘Not Secure’Author: Brian BarrettDate: 24 July 2018https://www.wired.com/story/google-chrome-https-not-secure-label “Nearly two years ago, Google made a pledge: It would name and shamewebsites with unencrypted connections, a strategy designed to spur webdevelopers to embrace HTTPS encryption. On Tuesday, it finally is followingthrough. With the launch of Chrome 68, Google now will call out sites withunencrypted connections as “Not Secure” in the URL bar.” — Google: Security Keys Neutralized Employee PhishingAuthor: Brian KrebsDate: 23 July 2018https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/ “Google has not had any of its 85,000+ employees successfully phished ontheir work-related accounts since early 2017, when it began requiring allemployees to use physical Security Keys in place of passwords and one-timecodes, the company told KrebsOnSecurity.” — Singapore govt health database hackedAuthor: Staff WriterDate: 20 Jul 2018https://www.itnews.com.au/news/singapore-govt-health-database-hacked-498782 “A major cyberattack on Singapore’s government health database resultedin the personal information of about 1.5 million people – including PrimeMinister Lee Hsien Loong – being stolen. The “deliberate, targeted and well-planned,” attack aimed at patients whovisited clinics between May 2015 and July 4 this year, the health ministrysaid in a statement.” Here are this week’s noteworthy security bulletins (in no particular order): 1. ESB-2018.2133 – Bluetooth devices: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/65666 Several Bluetooth implementations, including Apple, Broadcom and Intel,are vulnerable to Man In The Middle attacks, as a result of a missing stepin validating elliptic curve parameters. 2. ESB-2018.2153 – ClamAV: Denial of service – Remote with user interactionhttps://portal.auscert.org.au/bulletins/65750 Vulnerabilities in ClamAV could cause a hang when scanning speciallycrafted PDF or HWP files. 3. ESB-2018.2129 – python-cryptography: Access confidential data –Remote/unauthenticatedhttps://portal.auscert.org.au/bulletins/65650 A vulnerability in a popular cryptography library could expose sensitivedata. ——- Stay safe, stay patched, and have a good weekend! Anthony and the team at AUSCERT

Learn more

Blogs

Insecure AWS S3 buckets – an ongoing target

Insecure AWS S3 buckets – an ongoing target Recently, AUSCERT has seen an increase in the number of attacks on unsecured cloud infrastructure. One of the most frequently targeted cloud hosting methods is Amazon’s Scalable Storage Solution, commonly referred to as AWS S3.   S3 is used to store static assets for public websites, such as images and javascript, and is also used as a destination for backup solutions, due to its low storage costs. S3 buckets can be accessed via HTTP/HTTPS, as well as an API that is available to other AWS infrastructure.    However, critically, many buckets have been configured to expose all of their files, as well as a listing of the files in the bucket – a modern equivalent to the open directory listing issue that many misconfigured webservers have suffered from in the past.   Perhaps due to an overload of new practices required when switching to AWS infrastructure, or due to unfamiliarity with the platform, many S3 buckets have been left exposed when they contain sensitive or secret data, such as backups, copies of databases, or private documents. Many of these S3 buckets have been discovered by third parties, which has resulted in some high-profile data breaches. This website maintains a listing of data breaches that were caused by insecure S3 buckets.   Although this issue has been known for a long time, in the last 12 months more tools to enumerate, discover, and even provide public search listings of S3 buckets have become available. This recent trend has prompted AUSCERT to begin scanning AWS for S3 buckets that have easily guessable names relating to our members’ organisations.   Amazon themselves have noted this issue and have taken measures to assist users and prevent further compromises on their platform. Last year, after a large breach that affected millions of Dow Jones customers, Amazon sent an email to the account administrator of every AWS account that had publicly accessible S3 buckets.   In Amazon’s own words, “While there are reasons to configure buckets with world read access, including public websites or publicly downloadable content, recently, there have been public disclosures by third parties of S3 bucket contents that were inadvertently configured to allow world read access but were not intended to be publicly available. We encourage you to promptly review your S3 buckets and their contents to ensure that you are not inadvertently making objects available to users that you don’t intend.”   The official AWS blog contains useful information about securing S3 buckets while still allowing access in a controlled manner. See this article, published in March 2018, for more details.   AUSCERT recommends reviewing all of your AWS infrastructure to ensure access controls are appropriate for your uses.     Anthony Vaccaro, Senior Information Security Analyst at AUSCERT

Learn more

Week in review

AUSCERT Week in Review for 20th July 2018

AUSCERT Week in Review for 20th July 2018 AUSCERT Week in Review20 July 2018 Good afternoon, and welcome to the end of another week in Infosec. This week saw the quarterly Oracle patch day come with a record-breakingnumber of CVEs. I hope our members can keep up with the huge amount ofpatching required to use Oracle products! In addition, the Australian government launched My Health Record thisweek, and was promptly bombarded with opt-out requests. Asking to store(and share) your personal medical data for the rest of your life may notgo down well with many australians, especially as scandals involving databreaches and misuse become more and more common. Here are some of the significant news stories from this week: —– Defence attacked over new technology restrictionsAuthor: Julian BajkowskiDate: 19 July 2018https://www.itnews.com.au/news/defence-attacked-over-new-technology-restrictions-498612 “Australia’s top universities have blasted a massive expansion ofintrusive powers proposed by the Department of Defence. The new powers would allow Defence to enter and search all technologyprojects in Australia and restrict and dictate how information from themis shared between researchers and industry.” —Oracle product vulnerabilities hit all-time highAuthor: Juha SaarinenDate: 18 July 2018https://www.itnews.com.au/news/oracle-product-vulnerabilities-hit-all-time-high-498543 “The July 2018 Critical Patch Update (CPU) set of security fixes for Oracleproducts released overnight closes no fewer than 334 vulnerabilites,up from 251 in April and more than the highest number remedied so far,308 in July 2017. Of the 334 flaws, 61 are considered as critical with high CommonVulnerabilities Scoring System ratings of 9.0 to 10.0.” —My Health Record systems collapse under more opt-outs than expectedAuthor: StilgherrianDate: 16 July 2018https://www.zdnet.com/article/my-health-record-systems-collapse-under-more-opt-outs-than-expected/ “Australians attempting to opt out of the government’s new centralised healthrecords system online have been met with an unreliable website. Those phoningin have faced horrendous wait times, sometimes more than two hours, oftento find that call centre systems were down as well, and staff unable to help. The Australian Digital Health Agency (ADHA), which runs the My HealthRecord system, is reportedly telling callers that they weren’t expectingthe volume of opt-outs.” Here are this week’s noteworthy security bulletins (in no particular order): 1. ESB-2018.2076 – Cisco Policy Suite: Root compromise –Remote/unauthenticatedhttps://portal.auscert.org.au/bulletins/65426 Several vulnerabilities in Cisco Policy Suite have a large impact. 2. ESB-2018.2075 – ffmpeg: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/65330 Vulnerabilities in ffmpeg could lead to a crash or code execution fromviewing/processing malicious video files. 3. ESB-2018.2103 – Jenkins: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/65534 A new vulnerability in Jenkins could allow users to move the configuration file to a new location. ——- Stay safe, stay patched, and have a good weekend! Anthony and the team at AUSCERT

Learn more

Week in review

AUSCERT Week in Review for 13th July 2018

AUSCERT Week in Review for 13th July 2018 AUSCERT Week in Review13 July 2018 Two package compromises this week serve as a reminder that we all rely on each other’s code, which few of us have the luxury of auditing. ESLint, a linter for JavaScript-family languages, published a malicious package which stole Node Package Manager credentials from developers. (While I have this soapbox, linters are great and should be used for any code you write – even if that’s “only” shell scripting, try out ShellCheck!) Microsoft Patch Tuesday also took place this week, with more vulns which could hijack Edge purely from opening a malicious page. If your users ask why they’re advised to delete spam emails, you can point them to the presence of these bugs in almost every Patch Tuesday. In accordance with tradition, here are some interesting news articles from the week: Patch Tuesday, July 2018 EditionAuthor: Brian KrebsDate: 10 July 2018https://krebsonsecurity.com/2018/07/patch-tuesday-july-2018-edition/ Microsoft and Adobe each issued security updates for their products today. Microsoft’s July patch batch includes 14 updates to fix more than 50 security flaws in Windows and associated software. Separately, Adobe has pushed out an update for its Flash Player browser plugin, as well as a monster patch bundle for Adobe Reader/Acrobat. Postmortem for Malicious Packages Published on July 12th, 2018Author: ESLint ProjectDate: 12 July 2018https://eslint.org/blog/2018/07/postmortem-for-malicious-package-publishes On July 12th, 2018, an attacker compromised the npm account of an ESLint maintainer and published malicious versions of the eslint-scope and eslint-config-eslint packages to the npm registry. On installation, the malicious packages downloaded and executed code from pastebin.com which sent the contents of the user’s .npmrc file to the attacker. An .npmrc file typically contains access tokens for publishing to npm. The malicious package versions are eslint-scope@3.7.2 and eslint-config-eslint@5.0.2, both of which have been unpublished from npm. The pastebin.com paste linked in these packages has also been taken down. Malware Found in Arch Linux AUR Package RepositoryAuthor: Catalin CimpanuDate: 10 July 2018https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository Malware has been discovered in at least three Arch Linux packages available on AUR (Arch User Repository), the official Arch Linux repository of user-submitted packages.[…] No other malicious actions were observed, meaning the acroread package wasn’t harming users’ systems, but merely collecting data in preparation for… something else. Airport security card company reveals data hack as AFP investigatesAuthor: ABC NewsDate: 12 July 2018http://www.abc.net.au/news/2018-07-12/afp-investigating-airport-security-card-data-hack/9981796 A company that issues Aviation Security Identity Cards (ASICs) — designed to stop organised criminals and terrorists from accessing planes and other restricted airport zones — has been hacked, leading to concerns that Australian airport security may have been compromised as a result. Here are this week’s noteworthy security bulletins (in no particular order): 1. ESB-2018.2011 – [Appliance] Universal Robots Robot Controllers: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/65058 Industrial robots would execute arbitrary code sent to certain TCP ports. 2. ESB-2018.2021 – ALERT [UNIX/Linux][Debian] cups: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/65098 The Common UNIX Printing System patched a root compromise vulnerability. 3. ESB-2018.1984 – [Apple iOS] Apple iOS: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/64922 Multiple memory corruption and data leak issues in WebKit, used by Safari & other browsers, plus a crash when a China-region phone received the Taiwanese flag emoji. 4. ESB-2018.1756.2 – UPDATE [Win][UNIX/Linux] BIND: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/63966 Regression caused defaults to work incorrectly in the BIND nameserver, allowing denials of service (including DNS reflection attacks) and examining the DNS cache. Stay safe, stay patched and have a good weekend,David and the team at AUSCERT

Learn more

Week in review

AUSCERT Week in Review for 6th July 2018

AUSCERT Week in Review for 6th July 2018 AUSCERT Week in Review06 July 2018 Greetings, This week’s events have reminded us to be careful of the software we install. Between browser extensions gone rogue and a major software foundation’s GitHub account serving compromised content, consider whose code you might have run without knowing it. The AUSCERT bulletins service is nearly at number 2,000 by early July, making this the busiest year on record. If you want to change your subscription settings, your inbox may thank you. Log in to the member portal at https://wordpress-admin.auscert.org.au to make the change. If you get stuck or have any questions, contact us at auscert@auscert.org.au! In the news this week: ‘Stylish’ browser extension steals all your internet historyhttps://robertheaton.com/2018/07/02/stylish-browser-extension-steals-your-internet-history/Date: 02 July 2018Author: Robert Heaton Unfortunately, since January 2017, Stylish has been augmented with bonus spyware that records every single website that I and its 2 million other users visit (EDIT – I am told that the Chrome version has had tracking since January 2017, but the Firefox version has only had it since March 2018). Stylish sends our complete browsing activity back to its servers, together with a unique identifier. This allows its new owner, SimilarWeb, to connect all of an individual’s actions into a single profile. And for users like me who have created a Stylish account on userstyles.org, this unique identifier can easily be linked to a login cookie. … Stylish’s transition from visual Valhalla to privacy Chernobyl began when the original owner and creator of Stylish sold it in August 2016. In January 2017 the new owner sold it again, announcing that “Stylish is now part of the SimilarWeb family”. The SimilarWeb family’s promotional literature lists “Market Solutions To See All Your Competitors’ Traffic” amongst its interests. [AUSCERT adds: Recall also https://www.theregister.co.uk/2017/09/15/pretend_python_packages_prey_on_poor_typing/ from last year.] Gentoo GitHub Organization hackedhttps://wiki.gentoo.org/wiki/Github/2018-06-28Date: 01 July 2018 An unknown entity gained control of an admin account for the Gentoo GitHub Organization and removed all access to the organization (and its repositories) from Gentoo developers. They then proceeded to make various changes to content. Gentoo Developers & Infrastructure escalated to GitHub support and the Gentoo Organization was frozen by GitHub staff. Gentoo has regained control of the Gentoo GitHub Organization and has reverted the bad commits and defaced content. The entity attempted to wipe user content by adding “rm -rf” to various repositories; however this code was unlikely to be executed by end users due to various technical guards in place. Iranian APT Poses As Israeli Cyber-Security Firm That Exposed Its Operationshttps://www.bleepingcomputer.com/news/security/iranian-apt-poses-as-israeli-cyber-security-firm-that-exposed-its-operations/Author: Catalin CimpanuDate: 03 July 2018 According to Israeli cyber-security firm ClearSky Security, the company says the Iranian APT copied its official website and hosted on a lookalike domain at clearskysecurity.net (the official ClearSky website is located at ClearSkySec.com). “Charming Kitten built a phishing website impersonating our company,” ClearkSky said yesterday. “They copied pages from our public website and changed one of them to include a ‘sign in’ option with multiple services.” “These sign-in options are all phishing pages that would send the victim’s credentials to the attackers,” ClearSky said. “Our legitimate website does not have any sign in option.” Another day, another data breach. Do you even care any more?http://www.abc.net.au/news/science/2018-07-06/data-breach-fatigue-ticketmaster-ticketfly-linkedin/9943720Author: ABC NewsDate: 05 July 2018 Dr Chen and his team used sentiment-analysis tools to track the emotional content of 18,764 tweets containing the hashtag #OPMHack. After events associated with the hack — from the initial breach announcement to the OPM director’s resignation — they saw a large drop-off in reaction. In other words, Dr Chen said, “we can see that the public is gradually losing interest in reacting to this news”. Here are this week’s noteworthy security bulletins (in no particular order): 1. ESB-2018.1949 – [Win][Linux] Drupal Universally Unique IDentifier: Create arbitrary files – Existing accounthttps://portal.auscert.org.au/bulletins/64782 A major Drupal module had an arbitrary file upload vulnerability. 2. ESB-2018.1952 – [Debian] dokuwiki: Execute arbitrary code/commands – Remote with user interactionhttps://portal.auscert.org.au/bulletins/64794 Reflected file download vulnerability in DokuWiki allowed execution of arbitrary code. 3. ASB-2018.0145 – [Android] Google Android devices: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/64650 Android’s July patch release fixed several critical bugs. 4. ESB-2018.1931 – [RedHat] python: Access confidential data – Remote/unauthenticatedhttps://portal.auscert.org.au/bulletins/64706 Python2.7 disables the insecure 3DES cypher suites by default.   Stay safe, stay patched and have a good weekend,AUSCERT

Learn more