Week in review

AUSCERT Week in Review for 5th October 2018

Greetings,

The Shearwater 2018 Hackathon is going to be held on the 16th of November in Sydney, Melbourne, Canberra, and Brisbane. It’s a one-day CTF and learning event with two different challenges and prizes to be won. There’s also a 20% discount if you use the code AUSCERT.

In case you’ve missed it, the third AUSCERT and BDO Security Survey is now open. This annual survey identifies and monitors current cyber security trends, issues and threats facing businesses in Australia and New Zealand. By taking part you will gain direct access to our survey report, which contains valuable data that allows you to compare businesses’ current cyber security efforts with trends in your industry sector. Survey respondents have the chance to go in the draw to win one of three Apple Watches. The survey closes at midnight on Friday, 23 November 2018. The survey is anonymous and takes 15 minutes to complete.

Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies
Date Published: 04/10/2018
URL: https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies
Author: Jordan Robertson, Michael Riley
Excerpt: “Nested on the servers’ motherboards, the testers found a tiny microchip, not much bigger than a grain of rice, that wasn’t part of the boards’ original design. Amazon reported the discovery to U.S. authorities, sending a shudder through the intelligence community. Elemental’s servers could be found in Department of Defense data centers, the CIA’s drone operations, and the onboard networks of Navy warships. And Elemental was just one of hundreds of Supermicro customers.”

A response from Apple:

What Businessweek got wrong about Apple
Date Published: 04/10/2018
URL: https://www.apple.com/newsroom/2018/10/what-businessweek-got-wrong-about-apple/
Author: Apple Statement
Excerpt: “The October 8, 2018 issue of Bloomberg Businessweek incorrectly reports that Apple found “malicious chips” in servers on its network in 2015. As Apple has repeatedly explained to Bloomberg reporters and editors over the past 12 months, there is no truth to these claims.”

A follow up from Bloomberg:

The Big Hack: The Software Side of China’s Supply Chain Attack
Date Published: 04/10/2018
URL: https://www.bloomberg.com/news/articles/2018-10-04/the-big-hack-the-software-side-of-china-s-supply-chain-attack
Author: Jordan Robertson, Michael Riley
Excerpt: “In its denial that a chip attack had reached its server network, Apple did acknowledge to Bloomberg Businessweek that it had encountered malware downloaded from Supermicro’s customer portal.”

Wi-Fi now has version numbers, and Wi-Fi 6 comes out next year
Date Published: 03/10/2018
URL: https://www.theverge.com/2018/10/3/17926212/wifi-6-version-numbers-announced
Author: Jacob Kastrenakes
Excerpt: “If you’ve ever bought a Wi-Fi router, you may have had to sort through specs that read like complete gibberish — like “802.11ac” or “a/b/g/n.” But going forward, Wi-Fi is adopting version numbers so that it’ll be easier to tell whether the router or device you’re buying is on the latest version.”

Voice Phishing Scams Are Getting More Clever
Date Published: 01/10/2018
URL: https://krebsonsecurity.com/2018/10/voice-phishing-scams-are-getting-more-clever/
Author: Brian Krebs
Excerpt: “Most of us have been trained to be wary of clicking on links and attachments that arrive in emails unexpected, but it’s easy to forget scam artists are constantly dreaming up innovations that put a new shine on old-fashioned telephone-based phishing scams. Think you’re too smart to fall for one? Think again: Even technology experts are getting taken in by some of the more recent schemes (or very nearly).”

Everything We Know About Facebook’s Massive Security Breach
Date Published: 28/09/2018
URL: https://www.wired.com/story/facebook-security-breach-50-million-accounts/
Author: Louise Matsakis, Issie Lapowsky
Excerpt: “Facebook’s privacy problems severely escalated Friday when the social network disclosed that an unprecedented security issue, discovered September 25, impacted almost 50 million user accounts. Unlike the Cambridge Analytica scandal, in which a third-party company erroneously accessed data that a then-legitimate quiz app had siphoned up, this vulnerability allowed attackers to directly take over user accounts.”

Here are this week’s noteworthy security bulletins:

1) ESB-2018.3017 – [Cisco] Cisco Identity Services Engine: Execute arbitrary code/commands – Existing account
Hardcoded credentials in a Cisco device.

2) ESB-2018.2961 – [Linux][OSX] WebKitGTK+ and WPE WebKit: Multiple vulnerabilities
A truckload of vulnerabilities were discovered in WebKitGTK+ and WPE WebKit.

3) ESB-2018.2966 – [UNIX/Linux][Ubuntu] haproxy: Denial of service – Remote/unauthenticated
HAProxy could be made to crash if it received a specially crafted request.

4) ASB-2018.0225 – [Android] Google Android devices: Multiple vulnerabilities
Multiple security vulnerabilities have been identified in the Android operating system prior to the 2018-10-05 patch level.

5) ESB-2018.2952 – ALERT [Win][Mac] Adobe Acrobat and Reader: Multiple vulnerabilities
Adobe has released security updates for Adobe Acrobat and Reader for Windows and MacOS.

Stay safe, stay patched and have a good weekend!

Charelle

AUSCERT Week in Review for 28th September 2018

Greetings,

Another week with a crazy number of AUSCERT bulletins! 99! That is an average of 19.8 bulletins per day! The worst thing is when you see CVE numbers like CVE-2011-2767 in a 2018 bulletin. Oops, forgot to fix that vulnerability, didn’t we? It’s really hard to see the light at the end of the tunnel sometimes… but hopefully with the continual investment in what we now call Cyber Security and better development lifecycles we’ll perhaps see the end of the proliferation of the same vulnerabilities again and again.

However, does it all matter in the end when that user still clicks on that URL in that PDF to a fake OneDrive page and inputs their credentials into a look-alike O365 web page? Repeat after me: Multi-factor authentication is now a REQUIREMENT in 2018. It is no longer optional. Especially if Chrome goes further down the rabbit hole and kills off all sub-domains, resulting in compromised *.sharepoint.com phishing pages looking 100% legitimate to unsuspecting users.

At AUSCERT 2018, we announced a new service, the AUSCERT Daily Intelligence Report. ADIR is now in private beta. If you’re a member interested in receiving a daily summary of cybersecurity news, please contact us at auscert@auscert.org.au to subscribe.

In other news, the third AUSCERT and BDO Security Survey is now open. This annual survey identifies and monitors current cyber security trends, issues and threats facing businesses in Australia and New Zealand. By taking part you will gain direct access to our survey report, which contains valuable data that allows you to compare businesses’ current cyber security efforts with trends in your industry sector. Survey respondents have the chance to go in the draw to win one of three Apple Watches. The survey closes at midnight on Friday, 23 November 2018. The survey is anonymous and takes 15 minutes to complete.
https://bdoaustralia.checkboxonline.com/2018CSS.survey

Here is a summary (including excerpts) of some of the more interesting stories we have seen this week:

Title: Gone in 15 Minutes: Australia’s Phone Number Theft Problem
Author: BankInfoSecurity
Excerpt: SIM hijacking is not a new attack, but there’s increasing interest in stealing phone numbers. That’s because banks often send two-step verification codes over SMS. Additionally, major services such as Google, LinkedIn, Facebook and Instagram use the mobile channel in some scenarios for password resets. Over the past two years, fraud involving unauthorized phone ports has increased, mostly due to organized crime, says Detective Chief Inspector Matthew Craft of the New South Wales Police’s Financial Crimes Squad. Craft says because of the mobile industry’s “inability to implement some simple measures to prevent it from occurring,” the problems have continued.

—–

Title: Decryption laws enter parliament
Author: iTnews
Excerpt: The federal government has moved to introduce the legislation underpinning its controversial crackdown on encrypted communications services. The Telecommunications and Other Legislation Amendment (Assistance and Access) Bill was introduced into parliament by home affairs minister Peter Dutton on Thursday. It comes less than two weeks after the Department of Home Affairs closed public consultation on the exposure draft of the bill, in which more than 14,000 submissions are said to have been made.

—–

Title: Mass WordPress compromises redirect to tech support scams
Author: Malwarebytes Labs
Excerpt: Thousands of WordPress sites have been injected with the same malicious redirection. We review the infection details and the malicious traffic leading to browser lockers.

—–

Title: Uber to pay $148 million to states for 2016 data breach
Author: CyberScoop
Excerpt: Ridehailing company Uber will pay $148 million across all 50 [American] states and Washington, D.C., as part of a settlement stemming from a data breach that revealed sensitive information on 57 million of the company’s users. The breach took place in October 2016 and revealed names, email addresses, phone numbers and U.S. driver’s license numbers. The company paid the hackers $100,000 to stay quiet and delete the data. Several attorneys general released statements after the settlement was announced, with each state getting a varying amount.

—–

Title: United Nations WordPress Site Exposes Thousands of Resumes
Author: BleepingComputer
Excerpt: Disclosure vulnerabilities in a web app from the United Nations leave open to public access CVs from job applicants, and the organization failed to plug the leak despite receiving a private report on the issues. Security researcher Mohamed Baset of penetration testing company Seekurity found a path disclosure and an information disclosure bug in one of the UN’s WordPress websites, which gives unfettered access to job applications since 2016. He claims that thousands of documents have been uploaded.

—–

Here are this week’s noteworthy security bulletins:

1) ESB-2018.2842 – [UNIX/Linux][Debian] mediawiki: Multiple vulnerabilities
Multiple vulnerabilities have been found in the popular Wiki. These result in incorrectly configured rate limits, information disclosure in Special:Redirect/logid and bypass of an account lock.

2) ESB-2018.2900 – [Win][UNIX/Linux] Apache HTTP Server: Denial of service – Remote/unauthenticated
Apache HTTP Server is vulnerable to a Remote/Unauthenticated Denial of Service; if you value your uptime, in the end a minor downtime to patch is recommended.

3) Cisco has released their 2018 Semi-annual Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which can be found in the three ESBs below.
ESB-2018.2902 – [Cisco] Cisco IOS XE: Multiple vulnerabilities
ESB-2018.2903 – [Cisco] Cisco IOS Software: Multiple vulnerabilities
ESB-2018.2904 – [Cisco] Cisco IOS and IOS XE: Denial of service – Remote/unauthenticated

Stay safe, stay patched and have a good weekend!

Ananda

AUSCERT Week in Review for 21st September 2018

There were again numerous updates and patches released this week. While Microsoft had its turn last week with Patch Tuesday, it seems that it was Apple’s turn this week. Apple released a new version of iOS as well as fixes for Safari, Apple Watch and Apple TV.

Below is a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

—

Title: iOS 12 Patches Memory Bugs, Safari 12 Fixes Data Leaks
Date Published: 17-09-2018
URL: https://www.bleepingcomputer.com/news/security/ios-12-patches-memory-bugs-safari-12-fixes-data-leaks/
Author: Ionut Ilascu
Excerpts:
“A new round of security updates is available from Apple, fixing bugs in Safari, watchOS, tvOS, and iOS.”
“Apple released its newest version of iOS today, and apart from adding a performance boost to older iPhone models, it also comes with solutions for security problems.”

—

Title: Hackers Mining Cryptos Using Leaked NSA Surveillance Tools, New Report Reveals
Date Published: 20-09-2018
URL: Hackers Mining Cryptos Using Leaked NSA Surveillance Tools, New Report Reveals
Author: Steve Kaaru
Excerpt: “The report revealed that cryptojacking incidences have spiked by over 450 percent in 2018, attributing the increased incidences to an NSA tool that was leaked in late 2017 which has been used by North Korean and Russian hackers in the past to infiltrate strategic targets. Now, the tool is being used to mine cryptos, and the hackers show no sign of slowing down with their lucrative venture.”

—

Title: Adobe releases patch out of schedule to squash critical code execution bug
Date Published: 20-09-2018
URL: https://www.zdnet.com/article/adobe-releases-patch-out-of-schedule-to-squash-code-execution-bugs/
Author: Charlie Osborne
Excerpts:
“Adobe has released a patch out of the usual security update schedules to resolve a set of severe vulnerabilities in Adobe Acrobat and Reader.”
“Deemed critical, CVE-2018-12848 can lead to arbitrary code execution in the context of the current user if exploited by attackers.”

—

Title: Western Digital goes quiet on unpatched MyCloud flaw
Date Published: 20-09-2018
URL: https://nakedsecurity.sophos.com/2018/09/20/western-digital-goes-quiet-on-unpatched-mycloud-flaw/
Author: John E Dunn
Excerpt: “No admin password, nothing – just a simple CGI request to MyCloud’s web server and an attacker would be in via a local network”

—

Title: ICO Fines Equifax £500K After 2017 Breach
Date Published: 20-09-2018
URL: https://www.infosecurity-magazine.com/news/ico-fines-equifax-500k-after-2017/
Author: Phil Muncaster
Excerpt: “The Information Commissioner’s Office (ICO) has issued the maximum fine possible to Equifax in response to failings which led to a major 2017 breach.”

—

Here are a few of this week’s noteworthy security bulletins:

ESB-2018.2832 – ALERT [Win][Mac] Adobe Acrobat and Reader: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/68614
Some recent Adobe Acrobat and Reader vulnerabilities to address.

ESB-2018.2824 – [SUSE] pango: Denial of service – Remote with user interaction
https://portal.auscert.org.au/bulletins/68582
Denial of Service from parsing Emoji!

ESB-2018.2782 – [Apple iOS] Apple Support 2.4 for iOS: Access confidential data – Remote/unauthenticated
https://portal.auscert.org.au/bulletins/68394
One of a number of Apple advisories released this week, which included others for tvOS, watchOS and Safari.

ESB-2018.2807 – [Ubuntu] ghostscript: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/68506
Many Linux distros released ghostscript fixes this week addressing remote code execution, information disclosure and denial of service issues.

ASB-2018.0221 – [Linux] Multiple McAfee products: Denial of service – Remote/unauthenticated
https://portal.auscert.org.au/bulletins/68534
Multiple McAfee products based on Linux are affected by the kernel vulnerability known as “SegmentSmack”, which allows remote attackers to cause a denial of service condition. A list of products that were vulnerable, not vulnerable, and available patches and mitigations was released.

—

Stay safe, stay patched and have a good weekend!

Marcus.

AUSCERT Week in Review for 14th September 2018

Greetings,

Another work week is over and there has probably been significant patching activity again following Microsoft’s Patch Tuesday. 17 critical vulnerabilities were addressed, as well as the recently disclosed zero-day Task Scheduler vulnerability. In one of the articles referenced below, we see another example of private data exfiltration from our personal electronic devices, this time by one of the big security players (Trend Micro).

Below is a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

—–

Microsoft September 2018 Patch Tuesday Fixes 17 Critical Vulnerabilities
Date Published: 11-09-2018
URL: https://www.bleepingcomputer.com/news/security/microsoft-september-2018-patch-tuesday-fixes-17-critical-vulnerabilities/
Author: Lawrence Abrams
Excerpt: “This Patch Tuesday fixes 17 Critical security vulnerabilities that when exploited could lead to code execution. These vulnerabilities are the most dangerous as if they are exploited could allow a remote attacker to execute commands on a vulnerable computer and essentially take full control.”

—–

Election infrastructure security: Should we use Internet voting?
Date Published: 10-09-2018
URL: https://www.helpnetsecurity.com/2018/09/10/election-infrastructure-security/
Author: Help Net Security
Excerpt: “To protect the integrity and security of U.S. elections, all local, state, and federal elections should be conducted using human-readable paper ballots by the 2020 presidential election, says a new report from the National Academies of Sciences, Engineering, and Medicine.”

—–

NSW puts digital driver’s licence on a blockchain
Date Published: 10-09-2018
URL: https://www.itnews.com.au/news/nsw-puts-digital-drivers-licence-on-a-blockchain-512298
Author: Justin Hendry
Excerpt: “The NSW government’s digital driver’s licence will be underpinned by blockchain technology developed by Australian firm Secure Logic.” “It plans to make digital driver’s licences and digital photo cards available to citizens across the state by the end of 2019.”

—–

Trend Micro blames data collection issue on code library re-use
Date Published: 11-09-2018
URL: https://www.cyberscoop.com/trend-micro-mac-app-store-browser-history/
Author: Greg Otto
Excerpt: “Cybersecurity giant Trend Micro has apologized after researchers discovered that a number of the company’s consumer-facing apps were collecting users’ browser histories.”

—–

2 Billion Bluetooth Devices Remain Exposed to Airborne Attack Vulnerabilities
Date Published: 13-09-2018
URL: https://www.darkreading.com/attacks-breaches/2-billion-bluetooth-devices-remain-exposed-to-airborne-attack-vulnerabilities/d/d-id/1332815
Author: Jai Vijayan
Excerpt: “One year after security vendor Armis disclosed a set of nine exploitable vulnerabilities in Bluetooth, some 2 billion devices — including hundreds of millions of Android and iOS smartphones — remain exposed to the threat.”

—–

Here are a few of this week’s noteworthy security bulletins:

1) ASB-2018.0211.2
https://portal.auscert.org.au/bulletins/68074
Patch Tuesday Windows Updates.

2) ESB-2018.2682
https://portal.auscert.org.au/bulletins/67966
Multiple vulnerabilities including RCEs patched in Chromium.

3) ESB-2018.2683
https://portal.auscert.org.au/bulletins/67970
Multiple vulnerabilities including RCEs patched in Firefox.

4) ESB-2018.2731
https://portal.auscert.org.au/bulletins/68186
More Flash issues.

5) ESB-2018.2698
https://portal.auscert.org.au/bulletins/68030
Linux kernel information leaks, privilege escalations and DoS issues.

Stay safe, stay patched and have a good weekend!

Marcus.

AUSCERT Week in Review for 7th September 2018

Greetings,

Submissions close shortly for comments on the Assistance and Access Bill 2018. This bill is for communication providers to allow law enforcement to access encrypted communication. The types of assistance the bill has requested include:

– removing one or more forms of electronic protection that are or were applied by, or on behalf of, the provider
– assisting access to devices or services
– installing, maintaining, testing or using software or equipment, or assisting with those activities where the provider is already capable of removing this protection
– concealing that any other thing has been covertly performed in accordance with the law

Source:
https://www.homeaffairs.gov.au/consultations/Documents/industry-assistance-factsheet.pdf
https://www.homeaffairs.gov.au/about/consultations/assistance-and-access-bill-2018

Public feedback is open until September the 10th. For more information on having your say, see https://digitalrightswatch.org.au/2018/08/19/defend-encryption/

Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

NIST Releases Draft on BGP Security
Date Published: 05 September 2018
URL: https://www.darkreading.com/perimeter/nist-releases-draft-on-bgp-security/d/d-id/1332740
Author: Dark Reading Staff
Excerpt: “A new draft publication from the NIST National Cybersecurity Center of Excellence (NCCoE) takes aim at security concerns about the Border Gateway Protocol (BGP), the default routing protocol to route traffic among Internet domains. The paper, “Protecting the Integrity of Internet Routing: Border Gateway Protocol (BGP) Route Origin Validation,” is open for public comment until Oct. 15.”

—–

Google Wants to Kill the URL
Date Published: 04 September 2018
URL: https://www.wired.com/story/google-wants-to-kill-the-url/
Author: Lily Hay Newman
Excerpt: “The focus right now, they say, is on identifying all the ways people use URLs to try to find an alternative that will enhance security and identity integrity on the web while also adding convenience for everyday tasks like sharing links on mobile devices.”

—–

Five-Eyes nations to force encryption backdoors
Date Published: 03 September 2018
URL: https://www.itnews.com.au/news/five-eyes-nations-to-force-encryption-backdoors-511865
Author: Juha Saarinen
Excerpt: “At the Five Country Ministerial meeting on the Gold Coast last week, security and immigration ministers put forward a range of proposals to combat terrorism and crime, with a particular emphasis on the internet. As part of that, the countries that share intelligence with each other under the Five-Eyes umbrella agreement intend to “encourage information and communications technology service providers to voluntarily establish lawful access solutions to their products and services.” … While the rhetoric is sharp, the specifics are vague. Governments won’t specify any particular interception technology, and will leave it to technology companies to create the solutions required that provide lawful access capability.”

—–

Faster internet speeds for Queensland as undersea cable confirmed
Date Published: 07 September 2018
URL: https://www.brisbanetimes.com.au/national/queensland/faster-internet-speeds-for-queensland-as-undersea-cable-confirmed-20180907-p5029p.html
Author: Tony Moore
Excerpt: “State Development Minister Cameron Dick and Sunshine Coast mayor Mark Jamieson announced on Friday that tech giant RTI Connectivity and the Sunshine Coast Council will build the 550-kilometre undersea cable into the Sunshine Coast by 2020.”

—–

Here are this week’s noteworthy security bulletins:

ASB-2018.0209 – [Android] Google Android devices: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/67930
“Multiple security vulnerabilities have been identified in the Android operating system prior to the 2018-09-05 patch level.”

ASB-2018.0206 – [Win][UNIX/Linux][BSD][Mobile] Mozilla Firefox: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/67834
“Multiple vulnerabilities have been identified in Mozilla Firefox prior to version 62. One of these vulnerabilities has been classified as critical.”

ESB-2018.2641 – [UNIX/Linux][Debian] curl: Execute arbitrary code/commands – Remote/unauthenticated
https://portal.auscert.org.au/bulletins/67782
“Zhaoyang Wu discovered that cURL, an URL transfer library, contains a buffer overflow in the NTLM authentication code triggered by passwords that exceed 2GB in length on 32bit systems.”

ESB-2018.2631 – [UNIX/Linux] ghostscript: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/67742
“Ghostscript contains multiple -dSAFER sandbox bypass vulnerabilities, which may allow a remote, unauthenticated attacker to execute arbitrary commands on a vulnerable system.”

Stay safe, stay patched and have a good weekend!

Charelle

AUSCERT Week in Review for 31st August 2018

Greetings,

Good news, everyone! More than 50% of the Alexa Top 1 Million sites are now actively redirecting to HTTPS. The internet has now scraped a C for transport security – that’s a pass! Now for the slow grind up to a B grade and higher.

Unfortunately transport security isn’t the be-all and end-all, and 130 million people who have stayed in some of China’s biggest hotel chains have had their data sold on the dark web thanks to a development team leaving a production database dump on their GitHub. At least as the black-hatted entrepreneur was downloading the data, no one was able to read it in transit.

And since time is a flat circle, once again Apache Struts is being used to deliver cryptominers onto unsuspecting servers.

Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

Hackers drop crypto mining on vulnerable Struts
URL: https://www.itnews.com.au/news/hackers-drop-crypto-mining-on-vulnerable-struts-511592
Author: Juha Saarinen
Excerpt: “Researchers have recorded the first mass automated attacks against servers running unpatched versions of the open source Apache Struts enterprise web application framework. The new vulnerability in Apache Struts was made public four days ago and allows for remote code execution.”

——

Data of 130 Million Chinese Hotel Chain Guests Sold on Dark Web Forum
URL: https://www.bleepingcomputer.com/news/security/data-of-130-million-chinese-hotel-chain-guests-sold-on-dark-web-forum/
Author: Catalin Cimpanu
Excerpt: “A hacker is selling the personal details of over 130 million hotel guests for 8 Bitcoin ($56,000) on a Chinese Dark Web forum. The breach was reported today by Chinese media after several cyber-security firms spotted the forum ad. The seller said he obtained the data from Huazhu Hotels Group Ltd (Huazhu from hereafter), one of China’s largest hotel chains, which operates 13 hotel brands across 5,162 hotels in 1,119 Chinese cities.”

——

Alexa Top 1 Million Analysis – August 2018
URL: https://scotthelme.co.uk/alexa-top-1-million-analysis-august-2018/
Author: Scott Helme
Excerpt: “Here’s the one we’ve all been waiting for, and this one is a pretty big announcement too. Not only because we’ve seen amazing growth in HTTPS again in this crawl, but because we’ve passed through 50% of the Alexa Top 1 Million sites actively redirecting to HTTPS for the first time!”

——

Cyber security and digital transformation ministries scrapped
URL: https://www.itnews.com.au/news/cyber-security-and-digital-transformation-ministries-scrapped-511516
Author: Justin Hendry
Excerpt: “Australia is without a dedicated Cyber Security Minister for the first time in two years after Prime Minister Scott Morrison removed the role from his first ministerial line-up. Changes to the cabinet unveiled by the newly appointed PM on Sunday afternoon deletes any mention of the cyber security remit from the ministry, effectively demoting its importance after it was heavily pushed by Malcolm Turnbull.”

——

Here are this week’s noteworthy security bulletins:

1) ESB-2018.2569 – [Win][UNIX/Linux] Joomla!: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/67490
While the Joomla! input filter smartly blacklists PHAR file upload, there were some edge cases that would allow them. If the webserver was configured to execute the files, this would enable webshell upload in the worst case.

2) ESB-2018.2539 – [Win][UNIX/Linux][FreeBSD] Node.js: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/67370
Node.js has patched several vulnerabilities, including out of bounds memory reading and writing.

3) ASB-2018.0205 – [Win][Linux][Virtual] GitLab: Cross-site request forgery – Remote with user interaction
https://portal.auscert.org.au/bulletins/67570
GitLab has patched some information leaking vulnerabilities, alongside some CSRF/XSS issues.

Stay safe, stay patched and have a good weekend!

Tim

AUSCERT Week in Review for 24th August 2018

AUSCERT Week in Review for 24th August 2018 AUSCERT Week in Review24 August 2018 Greetings, “Six of the best”, no more, and no less.  That is indeed the number of new articles gathered for this week. Yet, for those of you who painfully understand the meaning behind “six of the best”, reading the six articles listed may indeed feel like it is a bit of similar reprimand.  Well, the reading is great material and nicely composed, but the stories contained in the news articles are painful to reminiscence to articles you may have read about 15 years ago. Fraudulent online purchases, websites being owned, credentials being stolen and traded – these are all stories could have been dated August 2003. Yet, they are happening today.   So, please read these articles today, and bear the lessons they inflict.  Then take it upon yourself to do one thing that can possibly avoid this and persist with it for the next fifteen years.  It could be changing default credentials every network attached appliance you touch – with permission from the owners of course – be they from work, yours, or your friends and families. Or perhaps evangelise the “Stop-Think-Connect”[1] mantra to the click addicted. Or, it could be putting yourself in the forefront of reviewing code at work or in a public repository, making that code that little bit more secure. Or, it could be taking on a policy of ensuring you update every system you touch, or at least raise up the need to update every system you touch, be it in the data center or at an internet-cafe.   It sounds like a huge task, but should it be taken on gradually, and concertedly, perhaps we won’t need to take another six-of-the-best in August 2033.  After all there is plenty of time to achieve this,.. right?.. or… is that the very thing we told ourselves fifteen years ago, that has landed us in the place we are today?   Enjoy.. 
[1] https://www.stopthinkconnect.org/

As for the news, here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

Title:  Vulnerability Affects All OpenSSH Versions Released in the Past Two Decades
URL:    https://www.bleepingcomputer.com/news/security/vulnerability-affects-all-openssh-versions-released-in-the-past-two-decades/
Date:   August 22, 2018
Author: Catalin Cimpanu
Excerpt:
“A vulnerability affects all versions of the OpenSSH client released in the past two decades, ever since the application was released in 1999.”

——-

Title:  Australia Battles Fraudulent Online Purchases
URL:    https://www.bankinfosecurity.com/australia-battles-fraudulent-online-purchases-a-11408
Date:   August 22, 2018
Author: Jeremy Kirk
Excerpt:
“There’s bad news in Australia when it comes to payment card fraud: It’s growing. The biggest source of that fraud is online payments made without the physical card, or card-not-present fraud. That’s due to fraudsters re-using stolen payment card details. CNP fraud in Australia totaled AU$476.3 million (US$350.6 million) last year, up 13.9 percent from 2016, according to a report released Wednesday by the Australian Payments Network, an industry group that collects payments statistics. The figure has risen annually since 2012, when it was $183.1 million.”

——-

Title:  Legacy System Exposes Contact Info of BlackHat 2018 Attendees
URL:    https://www.bleepingcomputer.com/news/security/legacy-system-exposes-contact-info-of-blackhat-2018-attendees/
Date:   August 22, 2018
Author: Ionut Ilascu
Excerpt:
“Full contact information of everyone attending the BlackHat security conference this year has been exposed in clear text, a researcher has found. The data trove includes name, email, company, and phone number. The BlackHat 2018 conference badge came embedded with a near-field communication (NFC) tag that stored the contact details of the participant, for identification or for vendors to scan for marketing purposes.”

——-

Title:  Adobe security updates address 2 critical code execution flaws in Photoshop
URL:    https://securityaffairs.co/wordpress/75539/hacking/adobe-photoshop-flaws.html
Date:   August 22, 2018
Author: Pierluigi Paganini
Excerpt:
“Adobe released updates to address two critical code execution flaws that affect Photoshop for Windows and macOS versions of Photoshop CC. The vulnerabilities, tracked as CVE-2018-12810 and CVE-2018-12811, are memory corruption issues that could be exploited by a remote attacker to execute arbitrary code in the context of the targeted user.”

——-

Title:  Netflix, HBO GO, Hulu passwords found for sale on the Dark Web
URL:    https://nakedsecurity.sophos.com/2018/08/22/netflix-hbo-go-hulu-passwords-found-for-sale-on-the-dark-web/
Date:   22 Aug 2018
Author: Lisa Vaas
Excerpt:
“The report from Irdeto found that thieves are selling hundreds of stolen logins for popular “over-the-top” (OTT) services such as pay TV and video on demand on Dark Web marketplaces. Besides HBO GO credentials, the company spotted listings for logins to 42 services, including Netflix, DirecTV and Hulu. All told, during the month of April, Irdeto spotted 854 sets of credentials, listed by 69 separate vendors on 15 marketplaces. On average, an account’s credentials are fetching $8.71 (about £6.60) for one-time use. Some Dark Web sellers are also selling bundles of credentials for several services at higher prices.”

——-

Title:  New Apache Struts RCE Flaw Lets Hackers Take Over Web Servers
URL:    https://thehackernews.com/2018/08/apache-struts-vulnerability.html
Date:   August 22, 2018
Author: Mohit Kumar
Excerpt:
“Semmle security researcher Man Yue Mo has disclosed a critical remote code execution vulnerability in the popular Apache Struts web application framework that could allow remote attackers to run malicious code on the affected servers. Apache Struts is an open source framework for developing web applications in the Java programming language and is widely used by enterprises globally, including by 65 percent of the Fortune 100 companies, like Vodafone, Lockheed Martin, Virgin Atlantic, and the IRS. The vulnerability (CVE-2018-11776) resides in the core of Apache Struts and originates because of insufficient validation of user-provided untrusted inputs in the core of the Struts framework under certain configurations.”

——-

And lastly, here are this week’s noteworthy security bulletins (in no particular order):

1) ASB-2018.0201 – ALERT [Win][UNIX/Linux] Apache Struts 2: Execute arbitrary code/commands – Remote/unauthenticated
   https://portal.auscert.org.au/bulletins/67162
   It is possible to perform a RCE attack… (CVE-2018-11776)

2) ESB-2018.2515.2 – UPDATE [Ubuntu] Linux kernel: Multiple vulnerabilities
   https://portal.auscert.org.au/bulletins/67270
   …could use this to gain elevated privileges. (CVE-2018-13405)

3) ESB-2018.2427 – [Linux][Mac] F5 BIG-IP APM client: Root compromise – Existing account
   https://portal.auscert.org.au/bulletins/66898
   …can allow an unprivileged user to get ownership of files owned by root on the local client host. (CVE-2018-5546)

4) ESB-2018.2517 – ALERT [Appliance] IBM Security Access Manager Appliance: Execute arbitrary code/commands – Remote/unauthenticated
   https://portal.auscert.org.au/bulletins/67278
   …could allow remote code execution when Advanced Access Control or Federation services are running. (CVE-2018-1722)

5) ESB-2018.2513 – [Appliance] BD Alaris: Unauthorised access – Remote/unauthenticated
   https://portal.auscert.org.au/bulletins/67258
   …may allow a remote attacker to gain unauthorized access to various Alaris Syringe pumps and impact the intended operation of the pump … (CVE-2018-14786)

Wishing you the best from AUSCERT, and stay safe, as we will need you next week to keep users safe,
Geoffroy


AUSCERT Week in Review for 17th August 2018

17 August 2018

Greetings,

Another week gone by, and this one has not been any thinner in bulletins to process. Have you ever applied a lot of pressure to a wet bar of soap? It may be a worthwhile experiment the next time you have a bar of soap to hand, if the physics are not quite understood. Organisations are a bit like a wet bar of soap: they are keen to avoid legal problems while maintaining a loyal and satisfied customer base. After all, that is how “quality” is defined, a satisfied customer base. This may soon become a more complicated juggling act for organisations handling user data, either in transit or at rest, from a service they provide or equipment they manufacture. Squeezing them for access to data may result in organisations deciding to relinquish any possibility of access to that user data as the legal ramifications increase. Adding the risk of time served may alter the way an organisation provides a service or builds a product, and the squeeze may achieve less as the chance of getting to the data sought slips away. So, if your organisation deals with user data, at rest or in transit, from services or equipment manufactured, then the first news story of this week is worth a look, and worth keeping an eye on if this legislation passes. For if it does, organisations may have to re-assess their policy, denying themselves access to user-submitted data, lest time be served.

As for the news, here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

Title:  Australians who won’t unlock their phones could face 10 years in jail
URL:    https://nakedsecurity.sophos.com/2018/08/16/australians-who-wont-unlock-their-phones-could-face-10-years-in-jail/
Date:   August 16, 2018
Author: Danny Bradbury
Excerpt:
“The Australian government wants to force companies to help it get at suspected criminals’ data. If they can’t, it would jail people for up to a decade if they refuse to unlock their phones.”

——-

Title:  Hundreds of Instagram accounts were hijacked in a coordinated attack
URL:    https://securityaffairs.co/wordpress/75377/hacking/instagram-accounts-hacked.html
Date:   August 15, 2018
Author: Pierluigi Paganini
Excerpt:
“Hundreds of Instagram accounts were hijacked in what appears to be the result of a coordinated attack; all the accounts share common signs of compromise. Alleged attackers have hijacked Instagram accounts and modified personal information, making it impossible to restore the accounts.”

——-

Title:  PhishPoint Phishing Attack – A new technique to Bypass Microsoft Office 365 Protections
URL:    https://securityaffairs.co/wordpress/75382/hacking/phishpoint-phishing-attacks.html
Date:   August 15, 2018
Author: Pierluigi Paganini
Excerpt:
“Security experts from the cloud security firm Avanan have discovered a new technique dubbed PhishPoint, that was used by hackers to bypass Microsoft Office 365 protections. PhishPoint is a new SharePoint phishing attack that affected an estimated 10% of Office 365 users over the last 2 weeks. The experts are warning of the new technique that was already used in attacks by scammers and crooks to bypass the Advanced Threat Protection (ATP) mechanism implemented by most popular email services, Microsoft Office 365.”

——-

Title:  Academics Discover New Bypasses for Browser Tracking Protections and Ad Blockers
URL:    https://www.bleepingcomputer.com/news/security/academics-discover-new-bypasses-for-browser-tracking-protections-and-ad-blockers/
Date:   August 16, 2018
Author: Catalin Cimpanu
Excerpt:
“Security and user privacy protections included in browsers, ad blockers, and anti-tracking extensions are not as secure as everyone believes, a team of three academics from the Catholic University in Leuven, Belgium (KU Leuven) revealed yesterday. Their work consisted of analyzing anti-tracking settings that are built into modern browsers, but also the ones provided by some popular extensions (add-ons).”

——-

Title:  Princess Evolution Ransomware is a RaaS With a Slick Payment Site
URL:    https://www.bleepingcomputer.com/news/security/princess-evolution-ransomware-is-a-raas-with-a-slick-payment-site/
Date:   August 15, 2018
Author: Lawrence Abrams
Excerpt:
“A new variant of the Princess Locker ransomware is being distributed called Princess Evolution. Like its predecessor, Princess Evolution is a Ransomware as a Service, or RaaS, that is being promoted on underground criminal forums. As this ransomware is being distributed through different affiliates, there are numerous methods that are possibly being used to distribute this ransomware… ..Unfortunately, at this time there is no known way to decrypt files encrypted by Princess Evolution. For those who are interested in discussing this ransomware or receiving support, you can use our dedicated Princess Evolution Support & Help topic.”

——-

And lastly, here are this week’s noteworthy security bulletins (in no particular order):

1) ESB-2018.2401 – [SUSE] kernel: Multiple vulnerabilities
   https://portal.auscert.org.au/bulletins/66786
   …local users to create files with an unintended group ownership allowing attackers to escalate privileges by making a plain file executable and SGID…

2) ESB-2018.2379 – [Cisco] Cisco Web Security Appliance (WSA): Multiple vulnerabilities
   https://portal.auscert.org.au/bulletins/66698
   CVE-2018-0428 …could allow an authenticated, local attacker to elevate privileges to root…

3) ESB-2018.2361 – [Debian] kernel: Multiple vulnerabilities
   https://portal.auscert.org.au/bulletins/66626
   …local users to create files with an unintended group ownership allowing attackers to escalate privileges by making a plain file executable and SGID…

4) ESB-2018.2325 – [SUSE] cups: Multiple vulnerabilities
   https://portal.auscert.org.au/bulletins/66458
   …a local privilege escalation to root and sandbox bypasses…

5) ESB-2018.2403 – [Win] Tridium Niagara: Administrator compromise – Existing account
   https://portal.auscert.org.au/bulletins/66794
   …using a disabled account name and a blank password, granting the attacker administrator access…

Wishing you the best from AUSCERT, and stay safe, as we will need you next week to keep users safe,
Geoffroy


Targeted blackmail campaign gains momentum

Since the dawn of email, spam has constantly pushed our ability to handle arbitrary, unsolicited input. Whether through gauntlets of long-forgotten regexes or the most sophisticated of convolutional neural nets, detecting and blocking spam has been a Sisyphean battle which has consumed countless IT resources.

Not so at AUSCERT. We have the dubious luxury of actively soliciting spam wherever it is to be found. Because of this we’re able to watch as campaigns wax and wane, see how they evolve over time, and get a feel for the objectives of the spammers.

Some campaigns are evergreen: fake pharmaceuticals (usually of the male enhancement variety), various advance-fee scams (think Nigerian Prince), phishing for credentials. It’s rare a day goes by without examples of these coming across our inbox. Some campaigns are very flavour-of-the-month: for a few months everyone had their own ICO or crypto investment strategy to hawk to any mail socket willing to listen(). Other campaigns are more sporadic. It’s not unusual for us to see a short burst of activity on one particular topic or script which goes silent, only to re-emerge later. Sometimes this is to facilitate a transition to new infrastructure, or to replenish their supply of compromised accounts. Other times it can be to spend time reworking the script or refining their technique. This blog deals with one such instance, where the renewed campaign was so successful that we’ve seen a large uptick in its output.

This particular campaign is a faux sextortion blackmail. The premise is that the spammer has recorded the recipient visiting a pornographic website, through some vulnerability on the website or on the recipient’s own computer. Unless the victim pays a sum of cryptocurrency to the spammer, they threaten to release this non-existent video to the victim’s family, friends, or colleagues.

The campaign itself is far from new; we have seen minor variations on the same script pop up repeatedly. Recently a new variation emerged, almost exactly the same but with one small difference: it would present the recipient’s password to them. Given that these passwords were usually out of date, and that data breaches and dumps are a great source of email addresses for spam campaigns, it stands to reason that the spammers were simply pulling passwords for a given email from old breaches and inserting them into the email template. In fact, in our case it would seem that if they cannot find a matching password, that portion of the template is filled in with an empty string.

We’re certainly not the first to have written about this campaign,[1] but we were spurred to write this post by the increase in its prevalence that we’re witnessing. Unfortunately this only means one thing: it’s working. We’re also now seeing campaigns where the recipient’s name and phone number are used in place of the password. It’s not hard to see how, as an unsuspecting recipient, you could easily be fooled into believing the claims made. Indeed, efforts to catalogue and track the transactions of the various wallet addresses used by the spammers prove that it’s having the desired effect.[2]

Some things you can do to protect yourself against such scams:

- Treat all unsolicited email with a healthy dose of skepticism.
- If you receive any threatening email, take a sentence or two from it and search for them. This can help you detect whether you’ve received a well-known script or variant.
- Report the email to your IT department if possible.
- Practice good password hygiene. If you know you’ve used a strong, unique password for each service, then you reduce your exposure when one is breached. Consider a password manager.

For reference, here is an example from this campaign that we have received (reproduced verbatim, placeholder included):

It appears that, (), is your password.

May very well not know me and you are probably wondering why you're getting this e-mail, right? actually, I put in place a malware over the adult videos (adult porn) website and guess what happens, you visited this web site to have fun (you really know what What i'm saying is). When you were watching videos, your internet browser started off working like a RDP (Remote Desktop) which provided me accessibility to your screen and web camera. from then on, my software program obtained your complete contacts from your Messenger, Microsoft outlook, Facebook, as well as emails.

What did I really do? I created a double-screen video clip. First part shows the recording you were seeing (you have a good taste haha . . .), and 2nd part shows the recording of your webcam.

what exactly should you do? Well, in my opinion, $1200 is a fair price for your little secret. You will make the payment by Bitcoin (if you do not know this, search "how to buy bitcoin" in Google).

Bitcoin Address: **ADDRESS** (It is case sensitive, so copy and paste it)

Very important: You've got some days to make the payment. (I have a unique pixel in this e-mail, and at this moment I know that you've read through this email message). If I do not get the BitCoins, I will certainly send your videos to all of your contacts including relatives, co-workers, and so forth. Having said that, if I receive the payment, I'll destroy the recording immidiately. If you'd like evidence, reply with "Yes!" and I will definitely mail out your videos to your 6 contacts. It is a non-negotiable offer, that being said don't waste my personal time and yours by answering this message.

[1] https://krebsonsecurity.com/2018/07/sextortion-scam-uses-recipients-hacked-passwords/
[2] https://twitter.com/SecGuru_OTX/status/1022430328647024640
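The two observations above (the password slot is filled from breach data and is sometimes left empty, and the wallet addresses are what lets the payments be tracked) can be turned into a small triage script. The following is an added example written for this post, not AUSCERT tooling: the indicator phrases are taken from the sample above, the three messages are constructed, and the Bitcoin address in them is generated locally with a valid Base58Check checksum so that it is a well-formed string rather than a real wallet.

```python
"""Added example for the campaign described above: score a message against the
script's recurring phrases and pull out the fields worth tracking (claimed
password, demanded amount, Bitcoin address). Written for this post; not AUSCERT
tooling. The messages below are constructed, and the address in them is
generated locally with a valid Base58Check checksum so it is not a real wallet."""
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58check_encode(payload: bytes) -> str:
    """Base58Check: payload || first 4 bytes of sha256(sha256(payload))."""
    data = payload + hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    pad = len(data) - len(data.lstrip(b"\x00"))   # each leading zero byte -> '1'
    return "1" * pad + out


def b58check_valid(addr: str) -> bool:
    """True if addr decodes to 25 bytes whose trailing 4-byte checksum matches."""
    if not addr or any(c not in B58 for c in addr):
        return False
    n = 0
    for c in addr:
        n = n * 58 + B58.index(c)
    pad = len(addr) - len(addr.lstrip("1"))
    data = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(data) != 25:
        return False
    return data[21:] == hashlib.sha256(hashlib.sha256(data[:21]).digest()).digest()[:4]


# Phrases that recur across variants of the script (all present in the sample above)
INDICATORS = [
    r"is your password", r"web\s*cam", r"adult (?:porn|videos?)", r"double[- ]screen",
    r"send(?:ing)? (?:your|the) videos? to", r"unique pixel", r"bitcoin",
]
ADDR_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{24,33}\b")   # legacy address shape
PASSWORD_RE = re.compile(r"It appears that,\s*\((.*?)\),\s*is your password", re.I)
AMOUNT_RE = re.compile(r"\$\s?(\d[\d,]*)")


def analyze(body: str) -> dict:
    """Indicator hits plus the extractable fields for one message body."""
    hits = [p for p in INDICATORS if re.search(p, body, re.I)]
    addrs = [a for a in ADDR_RE.findall(body) if b58check_valid(a)]   # checksum-verified
    m = PASSWORD_RE.search(body)
    password = m.group(1).strip() if m else None
    amount = AMOUNT_RE.search(body)
    return {
        "score": len(hits) + (2 if addrs else 0),
        "indicators": hits,
        "btc_addresses": addrs,
        "password_claim": password,
        # the template's password slot filled with an empty string: no breach match
        "empty_password_slot": m is not None and password == "",
        "amount_usd": int(amount.group(1).replace(",", "")) if amount else None,
    }


# Constructed samples (hypothetical): the filled template, the empty-slot variant,
# and a benign mail that happens to mention a webcam.
FAKE_ADDR = b58check_encode(b"\x00" + bytes(range(1, 21)))   # not a real wallet
SEXTORTION = (
    "It appears that, (hunter2), is your password.\n"
    "I put in place a malware over the adult videos (adult porn) website. Your internet "
    "browser started off working like a RDP which provided me accessibility to your screen "
    "and web camera. I created a double-screen video clip.\n"
    "$1200 is a fair price for your little secret. You will make the payment by Bitcoin.\n"
    f"Bitcoin Address: {FAKE_ADDR} (It is case sensitive, so copy and paste it)\n"
    "I have a unique pixel in this e-mail. If I do not get the BitCoins, I will send "
    "your videos to all of your contacts."
)
EMPTY_SLOT = "It appears that, (), is your password.\n" + SEXTORTION.split("\n", 1)[1]
BENIGN = "Hi team, the webcam in meeting room 3 is broken again, can someone log a ticket?"

if __name__ == "__main__":
    for name, msg in (("filled", SEXTORTION), ("empty slot", EMPTY_SLOT), ("benign", BENIGN)):
        r = analyze(msg)
        print(f"{name:10s} score={r['score']} password={r['password_claim']!r} "
              f"btc={r['btc_addresses']} usd={r['amount_usd']}")
```

The checksum check is what separates a wallet string from a random token that merely looks like one, which matters if the extracted addresses are going to be fed into the kind of payment tracking referenced in [2]. The indicator list is illustrative and would be tuned from the variants seen in your own mail; the empty password slot is itself a strong signal, since no legitimate sender addresses you with a blank value.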


AUSCERT Week in Review for 10th August 2018

Greetings,

As another week comes to a close, here’s a collection of articles for you to enjoy. Have you ever considered the impact cryptomining has on the environment?

On a side note, AUSCERT is hiring! The position is for a Senior Information Security Analyst. If interested, you can find more details at https://www.seek.com.au/job/36851253.

Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

Ramnit is back and contributes in creating a massive proxy botnet, tracked as ‘Black’ botnet
Date Published: 08/08/2018
Author: Pierluigi Paganini
Excerpt:
“In 2015, Europol partnering with several private technology firms announced the takedown of the Ramnit C2 infrastructure.

A few months later Ramnit was back; the researchers at IBM security discovered a new variant of the popular Ramnit Trojan.

Recently the experts observed that the “Black” botnet campaign has infected up to 100,000 systems in two months, and this is just the tip of the iceberg because according to researchers a second-stage malware called Ngioweb is already spreading.

There is the concrete risk that Ramnit operators are using the two malware to build a large, multi-purpose proxy botnet that could be used for many fraudulent activities (i.e. DDoS attacks, ransomware-based campaigns, cryptocurrency mining campaigns).

“Recently we discovered the Ramnit C&C server (185.44.75.109) which is not related to the previously most prevalent botnet “demetra”. According to domain names which are resolved to the IP address of this C&C server, it pretends to control even old bots, first seen back in 2015. We named this botnet “Black” due to the RC4 key value, “black”, that is used for traffic encryption in this botnet.” reads the analysis published by Checkpoint security.”

—–

Exploit kits: summer 2018 review
Date Published: 07/08/2018
Author: Jerome Segura
Excerpt:
“In addition, we have witnessed many smaller and unsophisticated attackers using one or two exploits bluntly embedded in compromised websites. In this era of widely-shared exploit proof-of-concepts (PoCs), we are starting to see an increase in what we call “pseudo-exploit kits.” These are drive-by downloads that lack proper infrastructure and are typically the work of a lone author. In this post, we will review the following exploit kits:
RIG EK
GrandSoft EK
Magnitude EK
GreenFlash Sundown EK
KaiXin EK
Underminer EK
Pseudo-EKs”

—–

Hacker swipes Snapchat’s source code, publishes it on GitHub
Date Published: 07/08/2018
Author: Matthew Hughes
Excerpt:
“The repository has a description of “Source Code for SnapChat,” and is written in Apple’s Objective-C programming language. This strongly suggests that the repo contained part or whole of the company’s iOS application, although there’s no way we can know for certain. It could just as easily be a minor component to the service, or a separate project from the company.

There are two other clues to the identity of the person who published the leaked Snapchat code.

According to the i5xx GitHub account, his name is Khaled Alshehri. This should be taken with a grain of salt, however. For starters, there’s nothing stopping the user from listing a fake name. Furthermore, according to several people TNW has spoken to, the surname “Alshehri” isn’t especially common in Pakistan.

The profile also links to an online business in Saudi Arabia offering a mixed bag of tech services, from security scanning and iCloud removal, to software development and the sale of iTunes giftcards.”

—–

DeepLocker: How AI Can Power a Stealthy New Breed of Malware
Date Published: 08/08/2018
Author: Marc Ph. Stoecklin
Excerpt:
“What is unique about DeepLocker is that the use of AI makes the “trigger conditions” to unlock the attack almost impossible to reverse engineer. The malicious payload will only be unlocked if the intended target is reached. It achieves this by using a deep neural network (DNN) AI model.

The AI model is trained to behave normally unless it is presented with a specific input: the trigger conditions identifying specific victims. The neural network produces the “key” needed to unlock the attack. DeepLocker can leverage several attributes to identify its target, including visual, audio, geolocation and system-level features. As it is virtually impossible to exhaustively enumerate all possible trigger conditions for the AI model, this method would make it extremely challenging for malware analysts to reverse engineer the neural network and recover the mission-critical secrets, including the attack payload and the specifics of the target. When attackers attempt to infiltrate a target with malware, a stealthy, targeted attack needs to conceal two main components: the trigger condition(s) and the attack payload.

DeepLocker is able to leverage the “black-box” nature of the DNN AI model to conceal the trigger condition. A simple “if this, then that” trigger condition is transformed into a deep convolutional network of the AI model that is very hard to decipher. In addition to that, it is able to convert the concealed trigger condition itself into a “password” or “key” that is required to unlock the attack payload.”

—–

ICS Threat Broadens: Nation-State Hackers Are No Longer the Only Game in Town
Date Published: 07/08/2018
Authors: Israel Barak and Ross Rustici
Excerpt:
“The honeypot contained bait to entice attackers, including three Internet facing servers (Sharepoint, SQL and domain controller) with remote access services like RDP and SSH and weak passwords. Nothing was done to promote the servers to attackers. However, the servers’ DNS names were registered and the environment’s internal identifiers used a moniker that resembled the name of a major, well-known electricity provider.

Two days after the honeypot was launched, Cybereason determined that a black market seller had discovered it based on a toolset that had been installed in the environment. The tool — xDedic RDP Patch — is commonly found in assets that are being sold in the xDedic black market. It allows a victim and an attacker to use the same credentials to simultaneously log-in to a machine using RDP (Remote Desktop Protocol).

The seller also installed backdoors in the honeypot servers by creating additional users, another indicator that the asset was being prepared for sale on xDedic. The backdoors would allow the asset’s new owner to access the honeypot even if the administrator passwords were changed, a scenario that could have otherwise prevented the adversaries from accessing the servers.”

Here are this week’s noteworthy security bulletins:

1) ESB-2018.2271 – [Linux][Debian] linux kernel: Multiple vulnerabilities
   A vulnerability in TCP stream reassembly in the Linux kernel, dubbed “SegmentSmack”, was addressed by a number of vendors this week; Juniper, F5 Networks and Citrix are among them. The vulnerability allows a remote attacker to crash a vulnerable system by sending a stream of crafted TCP/IP packets.

2) ESB-2018.2277 – [Win][UNIX/Linux][FreeBSD] tcp: Denial of service – Remote/unauthenticated
   Yet another denial of service vulnerability targeting TCP. This vulnerability is centred around an inefficient data structure for holding received TCP segments prior to reassembly. An attacker could cause a denial of service condition by sending a stream of crafted, segmented TCP traffic that leaves a large number of segments awaiting reassembly, leading to CPU resource exhaustion. A patch has been introduced that limits the reassembly queue size per connection.

3) ESB-2018.2279 – [Printer] HP Ink Printers: Multiple vulnerabilities
   Owners of HP Ink printers had cause to be concerned over a buffer overflow vulnerability triggered by a crafted file received over the network. If exploited, the buffer overflow could lead to code execution or a denial of service condition. HP has released firmware updates to address the issue.

Stay safe, stay patched, stay cool and have a good weekend!
Nicholas


Location, location, location

This week we received an email from a person who was concerned about a picture they had uploaded to their profile within an organisation. They noticed that the GPS coordinates of where the photo was taken were retained in the metadata of the uploaded image. Curious, they started looking at other people’s profile images and discovered coordinates stored in those as well, potentially revealing where these colleagues live.

What is EXIF data?

Apart from the image itself, an image file can store other information such as date, time, camera information and settings, geolocation, and copyright information. For a photographer, this information is very useful, and saves having to write it down for each photo. What it also means, though, is that when we take a photo with a camera phone and upload it to social media, that site now has access to where you were, and at what time you were there. Not only that, but if the website doesn’t strip the metadata before republishing, others can also see this information and track your location and movements.

What can I do?

For users:

Many social media websites already strip location and other EXIF data, including (at the time of writing) Facebook, Instagram, LinkedIn and Twitter. That said, many other large sites do not strip this metadata, and it can be difficult to know about smaller services or corporate systems, so as a user it is safer to disable the saving of location information on your device.

On Android, this will vary depending on your phone and version. In your camera application, look for ‘Settings’, then ‘GPS location’ or ‘Store Location’, and turn this option off. You can also disable location services completely by going to ‘Settings’, then under the ‘Personal’ heading, select ‘Location’ and turn it off.

On an iPhone, in ‘Settings’ go to ‘Privacy’, then ‘Location Services’ and turn this option off for the camera.

These steps only disable location information. Time and date stamps, as well as device information, will still be retained.

For existing photos on your computer, you can use ImageMagick (https://www.imagemagick.org, cross platform) to batch strip EXIF data from your images:

    $ mogrify -strip *

Note that mogrify rewrites the files in place, and -strip removes all embedded profiles and comments (ICC colour profiles included), not just the EXIF block, so run it on copies if you want to keep the originals. In Windows, you can right click an image, select ‘Properties’, then the ‘Details’ tab to see and remove the image’s metadata. Alternatively, there are many other image editing tools to choose from.

For administrators:

Please look into stripping metadata when a user uploads an image to your web application, or re-process images so that the data isn’t available to other users. Whichever you choose, verify it by downloading a test upload and inspecting its metadata, rather than trusting that the upload path did the right thing.

Happy (and safe) snapping!
Charelle.
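For administrators who want to do this in the upload handler rather than with a command-line tool, the following added example (written for this post; not AUSCERT’s or ImageMagick’s code) reads the GPS tags out of a JPEG’s Exif segment so the check can be logged, and then drops that segment before the file is stored. The JPEG it works on is constructed in-line with a stub scan so it runs offline, and the coordinates are made up.

```python
"""Added example for the EXIF discussion above: read the GPS tags from a JPEG's
Exif (APP1) segment and strip that segment before the image is republished.
Written for this post, not AUSCERT's or ImageMagick's code. The JPEG is
constructed in-line (a stub scan, no real picture data) so it runs offline, and
only the four GPS tags needed here are written into the Exif block."""
import struct

GPS_IFD_TAG = 0x8825              # IFD0 entry that points at the GPS sub-IFD
ASCII, LONG, RATIONAL = 2, 4, 5   # TIFF field types used below


def build_exif_gps(lat: float, lon: float) -> bytes:
    """Minimal little-endian TIFF: IFD0 -> GPS IFD holding tags 1..4."""
    def dms(v):                   # degrees, minutes, seconds*100 as RATIONALs
        v = abs(v)
        d = int(v); m = int((v - d) * 60); s = round(((v - d) * 60 - m) * 6000)
        return struct.pack("<IIIIII", d, 1, m, 1, s, 100)
    gps_off = 8 + 2 + 12 + 4                     # IFD0 holds a single entry
    lat_off = gps_off + 2 + 4 * 12 + 4           # data area after the 4 GPS entries
    lon_off = lat_off + 24
    tiff = b"II" + struct.pack("<HI", 42, 8)
    tiff += struct.pack("<H", 1) + struct.pack("<HHII", GPS_IFD_TAG, LONG, 1, gps_off) + b"\0\0\0\0"
    tiff += struct.pack("<H", 4)
    tiff += struct.pack("<HHI", 1, ASCII, 2) + (b"N" if lat >= 0 else b"S") + b"\0\0\0"
    tiff += struct.pack("<HHII", 2, RATIONAL, 3, lat_off)
    tiff += struct.pack("<HHI", 3, ASCII, 2) + (b"E" if lon >= 0 else b"W") + b"\0\0\0"
    tiff += struct.pack("<HHII", 4, RATIONAL, 3, lon_off) + b"\0\0\0\0"
    assert len(tiff) == lat_off
    return tiff + dms(lat) + dms(lon)


def build_jpeg(exif: bytes) -> bytes:
    """SOI, APP1 Exif segment, a stub SOS segment, fake scan bytes, EOI."""
    app1, sos = b"Exif\0\0" + exif, b"\x01\x01\x00\x00\x3f\x00"
    return (b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
            + b"\xff\xda" + struct.pack(">H", len(sos) + 2) + sos + b"\x12\x34\x56\xff\xd9")


def iter_segments(jpeg: bytes):
    """Yield (marker, payload) for each segment up to SOS, then (None, raw tail)."""
    pos = 2                                      # skip SOI
    while pos < len(jpeg):
        marker = jpeg[pos + 1]
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]   # includes itself
        yield marker, jpeg[pos + 4:pos + 2 + length]
        pos += 2 + length
        if marker == 0xDA:                       # entropy-coded data follows SOS
            yield None, jpeg[pos:]
            return


def strip_exif(jpeg: bytes) -> bytes:
    """Rebuild the file without any APP1 segment that carries Exif."""
    out = b"\xff\xd8"
    for marker, payload in iter_segments(jpeg):
        if marker is None:
            out += payload
        elif not (marker == 0xE1 and payload.startswith(b"Exif\0\0")):
            out += b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload
    return out


def read_gps(jpeg: bytes):
    """(lat, lon) in decimal degrees from the Exif GPS IFD, or None if absent."""
    tiff = next((p[6:] for m, p in iter_segments(jpeg)
                 if m == 0xE1 and p.startswith(b"Exif\0\0")), None)
    if tiff is None:
        return None
    e = "<" if tiff[:2] == b"II" else ">"        # byte order from the TIFF header

    def entries(off):
        for i in range(struct.unpack(e + "H", tiff[off:off + 2])[0]):
            at = off + 2 + 12 * i
            tag, typ, cnt = struct.unpack(e + "HHI", tiff[at:at + 8])
            yield tag, typ, cnt, tiff[at + 8:at + 12]

    ifd0 = struct.unpack(e + "I", tiff[4:8])[0]
    gps = [struct.unpack(e + "I", v)[0] for t, _, _, v in entries(ifd0) if t == GPS_IFD_TAG]
    vals = {}
    for tag, typ, cnt, v in (entries(gps[0]) if gps else ()):
        if typ == ASCII:
            vals[tag] = v[:cnt].rstrip(b"\0").decode()
        elif typ == RATIONAL:                    # value field is an offset to the data
            off = struct.unpack(e + "I", v)[0]
            vals[tag] = [n / d for n, d in struct.iter_unpack(e + "II", tiff[off:off + 8 * cnt])]
    if not all(t in vals for t in (1, 2, 3, 4)):
        return None
    lat = vals[2][0] + vals[2][1] / 60 + vals[2][2] / 3600
    lon = vals[4][0] + vals[4][1] / 60 + vals[4][2] / 3600
    return (-lat if vals[1] == "S" else lat), (-lon if vals[3] == "W" else lon)


# Constructed upload: made-up coordinates stand in for where a profile photo was taken
PHOTO = build_jpeg(build_exif_gps(-27.4698, 153.0251))

if __name__ == "__main__":
    print("as uploaded:", read_gps(PHOTO))
    CLEAN = strip_exif(PHOTO)
    print("after strip:", read_gps(CLEAN), f"({len(PHOTO)} -> {len(CLEAN)} bytes)")
```

Dropping the whole APP1 Exif segment is the simplest reliable option, since it also takes the date, time and device fields with it. Two caveats: the Exif orientation tag goes too, so a phone photo may display rotated unless the pixels are rotated first; and some files carry a second copy of the metadata as XMP in a separate APP1 segment with a different header string, which this example leaves alone, so a production upload path would either drop every APP1 segment or re-encode the image.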


AUSCERT Week in Review for 3rd August 2018

Greetings,

As another week comes to a close, give yourselves a pat on the back, because Aussies are almost immune from ransomware attacks!! All the more reason not to let our guard down, and to keep looking for and applying threat indicators to prevent and detect ransomware activity. Also this week, more ransomware authors seem to be joining forces to deliver their respective malware in a one-two punch using the same malspam runs. Potential motives: economies of scale? Easier propagation? This, however, undoubtedly remains the year of the cryptojacker.

Hope you enjoy reading this week’s selection of articles:

New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign
Date Published: 30/07/2018
Authors: Proofpoint staff
Excerpt:
“AZORult is a robust information stealer & downloader that Proofpoint researchers originally identified in 2016 as part of a secondary infection via the Chthonic banking Trojan. We have since observed many instances of AZORult dropped via exploit kits and in fairly regular email campaigns as both a primary and secondary payload.

Recently, AZORult authors released a substantially updated version, improving both on its stealer and downloader functionality. It is noteworthy that within a day of the new update appearing on underground forums, a prolific actor used the new version in a large email campaign, leveraging its new capabilities to distribute Hermes ransomware. It is always interesting to see malware campaigns where both a stealer and ransomware are present, as this is less common [1], and especially disruptive for recipients who initially may have credentials, cryptocurrency wallets, and more stolen before losing access to their files in a subsequent ransomware attack.”

—–

Massive Coinhive Cryptojacking Campaign Infects 170,000 MikroTik Routers
Date Published: 02/08/2018
Author: Catalin Cimpanu
Excerpt:
“According to Kenin, the attacker used one of those PoCs to alter traffic passing through the MikroTik router and inject a copy of the Coinhive library inside all the pages served through the router.

We know it’s only one threat actor exploiting this flaw because the attacker used only one Coinhive key for all the Coinhive injections he performed during the past week.

Furthermore, Kenin says that he also identified some cases where non-MikroTik users were also impacted. He says this was happening because some Brazilian ISPs were using MikroTik routers for their main network, and hence the attacker managed to inject the malicious Coinhive code in a massive amount of web traffic.

In addition, Kenin says that because of the way the attack was performed, the injection worked both ways, and not necessarily only for traffic going to the user. For example, if a website was hosted on a local network behind an affected MikroTik router, traffic to that website would also be injected with the Coinhive library.”

—–

Australians almost immune from ransomware, topping lists for data safety
Date Published: 31/07/2018
Author: Richard Chirgwin
Excerpt:
“Take a bow, Australians: we may have had 242 breaches sent to the information commissioner this quarter, but almost nobody fell victim to ransomware attacks. Of all the data breaches reported to the Office of the Australian Information Commissioner (OAIC) between April and June this year, only two were ransomware attacks.

However, given the MyHealth Record debate in Australia, the statistics paint a grim picture: the health sector recorded the most notifiable breaches from April to June. The OAIC data, published today, is the first full quarter of data breach statistics since the notification regime came into force on 22 February 2018. Breach notifications rose in each of the months covered by the report, which probably indicates rising business awareness of the legislation: there were 65 notifications in April, 87 in May, and 90 in June, a total of 242 in the quarter.”

—–

Bisonal Malware Used in Attacks Against Russia and South Korea
Date Published: 31/07/2018
Authors: Kaoru Hayashi and Vicky Ray
Excerpt:
“Attacks using Bisonal have been blogged about in the past. In 2013, both COSEINC and FireEye revealed attacks using Bisonal against Japanese organizations. In October 2017, AhnLab published a report called “Operation Bitter Biscuit,” an attack campaign against South Korea, Japan, India and Russia using Bisonal and its successors, Bioazih and Dexbia. We believe it is likely these tools are being used by one group of attackers.

Though Bisonal malware has been in the wild for at least seven years and frequently updated, the actors keep using the same high-level playbooks. Common features of attacks involving Bisonal include:
- Usually targeting organizations related to government, military or defense industries in South Korea, Russia, and Japan.
- In some cases, the use of Dynamic DNS (DDNS) for C2 servers.
- The use of a target or campaign code with its C2 to track victim or attack campaign connections.
- Disguising the Bisonal malware as a PDF, Microsoft Office Document or Excel file.
- The use of a decoy file in addition to the malicious PE file.
- In some cases, code to handle Cyrillic characters on Russian-language operating systems.

We observed all these characteristics in the latest attacks against both Russia and South Korea.”

—–

Blueprints for 3D printed guns stay offline for now — but we should still be worried
Date Published: 01/08/2018
Author: Abhimanyu Ghoshal
Excerpt:
“The truth is that the aforementioned legal battles don’t matter a whole lot right now: DD actually made the files available last Friday on its DEFCAD site, so they’ve already fallen into the hands of those who want them. There’s also a GitHub repository maintained by a group called FOSSCAD, where you can find designs for a range of pistols, rifles, and ammo.

All this points to the fact that we’re getting rather uncomfortably close to a future where anyone with access to a 3D printer could fabricate an untraceable plastic gun that fires real bullets – and could do real damage.”

—–

Here are this week’s noteworthy security bulletins:

1) ESB-2018.2201 – [Linux] IBM QRadar: Multiple vulnerabilities
   IBM’s QRadar SIEM had multiple updates this week that addressed multiple vulnerabilities introduced by Apache Tomcat, Java and OpenSSL components.

2) ESB-2018.2218 – [Win][Linux][Solaris][AIX] IBM Security Identity Manager: Execute arbitrary code/commands – Remote/unauthenticated
   IBM’s Security Identity Manager also had an update addressing a remote code execution vulnerability introduced by Apache Commons.

3) ASB-2018.0188 – [Appliance] Intel Puma: Denial of service – Remote/unauthenticated (2018-08-01)
   A serious vulnerability was identified in Intel Puma chipsets, widely used in home gateways and cable modems. The vulnerability potentially allows a remote attacker to starve the processors of resources by sending crafted network traffic to the device, giving rise to a denial of service situation. The vendor is apparently working with device manufacturers to roll out a fix.

Stay safe, stay patched, keep warm and have a good weekend!
Nicholas
