Publications

AUSCERT Week in Review for 10th August 2018 Greetings, As another week comes to a close, here’s a collection of articles for you to enjoy. Have you ever considered the impact cryptomining has on the environment? On a side note, AUSCERT is hiring! The position is for a Senior Information Security Analyst. If interested, you can find more details at (https://www.seek.com.au/job/36851253). Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Ramnit is back and contributes in creating a massive proxy botnet, tracked as ‘Black’ botnet Date Published: 08/08/2018 Author: Pierluigi Paganini Excerpt: “In 2015, Europol partnering with several private technology firms announced the takedown of the Ramnit C2 infrastructure.   A few months later Ramnit was back, the researchers at IBM security discovered a new variant of the popular Ramnit Trojan.   Recently the experts observed that the “Black” botnet campaign has infected up 100,000 systems in two months, and this is just the tip of the iceberg because according to researchers a second-stage malware called Ngioweb is already spreading.   There is the concrete risk that Ramnit operators are using the two malware to build a large, multi-purpose proxy botnet that could be used for many fraudulent activities (i.e. DDoS attacks, ransomware-based campaigns, cryptocurrency mining campaigns).   “Recently we discovered the Ramnit C&C server (185.44.75.109) which is not related to the previously most prevalent botnet “demetra”. According to domain names which are resolved to the IP address of this C&C server, it pretends to control even old bots, first seen back in 2015. We named this botnet “Black” due to the RC4 key value, “black”, that is used for traffic encryption in this botnet.” reads the analysis published by Checkpoint security.” —– Exploit kits: summer 2018 review Date Published: 07/08/2018 Author: Jerome Segura Excerpt: “In addition, we have witnessed many smaller and unsophisticated attackers using one or two exploits bluntly embedded in compromised websites. In this era of widely-shared exploit proof-of-concepts (PoCs), we are starting to see an increase in what we call “pseudo-exploit kits.” These are drive-by downloads that lack proper infrastructure and are typically the work of a lone author. In this post, we will review the following exploit kits: RIG EK GrandSoft EK Magnitude EK GreenFlash Sundown EK KaiXin EK Underminer EK Pseudo-EKs”” —– Hacker swipes Snapchat’s source code, publishes it on GitHub Date Published: 07/08/2018 Author: Matthew Hughes Excerpt: “The repository has a description of “Source Code for SnapChat,” and is written in Apple’s Objective-C programming language. This strongly suggests that the repo contained part or whole of the company’s iOS application, although there’s no way we can know for certain. It could just as easily be a minor component to the service, or a separate project from the company.   There are two other clues to the identity of the person who published the leaked Snapchat code.   According to the i5xx GitHub account, his name is Khaled Alshehri. This should be taken with a grain of salt, however. For starters, there’s nothing stopping the user from listing a fake name. Furthermore, according to several people TNW has spoken to, the surname “Alshehri” isn’t especially common in Pakistan.   The profile also links to an online business in Saudi Arabia offering a mixed bag of tech services, from security scanning and iCloud removal, to software development and the sale of iTunes giftcards.” —– DeepLocker: How AI Can Power a Stealthy New Breed of Malware Date Published: 08/08/2018 Author: Marc Ph. Stoecklin Excerpt: “What is unique about DeepLocker is that the use of AI makes the “trigger conditions” to unlock the attack almost impossible to reverse engineer. The malicious payload will only be unlocked if the intended target is reached. It achieves this by using a deep neural network (DNN) AI model.   The AI model is trained to behave normally unless it is presented with a specific input: the trigger conditions identifying specific victims. The neural network produces the “key” needed to unlock the attack. DeepLocker can leverage several attributes to identify its target, including visual, audio, geolocation and system-level features. As it is virtually impossible to exhaustively enumerate all possible trigger conditions for the AI model, this method would make it extremely challenging for malware analysts to reverse engineer the neural network and recover the mission-critical secrets, including the attack payload and the specifics of the target. When attackers attempt to infiltrate a target with malware, a stealthy, targeted attack needs to conceal two main components: the trigger condition(s) and the attack payload.   DeepLocker is able to leverage the “black-box” nature of the DNN AI model to conceal the trigger condition. A simple “if this, then that” trigger condition is transformed into a deep convolutional network of the AI model that is very hard to decipher. In addition to that, it is able to convert the concealed trigger condition itself into a “password” or “key” that is required to unlock the attack payload.” —- ICS Threat Broadens: Nation-State Hackers Are No Longer the Only Game in Town Date Published: 07/08/2018 Authors: Israel Barak and Ross Rustici Excerpt: “The honeypot contained bait to entice attackers, including three Internet facing servers (Sharepoint, SQL and domain controller) with remote access services like RDP and SSH and weak passwords. Nothing was done to promote the servers to attackers. However, the servers’ DNS names were registered and the environment’s internal identifiers used a moniker that resembled the name of a major, well-known electricity provider.   Two days after the honeypot was launched, Cybereason determined that a black market seller had discovered it based on a toolset that had been installed in the environment. The tool — xDedic RDP Patch — is commonly found in assets that are being sold in the xDedic black market. It allows a victim and an attacker to use the same credentials to simultaneously log-in to a machine using RDP (Remote Desktop Protocol).   The seller also installed backdoors in the honeypot servers by creating additional users, another indicator that the asset was being prepared for sale on xDedic. The backdoors would allow the asset’s new owner to access the honeypot even if the administrator passwords were changed, a scenario that could have otherwise prevented the adversaries from accessing the servers.” Here are this week’s noteworthy security bulletins: 1) ESB-2018.2271 – [Linux][Debian] linux kernel: Multiple vulnerabilities A vulnerability in TCP stream reassembly in the Linux kernel was addressed by a number of vendors this week. Dubbed “SegmentSmack”. The vulnerability allows a remote attacker to crash a vulnerable system by sending a stream of crafted TCP/IP packets. Juniper, F5 Networks and Citrix are among them. 2) ESB-2018.2277 – [Win][UNIX/Linux][FreeBSD] tcp: Denial of service – Remote/unauthenticated Yet another Denial of Service vulnerability targeting TCP. This vulnerability is centred around an inefficient data structure for holding received TCP segments prior to reassembly. An attacker could cause a Denial of service condition by sending a stream of crafted, segmented TCP traffic contributing to a large number of segments awaiting reassembly, leading to CPU resource exhaustion. A patch has been introduced that limits the reassembly queue size per connection. 3) ESB-2018.2279 – [Printer] HP Ink Printers: Multiple vulnerabilities Owners of HP Ink printers had cause to be concerned over a buffer overflow vulnerability triggered by a crafted file received over the network. If exploited, the buffer overflow could lead to code execution or a denial of service condition. HP has released firmware updates to address the issue. Stay safe, stay patched, stay cool and have a good weekend! Nicholas

Location, location, location This week we received an email from a person who was concerned about a picture they had uploaded to their profile within an organisation.  They noticed that the GPS coordinates of where the photo was taken was retained in the metadata of the uploaded image.  Curious, they started looking at other people’s profile images to discover coordinates stored in those as well, potentially revealing where these colleagues live. What is EXIF data? Apart from the image itself, an image file can store other information such as date, time, camera information and settings, geolocation, and copyright information. For a photographer, this information is very useful, and saves having to write it down for each photo.  What it also means though, is that when we take a photo with a camera phone, and upload this image to social media, that site now has access to where you are, and at what time you were there.  Not only that, but if the website doesn’t strip the metadata before republishing, others could also see this information and track your location and movements. What can I do? For users: Many social media websites already strip location and other EXIF data, including (at the time of writing) Facebook, Instagram, LinkedIn and Twitter. That said, many other large sites do not strip this metadata, and it can be difficult to know about smaller services or corporate systems, so as a user, it is safer to disable the saving of location information from your device. On Android, this will vary depending on your phone and version. In your camera application, look for ‘Settings‘, then ‘GPS location‘ or ‘Store Location‘, and turn this option off. You can also disable location services completely by going to ‘Settings‘, then under the ‘Personal‘ heading, select ‘Location‘ and turn it off. On an iPhone, in ‘Settings‘ go to ‘Privacy‘, then ‘Location Services‘ and turn this option off for the camera. These steps only disable location information. Time and date stamps, as well as device information will still be retained. For existing photos on your computer, you can use Imagemagick (https://www.imagemagick.org, cross platform) to batch strip EXIF data from your images: $ mogrify -strip * In Windows, you can right click an image, select ‘Properties‘, then the ‘Details‘ tab to see and remove the image’s metadata. Alternatively, there are many other image editing tools to choose from.   For administrators: Please look into stripping metadata when a user uploads an image to your web application, or re-process images so that data isn’t available to other users. Happy (and safe) snapping!Charelle.

AUSCERT Week in Review for 3rd August 2018 Greetings, As another week comes to a close, give yourselves a pat on the back, because Aussies are almost immune from ransomware attacks!! All the more reason to not let our guard down and keep looking for and applying threat indicators to prevent and detect ransomware activity. Also this week, more ransomware authors seem to be joining forces to deliver their respective malware in a one-two punch using the sample malspam runs. Potential motives: Economies of scale? Easier propagation? This however, undoubtedly remains the year of the cryptojacker.   Hope you enjoy reading this week’s selection of articles: New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign  Date Published: 30/07/2018 Authors:  Proofpoint staff Excerpt: “AZORult is a robust information stealer & downloader that Proofpoint researchers originally identified in 2016 as part of a secondary infection via the Chthonic banking Trojan. We have since observed many instances of AZORult dropped via exploit kits and in fairly regular email campaigns as both a primary and secondary payload.   Recently, AZORult authors released a substantially updated version, improving both on its stealer and downloader functionality. It is noteworthy that within a day of the new update appearing on underground forums, a prolific actor used the new version in a large email campaign, leveraging its new capabilities to distribute Hermes ransomware. It is always interesting to see malware campaigns where both a stealer and ransomware are present, as this is less common [1], and especially disruptive for recipients who initially may have credentials, cryptocurrency wallets, and more stolen before losing access to their files in a subsequent ransomware attack.” —– Massive Coinhive Cryptojacking Campaign Infects 170,000 MikroTik Routers Date Published: 02/08/2018 Author: Catalin Cimpanu Excerpt: “According to Kenin, the attacker used one of those PoCs to alter traffic passing through the MikroTik router and inject a copy of the Coinhive library inside all the pages served through the router.   We know it’s only one threat actor exploiting this flaw because the attacker used only one Coinhive key for all the Coinhive injections he performed during the past week.   Furthermore, Kenin says that he also identified some cases where non-MikroTik users were also impacted. He says this was happening because some Brazilian ISPs were using MikroTik routers for their main network, and hence the attacker managed to inject the malicious Coinhive code in a massive amount of web traffic.   In addition, Kenin says that because of the way the attack was performed, the injection worked both ways, and not necessarily only for traffic going to the user. For example, if a website was hosted on a local network behind an affected MikroTik router, traffic to that website would also be injected with the Coinhive library.” —– Australians almost immune from ransomware, topping lists for data safety Date Published: 31/07/2018 Author: Richard Chirgwin Excerpt: “Take a bow, Australians: we may have had 242 breaches sent to the information commissioner this quarter, but almost nobody fell victim to ransomware attacks. Of all the data breaches reported to the Office of the Australian Information Commissioner (OAIC) between April and June this year, only two were ransomware attacks. However, given the MyHealth Record debate in Australia, the statistics paint a grim picture: the health sector recorded the most notifiable breaches from April to June. The OAIC data, published today, is the first full quarter of data breach statistics since the notification regime came into force on 22 February 2018. Breach notifications rose in each of the months covered by the report, which probably indicates rising business awareness of the legislation: there were 65 notifications in April, 87 in May, and 90 in June, a total of 242 in the quarter.” —– Bisonal Malware Used in Attacks Against Russia and South Korea Date Published: 31/07/2018 Author: Kaoru Hayashi and Vicky Ray Excerpt: “Attacks using Bisonal have been blogged about in the past. In 2013, both COSEINC and FireEye revealed attacks using Bisonal against Japanese organizations . In October 2017, AhnLab published a report called “Operation Bitter Biscuit,” an attack campaign against South Korea, Japan, India and Russia using Bisonal and its successors, Bioazih and Dexbia. We believe it is likely these tools are being used by one group of attackers.   Though Bisonal malware has been in the wild for at least seven years and frequently updated, the actors keep using same high-level playbooks. Common features of attacks involving Bisonal include:   Usually targeting organizations related to government, military or defense industries in South Korea, Russia, and Japan. In some cases, the use of Dynamic DNS (DDNS) for C2 servers. The use of a target or campaign code with its C2 to track victim or attack campaign connections. Disguising the Bisonal malware as a PDF, Microsoft Office Document or Excel file. The use of a decoy file in addition to the malicious PE file In some cases, code to handle Cyrillic characters on Russian-language operating systems. We observed all these characteristics in the latest attacks against both Russia and South Korea.” —- Blueprints for 3D printed guns stay offline for now — but we should still be worried Date Published: 01/08/2018 Authors:  Abhimanyu Ghoshal Excerpt: “The truth is that the aforementioned legal battles don’t matter a whole lot right now: DD actually made the files available last Friday on its DEFCAD site, so they’ve already fallen into the hands of those who want them. There’s also a GitHub repository maintained by a group called FOSSCAD, where you can find designs for a range of pistols, rifles, and ammo.   All this points to the fact that we’re getting rather uncomfortably close to a future where anyone with access to a 3D printer could fabricate an untraceable plastic gun that fires real bullets – and could do real damage.” —– Here are this week’s noteworthy security bulletins: 1) ESB-2018.2201 – [Linux] IBM QRadar : Multiple vulnerabilities IBM’s QRadar SIEM had multiple updates this week that addressed multiple vulnerabilies introduced by Apache Tomcat, Java and OpenSSL components. 2) ESB-2018.2218 – [Win][Linux][Solaris][AIX] IBM Security Identity Manager: Execute arbitrary code/commands – Remote/unauthenticated IBM’s Security Identity Manager also had an update addressing a remote code execution vulnerability introduced by Apache Commons. 3) ASB-2018.0188 – [Appliance] Intel Puma: Denial of service – Remote/unauthenticated 2018-08-01 A serious vulnerability was identified in Intel Puma chipsets, widely used in Home Gateways and Cable modems. The vulnerability potentially allows a remote attacker to starve the processors of resources by sending crafted network traffic to the device, giving rise to a denial of service situation. The vendor is apparently working with device manufacturers to roll out a fix. Stay safe, stay patched, keep warm and have a good weekend! Nicholas

AUSCERT Week in Review for 27th July 2018 AUSCERT Week in Review27 July 2018 Good afternoon, and welcome to the end of another week in Infosec. This week saw a brief respite from the cold, harsh Queensland winter.In the AUSCERT office we’re definitely looking forward to the warmer months! Thanks to our members who were able to attend our Melbourne Member meet-upearlier this week, and anyone who stopped by our booth at the 2018 SecurityExhibition & Conference. We appreciate all the feedback we’ve gotten! Here are some of the significant news stories from this week: —– New Spectre attack enables secrets to be leaked over a networkAuthor: Peter BrightDate: 27 July 2018https://arstechnica.com/gadgets/2018/07/new-spectre-attack-enables-secrets-to-be-leaked-over-a-network/ “Researchers from Graz University of Technology, including one of theoriginal Meltdown discoverers, Daniel Gruss, have described NetSpectre:a fully remote attack based on Spectre. With NetSpectre, an attacker canremotely read the memory of a victim system without running any code onthat system.” — Google Chrome Now Labels HTTP Sites as ‘Not Secure’Author: Brian BarrettDate: 24 July 2018https://www.wired.com/story/google-chrome-https-not-secure-label “Nearly two years ago, Google made a pledge: It would name and shamewebsites with unencrypted connections, a strategy designed to spur webdevelopers to embrace HTTPS encryption. On Tuesday, it finally is followingthrough. With the launch of Chrome 68, Google now will call out sites withunencrypted connections as “Not Secure” in the URL bar.” — Google: Security Keys Neutralized Employee PhishingAuthor: Brian KrebsDate: 23 July 2018https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/ “Google has not had any of its 85,000+ employees successfully phished ontheir work-related accounts since early 2017, when it began requiring allemployees to use physical Security Keys in place of passwords and one-timecodes, the company told KrebsOnSecurity.” — Singapore govt health database hackedAuthor: Staff WriterDate: 20 Jul 2018https://www.itnews.com.au/news/singapore-govt-health-database-hacked-498782 “A major cyberattack on Singapore’s government health database resultedin the personal information of about 1.5 million people – including PrimeMinister Lee Hsien Loong – being stolen. The “deliberate, targeted and well-planned,” attack aimed at patients whovisited clinics between May 2015 and July 4 this year, the health ministrysaid in a statement.” Here are this week’s noteworthy security bulletins (in no particular order): 1. ESB-2018.2133 – Bluetooth devices: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/65666 Several Bluetooth implementations, including Apple, Broadcom and Intel,are vulnerable to Man In The Middle attacks, as a result of a missing stepin validating elliptic curve parameters. 2. ESB-2018.2153 – ClamAV: Denial of service – Remote with user interactionhttps://portal.auscert.org.au/bulletins/65750 Vulnerabilities in ClamAV could cause a hang when scanning speciallycrafted PDF or HWP files. 3. ESB-2018.2129 – python-cryptography: Access confidential data –Remote/unauthenticatedhttps://portal.auscert.org.au/bulletins/65650 A vulnerability in a popular cryptography library could expose sensitivedata. ——- Stay safe, stay patched, and have a good weekend! Anthony and the team at AUSCERT

Insecure AWS S3 buckets – an ongoing target Recently, AUSCERT has seen an increase in the number of attacks on unsecured cloud infrastructure. One of the most frequently targeted cloud hosting methods is Amazon’s Scalable Storage Solution, commonly referred to as AWS S3.   S3 is used to store static assets for public websites, such as images and javascript, and is also used as a destination for backup solutions, due to its low storage costs. S3 buckets can be accessed via HTTP/HTTPS, as well as an API that is available to other AWS infrastructure.    However, critically, many buckets have been configured to expose all of their files, as well as a listing of the files in the bucket – a modern equivalent to the open directory listing issue that many misconfigured webservers have suffered from in the past.   Perhaps due to an overload of new practices required when switching to AWS infrastructure, or due to unfamiliarity with the platform, many S3 buckets have been left exposed when they contain sensitive or secret data, such as backups, copies of databases, or private documents. Many of these S3 buckets have been discovered by third parties, which has resulted in some high-profile data breaches. This website maintains a listing of data breaches that were caused by insecure S3 buckets.   Although this issue has been known for a long time, in the last 12 months more tools to enumerate, discover, and even provide public search listings of S3 buckets have become available. This recent trend has prompted AUSCERT to begin scanning AWS for S3 buckets that have easily guessable names relating to our members’ organisations.   Amazon themselves have noted this issue and have taken measures to assist users and prevent further compromises on their platform. Last year, after a large breach that affected millions of Dow Jones customers, Amazon sent an email to the account administrator of every AWS account that had publicly accessible S3 buckets.   In Amazon’s own words, “While there are reasons to configure buckets with world read access, including public websites or publicly downloadable content, recently, there have been public disclosures by third parties of S3 bucket contents that were inadvertently configured to allow world read access but were not intended to be publicly available. We encourage you to promptly review your S3 buckets and their contents to ensure that you are not inadvertently making objects available to users that you don’t intend.”   The official AWS blog contains useful information about securing S3 buckets while still allowing access in a controlled manner. See this article, published in March 2018, for more details.   AUSCERT recommends reviewing all of your AWS infrastructure to ensure access controls are appropriate for your uses.     Anthony Vaccaro, Senior Information Security Analyst at AUSCERT

AUSCERT Week in Review for 20th July 2018 AUSCERT Week in Review20 July 2018 Good afternoon, and welcome to the end of another week in Infosec. This week saw the quarterly Oracle patch day come with a record-breakingnumber of CVEs. I hope our members can keep up with the huge amount ofpatching required to use Oracle products! In addition, the Australian government launched My Health Record thisweek, and was promptly bombarded with opt-out requests. Asking to store(and share) your personal medical data for the rest of your life may notgo down well with many australians, especially as scandals involving databreaches and misuse become more and more common. Here are some of the significant news stories from this week: —– Defence attacked over new technology restrictionsAuthor: Julian BajkowskiDate: 19 July 2018https://www.itnews.com.au/news/defence-attacked-over-new-technology-restrictions-498612 “Australia’s top universities have blasted a massive expansion ofintrusive powers proposed by the Department of Defence. The new powers would allow Defence to enter and search all technologyprojects in Australia and restrict and dictate how information from themis shared between researchers and industry.” —Oracle product vulnerabilities hit all-time highAuthor: Juha SaarinenDate: 18 July 2018https://www.itnews.com.au/news/oracle-product-vulnerabilities-hit-all-time-high-498543 “The July 2018 Critical Patch Update (CPU) set of security fixes for Oracleproducts released overnight closes no fewer than 334 vulnerabilites,up from 251 in April and more than the highest number remedied so far,308 in July 2017. Of the 334 flaws, 61 are considered as critical with high CommonVulnerabilities Scoring System ratings of 9.0 to 10.0.” —My Health Record systems collapse under more opt-outs than expectedAuthor: StilgherrianDate: 16 July 2018https://www.zdnet.com/article/my-health-record-systems-collapse-under-more-opt-outs-than-expected/ “Australians attempting to opt out of the government’s new centralised healthrecords system online have been met with an unreliable website. Those phoningin have faced horrendous wait times, sometimes more than two hours, oftento find that call centre systems were down as well, and staff unable to help. The Australian Digital Health Agency (ADHA), which runs the My HealthRecord system, is reportedly telling callers that they weren’t expectingthe volume of opt-outs.” Here are this week’s noteworthy security bulletins (in no particular order): 1. ESB-2018.2076 – Cisco Policy Suite: Root compromise –Remote/unauthenticatedhttps://portal.auscert.org.au/bulletins/65426 Several vulnerabilities in Cisco Policy Suite have a large impact. 2. ESB-2018.2075 – ffmpeg: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/65330 Vulnerabilities in ffmpeg could lead to a crash or code execution fromviewing/processing malicious video files. 3. ESB-2018.2103 – Jenkins: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/65534 A new vulnerability in Jenkins could allow users to move the configuration file to a new location. ——- Stay safe, stay patched, and have a good weekend! Anthony and the team at AUSCERT

AUSCERT Week in Review for 13th July 2018 AUSCERT Week in Review13 July 2018 Two package compromises this week serve as a reminder that we all rely on each other’s code, which few of us have the luxury of auditing. ESLint, a linter for JavaScript-family languages, published a malicious package which stole Node Package Manager credentials from developers. (While I have this soapbox, linters are great and should be used for any code you write – even if that’s “only” shell scripting, try out ShellCheck!) Microsoft Patch Tuesday also took place this week, with more vulns which could hijack Edge purely from opening a malicious page. If your users ask why they’re advised to delete spam emails, you can point them to the presence of these bugs in almost every Patch Tuesday. In accordance with tradition, here are some interesting news articles from the week: Patch Tuesday, July 2018 EditionAuthor: Brian KrebsDate: 10 July 2018https://krebsonsecurity.com/2018/07/patch-tuesday-july-2018-edition/ Microsoft and Adobe each issued security updates for their products today. Microsoft’s July patch batch includes 14 updates to fix more than 50 security flaws in Windows and associated software. Separately, Adobe has pushed out an update for its Flash Player browser plugin, as well as a monster patch bundle for Adobe Reader/Acrobat. Postmortem for Malicious Packages Published on July 12th, 2018Author: ESLint ProjectDate: 12 July 2018https://eslint.org/blog/2018/07/postmortem-for-malicious-package-publishes On July 12th, 2018, an attacker compromised the npm account of an ESLint maintainer and published malicious versions of the eslint-scope and eslint-config-eslint packages to the npm registry. On installation, the malicious packages downloaded and executed code from pastebin.com which sent the contents of the user’s .npmrc file to the attacker. An .npmrc file typically contains access tokens for publishing to npm. The malicious package versions are eslint-scope@3.7.2 and eslint-config-eslint@5.0.2, both of which have been unpublished from npm. The pastebin.com paste linked in these packages has also been taken down. Malware Found in Arch Linux AUR Package RepositoryAuthor: Catalin CimpanuDate: 10 July 2018https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository Malware has been discovered in at least three Arch Linux packages available on AUR (Arch User Repository), the official Arch Linux repository of user-submitted packages.[…] No other malicious actions were observed, meaning the acroread package wasn’t harming users’ systems, but merely collecting data in preparation for… something else. Airport security card company reveals data hack as AFP investigatesAuthor: ABC NewsDate: 12 July 2018http://www.abc.net.au/news/2018-07-12/afp-investigating-airport-security-card-data-hack/9981796 A company that issues Aviation Security Identity Cards (ASICs) — designed to stop organised criminals and terrorists from accessing planes and other restricted airport zones — has been hacked, leading to concerns that Australian airport security may have been compromised as a result. Here are this week’s noteworthy security bulletins (in no particular order): 1. ESB-2018.2011 – [Appliance] Universal Robots Robot Controllers: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/65058 Industrial robots would execute arbitrary code sent to certain TCP ports. 2. ESB-2018.2021 – ALERT [UNIX/Linux][Debian] cups: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/65098 The Common UNIX Printing System patched a root compromise vulnerability. 3. ESB-2018.1984 – [Apple iOS] Apple iOS: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/64922 Multiple memory corruption and data leak issues in WebKit, used by Safari & other browsers, plus a crash when a China-region phone received the Taiwanese flag emoji. 4. ESB-2018.1756.2 – UPDATE [Win][UNIX/Linux] BIND: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/63966 Regression caused defaults to work incorrectly in the BIND nameserver, allowing denials of service (including DNS reflection attacks) and examining the DNS cache. Stay safe, stay patched and have a good weekend,David and the team at AUSCERT

AUSCERT Week in Review for 6th July 2018 AUSCERT Week in Review06 July 2018 Greetings, This week’s events have reminded us to be careful of the software we install. Between browser extensions gone rogue and a major software foundation’s GitHub account serving compromised content, consider whose code you might have run without knowing it. The AUSCERT bulletins service is nearly at number 2,000 by early July, making this the busiest year on record. If you want to change your subscription settings, your inbox may thank you. Log in to the member portal at https://wordpress-admin.auscert.org.au to make the change. If you get stuck or have any questions, contact us at auscert@auscert.org.au! In the news this week: ‘Stylish’ browser extension steals all your internet historyhttps://robertheaton.com/2018/07/02/stylish-browser-extension-steals-your-internet-history/Date: 02 July 2018Author: Robert Heaton Unfortunately, since January 2017, Stylish has been augmented with bonus spyware that records every single website that I and its 2 million other users visit (EDIT – I am told that the Chrome version has had tracking since January 2017, but the Firefox version has only had it since March 2018). Stylish sends our complete browsing activity back to its servers, together with a unique identifier. This allows its new owner, SimilarWeb, to connect all of an individual’s actions into a single profile. And for users like me who have created a Stylish account on userstyles.org, this unique identifier can easily be linked to a login cookie. … Stylish’s transition from visual Valhalla to privacy Chernobyl began when the original owner and creator of Stylish sold it in August 2016. In January 2017 the new owner sold it again, announcing that “Stylish is now part of the SimilarWeb family”. The SimilarWeb family’s promotional literature lists “Market Solutions To See All Your Competitors’ Traffic” amongst its interests. [AUSCERT adds: Recall also https://www.theregister.co.uk/2017/09/15/pretend_python_packages_prey_on_poor_typing/ from last year.] Gentoo GitHub Organization hackedhttps://wiki.gentoo.org/wiki/Github/2018-06-28Date: 01 July 2018 An unknown entity gained control of an admin account for the Gentoo GitHub Organization and removed all access to the organization (and its repositories) from Gentoo developers. They then proceeded to make various changes to content. Gentoo Developers & Infrastructure escalated to GitHub support and the Gentoo Organization was frozen by GitHub staff. Gentoo has regained control of the Gentoo GitHub Organization and has reverted the bad commits and defaced content. The entity attempted to wipe user content by adding “rm -rf” to various repositories; however this code was unlikely to be executed by end users due to various technical guards in place. Iranian APT Poses As Israeli Cyber-Security Firm That Exposed Its Operationshttps://www.bleepingcomputer.com/news/security/iranian-apt-poses-as-israeli-cyber-security-firm-that-exposed-its-operations/Author: Catalin CimpanuDate: 03 July 2018 According to Israeli cyber-security firm ClearSky Security, the company says the Iranian APT copied its official website and hosted on a lookalike domain at clearskysecurity.net (the official ClearSky website is located at ClearSkySec.com). “Charming Kitten built a phishing website impersonating our company,” ClearkSky said yesterday. “They copied pages from our public website and changed one of them to include a ‘sign in’ option with multiple services.” “These sign-in options are all phishing pages that would send the victim’s credentials to the attackers,” ClearSky said. “Our legitimate website does not have any sign in option.” Another day, another data breach. Do you even care any more?http://www.abc.net.au/news/science/2018-07-06/data-breach-fatigue-ticketmaster-ticketfly-linkedin/9943720Author: ABC NewsDate: 05 July 2018 Dr Chen and his team used sentiment-analysis tools to track the emotional content of 18,764 tweets containing the hashtag #OPMHack. After events associated with the hack — from the initial breach announcement to the OPM director’s resignation — they saw a large drop-off in reaction. In other words, Dr Chen said, “we can see that the public is gradually losing interest in reacting to this news”. Here are this week’s noteworthy security bulletins (in no particular order): 1. ESB-2018.1949 – [Win][Linux] Drupal Universally Unique IDentifier: Create arbitrary files – Existing accounthttps://portal.auscert.org.au/bulletins/64782 A major Drupal module had an arbitrary file upload vulnerability. 2. ESB-2018.1952 – [Debian] dokuwiki: Execute arbitrary code/commands – Remote with user interactionhttps://portal.auscert.org.au/bulletins/64794 Reflected file download vulnerability in DokuWiki allowed execution of arbitrary code. 3. ASB-2018.0145 – [Android] Google Android devices: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/64650 Android’s July patch release fixed several critical bugs. 4. ESB-2018.1931 – [RedHat] python: Access confidential data – Remote/unauthenticatedhttps://portal.auscert.org.au/bulletins/64706 Python2.7 disables the insecure 3DES cypher suites by default.   Stay safe, stay patched and have a good weekend,AUSCERT

AUSCERT Week in Review for 29th June 2018 AUSCERT Week in Review29 June 2018 Greetings, Business Email Compromise (BEC) has been in the news this week, with a flurry of incidents and investigations. Do you have two-factor authentication enabled on your Outlook accounts? It’s the single easiest way to foil these attacks. Privacy and consent haven’t been solved yet, but the revelation that the HealthEngine booking system was selling personal health data to ambulance-chasers has made waves this week. The Drupalgeddon v3 vulnerability is still being exploited by cryptocurrency miners. If you haven’t patched yet, please make it a priority. Of the data breaches around the world, three caught our eye: Adidas, Exactis (a marketing and aggregation firm) and Ticketmaster. Exactis in particular may have exceeded the infamous Equifax breach in scope. In the news this week: MasterChef finalist caught in conveyancing hacker attackhttps://www.brisbanetimes.com.au/business/companies/masterchef-finalist-caught-in-conveyancing-hacker-attack-20180622-p4zn4o.html Date:    22 June 2018Author: Simon Johanson A former Masterchef contestant and her family are homeless after hackers stole $250,000 from their home sale. MasterChef finalist Dani Venn woke to a housing nightmare on Monday when it was confirmed $250,000 from the settlement of her semi-rural property on the outskirts of Melbourne was stolen after her conveyancer’s account was hacked. Two people charged over alleged email scamhttp://www.police.nsw.gov.au/news/news_article?sq_content_src=%2BdXJsPWh0dHBzJTNBJTJGJTJGZWJpenByZC5wb2xpY2UubnN3Lmdvdi5hdSUyRm1lZGlhJTJGNzEyNDQuaHRtbCZhbGw9MQ Date:    28 June 2018Author: NSW Police A man and woman will face court next month after being charged over alleged email scams netting more than $70,000. Detectives from the State Crime Command’s Cybercrime Squad established Strike Force Cabernet to investigate organised criminal groups committing large scale business email compromises. Medical appointment booking app HealthEngine sharing clients’ personal information with lawyershttp://www.abc.net.au/news/2018-06-25/healthengine-sharing-patients-information-with-lawyers/9894114 Date:    26 June 2018 Author: ABC News Health Minister Greg Hunt has ordered an “urgent review” of Australia’s biggest online doctor appointment booking service, HealthEngine. The ABC earlier reported that the HealthEngine app has funnelled hundreds of users’ private medical information to law firms seeking clients for personal injury claims. Hackers Exploit Drupal Flaw for Monero Mininghttps://www.securityweek.com/hackers-exploit-drupal-flaw-monero-miningAuthor: Ionut Arghire Date:    22 June 2018 Tracked as CVE-2018-7602 and considered a highly critical issue that could result in remote code execution, the vulnerability impacts Drupal’s versions 7 and 8 and was addressed in April this year. Last month, hackers were observed targeting both security vulnerabilities to deliver a variety of threats, including cryptocurrency miners, remote administration tools (RATs) and tech support scams. Trend Micro now says they noticed network attacks exploiting CVE-2018-7602 to turn affected systems into Monero-mining bots. As part of the observed incidents, the exploit fetches a shell script that retrieves an Executable and Linkable Format-based (ELF) downloader. Articles about the most significant data breaches: Equifax: https://www.cnet.com/news/exactis-340-million-people-may-have-been-exposed-in-bigger-breach-than-equifax/Adidas: https://www.bloomberg.com/news/articles/2018-06-28/adidas-says-millions-of-u-s-customers-being-alerted-of-breachTicketmaster: https://security.ticketmaster.com.au Here are this week’s noteworthy security bulletins (in no particular order): 1. ASB-2018.0138 – [Win][UNIX/Linux][Mobile] Mozilla Firefox: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/64390 Memory corruption leading to probable remote code execution, cross-site request forgery, crashes and a sandbox escape. 2. ESB-2018.1854 – [Win][UNIX/Linux] Jenkins plugins: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/64390 Major plugins for Jenkins were subject to a mixed bag of vulnerabilities: cross-site request forgery, storage of credentials in plaintext, unauthorised config viewing, zip file directory traversal, etc. 3. ESB-2018.1865 – [RedHat] ansible: Access privileged data – Existing accounthttps://portal.auscert.org.au/bulletins/64430 Credentials were logged in cleartext. 4. ESB-2018.1874 – [RedHat] Red Hat Virtualization Manager: Access confidential data – Existing accounthttps://portal.auscert.org.au/bulletins/64466 More cleartext credential logging. 5. ESB-2018.1891 – [Appliance] F5 products: Denial of service – Existing accounthttps://portal.auscert.org.au/bulletins/64538 Linux kernel bug dating back to 2012 allowed authenticated (local) users to deny service.   Stay safe, stay protected and have a good weekend,David and the team at AUSCERT

AUSCERT Week in Review for 22nd June 2018 AUSCERT Week in Review22 June 2018 Greetings, As Friday 22nd June comes to a close, I’d like to bring your attention to an old read from 1996, but a good read titled “Smashing The Stack For Fun And Profit” [1].  Why bring to light this 1996 classic? Well, because it highlights that it is hard to wipe out a class of vulnerability.  Even, 22 years on, and a whole lot of smart people at the problem, with today’s automatic code checking, and secure coding frameworks, classes of vulnerabilities still get through to production.  Also, the time between a fix being available and news of it can be weeks. For example, Firefox was out with a release on the 6th June with [mfsa2018-14] and it seem to only make general news this week on Monday 18th June.  Surely nothing bad could really happen in a couple of weeks.Yes, incidents will happen and a function in an organisation that has its fingers on the pulse of these incidents, that can analyse the depth of the impact can be a worthwhile investment in cyber security.Incidents could be just a wake-up call, with port 8000 being suddenly and unusually requested “en masse”.  Could that function be able to find the relationship of those port requests with the “XiongMai uc-httpd 1.0.0 Buffer Overflow Exploit” and then check if it reached any exposed IoT in the organisation, with the vulnerable code.Sounds simple but the difficulty is in the detail. Just drop the words “Vulnerability Management” around the work place and look for the reaction.  Perhaps, you only need to fine tune your VM SOPs by adding a task of digesting some industry news and perhaps some advisories of the week.  Enjoy.   Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: ——- Title:  Google Developer Discovers a Critical Bug in Modern Web BrowsersURL:  https://thehackernews.com/2018/06/browser-cross-origin-vulnerability.htmlDate:  20th June 2018 Author: Mohit Kumar Excerpt:“Discovered by Jake Archibald, developer advocate for Google Chrome, the vulnerability resides in the way browsers handle cross-origin requests to video and audio files, which if exploited, could allow remote attackers to even read the content of your Gmail or private Facebook messages.” ——- Title:  Botnets never Die, Satori REFUSES to Fade AwayURL:    http://blog.netlab.360.com/botnets-never-die-satori-refuses-to-fade-away-en/Date:   15th June 2018Author: NetLab Excerpt:“Two days ago, on 2018-06-14, we noticed that an updated Satori botnet began to perform network wide scan looking for uc-httpd 1.0.0 devices. Most likely for the vulnerability of XiongMai uc-httpd 1.0.0 “ ——- Title:  Apple macOS Bug Reveals Cache of Sensitive Data from Encrypted DrivesURL:    https://thehackernews.com/2018/06/apple-macos-quicklook.htmlDate:   18th June 2018Author: Swati Khandelwal Excerpt:“Security researchers are warning of almost a decade old issue with one of the Apple’s macOS feature which was designed for users’ convenience but is potentially exposing the contents of files stored on password-protected encrypted drives.” ——- Title:  SamSam ransomware: controlled distribution for an elusive malware URL:    https://blog.malwarebytes.com/threat-analysis/2018/06/samsam-ransomware-controlled-distribution/Date:   19th June 2018Author: Malwarebytes Labs Excerpt:“SamSam ransomware has been involved in some high profile attacks recently, and remains a somewhat elusive malware. In its time being active, SamSam has gone through a slight evolution, adding more features and alterations into the mix. These changes do not necessarily make the ransomware more dangerous, but they are added to make it just a bit more tricky to detect or track as it is constantly changing.” ——- Title:  All That Port 8000 Traffic This Week! Yeah, That’s Satori Looking for New BotsURL:    https://www.bleepingcomputer.com/news/security/all-that-port-8000-traffic-this-week-yeah-thats-satori-looking-for-new-bots/Date:   15th June 2018Author: Catalin Cimpanu Excerpt:“The PoC code was for a buffer overflow vulnerability (CVE-2018-10088) in XionMai uc-httpd 1.0.0, a lightweight web server package often found embedded inside the firmware of routers and IoT equipment sold by some Chinese vendors.The exploit allows an attacker to send a malformed package via ports 80 or 8000 and execute code on the device, effectively taking it over.” ——- Title:  Firefox fixes critical buffer overflowURL:    https://nakedsecurity.sophos.com/2018/06/18/firefox-fixes-critical-buffer-overflow/Date:   18th June 2018Author: Maria Varmazis Excerpt:“Earlier this month Mozilla announced a security advisory (MFSA2018-14) for its Firefox browser, noting that version 60.0.2 of both Firefox and Firefox Extended Support Release (ESR) as well as the legacy ESR (ESR 52.8.1) now have a fix for a critical-level buffer overflow vulnerability.” ——- Title:  Google’s Newest Feature: Find My HomeURL:    https://www.tripwire.com/state-of-security/vert/googles-newest-feature-find-my-home/#.WyfDEMLoy-g.twitterDate:   18th June 2018Author: Craig Young Excerpt:“Despite all of these efforts to thwart unwanted online tracking, it turns out that our connected gadgets may not only uniquely identify us but, in some cases, they can reveal precise physical locations. In this blog post, I will reveal a new attack against Google Home and Chromecast devices that does exactly that.” ——- Here are this week’s noteworthy security bulletins (in no particular order): 1.    ESB-2018.1810 – ALERT [Cisco] Cisco NX-OS: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/64198CVE-2018-0313 A successful exploit could allow the attacker to execute arbitrary commands with root privileges. 2.    ESB-2018.1809 – ALERT [Cisco] Cisco FXOS and Cisco NX-OS: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/64194CVE-2018-0304 …which could allow the attacker to read sensitive memory content, create a DoS condition, or execute arbitrary code as root. 3.    ESB-2018.1836 – [Win][Linux][IBM i][HP-UX][Solaris][AIX] IBM WebSphere Application Server: Multiple vulnerabilities    https://portal.auscert.org.au/bulletins/64302CVE-2014-0114 …to manipulate the ClassLoader and execute arbitrary code on the system. 4.    ESB-2018.1834 – [Win][UNIX/Linux] phpMyAdmin: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/64294CVE-2018-12581 …attacker can specify any host he/she is already in control of, and execute arbitrary code on phpMyAdmin. 5.    ESB-2018.1829 – [Win] Delta Industrial Automation COMMGR: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/64274CVE-2018-10594 This may allow remote code execution, cause the application to crash, or result in a denial-of-service condition in the application server. Wishing you the best from AUSCERT and hope to see you safe next week,Geoffroy P.S. Just as an exercise, of the bulletins AUSCERT processed this week, it may be instructive to count how many of them hints at the 1996 technique.

Malicious emails via WeTransfer AUSCERT has seen direct evidence of malicious emails being sent via WeTransfer, as part of an ongoing campaign affecting Australian organisations. We have summarised our findings and provided advice, which can be found at the end of this post. WeTransfer is a legitimate file-hosting service with a simple business model: users can upload a file, enter a recipient email address, and enter a sender email address. The uploaded file will be sent to the recipient with an explanatory email template, and the sender will also receive an email receipt. However, WeTransfer perform minimal validation on email addresses provided by users, which is a major security hole. By default, users may enter any sender address. The WeTransfer FAQ makes it clear that they allow address spoofing on purpose: “Our ease of use is a core value, that’s why we allow our users to enter any email address they want. This sometimes has the effect you are experiencing, where someone else uses your email address. Most likely even by mistake!” An attacker can enter something like the following: This will send a legitimate-looking file transfer email to both parties, using WeTransfer’s branding and legitimate email headers.     This means that WeTransfer is allowing targeted phishing and malspam emails to be delivered, based on the strength of their own brand. This vulnerability, and others, have been known for months.    When AUSCERT contacted WeTransfer to report this security hole, we received a response, the gist of which was: They’ve blocked the sender and their IP address. They’ve removed the malicious file, so nobody can download it. They consider this kind of abuse a “very rare effect”. They have a “new email verification feature”. Fill out a form and they’ll send a verification token to your email address every time it is used as a sender. They can block a specific email address so it cannot be used to send spam.   This is inadequate, for the following reasons: Verification of the sender should be default, not opt-in. IP address blacklists provide minimal security. It is not the responsibility of an organisation or individual to disallow third-party services from spoofing them.   AUSCERT recommends: All emails sent from WeTransfer should be treated as suspicious. Until mail blacklists begin to block WeTransfer’s emails automatically, flag suspicious emails as junk. Mail administrators should consider looking for recent WeTransfer emails and following up with users. Malicious emails are sent from noreply@wetransfer.com.

AUSCERT Week in Review for 15th June 2018 Greetings, This week demonstrated AI’s potential to assist humanity, as it came out from this month’s Microsoft Patch Tuesday that Cortana would helpfully execute code for you even when the system was locked. All that was required was for the executable to have been indexed, and Cortana was more than happy to run it for you with elevated privileges. The 3rd wave of speculative execution side-channels is upon us, dubbed “LazyFP”, but luckily is not quite as ubiquitous as its predecessors. Patches for some distributions have been released, so please make sure you’re up to date if a fix is available. The EU has passed a motion that would see it phasing out the use of the AV vendor Kaspersky’s products in its institutions. They join the list of governing bodies worried about the company’s susceptibility to Russian influence. For its part, Kaspersky have been an active contributor to several anti-cyber crime initiatives, and have been a frequent collaborator with Interpol. The company has suspended any further collaboration in response. Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Meltdown-Like ‘LazyFP’ Vulnerability Impacts Intel CPUsPublished: 14 Jun 2018https://www.securityweek.com/meltdown-lazyfp-vulnerability-impacts-intel-cpus Author: Eduard KovacsExcerpt: “Intel and software vendors have started informing users about a new vulnerability involving side channel speculative execution that could be exploited by malicious actors to obtain sensitive information from the targeted system. Dubbed LazyFP, the security hole is related to the floating point unit (FPU), also known as the math coprocessor. The FPU is used by the operating system when switching between processes – it saves the state of the current process and restores the state of the new process.” —— Locked Win10 PCs can leak sensitive data via CortanaPublished: 14 Jun 2018https://www.itnews.com.au/news/locked-win10-pcs-can-leak-sensitive-data-via-cortana-493692 Author: Juha SaarinenExcerpt: “Researchers from security vendor McAfee have demonstrated a way to use Microsoft’s personal digital assistant Cortana as an attack vector to get into locked Windows 10 PCs.” —— Citation needed: Europe claims Kaspersky wares ‘confirmed as malicious’Published: 13 Jun 2018https://www.theregister.co.uk/2018/06/13/eu_kaspersky_cyber_defence_motion/ Author: Richard SpeedExcerpt: “The wide-ranging non-binding motion is primarily concerned with cyber defence, stating that “the EU and the Member States face an unprecedented threat in the form of politically motivated, state-sponsored cyber attacks”.” —— Here are this week’s noteworthy security bulletins: 1) ESB-2018.1770 – [Linux][RedHat] kernel: Access privileged data – Existing accounthttps://portal.auscert.org.au/bulletins/64030 Red Hat has released patches for the new LazyFP side-channel vulnerability. 2) ESB-2018.1756 – [Win][UNIX/Linux] BIND: Denial of service – Remote/unauthenticatedhttps://portal.auscert.org.au/bulletins/63966 A regression in how BIND handles its configuration could allow recursive queries where they should be denied. This would allow the server to be used for reflective DoS attacks. 3) ESB-2018.1758 – [Win][UNIX/Linux] OpenSSL: Denial of service – Remote with user interactionhttps://portal.auscert.org.au/bulletins/63974 During handshake negotiation, a malicious server could send a large prime to the client, which would leave it scratching its head trying to generate a key and cause a DoS. 4) ESB-2018.1739 – [Win][UNIX/Linux][Debian] perl: Modify arbitrary files – Remote with user interactionhttps://portal.auscert.org.au/bulletins/63874 The Tar archiving module in perl would happily traverse the filesystem as it pleased while extracting, allowing archives to contain such files as ../etc/passwd ../../etc/passwd etc. Stay safe, stay patched and have a good weekend! Tim