Week in review

AUSCERT Week in Review for 8th June 2018

AUSCERT Week in Review for 8th June 2018 Greetings, AUSCERT is back to business as usual after the conference, and so is the security ecosystem. This week delivered the usual suspects in vulnerability reporting – a Flash 0day, updates for both Firefox and Chrome, an Android update, and a slew of Cisco updates. PageUp (a HR SaaS provider) has reported a breach of its systems, likely the largest in scope reported under the new mandatory breach notification laws. The company has as clients various Australian government departments, large Australian businesses across multiple sectors, and parts of the education sector. Clients such as Wesfarmers (Coles, Target, Kmart, amongst others), the Australian Red Cross, and Medibank have made statements that they have suspended access to the service pending further updates and assurances. Since the system is customisable, the data potentially exposed may vary by client. Australia Post has stated that it requested TFNs, bank and superannuation details, and driver licence numbers from successful candidates via the service. Though passwords were salted and hashed, users are recommended to change their passwords. No matter how heat-death-of-the-universe-scale your hashing algorithm’s time complexity is, it’s no match for “Password123”. Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Malware hits HR software firm PageUp with possible data compromisehttps://www.zdnet.com/article/malware-hits-hr-software-firm-pageup-with-possible-data-compromise/ Author: Asha McLeanExcerpt: “Australia-based human resources firm PageUp has confirmed it found “unusual” activity on its IT infrastructure last month, which has resulted in the potential compromise of client data.” —— ATO becomes ASD Top 4 complianthttps://www.itnews.com.au/news/ato-becomes-asd-top-4-compliant-492588 Author: Justin HendryExcerpt: “The department reached full compliance with the Australian Signal’s Directorate’s (ASD) ‘top four strategies to mitigate cyber security incidents’ in November last year, after failing a cyber resilience audit only months earlier.” —— Aussie cyber security spend surged last yearhttps://www.arnnet.com.au/article/641899/aussie-security-spend-surged-last-year/ Author: Samira SarrafExcerpt: “A new report by Australia’s Cyber Emergency Response Team (AUSCERT) showed that 58 per cent of organisations in Australia and New Zealand surveyed increased their security spend in 2017 – with respondents’ figures representing a 35 per cent year-on-year increase in security investment.” —— Adobe Patches Zero-Day Flash Flawhttps://krebsonsecurity.com/tag/cve-2018-5002/ Author: Brian KrebsExcerpt: “Adobe has released an emergency update to address a critical security hole in its Flash Player browser plugin that is being actively exploited to deploy malicious software. If you’ve got Flash installed – and if you’re using Google Chrome or a recent version of Microsoft Windows you do – it’s time once again to make sure your copy of Flash is either patched, hobbled or removed.” —— Here are this week’s noteworthy security bulletins: 1) ESB-2018.1706 – ALERT [Win][Linux][Mac] Adobe Flash Player: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/63742 Another week, another Flash 0day. 2) ASB-2018.0126 – [Win][UNIX/Linux] Google Chrome: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/63714 Google has patched an issue in Chrome where the CSP header was handled incorrectly. No technical details yet, but always keep your browser up to date. 3) ESB-2018.1664 – [Debian] Debian 7: Reduced security – Unknown/unspecifiedhttps://portal.auscert.org.au/bulletins/63558 It had a good run, but Debian 7 has reached End of Life. Jessie and Stretch are eagerly awaiting your upgrade. 4) ESB-2018.1702 – [Cisco] Multiple Cisco Products: Denial of service – Remote/unauthenticatedhttps://portal.auscert.org.au/bulletins/63722 Turns out more than a few Cisco products have unbounded log file sizes which can be exploited to DoS the products by consuming all available disk space. Stay safe, stay patched and have a good weekend! Tim

Learn more

Week in review

AUSCERT Week in Review for 1st June 2018

AUSCERT Week in Review for 1st June 2018 Greetings, This slightly belated Week in Review comes on the heels of a big week in the form of the AUSCERT2018 conference! It was that time once again for us to all come together and put names to faces, see some great talks, and hopefully learn some new skills. Big thank-you to everyone who was able to come and join us, but worry not for those who couldn’t, because planning for AUSCERT2019 has already begun! Just remember not to connect to any unsecured WiFi. Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: AUSCERT and the Award for Information Security ExcellenceDate Published: 01 June 2018https://www.troyhunt.com/auscert-and-the-award-for-information-security-excellence/Author: Troy HuntExcerpt: “Yes, that guy is wearing a cape, it was a Star Wars thing.” —– AUSCERT 2018 – AwardsDate Published: 01 June 2018https://www.cso.com.au/article/641857/auscert-2018-awards/Author: Anthony CaruanaExcerpt: “AUSCERT’s annual awards, sponsored by the SANS Institute, night kicked off in spectacular fashion with fire-breathing commedian/musician Brian Brushwood carrying out his own version of a penetration test when he hammered a nail into his head through is nasal cavity.” —– Python May Let Security Tools See What Operations the Runtime Is PerformingDate Published: 28 May 2018https://www.bleepingcomputer.com/news/security/python-may-let-security-tools-see-what-operations-the-runtime-is-performing/Author: Catalin CimpanuExcerpt: “A new feature proposal for the Python programming language wants to add “transparency” to the runtime and let security and auditing tools view when Python may be running potentially dangerous operations.” —– Ghostery Tries to Comply With GDPR, but Ends Up Violating GDPR in the ProcessDate Published: 28 May 2018https://www.bleepingcomputer.com/news/technology/ghostery-tries-to-comply-with-gdpr-but-ends-up-violating-gdpr-in-the-process/Author: Catalin CimpanuExcerpt: “The company behind Ghostery, a privacy-focused browser and an ad-blocking browser extension, has apologized for a technical error that occurred last Friday when its staff was sending out GDPR-themed notification emails.” —– Here are this week’s noteworthy security bulletins: 1) ASB-2018.0123 – ASB-2018.0123 – [Win][Linux][Mac] Google Chrome: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/63394 Another release of Chrome patches the usual culprits – RCE, XSS, DoS. 2) ESB-2018.1647 – [Linux][RedHat] xmlrpc3: Execute arbitrary code/commands – Remote/unauthenticatedhttps://portal.auscert.org.au/bulletins/63490 Deserialisation leading to RCE. 3) ESB-2018.1626 – [Ubuntu] apport: Root compromise – Existing accounthttps://portal.auscert.org.au/bulletins/63406 Ubuntu’s crash reporting utility could lead to privilege escalation if expectedfiles were missing from /proc Code poorly and you might end up as root! 4) ESB-2018.1625 – [RedHat] Red Hat Enterprise Linux 7.3https://portal.auscert.org.au/bulletins/63402 RHEL 7.3 Extended Update Support is rapidly approaching end of life, and supportwill cease November 30, 2018. 5) ESB-2018.1619 – [Linux] VMware Horizon Client: Root compromise – Existing account SUID strikes again, in the form of a root compromise for Linux hosts with theVMWare Horizon Client installed. Stay safe, stay patched and have a good weekend! Tim

Learn more

Week in review

AUSCERT Week in Review for 25th May 2018

AUSCERT Week in Review for 25th May 2018 AUSCERT Week in Review25 May 2018 Greetings, Happy GDPR compliance deadline day!  I’m sure you’ve been receiving many privacy policy update emails this week.  Also this week we saw CVE-2018-3639 and CVE-2018-3640 announced, aka Spectre and Meltdown variants 3A and 4.  While they are hardware-level vulnerabilities which affect various processors from AMD, ARM, IBM POWER8, and  POWER9, and Intel, it’s still important to apply the latest microcode updates and software patches. With Microsoft’s $250,000 bounty, and more researchers looking at speculative execution vulnerabilities, it will be interesting to see how many more are discovered this year. AUSCERT has generated a new PGP/GPG Key to use for signing and receiving encrypted data, and this key comes into effect today. For more details: https://wordpress-admin.auscert.org.au/render.html?it=1967 Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Alert (TA18-141A) Side-Channel Vulnerability Variants 3a and 4Date Published: 21 May 2018https://www.us-cert.gov/ncas/alerts/TA18-141AAuthor: US-CERTExcerpt: “On May 21, 2018, new variants of the side-channel central processing unit (CPU) hardware vulnerabilities known as Spectre and Meltdown were publicly disclosed. These variants–known as 3A and 4–can allow an attacker to obtain access to sensitive information on affected systems.” —– Server? What server? Site forgotten for 12 years attracts hacks, finesDate Published:  22 May 2018https://nakedsecurity.sophos.com/2018/05/22/server-what-server-site-forgotten-for-12-years-attracts-hacks-fines/Author: John E DunnExcerpt: “A web server set up by an enterprising student for a conference in 2004 and then forgotten about has left the University of Greenwich nursing a ?120,000 ($160,000) fine from Britain’s Information Commissioner (ICO).” —– Here’s Amazon’s explanation for the Alexa eavesdropping scandalDate Published:  24 May 2018https://www.recode.net/2018/5/24/17391480/amazon-alexa-woman-secret-recording-echo-explanationAuthor: Jason Del ReyExcerpt:  “Asked for more details, Amazon provided Recode with the following explanation: “Echo woke up due to a word in background conversation sounding like “Alexa.” Then, the subsequent conversation was heard as a “send message” request. At which point, Alexa said out loud “To whom?” At which point, the background conversation was interpreted as a name in the customers contact list. Alexa then asked out loud, “[contact name], right?” Alexa then interpreted background conversation as “right”. As unlikely as this string of events is, we are evaluating options to make this case even less likely.” —– Chrome to remove ‘secure’ and padlock icon for HTTPSDate Published: 18 May 2018https://www.itnews.com.au/news/chrome-to-remove-secure-and-padlock-icon-for-https-491217Author: Juha SaarinenExcerpt: “Google will treat Transport Layer Security encrypted pages as the default soon with no indications shown, and call out unencoded HTTP web content as unsafe.” —– ASADA latest to access smartphone-hacking tool raising fresh privacy concernsDate Published: 23 May 2018http://www.abc.net.au/news/science/2018-05-23/asada-access-cellebrite-smartphone-hacking-technology/9786106Author: Ariel BogleExcerpt: “Critics flagged concerns about potential misuse of the technology, after Fairfax Media reported in 2017 that Centrelink, the Australian Taxation Office and the Australian Securities and Investment Commission have also deployed it. The use of such tools typically requires a warrant.” —– Here are this week’s noteworthy security bulletins: 1) ASB-2018.0122 – [Win][UNIX/Linux] Joomla!: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/63206 An XSS vulnerability has been identified in Joomla! in versions prior through 3.8.7 2) ASB-2018.0121 – ALERT [Win][UNIX/Linux][Virtual][Mobile] CPU Microcode: Access privileged data – Existing accounthttps://portal.auscert.org.au/bulletins/63066 Two new speculative execution side-channel vulnerabilities announced. 3) ESB-2018.1547 – [Win][UNIX/Linux] Zookeeper: Provide misleading information – Remote/unauthenticatedhttps://portal.auscert.org.au/bulletins/63082 No authentication/authorization is enforced when a server attempts to join a quorum. As a result an arbitrary end point could join the cluster and begin propagating counterfeit changes to the leader. 4) ESB-2018.1543 – [Debian] Debian 8: Deprecationhttps://portal.auscert.org.au/bulletins/63062 This is an advance notice that regular security support for Debian GNU/Linux 8 (code name “jessie”) will be terminated on the 17th of June. 5) ASB-2018.0119 – [Win][UNIX/Linux] Mozilla Thunderbird: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/63034 Multiple security vulnerabilities have been identified in Mozilla Thunderbird prior to version 52.8. Stay safe, stay patched and have a good weekend! Charelle

Learn more

Week in review

AUSCERT Week in Review for 18th May 2018

AUSCERT Week in Review for 18th May 2018 Greetings, We’ve seen a spate of bulletins this week following Twitter’s revelation that they were accidentally logging some passwords in clear-text, indicating that some products have also exposed sensitive data. NSW Family Planning has suffered a ransomware attack, leading to concerns that personal data may have been exposed. In other news, the AUSCERT 2018 conference is almost upon us!We look forward to seeing some of you there from Tuesday the 29th of May. In the news this week: ——————————————————————————– Family Planning NSW ransomware attack sees personal information of 8000 people at risk URL: https://www.healthcareit.com.au/article/family-planning-nsw-ransomware-attack-sees-personal-information-8000-people-risk-0 Author: Lynne Minion Excerpt: A ransomware attack on Family Planning NSW two weeks ago has potentially exposed the personal information of up to 8000 people, including women who sought information on abortions and contraception, but the reproductive and sexual health organisation claims medical records were never under threat. … In the attack on ANZAC Day, the hackers demanded a $15,000 ransom be paid in bitcoin. ——————————————————————————– Shadowy Hackers Accidentally Reveal Two Zero-Days to Security Researchers Date published: 15-05-2018 URL: https://www.bleepingcomputer.com/news/security/shadowy-hackers-accidentally-reveal-two-zero-days-to-security-researchers/ Author: Catalin Cimpanu Excerpt: An unidentified hacker group appears to have accidentally exposed two fully-working zero-days when they’ve uploaded a weaponized PDF file to a public malware scanning engine. The zero-days were spotted by security researchers from Slovak antivirus vendor ESET, who reported the issues to Adobe and Microsoft, which in turn, had them patched within two months. [These vulnerabilities have been patched in the last week.] ——————————————————————————– ‘Efail’ vulnerability lies in apps, not PGP and GnuPG Date published: 15-05-2018 Author: Juha Saarinen URL: https://www.itnews.com.au/news/efail-vulnerability-lies-in-apps-not-pgp-and-gnupg-490961 Excerpt: A security scare said to affect the popular Pretty Good Privacy (PGP) and Gnu Privacy Guard (GnuPG) protocols used to encrypt email messages is in fact caused by bugs in older mail apps. The issue arose after researchers from three German universities claimed to have devised an attack the called Efail, which they said would allow the decryption of current and past emails scrambled with PGP or GnuPG and exfiltration of the decoded content. But maintainers of the open source GnuPG set of encryption tools quickly issued a statement on Efail, pointing out that the issue affects older email applications and not the protocol itself. ——————————————————————————– WordPress releases GDPR features URL: https://wordpress.org/news/2018/05/wordpress-4-9-6-privacy-and-maintenance-release/ Author: Allen Snook Excerpt: It’s important to understand that while the GDPR is a European regulation, its requirements apply to all sites and online businesses that collect, store, and process personal data about EU residents no matter where the business is located. … We’re committed to supporting site owners around the world in their work to comply with this important law. As part of that effort, we’ve added a number of new privacy features in this release. ——————————————————————————– And lastly, here are this week’s most noteworthy security bulletins: ESB-2018.1526 – [RedHat] sensu: Access privileged data – Existing account https://portal.auscert.org.au/bulletins/62978 Sensitive data, including passwords, was logged in clear-text. ——————————————————————————– ESB-2018.1468 – [Win][UNIX/Linux] IBM MQ Managed File Transfer: Access privileged data – Existing account https://portal.auscert.org.au/bulletins/62738 Passwords were logged in clear-text. ——————————————————————————– ESB-2018.1489 – [RedHat] ovirt-ansible-roles: Access privileged data – Existing account https://portal.auscert.org.au/bulletins/62822 Passwords were logged in clear-text. ——————————————————————————– ESB-2018.1506 – [Win][Mac] Adobe Acrobat & Reader: Multiple vulnerabilities https://portal.auscert.org.au/bulletins/62898 Multiple vulnerabilities when handling malicious PDF files could lead to execution of arbitrary code or data leakage. ——————————————————————————– ASB-2018.0106.2 – UPDATE [Win][Mac] Microsoft Office products: Multiple vulnerabilities https://portal.auscert.org.au/bulletins/62450 Multiple vulnerabilities in Microsoft Office when handling malicious files could lead to execution of arbitrary code. ——————————————————————————– ESB-2018.1419 – [Win][Linux][Mac] Adobe Flash Player: Execute arbitrary code/commands – Remote with user interaction https://portal.auscert.org.au/bulletins/62514 Flash also executes arbitrary code. ——————————————————————————– Stay safe, stay patched and have a great weekend.David

Learn more

Week in review

AUSCERT Week in Review for 11th May 2018

AUSCERT Week in Review for 11th May 2018 Greetings, Another week, another drink from the firehose of information security. Microsoft’s patch Tuesday was largely uneventful, but Chrome, Firefox and Safari have all received significant security updates. DLA Piper have published some discussion of the major NotPetya ransomware attack they endured. The AUSCERT conference is in three weeks – we look forward to seeing some of you there! This week in cybersecurity: ——————————————————————————- DLA Piper paid 15,000 hours of IT overtime after NotPetya attackhttps://www.itnews.com.au/news/dla-piper-paid-15000-hours-of-it-overtime-after-notpetya-attack-490495Date: May 8 2018Author: Ry Crozier Excerpt: Law firm DLA Piper has revealed its IT team put in 15,000 hours of paid overtime to recover from the NotPetya malware infection. The company was also forced to wipe its entire Windows environment and “start afresh” after the first two weeks showed nothing in the existing environment was “salvageable”. ——————————————————————————- Misinterpretation of Intel docs is the root cause for the CVE-2018-8897 flaw in Hypervisors and OSshttps://securityaffairs.co/wordpress/72323/hacking/cve-2018-8897-misinterpretation-intel-docs.htmlDate: May 10 2018Author: Pierluigi Paganini Excerpt: The CERT/CC published a security advisory to warn of the CVE-2018-8897 flaw that impact the Linux kernel and software developed by major tech firms including Apple, the DragonFly BSD Project, Red Hat, the FreeBSD Project, Microsoft, SUSE Linux, Canonical, VMware, and the Xen Project (CERT/CC published the complete list of companies whose products may be impacted). … Experts explained that in the case of Linux, the flaw can trigger a denial-of-service (DoS) condition or cause the crash of the kernel. According to Microsoft, an attacker can exploit the security flaw on Windows for privilege escalation. ——————————————————————————- baseStriker: Office 365 attack https://www.avanan.com/resources/basestriker-vulnerability-office-365Date: May 8 2018Author: Yoav Nathaniel Excerpt: In this example, Office 365 only performs the lookup on the base domain, ignoring the relative URL in the rest of the body. Because only part of the URL is tested, it mistakenly appears to not exist in the malicious URL database and the email is let through. Furthermore, Safelinks does not replace the malicious link, and the user get the original malicious link, can click it to get right to the phishing page.  ——————————————————————————- Drupal Sites Fall Victims to Cryptojacking Campaigns https://www.bleepingcomputer.com/news/security/drupal-sites-fall-victims-to-cryptojacking-campaigns/Date: May 8 2018Author: Catalin Cimpanu Excerpt: Their efforts and expectations were fully rewarded, as the two vulnerabilities —CVE-2018-7600 and CVE-2018-7602— left over one million websites vulnerable to hacks if they didn’t receive immediate updates. Some webmasters updated their sites, but many didn’t, and those websites quickly fell victims to backdoors and coinminers shortly after the publication of proof-of-concept attack code. ——————————————————————————- And lastly, here are this week’s most noteworthy security bulletins:   1. Adobe Flash Player update https://portal.auscert.org.au/bulletins/62514 Another remote code execution vulnerability if users run malicious content.   2. MOV/POP SS crash https://portal.auscert.org.au/bulletins/62466 A user running unprivileged code can crash the Linux kernel, and probably the Windows kernel, owing to a long-running misunderstanding of how certain CPU instructions work.   3. WebKit RCE from web content https://portal.auscert.org.au/bulletins/62398 WebKit and its Linux port WebKitGTK+ contained memory corruption bugs which could lead to remote code execution from a web browser.   4. Firefox vulnerabilities https://portal.auscert.org.au/bulletins/62570 Continuing the theme of RCEs from web browsers, more memory corruption issues were addressed in Firefox and Firefox Extended Support Release.   Stay safe, stay patched and have a good weekend. David

Learn more

Week in review

AUSCERT Week in Review for 4th May 2018

AUSCERT Week in Review for 4th May 2018 AUSCERT Week in Review04 May 2018 Greetings, Happy Friday all.Plenty of patches and some interesting security stories again this week. Here’s a summary (including excerpts) of some of the more interestingstories we’ve seen this week: Title: Twitter to All Users: Change Your Password Now!Date Published: 03-05-2018URL: https://krebsonsecurity.com/2018/05/twitter-to-all-users-change-your-password-now/Author: Brian KrebsExcerpt:“Twitter just asked all 300+ million users to reset their passwords, citingthe exposure of user passwords via a bug that stored passwords in plain text” —– Title: Somebody Tried to Hide a Backdoor in a Popular JavaScript npm PackageDate Published: 03-05-2018URL: https://www.bleepingcomputer.com/news/security/somebody-tried-to-hide-a-backdoor-in-a-popular-javascript-npm-package/Author: Catalin CimpanuExcerpt:“The Node Package Manager (npm) team avoided a disaster today when itdiscovered and blocked the distribution of a cleverly hidden backdoormechanism” —– Title: Australia’s Biggest Bank Loses 20 Million Customer RecordsDate Published: 03-05-2018URL: https://www.securityweek.com/australias-biggest-bank-loses-20-million-customer-recordsAuthor: AFPExcerpt:“Australia’s troubled Commonwealth Bank admitted Thursday it had lostfinancial records for almost 20 million customers in a major securityblunder — but insisted there was no need to worry.” —– Title: DDoS Attacks Go Down 60% Across Europe Following WebStresser’s TakedownDate Published: 02-05-2018URL: https://www.bleepingcomputer.com/news/security/ddos-attacks-go-down-60-percent-across-europe-following-webstressers-takedown/Author: Catalin CimpanuExcerpt:“Link11, a DDoS mitigation firm, says that DDoS attacks fell 60% acrossEurope following the takedown of WebStresser, the largest DDoS-for-hireportal on the market.” —– Title: Fancy Bear abuses LoJack security software in targeted attacksDate Published: 03-05-2018URL: https://securityaffairs.co/wordpress/72072/apt/fancy-bear-abuses-lojack.htmlAuthor: Pierluigi PaganiniExcerpt:“Recently, several LoJack agents were found to be connecting to serversthat are believed to be controlled by the notorious Russia-linked FancyBear APT group” —– Here are this week’s noteworthy security bulletins: 1) ESB-2018.1312 – ALERT [RedHat] Red Hat: Root compromise – Existing account https://portal.auscert.org.au/bulletins/62054 Red Hat released updates for Openshift Container Platforms versions 3.1,3.2 … 3.9 which had root compromise vulnerabilities.   2) ESB-2018.1381 – [Win] Philips Brilliance Computed Tomography (CT)System: Multiple vulnerabilities https://portal.auscert.org.au/bulletins/62326 From the ICS-CERT’s advisory: “Successful exploitation of thesevulnerabilities may allow an attacker to attain elevated privilegesand access unauthorized system resources, including access to executesoftware or to view/update files including patient health information(PHI), directories, or system configuration.”   3) ESB-2018.1294 – [Mac] Safari: Execute arbitrary code/commands – Remotewith user interaction https://portal.auscert.org.au/bulletins/61978 Vulnerabilities in Webkit affected Safari in various Apple products.   4) ESB-2018.1363 – [Win][UNIX/Linux][Debian] jackson-databind: Executearbitrary code/commands – Remote/unauthenticated https://portal.auscert.org.au/bulletins/62258 Jackson-databind is a widely used Java library for parsing JSON and othedata formats, so this issue could have ramifications on many products andoperating systems.   5) ESB-2018.1337 – [Linux] IBM QRadar SIEM: Multiple vulnerabilities https://portal.auscert.org.au/bulletins/62154 One of many IBM bulletins relating to Java vulnerabilities.   Stay safe, stay patched and have a good weekend! Marcus  

Learn more

Week in review

AUSCERT Week in Review for 27th April 2018

AUSCERT Week in Review for 27th April 2018 AUSCERT Week in Review27 April 2018 Greetings, We have reached the end of another week, so I hope that you can all havean enjoyable and relaxing weekend.As always, there were numerous security vulnerabilities reported andfixes released.Of particular note (especially to us in the Education sector) were thedrupal issues (https://www.drupal.org/sa-core-2018-004). Here’s a summary (including excerpts) of some of the more interestingstories we’ve seen this week: Title: Hackers Don’t Give Site Owners Time to Patch, Start Exploiting New Drupal Flaw Within HoursDate Published: 25/04/2018URL:  https://www.bleepingcomputer.com/news/security/hackers-dont-give-site-owners-time-to-patch-start-exploiting-new-drupal-flaw-within-hours/Author: Catalin CimpanuExcerpt: “Five hours after the Drupal team published a security updatefor the Drupal CMS, hackers have found a way to weaponize the patchedvulnerability, and are actively exploiting it in the wild.”—– Title: Australia joins NATO Cyber Defence CentreDate Published: 24/04/2018URL: https://www.itnews.com.au/news/australia-joins-nato-cyber-defence-centre-489536Author: Juha SaarinenExcerpt: “Australia will take part in the North Atlantic TreatyOrganisation’s cyber warfare centre in Tallinn, Estonia, in order to practicehow to defend critical infrastructure against attacks from hostile nations.”—– Title: Hotel, motel, Holiday Inn? Doesn’t matter – they may need toupdate their room key softwareDate Published: 25/04/2018URL: https://www.theregister.co.uk/2018/04/25/hotel_room_key_security_flaw/Author: Kat HallExcerpt: “Infosec outfit F-Secure has uncovered security vulnerabilitiesin hotel keycard systems that can be exploited by miscreants to break intorooms across the globe.”—– Title: Researchers Hacked Amazon’s Alexa to Spy On Users, AgainDate Published: 25/04/2018URL: https://threatpost.com/researchers-hacked-amazons-alexa-to-spy-on-users-again/131401/Author: Lindsey O’DonnellExcerpt: “A malicious proof-of-concept Amazon Echo Skill shows how attackerscan abuse the Alexa virtual assistant to eavesdrop on consumers with smartdevices – and automatically transcribe every word said.”—– Title: Ransomware Hits HPE iLO Remote Management InterfacesDate Published: 25/04/2018URL: https://www.bleepingcomputer.com/news/security/ransomware-hits-hpe-ilo-remote-management-interfaces/Author: Lawrence AbramsExcerpt: “Attackers are targeting Internet accessible HPE iLO 4 remotemanagement interfaces, supposedly encrypting the hard drives, and thendemanding Bitcoins to get access to the data again.”—– Here are this week’s noteworthy security bulletins: 1) ESB-2018.1279.2 – UPDATED ALERT [Win][UNIX/Linux] Drupal core: Executearbitrary code/commands – Existing accounthttps://portal.auscert.org.au/bulletins/61918 As expected, this vulnerability was being exploited in the wild withinhours of release so needed quick remediation. 2) ESB-2018.1285 – [Apple iOS] iOS: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/61942 Included some RCE vulnerabilities. 3) ESB-2018.1281 – [RedHat] kernel: Root compromise – Existing accounthttps://portal.auscert.org.au/bulletins/61922 Another linux kernel root compromise 4) ESB-2018.1257 – [RedHat] patch: Execute arbitrary code/commands –Remote with user interactionhttps://portal.auscert.org.au/bulletins/61830 “Malicious patch files cause ed to execute arbitrary commands” 5) ESB-2018.1252 – [RedHat] java-1.8.0-oracle: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/61810 There were also numerous fixes released for java 1.6, 1.7 and 1.8 inRHEL-based systems Stay safe, stay patched and have a good weekend! Marcus.  

Learn more

Week in review

AUSCERT Week in Review for 20th April 2018

AUSCERT Week in Review for 20th April 2018 Greetings,   Right off the back of Microsoft’s patch Tuesday and Red Hat’s RHEL 7.5 updates, this week we have Oracle’s quarterly Critical Patch Updates and a slew of Cisco Advisories and Alerts – phew!   Bonus: A short video from CrikeyCon 2018 (a community-run information security conference in Brisbane) https://www.youtube.com/watch?v=VeOM-FxXOzY Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Title: Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices Date Published: Mon, 16th April 2018 Author: US-CERT Excerpt: “Since 2015, the U.S. Government received information from multiple sources—including private and public sector cybersecurity research organizations and allies—that cyber actors are exploiting large numbers of enterprise-class and SOHO/residential routers and switches worldwide. The U.S. Government assesses that cyber actors supported by the Russian government carried out this worldwide campaign. These operations enable espionage and intellectual property theft that supports the Russian Federation’s national security and economic goals.” —– Title: Why is the kernel community replacing iptables with BPF? Date Published: Tue, 17th April 2018 Author: Thomas Graf Excerpt: “Facebook has presented exciting work on BPF/XDP based load-balancing to replace IPVS that also includes DDoS mitigation logic. While IPVS is a tempting next step compared to iptables, Facebook is already migrating away from IPVS to BPF after seeing roughly a 10x improvement in performance.” —– Title: FDA Wants Medical Devices to Have Mandatory Built-In Update Mechanisms Date Published: Thur, 19th April 2018 Author: Catalin Cimpanu Excerpt: “An FDA document released this week reveals several of the FDA’s plans, including the desire to force device makers to include mandatory update systems inside products for the purpose of delivering critical security patches.” “In addition, the FDA also plans to force device makers to create a document called “Software Bill of Materials” that will be provided for each medical device and will include software-related details for each product.” —–  Title: Microsoft Debuts Azure Sphere for IoT Security From Chip to Cloud Date Published: Mon, 16th April 2018Author: Rob Marvin Excerpt: “Smith said Microsoft is making the Azure Sphere Security Service compatible not only with Azure, but with other cloud infrastructure providers such as Amazon Web Services (AWS), Google Cloud, IBM, Oracle, and others. The company is doing this for the same reason it’s releasing a Linux-based OS: making sure billions of IoT devices are secure.” —–   Here are this week’s noteworthy security bulletins:   1) ESB-2018.1182 – [Appliance] Abbott Laboratories Defibrillator: Multiple vulnerabilities Abbott has produced firmware updates to help mitigate identified vulnerabilities in their eligible ICDs and CRT-Ds that utilize radio frequency (RF) communications. A third-party security research firm has verified the new firmware updates mitigate the identified vulnerabilities.   2) ESB-2018.1232 – [Win][UNIX/Linux] Drupal core: Cross-site scripting – Remote with user interaction   CKEditor, a third-party JavaScript library included in Drupal core, has fixed a cross-site scripting (XSS) vulnerability. 3) ESB-2018.1229 – [SUSE] Linux kernel: Multiple vulnerabilities The SUSE Linux Enterprise 12 SP3 Realtime kernel was updated to 4.4.120 to receive various security and bugfixes.   4) ASB-2018.0077 – [Win][UNIX/Linux] Oracle Database Server: Multiple vulnerabilities Difficult to exploit vulnerability allows low privileged attacker having Create Session, Create Procedure privilege with network access via multiple protocols to compromise Java VM.  While the vulnerability is in Java VM, attacks may significantly impact additional products. 5) ESB-2018.1142 – [Win][UNIX/Linux][BSD][Debian] perl: Execute arbitrary code/commands – Remote with user interaction GwanYeong Kim reported that ‘pack()’ could cause a heap buffer write overflow with a large item count. Stay safe, stay patched and have a good weekend!   Charelle.

Learn more

Week in review

AUSCERT Week in Review for 13th April 2018

AUSCERT Week in Review for 13th April 2018 Greetings, Happy Friday the 13th all! Well, Cisco’s Smart Install protocol vulnerability that potentially leads to Remote denial of service and code execution attacks, now has a publicly available exploit. So get fixing it! AUSCERT members exposed to this vulnerability will receive MSINs addressing the issue.  Microsoft had 5 security updates addressing it’s browsers, Windows OS and Office products. None had known publicly available exploits at the time. Then, there’s the lighter side of things, like PUBG ransomware (PUBG doesn’t stand for pub games unfortunately). It requires victims to play Player Unknown’s Battleground for 1 hour to decrypt it, but wait, there’s more! Read on. Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Title: Researchers discovered several flaws that expose electrical substations to hack Date Published: 12/04/2018 Author: Pierluigi Paganini, Security Affairs Excerpt: “By exploiting these vulnerabilities, an attacker is able to change the configuration of power-system protection relay which can lead to disruption of the power equipment protection function (and potentially to an accident) or customer curtailment.”   The most severe vulnerability (rated high severity), tracked as CVE-2018-4840 can be exploited by a remote and unauthenticated attacker to modify the device’s configuration and overwrite access passwords.   “The device engineering mechanism allows an unauthenticated remote user to upload a modified device configuration overwriting access authorization passwords. ” reads the security advisory published by Siemens.   The second flaw, tracked as CVE-2018-4839, is a medium severity issue that could be exploited by a local or network attacker to recover the access authorization password by intercepting network traffic or obtaining data from the targeted device. Once the attacker has obtained the password he can use it to gain complete access to a device.” —– Title: Health holds crown as the most breached sector in Australia Date Published: 11/04/2018 Author: Asha McLean, ZDNet Excerpt: “The Quarterly Statistics Report: January 2018-March 2018 revealed that health service providers accounted for 15 breaches; legal, accounting, and management services suffered 10; finance, including superannuation, reported eight breaches; education suffered six; and charities four.   The NDB scheme requires agencies and organisations in Australia that are covered by the Privacy Act 1988 to notify individuals whose personal information is involved in a data breach that is likely to result in “serious harm” as soon as practicable after becoming aware of a breach.   According to the OAIC report [PDF], 73 percent of eligible data breaches reported involved the personal information of less than 100 individuals, with just over half of the notifications involving the personal information of between one and nine individuals.” —– Title: Barracuda Threat Spotlight: New URL File Outbreak Could be a Ransomware Attempt Date Published: 10/04/2018 Author: Jonathan Tanner, Barracuda Excerpt: “Multiple downloaders, malicious apps that download further malicious apps to infected devices, have made it onto the Google Play Store. The downloaders are capable of downloading further apps that pose as system apps, some of which are capable of stealing Facebook login credentials. To do so, the malicious apps use social engineering tactics to trick victims into giving them up.” —– Title: PUBG Ransomware Decrypts Your Files If You Play PlayerUnknown’s Battlegrounds Date Published: 09/04/2018 Author: Lawrence Abrams, Bleeping Computer Excerpt: “Once a user plays the game and the process is detected, the ransomware will automatically decrypt the victim’s files.  This ransomware is not too advanced as it only looks for the process name and does not check for other information to confirm that the game is actually being played. That means you can simply run any executable called TslGame.exe and it will decrypt the files. This is not the first time a joke ransomware has been created that requires you to play a game before files will be encrypted. In 2017, MalwareHunterTeam also found RensenWare, which required you to play the TH12 Game and score .2 billion points in order to get recover your files.” —- Title: Major uptick in mobile phishing URL click rate Date Published: 10/04/2018 Author: HelpNet Security Excerpt: “Phishing attacks are particularly effective on mobile devices because hidden email headers and URLs make it easy to spoof email addresses and websites while new vectors, including SMS and messaging apps, enable attackers to make their campaigns personal. “It’s critical for enterprises to realize that when it comes to mobile devices, email is not the only phishing attack vector,” said Cockerill. “Attackers now take advantage of SMS, as well as some of today’s most popular and highly used social media apps and messaging platforms, such as WhatsApp, Facebook Messenger, and Instagram, as a means of phishing. Security professionals who overlook these new routes of attack put their organizations at risk.”” Here are this week’s noteworthy security bulletins: 1) ESB-2018.1122 – [Cisco] Cisco IOS and IOS XE: Multiple vulnerabilities Leading the way is this advisory from Cisco addressing multiple vulnerabilities in its Smart Install Client and related protocol that can be exploited to result in Remote code execution or denial of service. An exploit is publicly available. Immediate patching is highly advised. 2) ESB-2018.1080 – [Win][Linux][OSX] Adobe Flash Player: Multiple vulnerabilities More code execution vulnerabilities fixed in Adobe Flash Player. 3) ASB-2018.0075.2 – UPDATE [Win] Microsoft Windows: Multiple vulnerabilities This update for Microsoft Windows addressed a number of vulnerabilities including a two-year old privilege escalation vulnerability that affects Windows 10 as well. Stay safe, stay patched, stay cool and have a good weekend! Nicholas

Learn more

Blogs

Russia, diplomacy and potential repercussions in Australian cyberspace

Russia, diplomacy and potential repercussions in Australian cyberspace Background We recently witnessed the “largest expulsion of Russian diplomats” by 27-odd countries in support of the UK, following the attempted murder of a Russian double agent on British soil. Russia in turn directed threats of retaliatory action to the countries involved, including Australia. Australia has signalled intent to boycott the World Cup, which will be held in Russia this year. With the Gold Coast Commonwealth Games on right now, that may be just be sufficient cause for Russian “cyber activists” to direct some nasty traffic our way.   Russia’s track record of using cyber attacks in support of its political agenda [1] 2007, Estonia. Large scale DDoS attack.            Triggered by planned relocation of a Russian World War 2 memorial. 2008, Lithuania. Government site defacements.            Triggered by the Lithuanian government banning display of Soviet symbols. 2008, Georgia. Internal communications shutdown.            Triggered by Georgia sending troops to reclaim a breakaway republic supported by Russia. This was followed by a Russian military invasion. 2009, Kygyzstan. DDoS against two ISPs.            Triggered by the need to exert pressure on the government to evict a US military base. It worked! 2009, Kazhakstan. DDoS on media outlet.            Triggered by release of an article that was critical of Russia. 2009, Georgia. DoS of Twitter and Facebook in Georgia.            Triggered by the first anniversary of the invasion of  Georgia! 2014, Ukraine. DoS on Ukrainian election commission.            Triggered by attempts to create chaos in support of the pro-Russian candidate. 2015, Germany. Compromise of German Bundestag.            Triggered by an attempt to retrieve information on German and NATO leaders. 2015, Holland – Pull out reports on MH17 investigation. 2015, USA. Compromise of Democratic Party computers.            Triggered by attempts to undermine elections. 2016, Finland. Compromise of Finnish foreign ministry computers. 2016, Germany. Emerging claims of malicious activity being conducted by Russian hackers to discredit incumbent chancellor, Angela Merkel.   Increasing confidence The above sequence indicates an increasingly confident nation state, reaching further and deeper into foreign spheres to satisfy its political agenda. One common thread in all the above attacks is an attempt to highlight weaknesses in the targeted country’s government and/or commercial infrastructure. Even stealthy attacks, once exposed to the media, serve to question the security posture of the victim nation.  While the above list contains all the acts attributed to Russia, other nation states, such as North Korea have also been attributed with malicious acts against other nations. Perhaps most significant in the context of the Commonwealth Games is the “Olympic Destroyer” [2] malware that was deployed against South Korea during the Pyeongchang winter Olympics. This malware was capable of permanently damaging computer systems employed in the games.   What does this mean for us? Possibly a two prong approach: Noisy hacktivist type attacks Government website defacements (e.g. foreign ministry) Commonwealth games site defacement Denial of Service attacks against Commonwealth Games infrastructure (similar to Olympic Destroyer) Stealthy attacks Advanced Persistent Threats (APTs) to obtain sensitive data from Government and commercial entities Harvesting Commonwealth Games visitor information (which the Gold Coast City Council admitted doing, by collecting user’s Facebook accounts when they connect to the high-speed public Wi-Fi network) How can we protect ourselves? Tune preventive controls to indicators of exploit traffic, DDoS traffic, and APTs. Have a DDoS response plan. [3] Watch for acts of cyber-aggression against countries threatened with retaliation as a potential indicator of elevated threats again Australia Don’t use unprotected public Wi-Fi networks (or “protected” public Wi-Fi networks). If you absolutely must, use encrypted chat channels and mail clients for communication. Elevated monitoring of Industrial Control System processes and infrastructure for anomalous behaviour. Read Security bulletins for the latest vulnerabilities affecting devices and software in your environment that might be exploited, and take necessary measures to patch them based on a risk-based prioritisation schedule   References https://www.nbcnews.com/storyline/hacking-in-america/timeline-ten-years-russian-cyber-attacks-other-nations-n697111 http://blog.talosintelligence.com/2018/02/olympic-destroyer.html https://zeltser.com/ddos-incident-cheat-sheet/  

Learn more

Week in review

AUSCERT Week in Review for 6th April 2018

AUSCERT Week in Review for 6th April 2018 AUSCERT Week in Review6 April 2018 Greetings, As Friday the 6th of April closes, kernel updates and Spectre Meltdown patches looks to be an ongoing source of bulletins.  On the note of patches, it seems that Easter was the time of giving, with PSIRTs providing all their Easter gifts over the long weekend, resulting in a solid volume of bulletins this week. At least the onslaught of patches was expected, of sorts, and an impact that is expected loses most of its sting.Perhaps this is the same for EU’s GDPR and the expected impact of businesses dealing with Europe.  It could be that the implementation of the Privacy Act Amendment here in Australia may have provided the impetus for concerned companies about assessing their processes and risks in using and storing private information. As for news, here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: ——- Title:   Intel admits a load of its CPUs have Spectre v2 flaw that can’t be fixedURL:    http://www.theregister.co.uk/2018/04/04/intel_spectre_microcode_updates/Date:   4th April 2018Author: Simon Sharwood Excerpt:“Intel has issued fresh “microcode revision guidance” that reveals it won’t address the Meltdown and Spectre design flaws in all of its vulnerable processors – in some cases because it’s too tricky to remove the Spectre v2 class of vulnerabilities. The new guidance, issued April 2, adds a “stopped” status to Intel’s “production status” category in its array of available Meltdown and Spectre security updates. “Stopped” indicates there will be no microcode patch to kill off Meltdown and Spectre.” ——- Title:  The EU’s General Data Protection Regulation, explainedURL:    https://www.cnet.com/how-to/gdpr-eu-general-data-protection-regulation-explained/Date:   4th April 2018Author: Justin Jaffe Excerpt:“The European Union is raising the standards — and stakes — of personal data privacy. In May 2018, the General Data Protection Regulation (GDPR), will take effect and change the rules of the road for companies that collect, store or process large amounts of user information. That means you, Facebook.” ——- Title:   GDPR is Not a Ticking Timebomb for Huge FinesURL:     https://www.infosecurity-magazine.com/opinions/gdpr-timebomb-huge-fines/Date:    5th April 2018Author:  Jason Coggins Excerpt:“One of the biggest misconceptions that organizations have is that if an incident occurs then you will automatically be faced with a fine. I was reading a blog written by Elizabeth Denham of the ICO recently, and she made the point that fines are a last resort. The point of GDPR is to ensure fair and proportionate (proportionate being the operative word here) action is taken against those that fail to meet the agreed standards. There are warnings, recommendations and finally fines for those worst-case scenarios.” ——- Title:  Facebook: It wasn’t 50M hit by Cambridge Analytica breach, but rather 87MURL:    https://arstechnica.com/tech-policy/2018/04/facebook-now-says-87-million-people-affected-by-cambridge-analytica-breach/Date:   5th April 2018Author: Cyrus Farivar and Sean Gallagher Excerpt:“At the end of a lengthy piece, authored by Facebook CTO Mike Schroepfer, the company said simply: “In total, we believe the Facebook information of up to 87 million people—mostly in the US—may have been improperly shared with Cambridge Analytica.” Last month, the British data analytics contractor which worked with Donald Trump’s presidential campaign retained private data from 50 million Facebook users despite claiming to have deleted it. The scandal has spawned numerous lawsuits, and it has put significant pressure on Cambridge Analytica and Facebook.” ——- Title:  CertUtil.exe Could Allow Attackers To Download Malware While Bypassing AVURL:    https://www.bleepingcomputer.com/news/security/certutilexe-could-allow-attackers-to-download-malware-while-bypassing-av/Date:   4th April 2018Author: Lawrence Abrams Excerpt:“Windows has a built-in program called CertUtil, which can  be used to manage certificates in Windows. Using this program you can install, backup, delete, manage, and perform various functions related to certificates and certificate stores in Windows. One of the features of CertUtil is the ability to download a certificate, or any other file for that matter, from a remote URL and save it as a local file using the syntax “certutil.exe -urlcache -split -f [URL] output.file”.”——- Title:  Researchers Hijack Over 2,000 Subdomains From Legitimate Sites in CloudFront ExperimentURL:    https://www.bleepingcomputer.com/news/security/researchers-hijack-over-2-000-subdomains-from-legitimate-sites-in-cloudfront-experiment/Date:   5th April 2018Author: Catalin Cimpanu Excerpt:“Experts found that CloudFront’s CDN routing mechanism that linked a site’s domain and subdomains to a specific server contained a flaw that allowed attackers to point misconfigured subdomains to their own endpoint instead, effectively hijacking the subdomain from legitimate CloudFront users.” ——- Here are this week’s noteworthy security bulletins (in no particular order): 1.    ASB-2018.0066 – [Win] Microsoft Windows: Administrator compromise – Existing account https://portal.auscert.org.au/bulletins/60506 Windows 7 and 2008 server ulnerable to a Windows Kernel Elevation of Privilege Vulnerability. 2.    ESB-2018.0999 – [Win] Microsoft Malware Protection Engine: Administrator compromise – Remote with user interactionhttps://portal.auscert.org.au/bulletins/60678 A remote code execution vulnerability patched in the Microsoft Malware Protection Engine. 3.    ESB-2018.0967 – [Mac] High Sierra: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/60546 A malicious application may be able to execute arbitrary code with kernel privileges. 4.    ESB-2018.1040 – [Appliance] Moxa MXview: Access privileged data – Remote/unauthenticatedhttps://portal.auscert.org.au/bulletins/60850 The private key of the web server is able to be read and accessed via an HTTP GET request. 5.    ESB-2018.1042 – [RedHat] python-paramiko: Execute arbitrary code/commands – Remote/unauthenticatedhttps://portal.auscert.org.au/bulletins/60862 A customized SSH client can simply skip the authentication step. — Wishing you the best from AUSCERT and hope to see you safe next week,Geoffroy

Learn more

Week in review

AUSCERT Week in Review for 29th March 2018

AUSCERT Week in Review for 29th March 2018 AUSCERT Week in Review29 March 2018 Greetings, As Thursday the 29th of March closes, there are a few things on the AUSCERT’s team’s mind.First and foremost is the two (2) days of AUSCERT Conference at the Gold Coast on Thursday May 30, and Friday June 1st.  Equally important is that the registration for the AUSCERT tutorials that precede the conference is out and remember that tutorials are complimentary for anyone who holds a Full Conference Registration. You can find further information on each of the tutorials via https://conference.auscert.org.au/conference-program/  The conference is a big event but there is also another big event at the Gold Coast which may draw unwanted interest from spammers. This is the GC2018 Commonwealth Games.  So making your users aware that spammers may make the most of events and craft emails in ways that entice them to open attachments or follow link, could be worth the while. And to make a difference, on the first hour of the last day of the week, instead of the last hour of the last day of the week, Drupal Core has a patch available where by they expect the PoC to come out “hours or days” after the disclosure.  So I do hope you got the SMS from AUSCERT’s Bulletin service this morning.   As for news, here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: ——- Title:  Drupal Fixes Drupalgeddon2 Security Flaw That Allows Hackers to Take Over SitesURL:    https://www.bleepingcomputer.com/news/security/drupal-fixes-drupalgeddon2-security-flaw-that-allows-hackers-to-take-over-sites/Date:   March 28, 2018Author: Catalin Cimpanu Excerpt:“The Drupal CMS team has fixed a highly critical security flaw that allows hackers to take over a site just by accessing an URL.Drupal site owners should immediately —and we mean right now— update their sites to Drupal 7.58 or Drupal 8.5.1, depending on the version they’re running.The Drupal team pre-announced today’s patches last week when it said “exploits might be developed within hours or days” after today’s disclosure” ——- Title:  Don’t get hacked during the Games  URL:    https://www.technologydecisions.com.au/content/security/news/don-t-get-hacked-during-the-games-634148475Date:   March 23, 2018 Author: Technology Decisions Excerpt:“It is expected that the Gold Coast Commonwealth Games will attract high levels of cybercrime, with businesses urged to stay alert for the possibility…Potential attacks to be aware of during the 2018 Commonwealth Games include: o hacks through public Wi-Fi hotspots that will be available throughout the Games; o email-based spear phishing campaigns that trick people into divulging personal information or clicking on links that release malware into their systems; o hacked social media and business websites; o point-of-sale attacks that let cybercriminals obtain credit card details; o ransomware attacks that prey on the time-sensitive nature of Games-related activities to force victims to pay higher ransoms, fast; o fraudulent invoices and payment details.”“——- Title:  In-Browser Cryptojacking Is Getting Harder to DetectURL:    https://www.bleepingcomputer.com/news/security/in-browser-cryptojacking-is-getting-harder-to-detect/Date:   March 27, 2018Author: Catalin Cimpanu Excerpt:“Cyber-criminals aren’t stupid. If you find a way to block their code, they’re going to find a way to around your block.That’s how it’s been for decades in the antivirus business, and this is exactly what’s happening right now on the in-browser cryptocurrency mining (cryptojacking) scene…” ——- Title:  Intel CPUs Vulnerable to New ‘BranchScope’ AttackURL:    https://www.securityweek.com/intel-cpus-vulnerable-new-branchscope-attackDate:   March 27, 2018 Author: Eduard Kovacs Excerpt:“Researchers have discovered a new side-channel attack method that can be launched against devices with Intel processors, and the patches released in response to the Spectre and Meltdown vulnerabilities might not prevent these types of attacks.The new attack, dubbed BranchScope, has been identified and demonstrated by a team of researchers from the College of William & Mary, University of California Riverside, Carnegie Mellon University in Qatar, and Binghamton University.” ——- Title:  Crooks infiltrate Google Play with malware in QR reading utilitiesURL:    https://nakedsecurity.sophos.com/2018/03/23/crooks-infiltrate-google-play-with-malware-lurking-in-qr-reading-utilities/Date:   March 23, 2018Author: Paul Ducklin Excerpt:“…First, the apps were, at least on the surface, what they claimed: six were QR code reading apps; one was a so-called “smart compass”.In other words, if you were just trying out apps for fun, or for a one-off purpose, you’d be inclined to judge them by their own descriptions.Second, the crooks didn’t fire up the adware part of their apps right away, lurking innocently for a few hours before unleashing a barrage of ads.Third, the adware part of each app was embedded in what looks at first sight like a standard Android programming library that was itself embedded in the app.” ——- Title:  Thousands of etcd installations are currently leaking 750MB worth of passwords, keys, and sensitive data.URL:    http://securityaffairs.co/wordpress/70611/hacking/etcd-installs-data-leak.htmlDate:   March 25, 2018Author: Pierluigi Paganini Excerpt:“Thousands of servers belonging to private businesses and organizations are leaking credentials and potentially sensitive data.It is quite easy for hackers to use the credentials to access the servers and steal sensitive data or use the machines to power cyber attacks.According to the researcher Giovanni Collazo, querying the popular Shodan search engine he found almost 2,300 servers exposed online that were running etcd, which is a distributed key value store that provides a reliable way to store data across a cluster of machines.” ——- Title:  Facebook Collected Call and SMS Metadata From Some Users’ SmartphonesURL:    https://www.bleepingcomputer.com/news/technology/facebook-collected-call-and-sms-metadata-from-some-users-smartphones/Date:   March 24, 2018Author: Catalin Cimpanu Excerpt:“Several Facebook users who downloaded an archive of their Facebook data in the wake of the Facebook-Cambridge Analytica scandal discovered this week that the social network’s mobile applications have been recording —in some cases— much more information than most people were expecting. Logged information includes data on all phone calls made on the phone, the start time o each call, its duration, and the contact’s name. The Facebook app did not log phone calls to and from numbers not saved in the phone’s address book.” ——- Here are this week’s noteworthy security bulletins (in no particular order): 1.    ESB-2018.0844 – [SUSE] kernel: Multiple vulnerabilities https://portal.auscert.org.au/bulletins/60038 The SUSE Linux Enterprise 12 SP2 kernel was updated to 4.4.120 to receive various security and bugfixes including executing code. 2.    ESB-2018.0863 – [Win][UNIX/Linux][RedHat] slf4j: Execute arbitrary code/commands – Remote/unauthenticated https://portal.auscert.org.au/bulletins/60114 Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution. 3.    ESB-2018.0883 – [SUSE] LibVNCServer: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/60198 Heap-based buffer overflow in rfbproto.c allowed remote servers to cause a denial of service (application crash) or possibly execute arbitrary code. 4.    ASB-2018.0063 – [Win][UNIX/Linux] Mozilla Firefox: Execute arbitrary code/commands – Remote with user interactionhttps://portal.auscert.org.au/bulletins/60158 Use-after-free in compositor results in a potentially exploitable crash. 5.    ESB-2018.0888 – [Win][UNIX/Linux][Debian][Apple iOS][Android] mupdf: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/60218 Two vulnerabilities were discovered in MuPDF, a PDF, XPS, and e-book viewer, which may result in denial of service or remote code execution. —And lastly for an even more up-and-coming event, a long four (4) day weekend looks nice, but beware little emails bearing easter eggs, and please get your Drupal site patched.   Wishing you the best from AUSCERT and hope to see you safe next week,Geoffroy

Learn more