AusCERT Week in Review for 21st October 2016

As Friday 21st October comes to a close, there have been numerous security-related news items this week. Here's a summary (including excerpts) of some of the more interesting stories we've seen:

Title: LockyDump - All Your Configs Are Belong To Us
Date Published: 13/10/16
Author: Warren Mercer and Matthew Molyett
Excerpt: "Locky has continued to evolve since its inception in February 2016. This has made it difficult to track at times due to changes in the way in which it's distributed as well as various characteristics of the malware itself. The actors responsible for Locky have continuously attempted to improve operational security (OPSEC) in regards to the tracking of affiliates making use of the ransomware. This post will discuss a new Locky configuration extractor that Talos is releasing, which we are naming 'LockyDump'. This is the first open source tool which can dump the configuration parameters used by all currently known variants of Locky e.g. .locky, .zepto & .odin based ransomware."

Title: TrickBot Shows Strong Connection to Old Dyre Banking Trojan
Date Published: 16/10/16
Author: Catalin Cimpanu
Excerpt: "Security researchers from Fidelis Cybersecurity have advanced the theory that a new banking trojan discovered in September 2016 may have a connection to the old Dyre banking trojan."

Title: Audit sees VeraCrypt kill critical password recovery, cipher flaws
Date Published: 18/10/16
Author: Darren Pauli
Excerpt: "Security researchers have found eight critical, three medium, and 15 low-severity vulnerabilities in a one month audit of popular encryption platform VeraCrypt.

The audit is the latest in a series prompted by the shock abandoning of TrueCrypt in May 2014 due to unspecified security concerns claimed by the hitherto trusted platform's mysterious authors."

Title: Magento Malware Steals Card Data via Steganography
Date Published: 18/10/16
Author: Watch Desk
Excerpt: "Cyber criminals are targeting Magento stores to steal customers' payment card data by hiding the information within JPEG images.

The attackers are extracting stolen payment card data through images to evade detection by the e-commerce platform administrators, according to reports. A researcher recently discovered nearly 6,000 online stores infected with malware in recent months."

Title: Password-Protected Attachment Serves Ransomware
Date Published: 18/10/16
Author: Diwakar Dinkar and Satish Chimakurthi
Excerpt: "Attacks by macro malware carrying ransomware are growing, as we have recently reported. Since early March we have seen macro malware using high-obfuscation algorithms to hide itself from static and traditional antimalware detection techniques. Macro malware continues to evolve and use new tricks to evade detection. In addition to these evasion techniques, McAfee Labs researchers have witnessed a new variant of macro malware. This version uses the password given in the email to open the malicious Word document. Password protection makes it harder to extract and scan the attachment for malicious code."

Here are this week's noteworthy security bulletins:
1/ ASB-2016.0095 - [Win][UNIX/Linux] Oracle Products: Multiple vulnerabilities

This week was Oracle's quarterly patch week and with it came fixes for 253 vulnerabilities!

2/ ESB-2016.2437 - [Win][UNIX/Linux][Debian] tor: Denial of service - Remote/unauthenticated

A denial-of-service bug, in which Tor treated the contents of some buffer chunks as if they were a NUL-terminated string, has been fixed.

3/ ESB-2016.2449 - [Cisco] Cisco ASA : Multiple vulnerabilities

If you are using Cisco's ASA Software Identity Firewall feature you should patch it quickly, as a remote code execution vulnerability (CVE-2016-6432) has been discovered and fixed in Cisco's latest patch.

4/ ESB-2016.2457 - [Win][UNIX/Linux] BIND: Denial of service - Remote/unauthenticated

A denial-of-service bug affecting older versions (pre-May 2013) of BIND has been discovered. If your version of BIND does not contain change #3548, it is advisable to contact your BIND provider to get it updated.
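The Tor bug in bulletin 2 is an instance of a general C pitfall: passing length-delimited buffer bytes to functions that expect a NUL terminator. The following is an added, constructed illustration (not Tor's code) of the unsafe pattern beside a length-bounded replacement; the `chunk` struct, the `backing` bytes and the chunk length of 18 are all made up for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A buffer chunk: a pointer plus an explicit length. The bytes are
 * NOT guaranteed to end in a NUL. (Constructed type for this example.) */
struct chunk {
    const char *data;
    size_t len;
};

/* Unsafe: treats the chunk as a C string. If no NUL lies inside
 * data[0..len), strlen() keeps reading past the chunk into whatever
 * memory follows it; in a daemon that is a crash, i.e. a DoS trigger. */
size_t chunk_strlen_unsafe(const struct chunk *c) {
    return strlen(c->data);
}

/* Safe: the scan is bounded by the chunk's own length. */
size_t chunk_strlen_bounded(const struct chunk *c) {
    const char *nul = memchr(c->data, '\0', c->len);
    return nul ? (size_t)(nul - c->data) : c->len;
}

/* Bounded search for a delimiter; returns its offset or -1 if absent. */
long chunk_find(const struct chunk *c, const char *needle) {
    size_t nlen = strlen(needle);
    if (nlen == 0 || nlen > c->len) return -1;
    for (size_t i = 0; i + nlen <= c->len; i++) {
        if (memcmp(c->data + i, needle, nlen) == 0) return (long)i;
    }
    return -1;
}

/* Constructed input: one array holding the 18-byte chunk followed by
 * unrelated bytes, so the over-read stays inside this array and is
 * observable here instead of being undefined behaviour. */
static const char backing[] = "GET / HTTP/1.0\r\n\r\nLEFTOVER";
static const struct chunk demo = { backing, 18 };

int main(void) {
    printf("unsafe strlen:    %zu\n", chunk_strlen_unsafe(&demo));   /* 26: ran past the chunk */
    printf("bounded length:   %zu\n", chunk_strlen_bounded(&demo));  /* 18 */
    printf("header end at:    %ld\n", chunk_find(&demo, "\r\n\r\n")); /* 14 */
    return 0;
}
```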

Stay safe, stay patched and have a good weekend!