//Week in review - 22 Sep 2017

AusCERT Week in Review for 22nd September 2017

AusCERT Week in Review
22 September 2017


As Friday 22nd of September comes to a close, the big news is:

AusCERT is hiring!

Apply here: https://www.seek.com.au/job/34448215

Here is our weekly summary (including excerpts) of some of the more interesting stories we’ve seen this week:

Title: CCleaner malware spread via supply chain attack
URL: http://searchsecurity.techtarget.com/news/450426573/CCleaner-malware-spread-via-supply-chain-attack
Date: 19 September 2017
Author: Michael Heller
“CCleaner malware was spread to users via an infected software update for close to one month, highlighting the dangers of supply chain attacks and the need for code signing.

The CCleaner malware gathered information about systems and transmitted it to a command and control (C&C) server; it was reportedly downloaded by users for close to one month from Aug. 15 to Sept. 12, according to Morphisec. However, Avast noted that the CCleaner malware was limited to running on 32-bit systems and would only run if the affected user profile had administrator privileges.”


Title: Apache “Optionsbleed” vulnerability – what you need to know
URL: https://nakedsecurity.sophos.com/2017/09/19/apache-optionsbleed-vulnerability-what-you-need-to-know/
Date: 19 September 2017
Author: Paul Ducklin
“Remember Heartbleed? … Well, something similar has happened again.

This time, the bug isn’t in OpenSSL, but in a program called httpd, probably better known as the Apache Web Server, and officially called the Apache HTTP Server Project.

The vulnerability has been dubbed OptionsBleed, because the bug is triggered by making HTTP OPTIONS requests.”


Title: Here’s What Your Identity Sells For on the Dark Web
URL: https://www.bloomberg.com/news/articles/2017-09-15/equifax-hack-your-social-security-and-identity-are-for-sale
Date: 15 September 2017
Author: Suzanne Woolley
“How much is your personal data worth to you? A lot. (Thanks, Equifax.) And how much is it worth to an identity thief?

You may be surprised, or insulted, or enraged, to find out.”


Title: Internet Providers Possibly Involved in FinFisher Surveillance Operations: Report
URL: http://www.securityweek.com/internet-providers-possibly-involved-finfisher-surveillance-operations-report
Date: 21 September 2017
Author: Ionut Arghire
“New campaigns featuring the infamous FinFisher spyware are using a previously unseen infection vector, strongly suggesting that Internet service providers (ISPs) might be involved in the distribution process, ESET security researchers warn.

Also known as FinSpy, the malware has been around for over half a decade and is being sold exclusively to governments and their agencies worldwide for surveillance purposes. The use of this lawful interception solution has increased, and researchers observed it earlier this month abusing a .NET framework zero-day tracked as CVE-2017-8759 for distribution. “


Title: Government promises $50 million boost to security research
URL: https://www.computerworld.com.au/article/627667/government-promises-50-million-boost-to-security-research/
Date: 22 September 2017
Author: Rohan Pearce
“The government will invest $50 million over seven years to help establish an industry-led Cyber Security Cooperative Research Centre (CRC).

The government said that cash and in-kind contributions of more than $89 million towards the CRC had been pledged by 25 industry, research and government partners.”


And lastly, here are this week’s noteworthy security bulletins (in no particular order):


1. ESB-2017.2369 – ALERT [Win][UNIX/Linux][Ubuntu] apache2-bin: Access privileged data – Remote/unauthenticated

“..the Apache HTTP Server incorrectly handled Limit directives in .htaccess files. In certain configurations, a remote attacker could possibly use this issue to read arbitrary server memory, including sensitive information. This issue is known as Optionsbleed.”


2. ASB-2017.0151 – [Win][UNIX/Linux] WordPress: Multiple vulnerabilities

Two of the big three CMS released major patch updates this week – Joomla! and WordPress. WordPress vulnerabilities include multiple Cross-site scripting, path traversal, open redirect and a potential SQL injection via plugins and themes.


3. ASB-2017.0152.2 – UPDATE [Win][UNIX/Linux] Joomla!: Access privileged data – Remote/unauthenticated

AusCERT recommends members avoid using Joomla! because of its history of serious vulnerabilities including this latest round.


4. ESB-2017.2398 – ALERT [UNIX/Linux][Ubuntu] samba: Multiple vulnerabilities

Vendors and Linux distributions were quick to release patches for the latest samba vulnerabilities.

A man-in-the-middle attack can potentially read and alter documents transferred via a client connection.
Also, a client with write access to a share can cause the server memory contents to be written to a file or printer.


5. ASB-2017.0154 – [Win][Linux][OSX] Google Chrome: Multiple vulnerabilities

Update your Google and Apple Safari browsers before you surf the web this weekend. Both Google Chrome and Apple Safari have addressed vulnerabilities in their latest updates.


Wishing you the best from AusCERT and stay safe,