AusCERT Week in Review for 27th October 2017


With another named vulnerability and a new chapter in the unfolding Kaspersky saga,
it seems that we are back to business as usual in the world of Information Security.
Even NSA employees are susceptible to malware lurking within illegally-acquired copies of software.
As security moves forward, will you protect your organisation by making sure staff have properly
licensed Microsoft Office, so that nobody has to go looking for a cracked copy?

Here’s a summary (including excerpts) of some of the more interesting
stories we’ve seen this week:

Title: Is Bad Rabbit the new NotPetya?
URL: https://www.itnews.com.au/news/is-bad-rabbit-the-new-notpetya-476121
Date: 25th October, 2017
Author: Juha Saarinen
Excerpt: “A new strain of ransomware is working its way around the globe
disguised as a fake Adobe Flash player update delivered as a drive-by

Title: Worker who snuck NSA malware home had his PC backdoored, Kaspersky says
URL: https://arstechnica.com/information-technology/2017/10/worker-who-snuck-nsa-secrets-home-had-a-backdoor-on-his-pc-kaspersky-says/
Date: 25th October, 2017
Author: Dan Goodin
Excerpt: “The NSA worker’s computer ran a home version of Kaspersky AV that
had enabled a voluntary service known as Kaspersky Security Network. When
turned on, KSN automatically uploads new and previously unknown malware to
company Kaspersky Lab servers. The setting eventually caused the previously
undetected NSA malware to be uploaded to Kaspersky Lab servers, where it
was then reviewed by a company analyst.”

Title: Attack of the week: DUHK
URL: https://blog.cryptographyengineering.com/2017/10/23/attack-of-the-week-duhk/
Date: 23rd October, 2017
Author: Matthew Green
Excerpt: “This work comes from Nadia Heninger, Shaanan Cohney and myself,
and follows up on some work we’ve been doing to look into the security
of pseudorandom number generation in deployed cryptographic devices.”
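
DUHK (Don't Use Hard-coded Keys) targets devices running the ANSI X9.31 generator with the
block-cipher key fixed in the firmware: once that key is known, an attacker who sees a single
output block and can guess the timestamp input learns the generator's next state and every
output after it. The Go program below is an added illustration, not code from the story or
from the DUHK authors. The key, the seed and the 64-bit tick counter standing in for the
timestamp are constructed for the example, and it assumes the attacker knows the two
observed blocks were produced one tick apart and can bound the first tick to a window.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// HardcodedKey stands in for an AES-128 key compiled into device firmware.
// It is constructed for this example and is not any vendor's real key.
var HardcodedKey = []byte("FIRMWARE-CONST16")

func xorBlocks(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// tsBlock encodes a 64-bit tick counter as the 16-byte timestamp input T.
// Real implementations derive T from the wall clock; a counter keeps the
// brute-force step below easy to follow.
func tsBlock(tick uint64) []byte {
	t := make([]byte, 16)
	binary.BigEndian.PutUint64(t[8:], tick)
	return t
}

// X931 is the ANSI X9.31 generator instantiated with AES-128.
type X931 struct {
	blk cipher.Block
	V   []byte // 16-byte state; the only secret the device holds
}

func NewX931(key, seed []byte) (*X931, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return &X931{blk: blk, V: append([]byte(nil), seed...)}, nil
}

// Next performs one X9.31 step:
//   I = E_K(T);  R = E_K(I xor V);  V' = E_K(R xor I)
// and returns the 16-byte output R.
func (g *X931) Next(tick uint64) []byte {
	I := make([]byte, 16)
	g.blk.Encrypt(I, tsBlock(tick))
	R := make([]byte, 16)
	g.blk.Encrypt(R, xorBlocks(I, g.V))
	next := make([]byte, 16)
	g.blk.Encrypt(next, xorBlocks(R, I))
	g.V = next
	return R
}

// RecoverNextState is the core of DUHK: V' = E_K(R xor I) involves only the
// observed output R and I = E_K(T). With K hard-coded, the secret state V is
// not even needed to compute the state the victim will use next.
func RecoverNextState(blk cipher.Block, tick uint64, R []byte) []byte {
	I := make([]byte, 16)
	blk.Encrypt(I, tsBlock(tick))
	next := make([]byte, 16)
	blk.Encrypt(next, xorBlocks(R, I))
	return next
}

// SyncFromOutputs brute-forces the timestamp of the first observed block r1
// over [lo, hi], using the second block r2 (assumed generated one tick later)
// to confirm the guess. It returns a generator in lockstep with the victim.
func SyncFromOutputs(key, r1, r2 []byte, lo, hi uint64) (*X931, uint64, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, 0, err
	}
	for t := lo; t <= hi; t++ {
		clone := &X931{blk: blk, V: RecoverNextState(blk, t, r1)}
		if bytes.Equal(clone.Next(t+1), r2) {
			return clone, t, nil // clone's state now equals the victim's
		}
	}
	return nil, 0, errors.New("no timestamp in the window reproduces r2")
}

func main() {
	// Victim: a device whose only secret is the seed; K is in the firmware.
	victim, err := NewX931(HardcodedKey, []byte("victim-secret-V0"))
	if err != nil {
		panic(err)
	}
	const t0 = uint64(1508900000)
	r1 := victim.Next(t0)         // e.g. a nonce sent on the wire
	r2 := victim.Next(t0 + 1)     // a second visible value
	secret := victim.Next(t0 + 2) // e.g. key material that never leaves the device

	attacker, tick, err := SyncFromOutputs(HardcodedKey, r1, r2, t0-1000, t0+1000)
	if err != nil {
		panic(err)
	}
	fmt.Printf("timestamp recovered: %d\n", tick)
	fmt.Printf("predicted next output matches victim secret: %v\n",
		bytes.Equal(attacker.Next(t0+2), secret))
}
```

The step to take away is the last one: V' = E_K(R xor I) depends only on the output R and the
timestamp, so with K hard-coded there is nothing left to protect, and any randomness that
leaves the device (nonces, session identifiers) becomes a prediction oracle for everything
generated after it.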

Title: APNIC Whois Database Password Hashes Were Available for Download
URL: https://www.bleepingcomputer.com/news/security/apnic-whois-database-password-hashes-were-available-for-download/
Date: 24th October, 2017
Author: Catalin Cimpanu
Excerpt: “The Asia-Pacific Network Information Centre (APNIC), the
organization that manages domain name information for the Asia-Pacific
region, fixed on Monday an error that exposed password hashes needed to
access and edit domain ownership details. The incident came to light on
October 12 when eBay employee Chris Barcellos spotted password hashes
inside downloadable Whois information. The researcher reached out to APNIC
with the issue, and the company fixed the problem by the second day.”
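
The exposure described here is easy to check for on your own side, because the auth:
attribute of an RPSL mntner object is exactly where the hash lives. The Go program below is an
added example, not code from the story or from APNIC: it parses a Whois/RPSL dump and reports
every maintainer whose auth: attribute still carries hash material. The sample dump is
constructed, and the "MD5-PW # Filtered" placeholder is assumed to be the form a correctly
configured server returns in place of the hash.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Finding records one credential hash that survived into a Whois/RPSL dump.
type Finding struct {
	Class  string // object class, e.g. "mntner" or "irt"
	Name   string // the object's primary key
	Scheme string // MD5-PW, CRYPT-PW or BCRYPT-PW
	Hash   string
}

// hashAuth matches auth: values that carry hash material. The placeholder
// "MD5-PW # Filtered" (assumed here to be what a correctly configured server
// emits) fails the match because the value after the scheme starts with '#'.
var hashAuth = regexp.MustCompile(`^(MD5-PW|CRYPT-PW|BCRYPT-PW)\s+([^#\s]\S*)`)

// ScanRPSL parses an RPSL dump (objects separated by blank lines, "key: value"
// attributes, continuation lines starting with a space, tab or '+') and
// reports every auth: attribute that still contains a hash.
func ScanRPSL(dump string) []Finding {
	var findings []Finding
	var obj [][2]string // attribute/value pairs of the object being read

	flush := func() {
		if len(obj) == 0 {
			return
		}
		class, name := obj[0][0], obj[0][1] // first attribute names the object
		for _, av := range obj {
			if av[0] != "auth" {
				continue
			}
			if m := hashAuth.FindStringSubmatch(av[1]); m != nil {
				findings = append(findings, Finding{class, name, m[1], m[2]})
			}
		}
		obj = nil
	}

	sc := bufio.NewScanner(strings.NewReader(dump))
	for sc.Scan() {
		line := sc.Text()
		switch {
		case strings.TrimSpace(line) == "":
			flush()
		case strings.HasPrefix(line, "%") || strings.HasPrefix(line, "#"):
			// server comment lines; not part of any object
		case strings.HasPrefix(line, " ") || strings.HasPrefix(line, "\t") || strings.HasPrefix(line, "+"):
			if len(obj) > 0 {
				obj[len(obj)-1][1] += " " + strings.TrimSpace(strings.TrimPrefix(line, "+"))
			}
		default:
			kv := strings.SplitN(line, ":", 2)
			if len(kv) != 2 {
				continue
			}
			obj = append(obj, [2]string{strings.TrimSpace(kv[0]), strings.TrimSpace(kv[1])})
		}
	}
	flush()
	return findings
}

// SampleDump is constructed for this example; it is not APNIC data.
const SampleDump = `% Constructed sample, not a real registry export

mntner:         MAINT-EXAMPLE-AP
descr:          Example maintainer
admin-c:        EX1-AP
upd-to:         noc@example.net
auth:           MD5-PW $1$saltsalt$0123456789abcdefghijkl
auth:           PGPKEY-0123ABCD
mnt-by:         MAINT-EXAMPLE-AP
source:         APNIC

mntner:         MAINT-FILTERED-AP
descr:          Served with the hash removed
admin-c:        EX2-AP
auth:           MD5-PW # Filtered
mnt-by:         MAINT-FILTERED-AP
source:         APNIC

person:         Example Person
nic-hdl:        EX1-AP
source:         APNIC
`

func main() {
	for _, f := range ScanRPSL(SampleDump) {
		fmt.Printf("%s %s exposes %s hash %s\n", f.Class, f.Name, f.Scheme, f.Hash)
	}
}
```

MD5-PW values are crypt(3) md5crypt hashes, which are cheap to attack offline with any
password cracker, so a positive finding should be handled as a credential compromise: rotate
the maintainer password and review the affected objects' history for unauthorised changes.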

Title: IoT_reaper: A Rappid Spreading New IoT Botnet
URL: http://blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/
Date: 20th October, 2017
Author: yegenshen
Excerpt: “On 2017-09-13 at 01:02:13, we caught a new malicious sample
targeting IoT devices. Starting from that time, this new IoT botnet family
continued to update and began to harvest vulnerable IoT devices at a rapid
pace. The bot borrowed some code from the famous Mirai botnet, but it does
not do any password cracking at all. Instead, it purely focuses on exploiting
IoT device vulnerabilities. So, we name it IoT_reaper.”

And lastly, here are this week’s noteworthy security bulletins (in no
particular order):

ESB-2017.2679 – [Win][UNIX/Linux][Ubuntu] curl: Execute arbitrary code/commands – Remote/unauthenticated

Brian Carpenter discovered that curl incorrectly handled IMAP FETCH
response lines. A remote attacker could use this issue to cause curl to
crash, resulting in a denial of service, or possibly execute arbitrary

ESB-2017.2710 – [Appliance] Rockwell Automation Stratix 5100: Access privileged data – Remote/unauthenticated

A man-in-the-middle attack on Rockwell Automation wireless bridges could
lead to takeover of industrial hardware.

ESB-2017.2670 – [Appliance] F5 products: Execute arbitrary code/commands – Remote with user interaction
ESB-2017.2671 – [Appliance] F5 BIG-IP products: Root compromise – Existing account
ESB-2017.2672 – [Appliance] F5 products: Access privileged data – Existing account
ESB-2017.2673 – [Appliance] F5 BIG-IP Products: Denial of service – Remote/unauthenticated
ESB-2017.2674 – [Appliance] F5 BIG-IP PEM: Access privileged data – Remote with user interaction
ESB-2017.2675 – [Appliance] F5 BIG-IP products: Unauthorised access – Existing account
ESB-2017.2687 – [Appliance] F5 products: Denial of service – Remote/unauthenticated
ESB-2017.2703 – [Appliance] F5 products: Multiple vulnerabilities
ESB-2017.2707 – [Appliance] F5 products: Denial of service – Remote/unauthenticated
ESB-2017.2715 – [Appliance] F5 BIG-IP products: Denial of service – Remote/unauthenticated
ESB-2017.2716 – [Appliance][Virtual] F5 BIG-IP products: Denial of service – Remote/unauthenticated
ESB-2017.2717 – [Appliance] F5 products: Denial of service – Remote/unauthenticated
ESB-2017.2718 – [Appliance][Virtual] F5 BIG-IP AAM and PEM: Denial of service – Remote/unauthenticated
ESB-2017.2719 – [Appliance][Virtual] F5 BIG-IP products: Execute arbitrary code/commands – Remote/unauthenticated
ESB-2017.2722 – [Appliance][Virtual] F5 BIG-IP products: Denial of service – Remote/unauthenticated

Several important F5 updates have been published this week.

Have a good weekend everyone. Firewalls up!