//Week in review - 15 Dec 2017

AusCERT Week in Review for 15th December 2017


We’ve had a “big” week in a few ways:

  • A huge credential dump aggregating previous dumps has hit the limelight.
  • The defendants in the Mirai case, 2016’s largest botnet, have pleaded guilty.
  • Also, a 19-year-old RSA vulnerability has returned as the ROBOT attack, affecting many notable networking vendors. 


The AusCERT Conference’s Call for Proposals is open.

Important Dates for submission
13 Nov 2017 – (Monday) – Call for Presentations submissions open
19 Jan 2018 – (Friday) – Call for Presentations submission deadline
19 Feb 2018 – (Monday) – Notifications from Program Committee

Conference Date
29 May 2018 – 01 Jun 2018 | AusCERT2018 Conference


As for more news, here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

How a Dorm Room Minecraft Scam Brought Down the Internet
Date: December 13 2017
Author: Garrett M. Graff

Excerpt: Until then, a large DDoS attack was often considered to be 10 to 20 gigibits per second; vDOS had been overwhelming targets with attacks in the range of 50 Gbps. A follow-on Mirai attack against OVH hit around 901 Gbps.

BrickerBot Author Retires Claiming to Have Bricked over 10 Million IoT Devices
Date: December 11 2017
Author: Catalin Cimpanu

Excerpt: In an email sent today to Bleeping Computer, The Janit0r announced his sudden retirement and explained why he reached this decision.

I believe that the project has been a technical success, but I am now starting to worry that it is also having a deleterious effect on the public’s perception of the overall IoT threat. Researchers keep issuing high profile warnings about genuinely dangerous new botnets, and a few weeks or even days later they are all but gone. Sooner or later people are going to start questioning the credibility of the research and the seriousness of the situation.

Extended Validation is Broken
Date: December 12 2017
Author: Ian Carroll

Excerpt: One question may be how practical this attack is for a real attacker who desires to phish someone. First, from incorporation to issuance of the EV certificate, I spent less than an hour of my time and about $177. $100 of this was to incorporate the company, and $77 was for the certificate. It took about 48 hours from incorporation to the issuance of the certificate.

Game-changing attack on critical infrastructure site causes outage
Date: December 15 2017
Author: Dan Goodin

Excerpt: The accidental outage was likely the result of the Triconex SIS, or “safety instrumented system.” The SIS shut down operations when it experienced an error that occurred as the hackers were performing reconnaissance on the facility. Although the hackers were likely seeking the ability to cause physical damage inside the facility, the November shutdown was likely not deliberate.

Variation of 19-Year-Old Cryptographic Attack Affects Facebook, PayPal, Others
Date: 12 December 2017
Author: Catalin Cimpanu

Excerpt: The ROBOT research team say that despite this being a variation for a 19-year-old attack, 27 of the Alexa Top 100 websites are vulnerable to the ROBOT attack. Vulnerable sites include Facebook and PayPal. The ROBOT attack scientific paper includes a case study how the research team decrypted Facebook traffic.

1.4 Billion Clear Text Credentials Discovered in a Single Database
Date: December 9 2017
Author: Julio Casal

Excerpt: The 41GB dump was found on 5th December 2017 in an underground community forum. The database was recently updated with the last set of data inserted on 11/29/2017. The total amount of credentials (usernames/clear text password pairs) is 1,400,553,869.


And lastly, here are this week’s most noteworthy security bulletins:

1. ASB-2017.0217 – Remote code execution patched in Palo Alto firewalls

Through the exploitation of a combination of unrelated vulnerabilities, and via the management interface of the device, an attacker could remotely execute code on PAN-OS in the context of the highest privileged user.

2. ESB-2017.3160 – Thunderbird security update

Multiple security issues have been found in Thunderbird, which may lead to the execution of arbitrary code or denial of service.

3. ESB-2017.3200 – Jenkins patches race conditions during setup

On Jenkins 2.81 and newer, including LTS 2.89.1, this could in rare cases (we estimate less than 20% of new instances) result in failure to initialize the setup wizard on the first startup.

Affected instances need to be configured to restrict access.

4. ESB-2017.3182.2 – TLS vulnerability discovered in Cisco products (ROBOT)

An attacker could iteratively query a server running a vulnerable TLS stack implementation to perform cryptanalytic operations that may allow decryption of previously captured TLS sessions.

[Note that Cisco does not intend to fix this in all affected products, e.g.
the ACE 4710 and ACE30.]


Wishing you all the best from AusCERT and see you next week,