22 Dec 2017

Week in review

AUSCERT Week in Review for 22nd December 2017

Greetings,

As 2017 draws to a close, we hope it’s been good to you and yours.

AUSCERT news:

The Call for Proposals is still open until January 19th for the AUSCERT 2018 conference.

We analysed the 1.4-billion-credential breach compilation this week and notified ~90% of our members of new user credentials appearing online. Didn’t get an email? Congratulations!
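For members wondering what that matching looks like in practice, the following is an added example (not AUSCERT's own tooling) of the core of it: parse a credential dump, keep only addresses in member domains, and report only pairs that have not already been notified. The dump lines, member domain and "already notified" state are all constructed here; the fingerprint scheme is an assumption chosen so that no plaintext password has to be stored or sent.

```python
"""Match a credential-dump feed against member domains and report only
credentials not already notified. Added example with constructed data."""
import hashlib
from collections import defaultdict

# Constructed sample lines in the common "email:password" dump layout.
SAMPLE_DUMP = """\
alice@example.edu:Winter2017!
bob@example.edu:hunter2
carol@other.org:letmein
alice@example.edu:Winter2017!
dave@EXAMPLE.EDU:correct horse
malformed line without separator
"""

# Constructed member domain list.
MEMBER_DOMAINS = {"example.edu"}


def parse_dump(text):
    """Yield (email, password) from email:password lines; skip junk lines.
    Only the first colon separates the fields, so passwords may contain ':'."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        email, _, password = line.partition(":")
        email = email.strip().lower()
        if "@" not in email or not password:
            continue
        yield email, password


def fingerprint(email, password):
    """Stable identifier for a credential pair (assumed scheme):
    SHA-256 over email, NUL, password. Lets us dedupe and track what was
    already notified without retaining the plaintext password."""
    return hashlib.sha256(f"{email}\0{password}".encode()).hexdigest()


def new_member_credentials(dump_text, member_domains, already_notified):
    """Return {domain: [(email, fingerprint), ...]} for credentials whose
    domain belongs to a member and whose fingerprint has not been seen,
    either in an earlier notification or earlier in this same dump."""
    found = defaultdict(list)
    seen = set()
    for email, password in parse_dump(dump_text):
        domain = email.rsplit("@", 1)[1]
        if domain not in member_domains:
            continue
        fp = fingerprint(email, password)
        if fp in already_notified or fp in seen:
            continue
        seen.add(fp)
        found[domain].append((email, fp))
    return dict(found)


if __name__ == "__main__":
    notified = {fingerprint("bob@example.edu", "hunter2")}
    for domain, creds in new_member_credentials(SAMPLE_DUMP, MEMBER_DOMAINS, notified).items():
        for email, fp in creds:
            print(domain, email, fp[:12])
```

A notification built from this output carries the address and the fingerprint, never the password itself; the fingerprint is enough for the member to confirm a hit against their own directory and for the next run to skip it.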

AUSCERT will be going into “holiday mode” from today until the 2nd of January. We will continue to operate the 24/7 member incident hotline.
(That number is available to members who log in at https://wordpress-admin.auscert.org.au/contact).

We’ve become a Fairy Penguin sponsor of linux.conf.au 2018.

This week in cybersecurity:

——————————————————————————-
Unsecured Amazon S3 Bucket Exposes Details on 123 Million American Households
https://www.bleepingcomputer.com/news/security/unsecured-amazon-s3-bucket-exposes-details-on-123-million-american-households
Date: December 20 2017
Author: Catalin Cimpanu

Excerpt: More precisely, the database contained over 3.5 billion details for over 123 million American households.

The data included both personally identifiable information such as addresses, home details, contact information, or homeowner ethnicity, but also financial details such as mortgage status, financial histories, and purchase behavior.
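The check a bucket owner wants here is whether anything in the bucket ACL or bucket policy grants access to everyone. The following is an added example, not code from the article or from AWS: it takes the JSON that `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy` return and flags grants to the AllUsers/AuthenticatedUsers groups and policy statements whose Principal is `*`. Both JSON documents and the bucket name in them are constructed for the example.

```python
"""Flag S3 buckets whose ACL or bucket policy opens them to everyone.
Added example; the two JSON documents are constructed samples in the
shape the AWS CLI returns."""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Constructed: an ACL granting READ (object listing) to the whole world.
SAMPLE_ACL = json.dumps({
    "Owner": {"ID": "0123abcd"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "0123abcd"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
})

# Constructed: the same owner-only ACL with the public grant removed.
FIXED_ACL = json.dumps({
    "Owner": {"ID": "0123abcd"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "0123abcd"}, "Permission": "FULL_CONTROL"},
    ],
})

# Constructed: a policy with one anonymous GetObject statement and one scoped to a role.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::households-data/*"},
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/etl"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::households-data/*"},
    ],
})


def acl_findings(acl_json):
    """Return (group, permission) for every grant to a global group."""
    findings = []
    for grant in json.loads(acl_json).get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            findings.append((grantee["URI"].rsplit("/", 1)[1], grant["Permission"]))
    return findings


def _is_anonymous(principal):
    """True when a Principal matches everyone: "*" or {"AWS": "*"} (list or string)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = aws if isinstance(aws, list) else [aws]
        return "*" in aws
    return False


def policy_findings(policy_json):
    """Return (actions, resource, has_condition) for Allow statements open to
    any principal. A Condition may narrow the grant (e.g. to a VPC endpoint),
    so it is surfaced for manual review rather than silently excused.
    policy_json may be None: get-bucket-policy errors when no policy exists."""
    if policy_json is None:
        return []
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        findings.append((tuple(actions), stmt.get("Resource"), "Condition" in stmt))
    return findings


def is_public(acl_json, policy_json):
    """Overall verdict: any world-readable ACL grant or anonymous policy statement."""
    return bool(acl_findings(acl_json) or policy_findings(policy_json))


if __name__ == "__main__":
    print("ACL:", acl_findings(SAMPLE_ACL))
    print("Policy:", policy_findings(SAMPLE_POLICY))
    print("public:", is_public(SAMPLE_ACL, SAMPLE_POLICY))
```

Run it against real output by piping `aws s3api get-bucket-acl --bucket NAME` and `get-bucket-policy --query Policy --output text` into the two functions; a bucket with no policy at all is the common case, hence the `None` handling.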
——————————————————————————-
Backdoor in Captcha Plugin Affects 300K WordPress Sites
https://www.wordfence.com/blog/2017/12/backdoor-captcha-plugin
Date: December 19 2017
Author: Matt Barry

Excerpt: If you have not read our previous post on Mason Soiza, I’d suggest you read that first, since he has a long history of buying WordPress plugins in order to place cloaked backlinks on his users’ sites. He then uses these backlinks to increase page rank in SERPs (Search Engine Results Pages) since only web crawlers such as Googlebot can read them.
——————————————————————————-
Fixing Data Breaches Part I: Education
https://www.troyhunt.com/fixing-data-breaches-part-1-education
Date: December 18 2017
Author: Troy Hunt

Excerpt: You know the old “prevention is better than cure” idiom? Nowhere is it truer than with data breaches and it’s the most logical place to start this series. The next 4 parts of “Fixing Data Breaches” are all about dealing with an incident once things go badly wrong, but let’s start by trying to stop that from happening in the first place.
[Troy has published four articles so far of his five-part series, and they are worth reading.]
——————————————————————————-
U.S. declares North Korea carried out massive WannaCry cyberattack
http://wapo.st/2yTFsPk
Date: December 19 2017
Author: Ellen Nakashima & Philip Rucker

Excerpt: The Trump administration on Monday evening publicly acknowledged that North Korea was behind the WannaCry computer worm that affected more than 230,000 computers in more than 150 countries earlier this year.
——————————————————————————-

And lastly, here are this week’s most noteworthy security bulletins:

1. Chromium browser security update
https://portal.auscert.org.au/bulletins/56290

Chromium (and Chrome) 63.0.3239.108 addresses a flaw allowing a web page containing malicious content to cause Chromium to crash, execute arbitrary code, or disclose sensitive information when visited by the victim.

2. otrs2 security update
https://portal.auscert.org.au/bulletins/56198

Two vulnerabilities were discovered in the Open Ticket Request System which could result in information disclosure or the execution of arbitrary shell commands by logged-in agents.

3. Security vulnerabilities patched in VMware products
https://portal.auscert.org.au/bulletins/56322

Successful exploitation of this issue could result in a low-privileged user gaining root-level privileges over the appliance base OS.
[note: multiple issues exist]

4. Apache vulnerability announced and patched in F5 Networks Products
https://portal.auscert.org.au/bulletins/56386

The Apache modules apache_auth_token_mod and mod_auth_f5_auth_token.cpp allow an unauthenticated attacker to brute-force the em_server_ip authorization parameter and so determine which SSL client certificates are used for mutual authentication between BIG-IQ or Enterprise Manager (EM) and managed BIG-IP devices.
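Until the patch is applied, a brute-force of a single request parameter is easy to see in the web server's access log: one source, one path, many distinct values of the parameter, nearly all rejected. The following is an added example, not F5's code or documentation, of that detection over constructed Apache combined-format log lines; the `/auth_token` path and the sample addresses are placeholders, and only the parameter name em_server_ip comes from the bulletin.

```python
"""Detect one source cycling through many values of a request parameter
(here em_server_ip) against one path, with most attempts rejected.
Added example over constructed Apache combined-format log lines."""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed: six guesses from 203.0.113.9, all rejected; three legitimate
# requests from 198.51.100.7 reusing one value; one unrelated request.
SAMPLE_LOG = """\
203.0.113.9 - - [19/Dec/2017:10:00:01 +1000] "GET /auth_token?em_server_ip=10.0.0.1 HTTP/1.1" 403 512 "-" "curl/7.47.0"
203.0.113.9 - - [19/Dec/2017:10:00:01 +1000] "GET /auth_token?em_server_ip=10.0.0.2 HTTP/1.1" 403 512 "-" "curl/7.47.0"
203.0.113.9 - - [19/Dec/2017:10:00:02 +1000] "GET /auth_token?em_server_ip=10.0.0.3 HTTP/1.1" 403 512 "-" "curl/7.47.0"
203.0.113.9 - - [19/Dec/2017:10:00:02 +1000] "GET /auth_token?em_server_ip=10.0.0.4 HTTP/1.1" 403 512 "-" "curl/7.47.0"
203.0.113.9 - - [19/Dec/2017:10:00:03 +1000] "GET /auth_token?em_server_ip=10.0.0.5 HTTP/1.1" 403 512 "-" "curl/7.47.0"
203.0.113.9 - - [19/Dec/2017:10:00:03 +1000] "GET /auth_token?em_server_ip=10.0.0.6 HTTP/1.1" 403 512 "-" "curl/7.47.0"
198.51.100.7 - - [19/Dec/2017:10:05:00 +1000] "GET /auth_token?em_server_ip=10.0.0.3 HTTP/1.1" 200 1024 "-" "BIG-IP"
198.51.100.7 - - [19/Dec/2017:10:06:00 +1000] "GET /auth_token?em_server_ip=10.0.0.3 HTTP/1.1" 200 1024 "-" "BIG-IP"
198.51.100.7 - - [19/Dec/2017:10:07:00 +1000] "GET /auth_token?em_server_ip=10.0.0.3 HTTP/1.1" 200 1024 "-" "BIG-IP"
198.51.100.7 - - [19/Dec/2017:10:08:00 +1000] "GET / HTTP/1.1" 200 2048 "-" "BIG-IP"
"""

# Apache combined log format: client, identd, user, [timestamp], "request", status, ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) '
)


def parse_requests(log_text):
    """Yield (client_ip, path, query_dict, status) for each parseable line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["url"])
        yield m["ip"], parts.path, parse_qs(parts.query), int(m["status"])


def brute_force_sources(log_text, param="em_server_ip", min_distinct=5, min_fail_ratio=0.8):
    """Return {(client_ip, path): (distinct_values, attempts, rejected)} for
    sources that tried at least min_distinct distinct values of `param`
    against one path and had at least min_fail_ratio of those attempts
    answered with a 4xx. The ratio keeps a client that legitimately talks
    to many devices (many values, mostly 200s) out of the report."""
    stats = defaultdict(lambda: [set(), 0, 0])
    for ip, path, query, status in parse_requests(log_text):
        if param not in query:
            continue
        entry = stats[(ip, path)]
        entry[0].update(query[param])
        entry[1] += 1
        if 400 <= status < 500:
            entry[2] += 1
    return {
        key: (len(values), attempts, rejected)
        for key, (values, attempts, rejected) in stats.items()
        if len(values) >= min_distinct and rejected / attempts >= min_fail_ratio
    }


if __name__ == "__main__":
    for (ip, path), (distinct, attempts, rejected) in brute_force_sources(SAMPLE_LOG).items():
        print(f"{ip} -> {path}: {distinct} distinct values, {rejected}/{attempts} rejected")
```

Thresholds are per environment: lower min_distinct if the management interface sees little traffic, and drop the status check entirely if the module answers guesses with a 200 and a body that differs, since then the log status carries no signal.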

Wishing you a merry Christmas and a happy New Year,
David and the team at AUSCERT