
AusCERT Week in Review for 19th January 2018


Move over Star Wars. The Coin Wars have begun!

As if hijacking other people’s CPUs to mine cryptocurrency wasn’t bad enough, some actors have taken to using botnets to steal others’ hard-earned bitcoins by misdirecting them from compromised cryptominers to their own wallets. Bitcoin-driven malicious activity will certainly be something to look out for this year! Plus, botnets usually in the business of spreading malware are sending spam to pump up interest in Swisscoin to aid its trading price!

Add to that a side serving of the battery of malware that is keen to take a peek into your private life, or worse, take over your life.

On a happier note, paper submissions for the AusCERT 2018 conference close today at midnight, so grab those keyboards and get typing!

Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

Art of Steal: Satori Variant is Robbing ETH BitCoin by Replacing Wallet Address
Date Published: 17/01/2018
Author: 360 netlab
Excerpt: “Starting from 2018-01-08 10:42:06 GMT+8, we noticed that one Satori’s successor variant (we name it Satori.Coin.Robber) started to reestablish the entire botnet on ports 37215 and 52869.

What really stands out is something we had never seen before, this new variant actually hacks into various mining hosts on the internet (mostly windows devices) via their management port 3333 that runs Claymore Miner software, and replaces the wallet address in the hosts with its own wallet address.”

Skygofree: Following in the footsteps of HackingTeam
Date Published: 16/01/2018
Author: Nikita Buchka and Alexey Firsh
Excerpt: “At the beginning of October 2017, we discovered new Android spyware with several features previously unseen in the wild. In the course of further research, we found a number of related samples that point to a long-term development process. We believe the initial versions of this malware were created at least three years ago – at the end of 2014. Since then, the implant’s functionality has been improving and remarkable new features implemented, such as the ability to record audio surroundings via the microphone when an infected device is in a specified location; the stealing of WhatsApp messages via Accessibility Services; and the ability to connect an infected device to Wi-Fi networks controlled by cybercriminals.”

Downloaders on Google Play spreading malware to steal Facebook login details
Date Published: 18/01/2018
Author: Alena Nohova
Excerpt: “Multiple downloaders, malicious apps that download further malicious apps to infected devices, have made it onto the Google Play Store. The downloaders are capable of downloading further apps that pose as system apps, some of which are capable of stealing Facebook login credentials. To do so, the malicious apps use social engineering tactics to trick victims into giving them up.”

Threat actors are delivering the Zyklon Malware exploiting three Office vulnerabilities
Date Published: 18/01/2018
Author: Pierluigi Paganini
Excerpt: “Security experts from FireEye have spotted a new strain of the Zyklon malware that has been delivered by using new vulnerabilities in Microsoft Office.

Researchers at FireEye reported the malware was used in attacks against organizations in the telecommunications, financial, and insurance sectors.”


World’s Largest Spam Botnet Is Pumping and Dumping an Obscure Cryptocurrency
Date Published: 17/01/2018
Author: Catalin Cimpanu
Excerpt: “The cryptocurrency in question is Swisscoin, an altcoin that’s been described as a Multi-Level-Marketing (MLM) ponzi scheme in a report last year, and for which trading was recently suspended.

Trading resumed on January 15, the same day the Necurs spam started spreading. Since the Necurs spam, the cryptocurrency lost 40% of its initial trading price.

It’s unclear what is Necurs’ impact on the Swisscoin trading price, mainly because there was no previous trading to compare the impact against.”

Here are this week’s noteworthy security bulletins:

1) ASB-2018.0034 – [Win][Linux][Virtual] GitLab Community Edition and Enterprise Edition: Multiple vulnerabilities
GitLab Community Edition (CE) and Enterprise Edition (EE) received updates to fix a number of vulnerabilities including two remote code execution vulnerabilities.

2) ESB-2018.0168 – [RedHat] linux-firmware: Access privileged data – Existing account
More reversions for the SPECTRE fixes!

3) ASB-2018.0018 – [Win][UNIX/Linux] Oracle Financial Services Applications: Multiple vulnerabilities
Oracle released its January Critical Patch Update this week, with 238 security fixes across 20 product families, including this one for Oracle Financial Services applications. The most severe vulnerability allows for remote code execution by an authenticated attacker.

4) ESB-2018.0208 – ALERT [Win] Siemens SIMATIC WinCC: Multiple vulnerabilities
ICS-CERT released a security advisory for the Siemens SIMATIC WinCC SCADA system, which is used globally for monitoring automated processes in critical infrastructure sectors such as chemical, energy, food and agriculture, and waste management. The advisory addresses a serious remote code execution vulnerability and a denial of service vulnerability that could be leveraged to introduce and execute APTs into automated processes and disable monitoring. An update has been released to fix these issues.

5) ESB-2018.0171 – [Win][UNIX/Linux][Debian] bind9: Denial of service – Remote/unauthenticated
A remotely exploitable denial of service vulnerability in BIND was fixed in updates for Debian and Ubuntu. ISC has provided BIND 9 patches, which can be downloaded from ISC.org.  

Stay safe, stay patched, stay cool and have a good weekend!