//Week in review - 2 Feb 2018

AusCERT Week in Review for 2nd February 2018


In pun-related security news this week, a literal cabinet was named as the source of some highly sensitive Cabinet document leaks. It highlights the golden rule of security: know your assets, including the ones that leave the building in a furniture sale.

A Flash 0day blamed on North Korean actors has been seen targeting South Korean users. Adobe expects to have the vulnerability patched next week; until then, disabling Flash Player is the available mitigation.
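One concrete way to take that option on Windows fleets, as an added example that is not from the AusCERT bulletin or Adobe's advisory: set the ActiveX kill bit for the Shockwave Flash Object so Internet Explorer (and other hosts that honour IE kill bits) will not load the control, then read the value back. The CLSID and the 0x400 kill-bit flag are Microsoft's documented ones; the script itself is an addition here. It does nothing for Chrome's bundled Flash or Firefox's NPAPI plugin, which need their own policy settings, and it should be tried on a test host before rollout.

```powershell
# Added example: kill-bit the Flash ActiveX control, then verify. Run elevated.
# CLSID of the Shockwave Flash Object; 0x400 in "Compatibility Flags" is the kill bit.
$clsid = '{D27CDB6E-AE6D-11CF-96B8-444553540000}'
$paths = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"  # 32-bit IE on 64-bit Windows
)

foreach ($p in $paths) {
    if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
    New-ItemProperty -Path $p -Name 'Compatibility Flags' -PropertyType DWord -Value 0x400 -Force | Out-Null
}

# Verification: report per key whether the kill bit is actually set.
foreach ($p in $paths) {
    $v = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    $state = if (($v -band 0x400) -eq 0x400) { 'kill bit set' } else { 'kill bit NOT set' }
    '{0}: {1}' -f $p, $state
}
```

Once the Adobe patch lands and is deployed, remove the two registry values (or set the flag back to 0) so the updated control can load again; the kill bit does not clear itself.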

Adaptive phishing kits are upping their mimicry game. A newly discovered kit takes the victim's email address, extracts the domain and downloads that domain's favicon to brand the fake login page. It's all in the details.
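As an added example (not code from the ISC diary or from the kit itself), the following Python reproduces the adaptation step from the defender's side: it pulls the address out of a URL the way such kits are fed it, derives the domain and the favicon the kit would fetch, and flags the tell that gives these pages away, namely branding derived from the victim's domain on a page hosted somewhere else. The sample URLs are constructed, and the favicon paths are an assumption since the diary does not say which URL the kit tries.

```python
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample URLs (not taken from the diary). The first and third carry
# the victim's address the way adaptive kits are typically fed it; the second is
# a legitimate login page on the organisation's own domain.
SAMPLE_URLS = [
    "https://secure-login.example.net/index.php?email=alice@victimcorp.com",
    "https://victimcorp.com/login",
    "https://docs-share.example.org/view/#bob%40bank.example",
]


def extract_victim_email(url):
    """Return the e-mail address carried in the URL's query string or fragment, or None."""
    parts = urlparse(url)
    for values in parse_qs(parts.query).values():
        for value in values:
            if "@" in value:
                return unquote(value)
    fragment = unquote(parts.fragment)
    if "@" in fragment:
        return fragment
    return None


def derive_branding(email):
    """Reproduce the kit's adaptation step: everything it needs comes from the domain part.

    The favicon locations are an assumption; the diary says only that the kit pulls
    the favicon from the victim's domain, not which URL it requests first.
    """
    domain = email.rsplit("@", 1)[1].lower()
    return {
        "domain": domain,
        "favicon_candidates": [
            "https://%s/favicon.ico" % domain,
            "http://%s/favicon.ico" % domain,
        ],
        "page_title": "%s - Sign in" % domain,
    }


def triage(url):
    """Flag the tell: a login page branded as one domain but hosted on another."""
    host = (urlparse(url).hostname or "").lower()
    email = extract_victim_email(url)
    if email is None:
        return {"url": url, "host": host, "suspicious": False,
                "reason": "no address in URL"}
    brand = derive_branding(email)
    same_org = host == brand["domain"] or host.endswith("." + brand["domain"])
    return {
        "url": url,
        "host": host,
        "victim_domain": brand["domain"],
        "expected_favicon": brand["favicon_candidates"][0],
        "suspicious": not same_org,
        "reason": "host matches branding" if same_org else "hosted outside the branded domain",
    }


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        r = triage(u)
        print("%-7s %s (%s)" % ("PHISH?" if r["suspicious"] else "ok", u, r["reason"]))
```

The same derivation is useful on the proxy side: a request for `victimcorp.com/favicon.ico` whose referrer is an unrelated host is exactly the fetch this kit makes, and is worth an alert on its own.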

Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

Title: Adaptive Phishing Kit
Date Published: 01/02/2018
Author: Xavier Mertens
Excerpt: “Phishing kits are usually mimicking well-known big Internet players (eBay, Paypal, Amazon, Google, Apple, Microsoft…[add your preferred one here]). I found an interesting phishing kit which adapts itself to the victim. Well, more precisely, it adapts to the victim email address.”


Title: The Cabinet Files reveal national security breaches, NBN negotiations, welfare reform plans
Date Published: 31/01/2018
Author: Ashlynne McGhee and Michael McKinnon
Excerpt: “The documents were in two locked filing cabinets sold at an ex-government sale in Canberra. They were sold off cheaply because they were heavy and no-one could find the keys. A nifty person drilled the locks and uncovered the trove of documents inside.”


Title: GoGet alleged ‘hacker’ revealed as infosec researcher Nik Cubrilovic
Date Published: 31/01/2018
Author: Allie Coyne
Excerpt: “According to the Illawarra Mercury, Cubrilovic had informed GoGet of vulnerabilities in its fleet booking system in 2016, for which GoGet rewarded him by waiving money owed on his account.

But police reportedly allege that a year later he hacked into the system when his girlfriend’s account was suspended, creating more than 30 bookings on five different vehicles and each time charging the booking to a stranger’s account.”


Title: North Koreans deploy zero-day Adobe Flash attacks
Date Published: 02/02/2018
Author: Juha Saarinen
Excerpt: “North Korean hackers are believed to be behind a malware campaign targeting Windows users in South Korea, using a new zero-day vulnerability in Adobe’s Flash media player.

The campaign was reported by security researcher Simon Choi, who said the North Koreans have been using the Flash zero-day since the middle of November last year.”


Title: Critical Infrastructure More Vulnerable Than Ever Before
Date Published: 01/02/2018
Author: Tara Seals
Excerpt: “‘Despite numerous incidents, reports and large-scale regulatory efforts, it is alarming that, overall, industrial systems aren’t more secure than they were 10 years ago,’ said Vladimir Nazarov, head of ICS Security at PT. ‘Today, anyone can go on the internet and find vulnerable building systems, data centers, electrical substations and manufacturing equipment. ICS attacks can mean much more than just blackouts or production delays – lives may be at stake. This is why it’s so important that before even writing the first line of code, developers design-in the security mechanisms necessary to keep ICS components secure. And when these mechanisms eventually become outdated, they need to modernize them in a timely manner.'”

Here are this week’s noteworthy security bulletins:

1) ASB-2018.0039 – [Win][UNIX/Linux] Mozilla Firefox: Execute arbitrary code/commands – Remote with user interaction

Firefox 58.0.1 fixes unsanitised output in the browser UI that could lead to remote code execution.

2) ASB-2018.0038 – [Win][UNIX/Linux] Mozilla Thunderbird: Multiple vulnerabilities

Thunderbird 52.6 fixes a slew of vulnerabilities, including some potential RCEs.

3) ESB-2018.0326 – [Win][Linux][Mac] Adobe Flash Player: Execute arbitrary code/commands – Remote with user interaction

Shockingly, a 0day has been discovered in Flash. Patch is expected out next week, so stay safe until then!

4) ESB-2018.0317 – [Linux][RedHat] systemd: Denial of service – Existing account

In its rush to init, systemd contains a race condition in its handling of automount requests that can cause a denial of service for any process that needs the automounted volume.

Stay safe, stay patched and have a good weekend!