Week in review - 2 Mar 2018

AusCERT Week in Review for 2nd March 2018


This week saw Trustico revoke more than 20,000 SSL certificates it had issued, which earned it the attention of the infosec community, who were quick to offer unsolicited, complimentary penetration testing of its website.

GitHub has achieved the dubious (but well-handled) honour of being the biggest DDoS recipient on record, taking the crown from Dyn by absorbing 1.35 Tbps of traffic at the attack's peak. The attack was made possible by memcached UDP amplification.

Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

The UK and Australian Governments Are Now Monitoring Their Gov Domains on Have I Been Pwned
Date Published: 02 March 2018
Author: Troy Hunt
Excerpt: “As of now, all UK government domains are enabled for centralised monitoring by the National Cyber Security Centre (NCSC) and all Australian government domains by the Australian Cyber Security Centre (ACSC).”



23,000 HTTPS certs will be axed in next 24 hours after private keys leak
Date Published: 01 March 2018
Author: John Leyden
Excerpt: “This is allegedly due to a security blunder in which the private keys for said certificates ended up in an email sent by Trustico. Those keys are supposed to be secret, and only held by the cert owners, and certainly not to be disclosed in messages. In the wrong hands, they can be used by malicious websites to masquerade as legit operations.”


Financial Cyber Threat Sharing Group Phished
Date Published: 01 March 2018
Author: Brian Krebs
Excerpt: “The Financial Services Information Sharing and Analysis Center (FS-ISAC), an industry forum for sharing data about critical cybersecurity threats facing the banking and finance industries, said today that a successful phishing attack on one of its employees was used to launch additional phishing attacks against FS-ISAC members.”


GitHub hit with largest ever DDoS attack
Date Published: 02 March 2018
Author: Allie Coyne
Excerpt: “Developer platform Github has been hit with the most powerful distributed denial of service attack on record, managing to survive 1.35 Tbps of traffic flooded to its website relatively unscathed.”


Memcrashed – Major amplification attacks from UDP port 11211
Date Published: 27 February 2018
Author: Marek Majkowski
Excerpt: “Amplification attacks are effective, because often the response packets are much larger than the request packets. A carefully prepared technique allows an attacker with limited IP spoofing capacity (such as 1Gbps) to launch very large attacks (reaching 100s Gbps) “amplifying” the attacker’s bandwidth.”


Here are this week’s noteworthy security bulletins:

1) ESB-2018.0571 – ALERT [Win][UNIX/Linux][Apple iOS][Android] SAML libraries: Multiple vulnerabilities
SAML signature-verification and assertion-parsing libraries did not handle XML comments in a standardised way, and thus it was possible to use comments to have assertions accepted as valid for access the holder was not authorised for.

2) ESB-2018.0538.2 – UPDATE [Win][UNIX/Linux] Drupal Core: Multiple vulnerabilities
A number of vulnerabilities in Drupal’s core modules have been fixed, including XSS vectors.

3) ESB-2018.0603 – [Linux][Debian] freexl: Multiple vulnerabilities
A library for manipulating Excel data is vulnerable to RCE if given a maliciously malformed document.
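As an added illustration of the comment-handling mismatch behind bulletin 1 (this is example code written for this review, not code from AusCERT, the advisory, or any SAML library), the block below parses a constructed assertion fragment two ways: once after canonicalisation, which is what an XML signature covers and which drops comments, and once with a DOM-style parser that keeps comments as nodes, which is what a consumer reading only the first text node of NameID sees. The names, the `.partner.example` suffix and the empty comment are all constructed; the robust reader and the consistency check are the defensive side of the story.

```python
"""Added example: how an XML comment inside a SAML NameID can make the value a
service provider reads differ from the value the signature actually covers.
Uses only the standard library (Python 3.8+ for ET.canonicalize and
TreeBuilder(insert_comments=True))."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEID_TAG = f"{{{SAML_NS}}}NameID"

# Constructed sample (not real IdP output): the NameID text is interrupted by
# an empty XML comment. An empty comment is well-formed XML.
COMMENT_SPLIT_ASSERTION = (
    f'<saml:Assertion xmlns:saml="{SAML_NS}">'
    "<saml:Subject>"
    "<saml:NameID>alice@example.com<!---->.partner.example</saml:NameID>"
    "</saml:Subject>"
    "</saml:Assertion>"
)
# The same assertion without the comment, for comparison.
CLEAN_ASSERTION = COMMENT_SPLIT_ASSERTION.replace("<!---->", "")


def _parse_with_comment_nodes(xml_text: str) -> ET.Element:
    """Parse so comments become child nodes, as DOM-style parsers do.
    This models consumers that take NameID's first text node only."""
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(xml_text, parser=parser)


def signed_nameid(xml_text: str) -> str:
    """The value the signature covers: canonical form, comments removed,
    so the text on either side of the comment is joined into one string."""
    canonical = ET.canonicalize(xml_text)  # with_comments=False by default
    root = ET.fromstring(canonical)
    return root.find(f".//{NAMEID_TAG}").text


def naive_nameid(xml_text: str) -> str:
    """What a consumer reading only the first text node sees: the value is
    truncated at the comment, even though the signature still verifies."""
    root = _parse_with_comment_nodes(xml_text)
    return root.find(f".//{NAMEID_TAG}").text


def robust_nameid(xml_text: str) -> str:
    """Concatenate every text node under NameID, including text that follows
    comment nodes, so a comment cannot shorten the identity that is used."""
    root = _parse_with_comment_nodes(xml_text)
    nameid = root.find(f".//{NAMEID_TAG}")
    parts = [nameid.text or ""]
    for child in nameid:
        # Comment content is not part of the value; the text after it is.
        parts.append(child.tail or "")
    return "".join(parts)


def nameid_matches_signed_view(xml_text: str) -> bool:
    """Defensive check: accept the assertion only if the naive reading and
    the canonical (signed) reading of NameID agree. Any comment or other
    node that splits the text makes them differ and the assertion is rejected."""
    return naive_nameid(xml_text) == signed_nameid(xml_text)


if __name__ == "__main__":
    print("signed view :", signed_nameid(COMMENT_SPLIT_ASSERTION))
    print("naive view  :", naive_nameid(COMMENT_SPLIT_ASSERTION))
    print("robust view :", robust_nameid(COMMENT_SPLIT_ASSERTION))
    print("consistent  :", nameid_matches_signed_view(COMMENT_SPLIT_ASSERTION))
    print("clean ok    :", nameid_matches_signed_view(CLEAN_ASSERTION))
```

The fix the advisories converge on is the `robust_nameid` behaviour (read all text nodes, not the first) or, more conservatively, the `nameid_matches_signed_view` rejection of any assertion whose identifier is split by a non-text node; either way the value acted on is the one the identity provider actually signed.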


Stay safe, stay patched and have a good weekend!