29 Mar 2018

Week in review

AUSCERT Week in Review for 29th March 2018

AUSCERT Week in Review
29 March 2018

Greetings,

As Thursday the 29th of March closes, there are a few things on the AUSCERT’s team’s mind.
First and foremost is the two (2) days of AUSCERT Conference at the Gold Coast on Thursday May 30, and Friday June 1st.  Equally important is that the registration for the AUSCERT tutorials that precede the conference is out and remember that tutorials are complimentary for anyone who holds a Full Conference Registration.
You can find further information on each of the tutorials via https://conference.auscert.org.au/conference-program/  
The conference is a big event but there is also another big event at the Gold Coast which may draw unwanted interest from spammers. This is the GC2018 Commonwealth Games.  So making your users aware that spammers may make the most of events and craft emails in ways that entice them to open attachments or follow link, could be worth the while.
And to make a difference, on the first hour of the last day of the week, instead of the last hour of the last day of the week, Drupal Core has a patch available where by they expect the PoC to come out “hours or days” after the disclosure.  So I do hope you got the SMS from AUSCERT’s Bulletin service this morning.  

As for news, here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

——-

Title:  Drupal Fixes Drupalgeddon2 Security Flaw That Allows Hackers to Take Over Sites
URL:    https://www.bleepingcomputer.com/news/security/drupal-fixes-drupalgeddon2-security-flaw-that-allows-hackers-to-take-over-sites/
Date:   March 28, 2018
Author: Catalin Cimpanu

Excerpt:
“The Drupal CMS team has fixed a highly critical security flaw that allows hackers to take over a site just by accessing an URL.
Drupal site owners should immediately —and we mean right now— update their sites to Drupal 7.58 or Drupal 8.5.1, depending on the version they’re running.
The Drupal team pre-announced today’s patches last week when it said “exploits might be developed within hours or days” after today’s disclosure”

——-

Title:  Don’t get hacked during the Games  
URL:    https://www.technologydecisions.com.au/content/security/news/don-t-get-hacked-during-the-games-634148475
Date:   March 23, 2018
Author: Technology Decisions

Excerpt:
“It is expected that the Gold Coast Commonwealth Games will attract high levels of cybercrime, with businesses urged to stay alert for the possibility…
Potential attacks to be aware of during the 2018 Commonwealth Games include:
 o hacks through public Wi-Fi hotspots that will be available throughout the Games;
 o email-based spear phishing campaigns that trick people into divulging personal information or clicking on links that release malware into their systems;
 o hacked social media and business websites;
 o point-of-sale attacks that let cybercriminals obtain credit card details;
 o ransomware attacks that prey on the time-sensitive nature of Games-related activities to force victims to pay higher ransoms, fast;
 o fraudulent invoices and payment details.”

——-

Title:  In-Browser Cryptojacking Is Getting Harder to Detect
URL:    https://www.bleepingcomputer.com/news/security/in-browser-cryptojacking-is-getting-harder-to-detect/
Date:   March 27, 2018
Author: Catalin Cimpanu

Excerpt:
“Cyber-criminals aren’t stupid. If you find a way to block their code, they’re going to find a way to around your block.
That’s how it’s been for decades in the antivirus business, and this is exactly what’s happening right now on the in-browser cryptocurrency mining (cryptojacking) scene…”

——-

Title:  Intel CPUs Vulnerable to New ‘BranchScope’ Attack
URL:    https://www.securityweek.com/intel-cpus-vulnerable-new-branchscope-attack
Date:   March 27, 2018
Author: Eduard Kovacs

Excerpt:
“Researchers have discovered a new side-channel attack method that can be launched against devices with Intel processors, and the patches released in response to the Spectre and Meltdown vulnerabilities might not prevent these types of attacks.
The new attack, dubbed BranchScope, has been identified and demonstrated by a team of researchers from the College of William & Mary, University of California Riverside, Carnegie Mellon University in Qatar, and Binghamton University.”

——-

Title:  Crooks infiltrate Google Play with malware in QR reading utilities
URL:    https://nakedsecurity.sophos.com/2018/03/23/crooks-infiltrate-google-play-with-malware-lurking-in-qr-reading-utilities/
Date:   March 23, 2018
Author: Paul Ducklin

Excerpt:
“…First, the apps were, at least on the surface, what they claimed: six were QR code reading apps; one was a so-called “smart compass”.
In other words, if you were just trying out apps for fun, or for a one-off purpose, you’d be inclined to judge them by their own descriptions.
Second, the crooks didn’t fire up the adware part of their apps right away, lurking innocently for a few hours before unleashing a barrage of ads.
Third, the adware part of each app was embedded in what looks at first sight like a standard Android programming library that was itself embedded in the app.”

——-

Title:  Thousands of etcd installations are currently leaking 750MB worth of passwords, keys, and sensitive data.
URL:    http://securityaffairs.co/wordpress/70611/hacking/etcd-installs-data-leak.html
Date:   March 25, 2018
Author: Pierluigi Paganini

Excerpt:
“Thousands of servers belonging to private businesses and organizations are leaking credentials and potentially sensitive data.
It is quite easy for hackers to use the credentials to access the servers and steal sensitive data or use the machines to power cyber attacks.
According to the researcher Giovanni Collazo, querying the popular Shodan search engine he found almost 2,300 servers exposed online that were running etcd, which is a distributed key value store that provides a reliable way to store data across a cluster of machines.”

——-

Title:  Facebook Collected Call and SMS Metadata From Some Users’ Smartphones
URL:    https://www.bleepingcomputer.com/news/technology/facebook-collected-call-and-sms-metadata-from-some-users-smartphones/
Date:   March 24, 2018
Author: Catalin Cimpanu

Excerpt:
“Several Facebook users who downloaded an archive of their Facebook data in the wake of the Facebook-Cambridge Analytica scandal discovered this week that the social network’s mobile applications have been recording —in some cases— much more information than most people were expecting.

Logged information includes data on all phone calls made on the phone, the start time o each call, its duration, and the contact’s name. The Facebook app did not log phone calls to and from numbers not saved in the phone’s address book.”

——-

Here are this week’s noteworthy security bulletins (in no particular order):

1.    ESB-2018.0844 – [SUSE] kernel: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/60038

The SUSE Linux Enterprise 12 SP2 kernel was updated to 4.4.120 to receive various security and bugfixes including executing code.

2.    ESB-2018.0863 – [Win][UNIX/Linux][RedHat] slf4j: Execute arbitrary code/commands – Remote/unauthenticated
https://portal.auscert.org.au/bulletins/60114

Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution.

3.    ESB-2018.0883 – [SUSE] LibVNCServer: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/60198

Heap-based buffer overflow in rfbproto.c allowed remote servers to cause a denial of service (application crash) or possibly execute arbitrary code.

4.    ASB-2018.0063 – [Win][UNIX/Linux] Mozilla Firefox: Execute arbitrary code/commands – Remote with user interaction
https://portal.auscert.org.au/bulletins/60158

Use-after-free in compositor results in a potentially exploitable crash.

5.    ESB-2018.0888 – [Win][UNIX/Linux][Debian][Apple iOS][Android] mupdf: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/60218

Two vulnerabilities were discovered in MuPDF, a PDF, XPS, and e-book viewer, which may result in denial of service or remote code execution.


And lastly for an even more up-and-coming event, a long four (4) day weekend looks nice, but beware little emails bearing easter eggs, and please get your Drupal site patched.   
Wishing you the best from AUSCERT and hope to see you safe next week,
Geoffroy