//Week in review - 13 Apr 2018

AusCERT Week in Review for 13th April 2018


Happy Friday the 13th all!

Well, Cisco’s Smart Install protocol vulnerability, which can lead to remote denial of service and code execution, now has a publicly available exploit, so get fixing it! AusCERT members exposed to this vulnerability will receive MSINs addressing the issue.
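As an added example (not from the AusCERT bulletin, Cisco’s advisory or the public exploit), here is a small Python triage script for the Smart Install issue. It assumes the Cisco-documented facts that the Smart Install client listens on TCP/4786, that `show vstack config` reports a line such as `Role: Client (SmartInstall enabled)`, and that `no vstack` disables the client; the switch names and the `show vstack config` text in the script are constructed samples, and the TCP probe is only a reachability check to run against devices you are authorised to test.

```python
import re
import socket
from dataclasses import dataclass
from typing import Dict, List, Optional

# Smart Install client port (documented by Cisco); assumption stated in the lead-in.
SMART_INSTALL_PORT = 4786

# Constructed sample output of `show vstack config` for three hypothetical switches.
SAMPLE_OUTPUTS: Dict[str, str] = {
    "sw-edge-01": " Role: Client (SmartInstall enabled)\n Vstack Director IP address: 0.0.0.0\n",
    "sw-edge-02": " Role: Client (SmartInstall disabled)\n Vstack Director IP address: 0.0.0.0\n",
    "sw-core-01": " Role: Director\n Vstack Director IP address: 10.0.0.1\n",
}

# Matches "Role: Client (SmartInstall enabled)" and "Role: Director"; the
# state group is absent when the device is not a Smart Install client.
_ROLE_RE = re.compile(
    r"Role:\s*(?P<role>[A-Za-z]+)(?:\s*\(SmartInstall\s+(?P<state>enabled|disabled)\))?",
    re.IGNORECASE,
)


@dataclass
class VstackStatus:
    hostname: str
    role: Optional[str]   # None when the output could not be parsed
    client_enabled: bool  # True only for role "Client" with "SmartInstall enabled"


def parse_vstack_config(hostname: str, output: str) -> VstackStatus:
    """Parse saved `show vstack config` text. Unparseable output is reported
    with role=None so it gets flagged for manual review instead of being
    silently treated as safe."""
    m = _ROLE_RE.search(output)
    if m is None:
        return VstackStatus(hostname, None, False)
    role = m.group("role").capitalize()
    state = (m.group("state") or "").lower()
    return VstackStatus(hostname, role, role == "Client" and state == "enabled")


def remediation(status: VstackStatus) -> Optional[str]:
    """Return an action string for devices that need attention, else None."""
    if status.client_enabled:
        return (f"{status.hostname}: Smart Install client enabled; apply 'no vstack' "
                f"if unused, otherwise patch and restrict TCP/{SMART_INSTALL_PORT}")
    if status.role is None:
        return f"{status.hostname}: could not parse 'show vstack config' output, verify manually"
    return None


def triage(outputs: Dict[str, str]) -> List[VstackStatus]:
    """Return the statuses that carry a remediation, in input order."""
    statuses = [parse_vstack_config(h, o) for h, o in outputs.items()]
    return [s for s in statuses if remediation(s) is not None]


def port_open(host: str, port: int = SMART_INSTALL_PORT, timeout: float = 2.0) -> bool:
    """TCP reachability probe for the Smart Install port. Any socket error,
    including a timeout, is reported as closed. Only run this against devices
    you are authorised to test."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for status in triage(SAMPLE_OUTPUTS):
        print(remediation(status))
```

Running the script on the constructed samples flags only sw-edge-01. Devices that do not need Smart Install should have the client disabled with `no vstack`; devices that do need it should be patched and have TCP/4786 restricted to the director.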

Microsoft had 5 security updates addressing its browsers, Windows OS and Office products. None had known publicly available exploits at the time.

Then there’s the lighter side of things, like PUBG ransomware (PUBG doesn’t stand for pub games, unfortunately). It requires victims to play PlayerUnknown’s Battlegrounds for one hour to decrypt their files, but wait, there’s more! Read on.

Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

Title: Researchers discovered several flaws that expose electrical substations to hack

Date Published: 12/04/2018

Author: Pierluigi Paganini, Security Affairs
Excerpt: “By exploiting these vulnerabilities, an attacker is able to change the configuration of power-system protection relay which can lead to disruption of the power equipment protection function (and potentially to an accident) or customer curtailment.”

The most severe vulnerability (rated high severity), tracked as CVE-2018-4840, can be exploited by a remote and unauthenticated attacker to modify the device’s configuration and overwrite access passwords.

“The device engineering mechanism allows an unauthenticated remote user to upload a modified device configuration overwriting access authorization passwords.” reads the security advisory published by Siemens.

The second flaw, tracked as CVE-2018-4839, is a medium severity issue that could be exploited by a local or network attacker to recover the access authorization password by intercepting network traffic or obtaining data from the targeted device. Once the attacker has obtained the password, he can use it to gain complete access to a device.”

Title: Health holds crown as the most breached sector in Australia
Date Published: 11/04/2018
Author: Asha McLean, ZDNet
Excerpt: “The Quarterly Statistics Report: January 2018-March 2018 revealed that health service providers accounted for 15 breaches; legal, accounting, and management services suffered 10; finance, including superannuation, reported eight breaches; education suffered six; and charities four.


The NDB scheme requires agencies and organisations in Australia that are covered by the Privacy Act 1988 to notify individuals whose personal information is involved in a data breach that is likely to result in “serious harm” as soon as practicable after becoming aware of a breach.


According to the OAIC report [PDF], 73 percent of eligible data breaches reported involved the personal information of less than 100 individuals, with just over half of the notifications involving the personal information of between one and nine individuals.”

Title: Barracuda Threat Spotlight: New URL File Outbreak Could be a Ransomware Attempt

Date Published: 10/04/2018
Author: Jonathan Tanner, Barracuda

Excerpt: “Multiple downloaders, malicious apps that download further malicious apps to infected devices, have made it onto the Google Play Store. The downloaders are capable of downloading further apps that pose as system apps, some of which are capable of stealing Facebook login credentials. To do so, the malicious apps use social engineering tactics to trick victims into giving them up.”

Title: PUBG Ransomware Decrypts Your Files If You Play PlayerUnknown’s Battlegrounds
Date Published: 09/04/2018
Author: Lawrence Abrams, Bleeping Computer
Excerpt: “Once a user plays the game and the process is detected, the ransomware will automatically decrypt the victim’s files. This ransomware is not too advanced as it only looks for the process name and does not check for other information to confirm that the game is actually being played.

That means you can simply run any executable called TslGame.exe and it will decrypt the files.

This is not the first time a joke ransomware has been created that requires you to play a game before files will be decrypted. In 2017, MalwareHunterTeam also found RensenWare, which required you to play the TH12 game and score 0.2 billion points in order to recover your files.”

Title: Major uptick in mobile phishing URL click rate
Date Published: 10/04/2018
Author: HelpNet Security
Excerpt: “Phishing attacks are particularly effective on mobile devices because hidden email headers and URLs make it easy to spoof email addresses and websites while new vectors, including SMS and messaging apps, enable attackers to make their campaigns personal.

“It’s critical for enterprises to realize that when it comes to mobile devices, email is not the only phishing attack vector,” said Cockerill.

“Attackers now take advantage of SMS, as well as some of today’s most popular and highly used social media apps and messaging platforms, such as WhatsApp, Facebook Messenger, and Instagram, as a means of phishing.

Security professionals who overlook these new routes of attack put their organizations at risk.””

Here are this week’s noteworthy security bulletins:

1) ESB-2018.1122 – [Cisco] Cisco IOS and IOS XE: Multiple vulnerabilities
Leading the way is this advisory from Cisco addressing multiple vulnerabilities in its Smart Install client and the related protocol that can be exploited for remote code execution or denial of service. An exploit is publicly available. Immediate patching is highly advised.

2) ESB-2018.1080 – [Win][Linux][OSX] Adobe Flash Player: Multiple vulnerabilities
More code execution vulnerabilities fixed in Adobe Flash Player.

3) ASB-2018.0075.2 – UPDATE [Win] Microsoft Windows: Multiple vulnerabilities
This update for Microsoft Windows addresses a number of vulnerabilities, including a two-year-old privilege escalation vulnerability that affects Windows 10 as well.

Stay safe, stay patched, stay cool and have a good weekend!