Week in review - 11 May 2018

AusCERT Week in Review for 11th May 2018


Another week, another drink from the firehose of information security. Microsoft's Patch Tuesday was largely uneventful, but Chrome, Firefox and Safari have all received significant security updates. DLA Piper has published some discussion of the major NotPetya ransomware attack it endured.

The AusCERT conference is in three weeks – we look forward to seeing some of you there!

This week in cybersecurity:


DLA Piper paid 15,000 hours of IT overtime after NotPetya attack
Date: May 8 2018
Author: Ry Crozier

Excerpt: Law firm DLA Piper has revealed its IT team put in 15,000 hours of paid overtime to recover from the NotPetya malware infection.

The company was also forced to wipe its entire Windows environment and “start afresh” after the first two weeks showed nothing in the existing environment was “salvageable”.


Misinterpretation of Intel docs is the root cause for the CVE-2018-8897 flaw in Hypervisors and OSs
Date: May 10 2018
Author: Pierluigi Paganini

Excerpt: The CERT/CC published a security advisory to warn of the CVE-2018-8897 flaw that impacts the Linux kernel and software developed by major tech firms including Apple, the DragonFly BSD Project, Red Hat, the FreeBSD Project, Microsoft, SUSE Linux, Canonical, VMware, and the Xen Project (CERT/CC published the complete list of companies whose products may be impacted).

Experts explained that in the case of Linux, the flaw can trigger a denial-of-service (DoS) condition or cause the crash of the kernel.

According to Microsoft, an attacker can exploit the security flaw on Windows for privilege escalation.


baseStriker: Office 365 attack
Date: May 8 2018
Author: Yoav Nathaniel

Excerpt: In this example, Office 365 only performs the lookup on the base domain, ignoring the relative URL in the rest of the body. Because only part of the URL is tested, it mistakenly appears to not exist in the malicious URL database and the email is let through. Furthermore, Safelinks does not replace the malicious link, and the user gets the original malicious link and can click it to get right to the phishing page.
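
The excerpt describes the check, not the HTML that defeats it. baseStriker relies on the HTML `<base href>` element: the attacker's host appears only in `<base>`, and the link the user clicks carries just a relative path, which a browser resolves against the base. The following is an added example, not code from the original post or from the researchers who reported the issue. The e-mail body, the blocklist and the domain names in it are constructed for illustration. It contrasts a scanner that only looks up absolute URLs found literally in the body (the behaviour the excerpt describes) with one that resolves every anchor against `<base>` the way a browser does.

```javascript
// Added example (not from the original post): why a URL lookup that ignores
// <base href> misses a relative phishing link. All inputs here are constructed.

// Constructed phishing e-mail: the only absolute URL in the body is the
// <base href>; the anchor carries just the relative part of the path.
const EMAIL_BODY = `
<html><head><base href="http://phish.example/"></head>
<body>
  <p>Your mailbox is almost full.</p>
  <a href="o365/login/index.html">Review storage settings</a>
</body></html>`;

// Constructed malicious-URL database: the full phishing URL is listed,
// the bare host on its own is not.
const BLOCKLIST = new Set([
  "http://phish.example/o365/login/index.html",
]);

// Naive scanner: collect every absolute URL that appears literally in the
// body. The relative anchor never becomes a URL, so only the base is tested.
function extractLiteralUrls(html) {
  return Array.from(html.matchAll(/https?:\/\/[^\s"'<>]+/g), (m) => m[0]);
}

// Resolving scanner: honour <base href> as a browser does and resolve every
// anchor against it before the lookup.
function extractResolvedUrls(html) {
  const base = html.match(/<base\s+[^>]*href\s*=\s*"([^"]+)"/i);
  const baseHref = base ? base[1] : null;
  const out = [];
  for (const m of html.matchAll(/<a\s+[^>]*href\s*=\s*"([^"]+)"/gi)) {
    try {
      out.push(baseHref ? new URL(m[1], baseHref).href : new URL(m[1]).href);
    } catch (e) {
      // A relative href with no <base> cannot be resolved to a host from the
      // message alone, so it is skipped rather than guessed.
    }
  }
  return out;
}

function isBlocked(urls) {
  return urls.some((u) => BLOCKLIST.has(u));
}

// Verdicts of the two scanners on the same message.
function naiveVerdict(html) {
  return isBlocked(extractLiteralUrls(html));
}

function resolvedVerdict(html) {
  return isBlocked(extractResolvedUrls(html));
}

console.log("literal URLs seen:   ", extractLiteralUrls(EMAIL_BODY));
console.log("resolved URLs seen:  ", extractResolvedUrls(EMAIL_BODY));
console.log("naive scanner blocks:    ", naiveVerdict(EMAIL_BODY));
console.log("resolving scanner blocks:", resolvedVerdict(EMAIL_BODY));
```

The naive scanner sees only `http://phish.example/`, which is not in the database, so the message passes; the resolving scanner produces the full `http://phish.example/o365/login/index.html` and blocks it. The practical check for a mail filter is therefore whether it resolves links against `<base>` (or strips the element) before the reputation lookup and before Safe Links rewriting.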


Drupal Sites Fall Victims to Cryptojacking Campaigns
Date: May 8 2018
Author: Catalin Cimpanu

Excerpt: Their efforts and expectations were fully rewarded, as the two vulnerabilities (CVE-2018-7600 and CVE-2018-7602) left over one million websites vulnerable to hacks if they didn’t receive immediate updates.

Some webmasters updated their sites, but many didn’t, and those websites quickly fell victim to backdoors and coinminers shortly after the publication of proof-of-concept attack code.


And lastly, here are this week’s most noteworthy security bulletins:


1. Adobe Flash Player update


Another remote code execution vulnerability, exploitable if a user opens malicious Flash content.


2. MOV/POP SS crash


A user running unprivileged code can crash the Linux kernel, and Microsoft rates the same issue as a privilege escalation on Windows, owing to a long-standing misreading of the MOV SS and POP SS instructions, which delay interrupts and debug exceptions until after the following instruction has executed.


3. WebKit RCE from web content


WebKit and its Linux port WebKitGTK+ contained memory corruption bugs which could lead to remote code execution from a web browser.


4. Firefox vulnerabilities


Continuing the theme of RCEs from web browsers, more memory corruption issues were addressed in Firefox and Firefox Extended Support Release.


Stay safe, stay patched and have a good weekend.