
AusCERT Week in Review for 29th June 2018



Business Email Compromise (BEC) has been in the news this week, with a flurry of incidents and investigations. Do you have two-factor authentication enabled on your Outlook and Office 365 accounts? It is the single easiest control against the account-takeover variant of these attacks, although it does nothing against a scammer who simply spoofs your domain or registers a lookalike one, so keep verifying changes to payment details out of band.

Privacy and consent haven’t been solved yet, and the revelation that the HealthEngine booking service was feeding patients’ personal health information to personal injury law firms (ambulance-chasers, in plain terms) has made waves this week.

The Drupalgeddon 3 vulnerability (CVE-2018-7602, fixed in April) is still being exploited to install cryptocurrency miners. If you haven’t patched yet, please make it a priority.

Of the data breaches around the world, three caught our eye: Adidas, Exactis (a marketing data aggregation firm) and Ticketmaster. Exactis in particular may have exceeded the infamous Equifax breach in scope.

In the news this week:

MasterChef finalist caught in conveyancing hacker attack
Date:    22 June 2018
Author: Simon Johanson

A former MasterChef contestant and her family are homeless after hackers stole $250,000 from their home sale.

MasterChef finalist Dani Venn woke to a housing nightmare on Monday when it was confirmed $250,000 from the settlement of her semi-rural property on the outskirts of Melbourne was stolen after her conveyancer’s account was hacked.

Two people charged over alleged email scam
Date:    28 June 2018
Author: NSW Police

A man and woman will face court next month after being charged over alleged email scams netting more than $70,000.

Detectives from the State Crime Command’s Cybercrime Squad established Strike Force Cabernet to investigate organised criminal groups committing large scale business email compromises.

Medical appointment booking app HealthEngine sharing clients’ personal information with lawyers
Date:    26 June 2018
Author: ABC News

Health Minister Greg Hunt has ordered an “urgent review” of Australia’s biggest online doctor appointment booking service, HealthEngine.

The ABC earlier reported that the HealthEngine app has funnelled hundreds of users’ private medical information to law firms seeking clients for personal injury claims.

Hackers Exploit Drupal Flaw for Monero Mining
Author: Ionut Arghire
Date:    22 June 2018

Tracked as CVE-2018-7602 and considered a highly critical issue that could result in remote code execution, the vulnerability impacts Drupal versions 7 and 8 and was addressed in April this year.

Last month, hackers were observed targeting both security vulnerabilities to deliver a variety of threats, including cryptocurrency miners, remote administration tools (RATs) and tech support scams.

Trend Micro now says they noticed network attacks exploiting CVE-2018-7602 to turn affected systems into Monero-mining bots. As part of the observed incidents, the exploit fetches a shell script that retrieves an Executable and Linkable Format-based (ELF) downloader.

Articles about the most significant data breaches:

Exactis: https://www.cnet.com/news/exactis-340-million-people-may-have-been-exposed-in-bigger-breach-than-equifax/
Adidas: https://www.bloomberg.com/news/articles/2018-06-28/adidas-says-millions-of-u-s-customers-being-alerted-of-breach
Ticketmaster: https://security.ticketmaster.com.au

Here are this week’s noteworthy security bulletins (in no particular order):

1. ASB-2018.0138 – [Win][UNIX/Linux][Mobile] Mozilla Firefox: Multiple vulnerabilities

Memory corruption leading to probable remote code execution, cross-site request forgery, crashes and a sandbox escape.

2. ESB-2018.1854 – [Win][UNIX/Linux] Jenkins plugins: Multiple vulnerabilities

Major plugins for Jenkins were subject to a mixed bag of vulnerabilities: cross-site request forgery, storage of credentials in plaintext, unauthorised config viewing, zip file directory traversal, etc.

3. ESB-2018.1865 – [RedHat] ansible: Access privileged data – Existing account

Credentials were logged in cleartext.

4. ESB-2018.1874 – [RedHat] Red Hat Virtualization Manager: Access confidential data – Existing account

More cleartext credential logging.

5. ESB-2018.1891 – [Appliance] F5 products: Denial of service – Existing account

Linux kernel bug dating back to 2012 allowed authenticated (local) users to deny service.


Stay safe, stay protected and have a good weekend,
David and the team at AusCERT