AusCERT Week in Review for 17th August 2018

AusCERT Week in Review for 17th August 2018

AusCERT Week in Review
17 August 2018

Greetings,
Another week gone by, and this one has not been any thinner in bulletins to process.
Have you ever applied lots of pressure to a wet bar of soap? It may be a worth-while experiment to perform the next time you get access to a soap bar if the physics are not quite understood.
Well, entities are a bit like a bar of wet soap and are keen to avoiding legal problems, whilst maintaining a loyal and satisfied customer base.  After all that is how “quality” is defined, a satisfied customer base.  This may soon become a more complicated juggling act for organisations handling user data either, in transit or at rest, from a service they provide or equipment they manufacture.  Trying to squeeze access to data may result in organisations deciding to relinquish any possibility of access to this user data as legal ramification increase. Adding the risk of time served may alter the way an organisation may provide a service or build a product. Squeezing organisation hard in this manner may diminish, as the chance to get to the data sought slips away. So, should organisations deal with user data, at rest or in transit, from services or equipment manufactured, then perhaps the first news story of this week is worth while to look at and keep an eye if this legislation passes.  For if it does, organisations may have to re-assess their policy, denying themselves access to user-submitted data, lest time be served.     

As for the news, here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

Title:  Australians who won’t unlock their phones could face 10 years in jail
URL:    https://nakedsecurity.sophos.com/2018/08/16/australians-who-wont-unlock-their-phones-could-face-10-years-in-jail/
Date:   August 16, 2018
Author: Danny Bradbury    

Excerpt:
“The Australian government wants to force companies to help it get at suspected criminals’ data. If they can’t, it would jail people for up to a decade if they refuse to unlock their phones.”

——-

Title:  Hundreds of Instagram accounts were hijacked in a coordinated attack
URL:    https://securityaffairs.co/wordpress/75377/hacking/instagram-accounts-hacked.html
Date:   August 15, 2018
Author: Pierluigi Paganini    

Excerpt:
“Hundreds of Instagram accounts were hijacked in what appears to be the result of a coordinated attack, all the accounts share common signs of compromise.

Alleged attackers have hijacked Instagram accounts and modified personal information making impossible to restore the accounts.”

——-

Title:  PhishPoint Phishing Attack – A new technique to Bypass Microsoft Office 365 Protections
URL:    https://securityaffairs.co/wordpress/75382/hacking/phishpoint-phishing-attacks.html
Date:   August 15, 2018
Author: Pierluigi Paganini    

Excerpt:
“Security experts from the cloud security firm Avanan have discovered a new technique dubbed PhishPoint, that was used by hackers to bypass Microsoft Office 365 protections.

PhishPoint is a new SharePoint phishing attack that affected an estimated 10% of Office 365 users over the last 2 weeks.

The experts are warning of the new technique that was already used in attacks by scammers and crooks to bypass the Advanced Threat Protection (ATP) mechanism implemented by most popular email services, Microsoft Office 365.”

——-

Title:  Academics Discover New Bypasses for Browser Tracking Protections and Ad Blockers
URL:    https://www.bleepingcomputer.com/news/security/academics-discover-new-bypasses-for-browser-tracking-protections-and-ad-blockers/
Date:   August 16, 2018
Author: Catalin Cimpanu    

Excerpt:
“Security and user privacy protections included in browsers, ad blockers, and anti-tracking extensions are not as secure as everyone believes, a team of three academics from the Catholic University in Leuven, Belgium (KU Leuven) have revealed yesterday.

Their work consisted of analyzing anti-tracking settings that are built into modern browsers, but also the ones provided by some popular extensions (add-ons).”

——-

Title:  Princess Evolution Ransomware is a RaaS With a Slick Payment Site
URL:    https://www.bleepingcomputer.com/news/security/princess-evolution-ransomware-is-a-raas-with-a-slick-payment-site/
Date:   August 15, 2018
Author: Lawrence Abrams    

Excerpt:
“A new variant of the Princess Locker ransomware is being distributed called Princess Evolution. Like its predecessor, Princess Evolution is a Ransomware as a Service, or RaaS, that is being promoted on underground criminal forums.

As this ransomware is being distributed through different affiliates, there are numerous methods that are possibly being used to distribute this ransomware…

..Unfortunately, at this time there is no known way to decrypt files encrypted by Princess Evolution. For those who are interested in discussing this ransomware or receiving support, you can use our dedicated Princess Evolution Support & Help topic.”

——-

And lastly, here are this week’s noteworthy security bulletins (in no particular order):

1)ESB-2018.2401 – [SUSE] kernel: Multiple vulnerabilities
https://www.auscert.org.au/bulletins/66786
…local users to create files with an unintended group ownership allowing attackers to escalate privileges by making a plain file executable and SGID…

2)ESB-2018.2379 – [Cisco] Cisco Web Security Appliance (WSA): Multiple vulnerabilities
https://www.auscert.org.au/bulletins/66698
CVE-2018-0428 …could allow an authenticated, local attacker to elevate privileges to root…

3)ESB-2018.2361 – [Debian] kernel: Multiple vulnerabilities
https://www.auscert.org.au/bulletins/66626
…local users to create files with an unintended group ownership allowing attackers to escalate privileges by making a plain file executable and SGID…

4)ESB-2018.2325 – [SUSE] cups: Multiple vulnerabilities
https://www.auscert.org.au/bulletins/66458
…a local privilege escalation to root and sandbox bypasses…

5)ESB-2018.2403 – [Win] Tridium Niagara: Administrator compromise – Existing account
https://www.auscert.org.au/bulletins/66794
…using a disabled account name and a blank password, granting the attacker administrator access…

Wishing you the best from AusCERT and stay safe as we will need you next week to keep users safe,
Geoffroy