
AusCERT Week in Review for 24th August 2018


Greetings,
“Six of the best”, no more, and no less. That is indeed the number of new articles gathered for this week. Yet, for those of you who painfully understand the meaning behind “six of the best”, reading the six articles listed may indeed feel like a bit of a similar reprimand. The reading is great material and nicely composed, but the stories contained in the news articles are painful reminders of articles you may have read about 15 years ago. Fraudulent online purchases, websites being owned, credentials being stolen and traded – these are all stories that could have been dated August 2003. Yet, they are happening today.

So, please read these articles today, and bear the lessons they inflict. Then take it upon yourself to do one thing that can possibly avoid this and persist with it for the next fifteen years. It could be changing the default credentials on every network-attached appliance you touch – with permission from the owners of course – be they from work, yours, or your friends’ and families’. Or perhaps evangelise the “Stop-Think-Connect”[1] mantra to the click-addicted. Or, it could be putting yourself in the forefront of reviewing code at work or in a public repository, making that code that little bit more secure. Or, it could be taking on a policy of ensuring you update every system you touch, or at least raising the need to update every system you touch, be it in the data centre or at an internet cafe.

It sounds like a huge task, but if it is taken on gradually and concertedly, perhaps we won’t need to take another six-of-the-best in August 2033. After all, there is plenty of time to achieve this... right? Or is that the very thing we told ourselves fifteen years ago, that has landed us in the place we are today?

Enjoy..

[1] https://www.stopthinkconnect.org/

As for the news, here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

Title:  Vulnerability Affects All OpenSSH Versions Released in the Past Two Decades
URL:    https://www.bleepingcomputer.com/news/security/vulnerability-affects-all-openssh-versions-released-in-the-past-two-decades/
Date:   August 22, 2018
Author: Catalin Cimpanu

Excerpt:
“A vulnerability affects all versions of the OpenSSH client released in the past two decades, ever since the application was released in 1999.”

——-

Title:  Australia Battles Fraudulent Online Purchases
URL:    https://www.bankinfosecurity.com/australia-battles-fraudulent-online-purchases-a-11408
Date:   August 22, 2018
Author: Jeremy Kirk

Excerpt:
“There’s bad news in Australia when it comes to payment card fraud: It’s growing.

The biggest source of that fraud is online payments made without the physical card, or card-not-present fraud. That’s due to fraudsters re-using stolen payment card details.

CNP fraud in Australia totaled AU$476.3 million (US$350.6 million) last year, up 13.9 percent from 2016, according to a report released Wednesday by the Australian Payments Network, an industry group that collects payments statistics. The figure has risen annually since 2012, when it was $183.1 million.”

——-

Title:  Legacy System Exposes Contact Info of BlackHat 2018 Attendees
URL:    https://www.bleepingcomputer.com/news/security/legacy-system-exposes-contact-info-of-blackhat-2018-attendees/
Date:   August 22, 2018
Author: Ionut Ilascu

Excerpt:
“Full contact information of everyone attending the BlackHat security conference this year has been exposed in clear text, a researcher has found. The data trove includes name, email, company, and phone number.

The BlackHat 2018 conference badge came embedded with a near-field communication (NFC) tag that stored the contact details of the participant, for identification or for vendors to scan for marketing purposes.”

——-

Title:  Adobe security updates address 2 critical code execution flaws in Photoshop.
URL:    https://securityaffairs.co/wordpress/75539/hacking/adobe-photoshop-flaws.html
Date:   August 22, 2018
Author: Pierluigi Paganini

Excerpt:
“Adobe released updates to address two critical code execution flaws that affect Photoshop for Windows and macOS versions of Photoshop CC.

The vulnerabilities, tracked as CVE-2018-12810 and CVE-2018-12811, are memory corruption issues that could be exploited by a remote attacker to execute arbitrary code in the context of the targeted user.”

——-

Title:  Netflix, HBO GO, Hulu passwords found for sale on the Dark Web
URL:    https://nakedsecurity.sophos.com/2018/08/22/netflix-hbo-go-hulu-passwords-found-for-sale-on-the-dark-web/
Date:   22 Aug 2018
Author: Lisa Vaas

Excerpt:
“The report from Irdeto found that thieves are selling hundreds of stolen logins for popular “over-the-top” (OTT) services such as pay TV and video on demand on Dark Web marketplaces.

Besides HBO GO credentials, the company spotted listings for logins to 42 services, including Netflix, DirecTV and Hulu. All told, during the month of April, Irdeto spotted 854 sets of credentials, listed by 69 separate vendors on 15 marketplaces.

On average, an account’s credentials are fetching $8.71 (about £6.60) for one-time use. Some Dark Web sellers are also selling bundles of credentials for several services at higher prices.”

——-

Title:  New Apache Struts RCE Flaw Lets Hackers Take Over Web Servers
URL:    https://thehackernews.com/2018/08/apache-struts-vulnerability.html
Date:   August 22, 2018
Author: Mohit Kumar

Excerpt:
“Semmle security researcher Man Yue Mo has disclosed a critical remote code execution vulnerability in the popular Apache Struts web application framework that could allow remote attackers to run malicious code on the affected servers.

Apache Struts is an open source framework for developing web applications in the Java programming language and is widely used by enterprises globally, including by 65 percent of the Fortune 100 companies, like Vodafone, Lockheed Martin, Virgin Atlantic, and the IRS.

The vulnerability (CVE-2018-11776) resides in the core of Apache Struts and originates because of insufficient validation of user-provided untrusted inputs in the core of the Struts framework under certain configurations.”

——-

And lastly, here are this week’s noteworthy security bulletins (in no particular order):

1) ASB-2018.0201 – ALERT [Win][UNIX/Linux] Apache Struts 2: Execute arbitrary code/commands – Remote/unauthenticated
https://www.auscert.org.au/bulletins/67162
It is possible to perform an RCE attack… (CVE-2018-11776)

2) ESB-2018.2515.2 – UPDATE [Ubuntu] Linux kernel: Multiple vulnerabilities
https://www.auscert.org.au/bulletins/67270
…could use this to gain elevated privileges. (CVE-2018-13405)

3) ESB-2018.2427 – [Linux][Mac] F5 BIG-IP APM client: Root compromise – Existing account
https://www.auscert.org.au/bulletins/66898
…can allow an unprivileged user to get ownership of files owned by root on the local client host. (CVE-2018-5546)

4) ESB-2018.2517 – ALERT [Appliance] IBM Security Access Manager Appliance: Execute arbitrary code/commands – Remote/unauthenticated
https://www.auscert.org.au/bulletins/67278
…could allow remote code execution when Advanced Access Control or Federation services are running. (CVE-2018-1722)

5) ESB-2018.2513 – [Appliance] BD Alaris: Unauthorised access – Remote/unauthenticated
https://www.auscert.org.au/bulletins/67258
…may allow a remote attacker to gain unauthorized access to various Alaris Syringe pumps and impact the intended operation of the pump … (CVE-2018-14786)

Wishing you the best from AusCERT and stay safe as we will need you next week to keep users safe,
Geoffroy