//Week in review - 31 Aug 2018

AusCERT Week in Review for 31st August 2018


Good news, everyone! More than 50% of the Alexa Top 1 Million sites are now actively redirecting to HTTPS. The internet has now scraped a C for transport security – that’s a pass! Now for the slow grind up to a B grade and higher.

Unfortunately transport security isn’t the be all and end all, and 130 million people who have stayed in some of China’s biggest hotel chains have had their data sold on the darkweb thanks to a development team leaving a production database dump on their GitHub. At least as the black-hatted entrepreneur was downloading the data, no one was able to read it in transit.

And since time is a flat circle, once again Apache Struts is being used to deliver cryptominers onto unsuspecting servers.

Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

Hackers drop crypto mining on vulnerable Struts
Author: Juha Saarinen
Excerpt: “Researchers have recorded the first mass automated attacks against servers running unpatched versions of the open source Apache Struts enterprise web application framework.

The new vulnerability in Apache Struts was made public four days ago and allows for remote code execution.”


Data of 130 Million Chinese Hotel Chain Guests Sold on Dark Web Forum
Author: Catalin Cimpanu
Excerpt: “A hacker is selling the personal details of over 130 million hotel guests for 8 Bitcoin ($56,000) on a Chinese Dark Web forum.

The breach was reported today by Chinese media after several cyber-security firms spotted the forum ad.

The seller said he obtained the data from Huazhu Hotels Group Ltd (Huazhu from hereafter), one of China’s largest hotel chains, which operates 13 hotel brands across 5,162 hotels in 1,119 Chinese cities.”


Alexa Top 1 Million Analysis – August 2018
Author: Scott Helme
Excerpt: “Here’s the one we’ve all been waiting for, and this one is a pretty big announcement too. Not only because we’ve seen amazing growth in HTTPS again in this crawl, but because we’ve passed through 50% of the Alexa Top 1 Million sites actively redirecting to HTTPS for the first time!”


Cyber security and digital transformation ministries scrapped
Author: Justin Hendry
Excerpt: “Australia is without a dedicated Cyber Security Minister for the first time in two years after Prime Minister Scott Morrison removed the role from his first ministerial line-up.

Changes to the cabinet unveiled by the newly appointed PM on Sunday afternoon deletes any mention of the cyber security remit from the ministry, effectively demoting its importance after it was heavily pushed by Malcolm Turnbull.”


Here are this week’s noteworthy security bulletins:

1) ESB-2018.2569 – [Win][UNIX/Linux] Joomla!: Multiple vulnerabilities

While the Joomla! input filter smartly blacklists PHAR file upload, there were some edge cases that would allow them. If the webserver was configured to execute the files, this would enable webshell upload in the worst case.

2) ESB-2018.2539 – [Win][UNIX/Linux][FreeBSD] Node.js: Multiple vulnerabilities

Node.js has patched several vulnerabilities, including out of bounds memory reading and writing.

3) ASB-2018.0205 – [Win][Linux][Virtual] GitLab: Cross-site request forgery – Remote with user interaction

GitLab has patched some information leaking vulnerabilities, alongside some CSRF/XSS issues.

Stay safe, stay patched and have a good weekend!