//Week in review - 28 Sep 2018

AusCERT Week in Review for 28th September 2018

Greetings,

Another week with a crazy number of AusCERT bulletins: 99! That is an average of 19.8 bulletins per working day. The worst part is seeing CVE numbers like CVE-2011-2767 in a 2018 bulletin. Oops, forgot to fix that vulnerability, didn't we?

It's really hard to see the light at the end of the tunnel sometimes, but hopefully, with continual investment in what we now call Cyber Security and with better development lifecycles, we'll see an end to the same classes of vulnerability reappearing again and again.

However, does any of it matter in the end when a user still clicks the URL in a PDF that leads to a fake OneDrive page and enters their credentials into a look-alike O365 login page?

Repeat after me: Multi-factor authentication is now a REQUIREMENT in 2018. It is no longer optional. Especially if Chrome goes further down the rabbit hole of hiding subdomains in the address bar, so that a phishing page hosted on a compromised *.sharepoint.com site looks 100% legitimate to an unsuspecting user.

At AusCERT 2018, we announced a new service, the AusCERT Daily Intelligence Report. ADIR is now in private beta. If you’re a member interested in receiving a daily summary of cybersecurity news, please contact us at auscert@auscert.org.au to subscribe.

In other news the third AusCERT and BDO Security Survey is now open.  

This annual survey identifies and monitors current cyber security trends, issues and threats facing businesses in Australia and New Zealand.
By taking part you will gain direct access to our survey report, which contains valuable data that allows you to compare your business's current cyber security efforts with trends in your industry sector.
Survey respondents have the chance to go in the draw to win one of three Apple Watches. The survey closes at midnight on Friday, 23 November 2018. The survey is anonymous and takes 15 minutes to complete.

https://bdoaustralia.checkboxonline.com/2018CSS.survey

Here is a summary (including excerpts) of some of the more interesting stories we have seen this week:

Title: Gone in 15 Minutes: Australia’s Phone Number Theft Problem
Author: BankInfoSecurity
Excerpt: SIM hijacking is not a new attack, but there’s increasing interest in stealing phone numbers. That’s because banks often send two-step verification codes over SMS. Additionally, major services such as Google, LinkedIn, Facebook and Instagram use the mobile channel in some scenarios for password resets.
Over the past two years, fraud involving unauthorized phone ports has increased, mostly due to organized crime, says Detective Chief Inspector Matthew Craft of the New South Wales Police’s Financial Crimes Squad. Craft says because of the mobile industry’s “inability to implement some simple measures to prevent it from occurring,” the problems have continued.
—–

Title: Decryption laws enter parliament
Author: iTnews
Excerpt: The federal government has moved to introduce the legislation underpinning its controversial crackdown on encrypted communications services.
The Telecommunications and Other Legislation Amendment (Assistance and Access) Bill was introduced into parliament by home affairs minister Peter Dutton on Thursday.
It comes less than two weeks after the Department of Home Affairs closed public consultation on the exposure draft of the bill, in which more than 14,000 submissions are said to have been made.

—–

Title: Mass WordPress compromises redirect to tech support scams
Author: Malwarebytes Labs
Excerpt: Thousands of WordPress sites have been injected with the same malicious redirection. We review the infection details and the malicious traffic leading to browser lockers.

—–

Title: Uber to pay $148 million to states for 2016 data breach
Author: CyberScoop
Excerpt: Ride-hailing company Uber will pay $148 million across all 50 [American] states and Washington, D.C., as part of a settlement stemming from a data breach that revealed sensitive information on 57 million of the company's users.
The breach took place in October 2016 and revealed names, email addresses, phone numbers and U.S. driver’s license numbers. The company paid the hackers $100,000 to stay quiet and delete the data.
Several attorneys general released statements after the settlement was announced, with each state getting a varying amount.

—–

Title: United Nations WordPress Site Exposes Thousands of Resumes
Author: BleepingComputer
Excerpt: Disclosure vulnerabilities in a web app from the United Nations leave open to public access CVs from job applicants and the organization failed to plug the leak despite receiving a private report on the issues.
Security researcher Mohamed Baset of penetration testing company Seekurity found a path disclosure and an information disclosure bug in one of the UN’s WordPress websites, which gives unfettered access to job applications since 2016. He claims that thousands of documents have been uploaded.

—–

Here are this week’s noteworthy security bulletins:

1) ESB-2018.2842 – [UNIX/Linux][Debian] mediawiki: Multiple vulnerabilities

Multiple vulnerabilities have been found in the popular wiki software. They include rate limits that are not applied as configured, an information disclosure via Special:Redirect/logid, and a bypass of an account lock.

2) ESB-2018.2900 – [Win][UNIX/Linux] Apache HTTP Server: Denial of service – Remote/unauthenticated

Apache HTTP Server is vulnerable to a remote, unauthenticated denial of service. If you value your uptime, a short scheduled outage to patch now is preferable to an unscheduled one later.

3) Cisco has released its 2018 Semi-annual Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which is covered by the three ESBs below.

ESB-2018.2902 – [Cisco] Cisco IOS XE: Multiple vulnerabilities
ESB-2018.2903 – [Cisco] Cisco IOS Software: Multiple vulnerabilities
ESB-2018.2904 – [Cisco] Cisco IOS and IOS XE: Denial of service – Remote/unauthenticated

Stay safe, stay patched and have a good weekend!

Ananda