7 Nov 2018

Week in review

AUSCERT Week in Review for 26th October 2018

Greetings,

Yet another week comes to a close.

Between El Nino predictions for the summer and Halloween approaching, there are plenty of reasons to be scared. Not infosec professionals, however, who face hot conditions and scary situations on a daily basis!

Let’s take a look at some of the creepy stuff out there this week…

….Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

Hacker Discloses New Windows Zero-Day Exploit On Twitter

Date Published: 23/10/2018
Author: Swati Khandelwal
Excerpt: “A security researcher with Twitter alias SandboxEscaper—who two months ago publicly dropped a zero-day exploit for Microsoft Windows Task Scheduler—has yesterday released another proof-of-concept exploit for a new Windows zero-day vulnerability.

 SandboxEscaper posted a link to a Github page hosting a proof-of-concept

(PoC) exploit for the vulnerability that appears to be a privilege escalation flaw residing in Microsoft Data Sharing (dssvc.dll).

 The Data Sharing Service is a local service that runs as LocalSystem account with extensive privileges and provides data brokering between applications.

 The flaw could allow a low-privileged attacker to elevate their privileges on a target system, though the PoC exploit code

(deletebug.exe) released by the researcher only allows a low privileged user to delete critical system files—that otherwise would only be possible via admin level privileges.”

—–

IF YOUR TOOTHBRUSH CALLS YOU, IT MIGHT NOT BE FOR DENTAL HYGIENE: THE IMPORTANCE OF SECURING THE INTERNET OF THINGS
Date Published: 25/10/2018
Author: Europol

Excerpt: “THE MAIN CONCLUSIONS OF THE CONFERENCE ARE:

security should not be an afterthought when designing systems and IoT systems are no exception;

implementing security does not need to be complicated. As ENISA’s report shows, baseline security recommendations for IoT were made accessible via an interactive online table. This allows for easy access to specific good practices;

law enforcement needs to be in a position to go beyond defence and incident response by being able to investigate and prosecute the criminals abusing connected devices;

there is a need to discuss digital forensics in regard to IoT and the importance of data and privacy protection, considering the amount and different categories of data collected by the IoT;

this joint conference is an excellent example of much-needed multi-disciplinary dialogues. ENISA and Europol are working closely together to inform key stakeholders of the need to be aware of the cybersecurity and criminal aspects associated with deploying and using these devices;

the IoT has great potential and provides tremendous opportunities to improve the way we interact, do business and go about our daily lives.

In 2019 and beyond, holistic, pragmatic, practical and economically viable security solutions need to be promoted and the entire IoT ecosystem needs to be looked into. ENISA will be working on an automotive IoT case study and welcomes the active support of all partners. Cybersecurity is a shared responsibility. Stronger collaborations with industry are planned together with other initiatives to ensure coordinated efforts and explore all possible synergies.”

—–

Is nowhere private? Chinese subway users upset by plans to install facial recognition systems
Date Published: 25/10/2018
Author: Phoebe Zhang

Excerpt: “The technology will be used in just one security channel at each of the four stations in Guangzhou, the capital of Guangdong province, the city’s metro operator said on Weibo, China’s Twitter-like service.

To use the new channels, passengers must first register their details, including a photograph, using the Guangzhou Metro’s official smartphone app.

“The registration process is voluntary,” the company said. “[And] information collected will be used only for security checks and not be passed on to our partner companies.”

Once registered, passengers will be able to use through the dedicated channels and the system will recognise them from the information they registered, it said.”

—–

Advertisers can track users across the Internet via TLS Session Resumption
Date Published: 23/10/2018
Author: Catalin Cimpanu
Excerpt: “The abused TLS mechanism is called TLS Session Resumption (RFC 8447), a mechanism that was created in the mid-2000s to allow TLS servers to remember past user sessions and avoid wasting server resources by re-negotiating a TLS connection with a returning user.

There are currently three different ways that servers can opt to use and support TLS Session Resumption. There’s TLS Session Resumption via session IDs, there’s TLS Session Resumption via session tickets, and there’s TLS Session Resumption via pre-shared keys (PSKs).

The first two are compatible with the older TLS 1.2 protocol, while the third mechanism was developed for the newer and recently-approved TLS

1.3 standard. In all three cases, server owners have the liberty to set the lifespan the server remembers a user session.”

—-

Apps Installed On Millions Of Android Phones Tracked User Behavior To Execute A Multimillion-Dollar Ad Fraud Scheme

Date Published: 23/10/2018
Authors: Craig Silverman
Excerpt: “The Google Play store pages for these apps were soon changed to list four different companies as their developers, with addresses in Bulgaria, Cyprus, and Russia, giving the appearance that the apps now had different owners.

But an investigation by BuzzFeed News reveals that these seemingly separate apps and companies are today part of a massive, sophisticated digital advertising fraud scheme involving more than 125 Android apps and websites connected to a network of front and shell companies in Cyprus, Malta, British Virgin Islands, Croatia, Bulgaria, and elsewhere.

More than a dozen of the affected apps are targeted at kids or teens, and a person involved in the scheme estimates it has stolen hundreds of millions of dollars from brands whose ads were shown to bots instead of actual humans.”

Magecart hackers change tactic and target vulnerable Magento extensions

Date Published: 24/10/2018

Authors: Pierluigi Paganini

Excerpt: “The new attack was detailed by the researcher Willem de Groot, the hackers are now exploiting zero-day vulnerabilities in popular store extension software in order to inject skimmer scripts.

“Online credit card theft has been all over the news: criminals inject hidden card stealers on legitimate checkout pages. But how are they are able to inject anything in the first place? As it turns out, thieves are massively exploiting unpublished security flaws (aka 0days) in popular store extension software.” continues the expert.

“While the extensions differ, the attack method is the same: PHP Object Injection (POI).

Now attackers leverage PHP Object Injection (POI) by abusing PHP’s

unserialize() function in order to compromise websites. With this attack method, they are able to modify the database or any JavaScript file.

According to de Groot, many popular PHP applications continue to use unserialize(), but while Magento has replaced most of the vulnerable functions, many of its extensions are still flawed.

“This attack vector abuses PHP’s unserialize() function to inject their own PHP code into the site.” continues the researcher.”

Here are this week’s noteworthy security bulletins:

1) ESB-2018.3290 – [Juniper] Juniper Junos OS: Execute arbitrary code/commands – Remote/unauthenticated

Juniper Network released a security update for the Junos OS, used in its physical and virtual networking and security products.

 The update addressed a vulnerability arising from the mishandling of crafted BGP NOTIFICATION messages. It can cause a denial of service and condition and potentially lead to remote code execution.

2) ASB-2018.0241.2 – UPDATE Palo Alto PAN-OS: Multiple vulnerabilities

Not to be outdone, Palo Alto Networks fixed a few issues affecting the OpenSSL library used in its Pan-OS operating system, which is used in a large number of Juniper’s network appliances.

The worst of these three vulnerabilities could lead to the disclosure of privileged information.

3) ASB-2018.0271 – [Win][UNIX/Linux] Tenable Nessus: Multiple vulnerabilities

Tenable’s Nessus received an update that fixes two vulnerabilities stemming from the OpenSSL library it employs.

The more serious of the two could allow a remote attacker to infer the private key generated by the RSA key generation algorithm via a cache timing side channel attack. This would lead to the decryption of “secure“ communications.

4) ASB-2018.0270.2 – UPDATED ALERT [Win][UNIX/Linux][Android] Mozilla Firefox and Mozilla Firefox ESR: Multiple vulnerabilities

Mozilla released an update that addressed a large number of vulnerabilities in Firefox and Firefox ESR. The worst of these leads to remote code execution.

Stay safe, stay patched, stay cool and have a good weekend!

Nicholas