Week in review - 7 Nov 2018

AusCERT Week in Review for 2nd November 2018


As another week comes to a close, here’s a collection of articles for you to enjoy.

Been having nightmares lately? Maybe there’s a hacker behind it…

Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

Hackers attacking your memories: science fiction or future threat?
Date Published: 29/10/2018
Author: Kaspersky Lab
Excerpt: “The hardware and software to underpin this exists too: deep brain stimulation (DBS) is a neurosurgical procedure that involves implanting a medical device called a neurostimulator or implantable pulse generator (IPG) in the human body to send electrical impulses, through implanted electrodes, to specific targets in the brain for the treatment of movement and neuropsychiatric disorders. It is not a huge leap for these devices to become ‘memory prostheses’ since memories are also created by neurological activity in the brain.


To better understand the potential future threat landscape facing memory implants, researchers from Kaspersky Lab and the University of Oxford Functional Neurosurgery Group have undertaken a practical and theoretical threat review of existing neurostimulators and their supporting infrastructure.


The attached report is the outcome of that research. It should be noted that because much of the work involving neurostimulators is currently handled in medical research laboratories, it’s not easy to practically test the technology and associated software for vulnerabilities.

However, much can be learned from handling the devices and seeing them used in situ, and this research involved both.”


Project Dribble: hacking Wi-Fi with cached JavaScript

Date Published: 29/10/2018
Author: Federico De Meo
Excerpt: “The idea is to steal Wi-Fi passwords by exploiting the web browser’s cache.

Since I needed to come up with a name for the project, I first developed it and then named it “Dribble” :-). Dribble creates a fake Wi-Fi access point and waits for clients to connect to it. When clients connect, Dribble intercepts every HTTP request made for JavaScript pages and injects malicious JavaScript code into the responses. The headers of the new response are altered too so that the malicious JavaScript code is cached and forced to persist in the browser. When the client disconnects from the fake access point and reconnects to, say, its home router, the malicious JavaScript code activates, steals the Wi-Fi password from the router and sends it back to the attacker.

Pretty straightforward, right?


In order to achieve this result I had to figure out these three things:

How to create a fake access point

How to force people to connect to it

What should the malicious JavaScript code do to steal passwords from routers”
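
The attack quoted above needs two things from a script response: plaintext HTTP, so the access point can rewrite it, and caching headers that let the browser reuse the body for a long time without revalidating. The following check, an added example that is not part of the Dribble project or the original post, evaluates a response's URL scheme and Cache-Control/Expires headers against those conditions; the sample headers, URLs, clock and the one-day threshold are constructed assumptions.

```python
# Added example (not from the Dribble project): flags a JavaScript response
# that an on-path access point could both rewrite (plaintext HTTP) and make
# the browser keep (long caching without revalidation). The threshold, clock
# and sample headers are constructed for illustration.
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, Optional, Tuple

LONG_CACHE_SECONDS = 24 * 3600  # assumption: more than a day counts as persistent
SAMPLE_NOW = datetime(2018, 11, 2, tzinfo=timezone.utc)  # constructed clock

def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """Split a Cache-Control header into {directive: argument or None}."""
    out: Dict[str, Optional[str]] = {}
    for part in value.split(","):
        part = part.strip().lower()
        if part:
            name, _, arg = part.partition("=")
            out[name.strip()] = arg.strip().strip('"') or None
    return out

def cacheable_seconds(headers: Dict[str, str], now: datetime) -> int:
    """Seconds a browser may reuse the cached body without revalidating it."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc or "no-cache" in cc:
        return 0
    if (cc.get("max-age") or "").isdigit():  # max-age takes precedence over Expires
        return int(cc["max-age"])
    if "expires" in h:
        try:
            exp = parsedate_to_datetime(h["expires"])
        except (TypeError, ValueError):
            return 0  # malformed Expires is treated as already stale
        if exp.tzinfo is None:
            exp = exp.replace(tzinfo=timezone.utc)
        return max(0, int((exp - now).total_seconds()))
    return 0

def script_persistence_risk(url: str, headers: Dict[str, str],
                            now: datetime = SAMPLE_NOW) -> Tuple[bool, str]:
    """Return (risky, reason) for a JavaScript response fetched from url."""
    if url.split("://", 1)[0].lower() == "https":
        return False, "served over HTTPS; an on-path access point cannot rewrite it"
    ttl = cacheable_seconds(headers, now)
    if ttl > LONG_CACHE_SECONDS:
        return True, f"plaintext HTTP and reusable from cache for {ttl} s"
    return False, f"plaintext HTTP but reusable from cache for only {ttl} s"
```

Serving scripts only over HTTPS (with HSTS so the browser never makes the plaintext request) removes the first condition entirely; the check is for inventorying legacy HTTP resources that still meet both.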


Apple’s new security chip kills access to microphone
Date Published: 30/10/2018
Author: Greg Otto

Excerpt: “In a security pamphlet released after Apple’s press event on Tuesday, the company revealed that the chip will completely cut off access to the device’s microphone when the MacBook lid is shut.

“This disconnect is implemented in hardware alone, and therefore prevents any software, even with root or kernel privileges in macOS, and even the software on the T2 chip, from engaging the microphone when the lid is closed,” the pamphlet reads.

The power cut is only limited to the microphone, and not the camera, since the latter would be useless when a computer is shut.

The T2 chips are in the latest line of MacBook Pros, and will be included in the new MacBook Airs and Mac Minis.”


Fallout Exploit Kit Releases the Kraken Ransomware on Its Victims
Date Published: 31/10/2018
Author: David Bisson

Excerpt: “At this current time, Kraken employs a ransomware-as-a-service (RaaS) business model. The first version of the threat reserved a quarter of the profits generated from attack campaigns for Kraken’s developers. But that percentage dropped to a fifth in the second version, presumably in a bid to attract more affiliates.

According to McAfee, the developers give affiliates an updated version of the ransomware every 15 days to ensure that their creation avoids detection. Affiliates then spread the ransomware with the help of Fallout and other vectors.

Upon successful infection, Kraken quickly encrypts data on the disk and uses SDelete from the Sysinternals suite along with other tools to wipe files and complicate the recovery process for the user. It then drops a ransom note on the infected computer asking victims to send money to one of several wallets operated by the attackers through BitcoinPenguin, an online gambling site.”


Same Old yet Brand-new: New File Types Emerge in Malware Spam Attachments

Date Published: 29/10/2018
Author: Trend Micro
Excerpt: “We recently found a small spam campaign that distributes malicious .ARJ files. Several of these spam emails have email subjects pertaining to statements or purchase orders, such as “STATEMENT OF OUTSTANDING BALANCE AS YOUR REFERENCE,” “New Order-Snam Thai Son Group//PO//Ref 456789,” and “SUBJECT:Advice from Standard Chartered Bank,” to name a few.

After the malicious .ARJ file has been downloaded to a device, it may drop and execute a plain executable file or an executable screensaver file.

Back in 2014, once successfully unpacked on a system, a spam campaign with an .ARJ file attachment would turn the infected computer into part of a botnet that could be used for spam or denial-of-service attacks. This year, the payload is spyware (detected by Trend Micro as TROJANSPY.WIN32.GOLROTED.THAOOEAH) that steals system information as well as usernames and passwords from browsers. This malware also attempts to steal stored email credentials from several email service platforms.

Cybercriminals also use .Z files maliciously. .Z file extensions are compressed Unix-based machine files, though it has been outshined by the GNU Gzip compression in terms of popularity among users. Because it appears to have a double file extension (such as .PDF.z), users may be tricked into thinking that they’re opening a PDF instead of a .Z file.”
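
A mail gateway can catch both tricks described in the excerpt, the unusual archive formats and the document-looking double extension, by comparing an attachment's name against its leading bytes. The classifier below is an added example, not code from Trend Micro or the original post; the magic numbers are the published format signatures (ARJ header id 0x60 0xEA, compress(1) 0x1F 0x9D), and the sample files in the test are constructed.

```python
# Added example, not from the Trend Micro post: classifies a mail attachment by
# its name and leading bytes to catch unusual archive formats (.ARJ, .Z) and a
# document-looking double extension such as .PDF.z. Magic numbers are the
# published format signatures; the files checked below are constructed.
from typing import List

MAGIC = {
    b"\x60\xea": "arj",  # ARJ header id
    b"\x1f\x9d": "z",    # compress(1) LZW stream, the ".Z" format
    b"\x1f\x8b": "gzip",
    b"%PDF-": "pdf",
    b"MZ": "exe",        # DOS/PE executable, covers both .exe and .scr
}
UNUSUAL_ARCHIVES = {"arj", "z"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx"}
EXECUTABLE_EXTS = {"exe", "scr"}

def sniff(data: bytes) -> str:
    """Identify content by signature; 'unknown' when nothing matches."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def extensions(name: str) -> List[str]:
    """All extensions of a file name, lower-cased: 'A.PDF.z' -> ['pdf', 'z']."""
    parts = name.lower().split(".")
    return parts[1:] if len(parts) > 1 else []

def assess_attachment(name: str, data: bytes) -> List[str]:
    """Return reasons to quarantine the attachment (empty list means none)."""
    findings: List[str] = []
    exts = extensions(name)
    outer = exts[-1] if exts else ""   # the extension that actually decides handling
    kind = sniff(data)
    if outer in UNUSUAL_ARCHIVES:
        findings.append(f"unusual archive type .{outer} in mail attachment")
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and outer not in DOCUMENT_EXTS:
        findings.append(f"double extension: looks like .{exts[-2]} but is .{outer}")
    if outer in EXECUTABLE_EXTS or kind == "exe":
        findings.append("executable content (.exe/.scr) delivered by mail")
    expected = "exe" if outer in EXECUTABLE_EXTS else outer
    if kind != "unknown" and outer and kind != expected:
        findings.append(f"content is {kind} but name claims .{outer}")
    return findings
```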

Here are this week’s noteworthy security bulletins:

1) ESB-2018.3432 – ALERT [Cisco] Cisco Aironet Access Points and Meraki Access Points: Execute arbitrary code/commands – Remote/unauthenticated

Cisco issued firmware updates for its Aironet and Meraki Access Points. The update addresses a critical vulnerability in the Bluetooth Low Energy (BLE) stack on Texas Instruments (TI) CC2640 and CC2650 chips. Processing malformed BLE frames could lead to a memory corruption condition resulting in denial of service or remote code execution. An attacker would need to be network adjacent to exploit the vulnerability.

The implications here are huge, so super urgent patching is highly recommended.

2) ESB-2018.3410 – [Appliance] Cisco Adaptive Security Appliance Software and Cisco Firepower Software: Denial of service – Remote/unauthenticated
Software for Cisco’s Adaptive Security Appliance (ASA) and Firepower platforms received a security update fixing a denial of service vulnerability that could be remotely exploited by flooding an affected device with crafted SIP traffic. Exploits have been sighted in the wild, so fix it ASAP!

3) ASB-2018.0275 – [Win][UNIX/Linux][BSD][Android] Mozilla Thunderbird: Multiple vulnerabilities

Mozilla Thunderbird ESR received an update that fixes multiple vulnerabilities. The most serious of these could result in remote code execution by tricking users into performing certain actions.


4) ESB-2018.3336 – [Win] Cisco Advanced Malware Protection: Execute arbitrary code/commands – Existing account
Cisco released an update for its Advanced Malware Protection solution on Windows platforms. The fixed vulnerability could allow a highly privileged attacker to prevent detection of malicious intrusions in the host.

As we have seen in the past, after gaining privileges in the target system, several malware types attempt to identify and kill security applications running on the infected host.
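
Two of the behaviours described in this issue, Kraken's use of SDelete to wipe files before dropping its ransom note and malware terminating the security software on a host, both show up in process-creation telemetry. The script below, an added example rather than code from McAfee, Cisco or AusCERT, runs two detection rules over constructed process-creation records of the kind an EDR agent or Sysmon event 1 produces; the log format, process names and the security-process watch-list are placeholders to be replaced with your own.

```python
# Added example (not from the McAfee or Cisco write-ups): two detection rules
# over constructed process-creation records, one for the SDelete wiping step
# attributed to Kraken above and one for termination of security processes.
# The record format, file paths and the watch-list are constructed placeholders.
from typing import Dict, List, Tuple

SECURITY_PROCESSES = {"endpoint_agent.exe", "av_service.exe"}  # placeholder names
WIPE_TOOLS = {"sdelete.exe", "sdelete64.exe"}  # Sysinternals SDelete binaries

# Constructed records: timestamp|user|parent image|image|command line
SAMPLE_LOG = """\
2018-10-31T09:12:01Z|alice|explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe notes.txt
2018-10-31T09:14:40Z|alice|cmd.exe|C:\\Temp\\sdelete.exe|sdelete.exe -accepteula -p 3 -s C:\\Users\\alice\\Documents
2018-10-31T09:14:41Z|SYSTEM|cmd.exe|C:\\Windows\\System32\\taskkill.exe|taskkill /F /IM endpoint_agent.exe
2018-10-31T09:15:00Z|bob|explorer.exe|C:\\Windows\\System32\\taskkill.exe|taskkill /IM notepad.exe
"""

def parse_line(line: str) -> Dict[str, str]:
    """Split one pipe-delimited record; the command line may itself contain pipes."""
    ts, user, parent, image, cmd = line.split("|", 4)
    return {"ts": ts, "user": user, "parent": parent, "image": image, "cmd": cmd}

def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def detect(rec: Dict[str, str]) -> List[str]:
    """Return the names of the rules that fire for one record."""
    hits: List[str] = []
    image = basename(rec["image"])
    argv = rec["cmd"].lower().split()
    # Rule 1: SDelete launched by image name or by the first command-line token.
    # A renamed copy evades this; pair it with hash- or signer-based matching.
    if image in WIPE_TOOLS or (argv and basename(argv[0]) in WIPE_TOOLS):
        hits.append("secure-delete tool executed")
    # Rule 2: taskkill aimed at a process on the security watch-list.
    if image == "taskkill.exe" and any(a in SECURITY_PROCESSES for a in argv):
        hits.append("security process terminated via taskkill")
    return hits

def scan(log: str) -> List[Tuple[str, str]]:
    """(timestamp, rule) pairs for every record that triggers a rule."""
    out: List[Tuple[str, str]] = []
    for line in log.splitlines():
        if line.strip():
            rec = parse_line(line)
            out.extend((rec["ts"], rule) for rule in detect(rec))
    return out
```

Both rules describe ordinary administrative tools, so tune them on parent process and user context before alerting; the value is in their sequence shortly before files become unreadable.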

Stay safe, stay patched, stay cool and have a good weekend!