
AusCERT Week in Review for 14th December 2018


Extortion spammers have stepped up their game, with reports coming in of fake bomb threats. Microsoft have caused some brouhaha with an unauthenticated administrator compromise in their DNS Server product. And ATO scam calls have increased in both prevalence and prominence, making the front page of ABC News today.

The Super Micro story originally broken by Bloomberg has had minimal follow-up, with outright rejections from Apple and IBM. Now, an external security audit of Super Micro has found no evidence of backdoor chips.

AusCERT will be closed over the Christmas break. However, for urgent queries and incident assistance, please call the member hotline, which is 24/7/365. The number is available on the “Contact” page of auscert.org.au once you’re logged in – consider including it in your incident response plan!

Without further ado, the news:

Quick-thinking retail worker saves Tasmanian woman from losing thousands in tax scam
Date: 14 December 2018
Author: ABC News
Excerpt: A Tasmanian woman who narrowly escaped falling prey to a scammer pretending to be from the Australian Tax Office (ATO) has a quick-thinking retail employee to thank.

What saved her from going through with the scammer’s demands was Alistair — a customer service employee who noticed she was buying a lot of gift cards, and pointed Ms Carey to a document from the ACCC warning of this very scam.

The store refunded all the cards on the spot and she did not lose any money.

Spammed Bomb Threat Hoax Demands Bitcoin
Date: 13 December 2018
Author: Brian Krebs
Excerpt: A new email extortion scam is making the rounds, threatening that someone has planted bombs within the recipient’s building that will be detonated unless a hefty bitcoin ransom is paid by the end of the business day.

I could see this spam campaign being extremely disruptive in the short run. There is little doubt that some businesses receiving this extortion email will treat it as a credible threat. This is exactly what happened today at one of the banks that forwarded me their copy of this email. Also, KrebsOnSecurity has received reports that numerous school districts across the country have closed schools early today in response to this hoax email threat.

Windows DNS Server Privilege Escalation Vulnerability (CVE-2018-8626)
Date: 14 December 2018
Author: AusCERT
URL: https://www.auscert.org.au/blog/2018-12-14-windows-dns-server-privilege-escalation-vulnerability-cve-2018-8626-leading-remote-code-execution-has-publicly-available-poc-exploit
Excerpt: Although the NVD CVSS3 vector above indicates a proof of concept exploit exists for this vulnerability, AusCERT has not been able to access it or find any threat indicators related to it. We will continue to update this blog as more information becomes available.

Super Micro says external security audit found no evidence of backdoor chips
Date: 11 December 2018
Author: ZDNet
Excerpt: In a letter sent out today to its customers, hardware vendor Super Micro Computer said that a security audit performed by a third-party investigations firm found no evidence that Supermicro server motherboards contained any type of backdoor chip.

The company sent out this letter after earlier this year a Bloomberg report claimed that some Supermicro motherboards contained a malicious chip implant inserted on its Chinese assembly lines by Chinese spies. The US news outlet then claimed that some of these servers made it into the networks of government agencies and private companies, such as Apple and Amazon’s AWS.

ASD chief insists new encryption laws won’t see Aussie tech shunned like Huawei
Date: 12 December 2018
Author: iTnews
Excerpt: The Australian Signals Directorate says the idea that Australian technology will be seen as untrustworthy in the wake of encryption-busting laws and therefore blocked from use “is absurd”.

Director-general Mike Burgess published what he called seven “myths” of the controversial new laws, which the major parties passed in the last hours of parliament last week.

In particular, Burgess targeted the significant doubt that has been swirling in the days since around how Australia’s technology sector will now be treated by foreign buyers.

This week’s noteworthy bulletins:

1. ASB-2018.0303 – [Win] Microsoft Windows: Multiple vulnerabilities

Remote-code-execution vulnerability in Microsoft DNS Server.

2. ASB-2018.0308 – [Win][UNIX/Linux] BIND: Multiple vulnerabilities

Unrelated vulnerabilities in BIND.

3. ASB-2018.0304 – [Win][UNIX/Linux][BSD] Mozilla Firefox: Multiple vulnerabilities

Firefox 64 has been released, with some significant security updates.

4. ESB-2018.3839 – [Win][UNIX/Linux] phpMyAdmin: Multiple vulnerabilities

Security updates for current versions of phpMyAdmin including XSS and authenticated unauthorised file access.

Stay safe, stay patched and have a great weekend,