Week in review - 21 Dec 2018

AusCERT Week in Review for 21st December 2018


That’s a wrap for this year! Reminder that some of AusCERT’s services will be in hibernation mode from today until they resume on the 2nd of January. For any urgent needs the 24/7 hotlines will continue as always.

In a dramatic end to the year, the US DoJ announced indictments against two Chinese nationals accused of being members of APT10. This was in relation to intellectual property theft, particularly as part of the Cloud Hopper campaign, targeting MSPs (managed service providers).

In other state-sponsored attack news, Twitter has reported that it was the victim of an attack targeting its support platform. The attack allowed a user’s phone number and country of origin to be uncovered, fuelling speculation that it was designed to unmask dissident accounts.

Microsoft has also issued an out-of-band patch for Internet Explorer, so be sure to get your patching done before the holidays!

Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

US charges Chinese citizens for espionage in major hacking campaign targeting navy, NASA, others
21 December
Author: ABC News
Excerpt: “US officials have charged two Chinese citizens they allege carried out an extensive hacking campaign to steal data from military service members, government agencies and private companies in the United States and nearly a dozen other countries.

The US Justice Department said Zhu Hua and Zhang Jianguo, acting on behalf of Beijing’s main intelligence agency, were involved in computer hacking attacks on the US Navy, NASA and the Energy Department as well as companies in numerous sectors.”


Twitter discloses suspected state-sponsored attack
18 December
Author: Catalin Cimpanu
Excerpt: “Social networking site Twitter announced today another data leak that occurred on its platform, which the company said it is investigating as a suspected state-sponsored attack.

In a support page published earlier today, Twitter said that it detected the attack on November 15 when it “observed a large number of inquiries coming from individual IP addresses located in China and Saudi Arabia.””


On the first day of Christmas, Microsoft gave to me… an emergency out-of-band security patch for IE
19 December
Author: Chris Williams
Excerpt: “Microsoft today emitted an emergency security patch for a flaw in Internet Explorer that hackers are exploiting in the wild to hijack computers.

The vulnerability, CVE-2018-8653, is a remote-code execution hole in the browser’s scripting engine.

Visiting a malicious website abusing this bug with a vulnerable version of IE is enough to be potentially infected by spyware, ransomware or some other software nasty. Thus, check Microsoft Update and install any available patches as soon as you can.”


Save the Children Hit by $1m BEC Scam
17 December
Author: Phil Muncaster
Excerpt: “A leading children’s charity was conned into sending $1m to a fraudster’s bank account this year, in another example of the dangers of Business Email Compromise (BEC).

Save the Children Federation, the US outpost of the world-famous British non-profit, revealed the incident in a recent filing with the IRS, according to the Boston Globe.

The attacker managed to access an employee’s email account and from there sent fake invoices and other documents designed to trick the organization into sending the money.”


Here are this week’s noteworthy security bulletins:

1) ASB-2018.0310 – ALERT [Win] Internet Explorer: Execute arbitrary code/commands – Remote with user interaction

A vulnerability in the scripting engine allows a malicious page to execute code when it is viewed in IE.

2) ESB-2018.3702.3 – UPDATE ALERT [Cisco] Cisco Prime License Manager: Execute arbitrary code/commands – Remote/unauthenticated

Cisco has released an update that fixes a regression in the previous patch release.

3) ESB-2018.3880 – [Linux][SUSE] amanda: Root compromise – Existing account

Root compromise in AMANDA, a networked backup service.

Stay safe, stay patched and have a good break (if you’re so lucky)! We’ll see you in the new year!