//Week in review - 22 Feb 2019

AusCERT Week in Review for 22nd February 2019


This week, North Korea decides to poke the bear which handed them nukes and Adobe patches a patch.

Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

Title: North Korean APT Lazarus Targets Russian Entities with KEYMARBLE Backdoor
Date Published: February 19, 2019
Author: Sergiu Gatlan

“Bluenoroff, a subdivision of the North Korean sponsored APT group Lazarus, recently switched its sights to Russian entities as unveiled by a newly discovered campaign which uses malicious Office documents specifically crafted to target Russian organizations.
This is especially interesting considering that Lazarus (also known as HIDDEN COBRA, Guardians of Peace, ZINC, and NICKEL ACADEMY) which became active during 2009 traditionally targeted only entities from countries that oppose the North Korean regime.”

Title: Almost Half A Million Delhi Citizens’ Personal Data Exposed Online
Date Published: February 21 2019
Author: Mohit Kumar

Excerpt: February 21 2019
“A security researcher has identified an unsecured server that was leaking detailed personal details of nearly half a million Indian citizens… thanks to another MongoDB database instance that company left unprotected on the Internet accessible to anyone without password.
In a report shared with The Hacker News, Bob Diachenko disclosed that two days ago he found a 4.1 GB-sized highly sensitive database online, named “GNCTD,” containing information collected on 458, 388 individuals located in Delhi, including their Aadhaar numbers and voter ID numbers.”

Title: Microsoft Edge lets Facebook run Flash code behind users’ backs
Date Published: February 20, 2019
Author: Catalin Cimpanu

“Microsoft’s Edge browser contains a secret whitelist that lets Facebook run Adobe Flash code behind users’ backs.
The whitelist allows Facebook Flash content to bypass Edge security features such as the click-to-play policy that normally prevents websites from running Flash code without user approval beforehand. Prior to February 2019, the secret Flash whitelist contained 58 entries, including domains and subdomains for Microsoft”s main site, the MSN portal, music streaming service Deezer, Yahoo, and Chinese social network QQ, just to name the biggest names on the list.
Microsoft trimmed down the list to two Facebook domains earlier this month after a Google security researcher discovered several security flaws in Edge”s secret Flash whitelist mechanism.”

Title: Adobe Releases Second Patch for Data Leakage Flaw in Reader
Date Published: February 21, 2019
Author:  Eduard Kovacs

“The security hole, identified by Alex Infuhr from Cure53, allows a specially crafted PDF document to send SMB requests to the attacker’s server when the file is opened.
The vulnerability, similar to CVE-2018-4993, allows a remote attacker to steal a user”s NTLM hash included in an SMB request, and it can be leveraged to alert an attacker when their malicious PDF document has been opened by the targeted user. Adobe released a fix for CVE 2019-7089 with its February 2019 Patch Tuesday updates, but Infuhr quickly discovered that it could be bypassed.”

Title: Toyota Australia hit by cyber attack
Date Published: Feb 21 2019
Author: Ry Crozier

“Toyota Australia has suffered an ‘attempted cyber attack’ that has taken out its email and other online systems. The carmaker said in a statement that it is still investigating the source of the attack. “The threat is being managed by our IT department who is working closely with international cyber security experts to get systems up and running again,” the company said.”

Here are this week”s noteworthy security bulletins:

1) ESB-2019.0536 – [Cisco] Cisco Prime Collaboration Assurance: Unauthorised access – Remote/unauthenticated
    Prime Collaboration Assurance (PCA) Software could allow an unauthenticated, remote attacker to access the system as a valid user.

2) ESB-2019.0529 – [Win][UNIX/Linux] Drupal: Execute arbitrary code/commands – Remote with user interaction
   Allows an unauthenticated, remote attacker to arbitrary code as the webservers current user.
3) ESB-2019.0551 – [Win][Mac] Adobe: Multiple vulnerabilities
    Allows a remote attacker to steal a user”s NTLM hash included in an SMB request.
4) ESB-2019.0488.2 – UPDATE [Cisco] Cisco Systems: Root compromise – Existing account
   This vulnerability requires user interaction or an existing account. However successful exploitation could allow the attacker to overwrite the host’s runc binary file with a malicious file, escape the container, and execute arbitrary commands with root privileges on the host system.

Stay safe, stay patched and have a great weekend,

Rameez Agnew