Week in review - 15 Mar 2019

AusCERT Week in Review for 8th March 2019



This has been an action-packed week with such a variety of events that it is hard to tie it together into one smooth story on a Friday afternoon. To name a few of the things that have happened: botnets were launched and taken down, cryptojacking campaigns abused vulnerable container runtimes, a zero-day surfaced in a popular browser, a new analysis tool was released, another "can't-fix-quickly" vulnerability emerged from a popular CPU manufacturer, and a SIEM solution turned out to be potentially crashable from afar. The list continues to be nothing short of amazing and bewildering, and Friday arrives as a cliffhanger for next week's events.
Have a good rest this weekend, as next week could turn out to be even more exciting.

As for news, here’s a summary (including excerpts) of some of the more
interesting stories we’ve seen this week:

Title:  Serious Chrome zero-day – Google says update “right this minute”
Date:  March 6th 2019
Author: Paul Ducklin
URL: https://nakedsecurity.sophos.com/2019/03/06/serious-chrome-zero-day-google-says-update-right-this-minute/

“Precise information about the Chrome CVE-2019-5786 zero-day is hard to come by at the moment – as Google says:

‘Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.’

According to the official release notes, this vulnerability involves a memory mismanagement bug in a part of Chrome called FileReader
…it looks as though attackers can take much more general control, allowing them to pull off what’s called Remote Code Execution, or RCE.
…Just tricking you into looking at a booby-trapped web page might be enough for crooks to take over your computer remotely.”

Title:  Vulnerable Docker Hosts Actively Abused in Cryptojacking Campaigns
Date:  March 4th, 2019
Author: Sergiu Gatlan
URL: https://www.bleepingcomputer.com/news/security/vulnerable-docker-hosts-actively-abused-in-cryptojacking-campaigns/

“Hundreds of vulnerable and exposed Docker hosts are being abused in cryptojacking campaigns after being compromised with the help of exploits designed to take advantage of the CVE-2019-5736 runc vulnerability discovered last month.

The CVE-2019-5736 runc flaw triggers a container escape and it allows potential attackers to access the host filesystem upon execution of a malicious container, overwrite the runc binary present on the system, and run arbitrary commands on the container’s host system.”
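The excerpt notes that the runc exploit works by overwriting the runc binary on the host. One defensive control that follows directly from that is a hash baseline of the container runtime binaries, taken at a known-good time and re-checked periodically (or by a host-based agent). The following is an added example written for this review, not code from the article or from the runc or Docker projects; the file names, contents and the temporary directory it uses are constructed for the demonstration, and in production the baseline would be stored off-host and the paths would be the real ones (for example the system's runc and dockerd binaries).

```python
"""
File-integrity baseline check for container runtime binaries.

Added example (not from the article or the runc project). CVE-2019-5736 is
described as overwriting the host's runc binary, so a SHA-256 baseline of that
binary, compared again later, detects the tampering after the fact.
All paths and file contents below are constructed for the demo.
"""
import hashlib
import json
import os
import tempfile
from typing import Dict, List, Optional


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(paths: List[str]) -> Dict[str, Optional[str]]:
    """Record the hash of every path; a path that does not exist yet is recorded as None."""
    return {p: (sha256_of(p) if os.path.exists(p) else None) for p in paths}


def check_against_baseline(baseline: Dict[str, Optional[str]]) -> List[dict]:
    """Compare the current filesystem state with the baseline and report every deviation."""
    findings: List[dict] = []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            if expected is not None:
                findings.append({"path": path, "status": "missing"})
            continue
        actual = sha256_of(path)
        if expected is None:
            findings.append({"path": path, "status": "new", "actual": actual})
        elif actual != expected:
            findings.append({"path": path, "status": "modified",
                             "expected": expected, "actual": actual})
    return findings


def demo() -> List[dict]:
    """Constructed scenario: baseline two stand-in binaries, then overwrite one of them."""
    with tempfile.TemporaryDirectory() as workdir:
        runc = os.path.join(workdir, "runc")        # stand-in for the host's runc binary
        dockerd = os.path.join(workdir, "dockerd")  # stand-in for the daemon binary
        with open(runc, "wb") as fh:
            fh.write(b"#!/bin/sh\necho legitimate runc\n")
        with open(dockerd, "wb") as fh:
            fh.write(b"legitimate dockerd bytes")

        baseline = build_baseline([runc, dockerd])

        # Simulate the only effect we care about here: the runc binary on the
        # host is replaced with different content after the baseline was taken.
        with open(runc, "wb") as fh:
            fh.write(b"#!/bin/sh\necho replaced\n")

        findings = check_against_baseline(baseline)
        # Report basenames so the result does not depend on the temp directory name.
        for finding in findings:
            finding["path"] = os.path.basename(finding["path"])
        return findings


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check is deliberately simple: it flags files that changed, vanished or appeared relative to the baseline. It does not tell you what replaced the file, and a baseline stored on the same host can be rewritten by whoever rewrote the binary, which is why the manifest belongs on a separate system or in an agent that ships results off-host.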

Title:  All Intel chips open to new Spoiler non-Spectre attack: Don’t expect a quick fix
Date:  March 5th 2019
Author: Liam Tung
URL: https://www.zdnet.com/article/all-intel-chips-open-to-new-spoiler-non-spectre-attack-dont-expect-a-quick-fix/

“Researchers have discovered a new flaw affecting all Intel chips due to the way they carry out speculative execution for CPU performance gains.   
Like the Spectre and Meltdown attacks revealed in January 2018, Spoiler also abuses speculative execution in Intel chips to leak secrets.”

Title:  WordPress Comprises 90% of Hacked Sites: Report
Date:  March 5th 2019
Author: Phil Muncaster
URL: https://www.infosecurity-magazine.com/news/wordpress-comprises-90-of-hacked-1-1/

“The GoDaddy-owned security vendor analyzed 18,302 infected websites and over 4.4m cleaned files to compile its latest Hacked Website Trend report.

It revealed that WordPress accounted for 90% of hacked websites in 2018, up from 83% in 2018. There was a steep drop before Magento (4.6%) and Joomla (4.3%) in second and third. The latter two had dropped from figures of 6.5% and 13.1% respectively in 2017.”

Title:  NSA puts ‘Ghidra,’ its reverse-engineering tool for malware, in the hands of the public
Date:  March 5th 2019
Author: Sean Lyngaas
URL: https://www.cyberscoop.com/ghidra-nsa-tool-public/

“After years lurking in the shadows, the National Security Agency’s tool for reverse-engineering malware is now out in the open. The software framework has moved from classified status into use by military analysts and contractors in sensitive-but-unclassified settings, and now it’s available to anyone with an internet connection.”


Here are this week’s noteworthy security bulletins (in no particular order):

1.    ASB-2019.0066.2 – UPDATED ALERT [Win][Linux][Mac] Google Chrome: Execute arbitrary code/commands – Remote with user interaction
Exploit in the wild has been reported.

2.    ESB-2018.1689.4 – UPDATED ALERT [Cisco] Cisco Adaptive Security Appliance Web Services: Denial of service – Remote/unauthenticated
Attempted exploitation of this vulnerability in the wild.

3.    ESB-2019.0696 – [Linux] IBM QRadar SIEM: Multiple vulnerabilities
…a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.

4.    ESB-2019.0739 – [Win][Linux][HP-UX][Solaris][AIX] IBM Db2: Multiple vulnerabilities
…could allow an authenticated local attacker to execute arbitrary code on the system as root.

5.    ESB-2019.0734 – [Appliance] IBM Lotus Protector for Mail Security: Execute Arbitrary Code/Commands – Remote/Unauthenticated
…would allow the attacker to bypass disabled exec functions.

Wishing you the best from AusCERT, and we hope to see you safe next week.