Week in review - 2 Jul 2019

AusCERT Week in Review for 28th June 2019

As the week ending Friday 28th June comes to a close, we take a look at some articles from this week that highlight the constant tug-of-war between the bad guys (them!) and the good guys (us!).

From angler phishing to using a Raspberry Pi to break into the US national space agency, the bad guys are constantly trying to break through our defences. On the flip side, the algorithm vaccination article highlights the defenders’ equal determination to overcome their adversaries.

Don’t give up the fight!

Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

What is angler phishing?
Date published: 24/06/2019
Author: Luke Irwin
Excerpt: “Angler phishing is a specific type of phishing attack that exists on social media. Unlike traditional phishing, which involves emails spoofing legitimate organisations, angler phishing attacks are launched using bogus corporate social media accounts.

This is how it works: cyber criminals are aware that organisations are increasingly using social media to interact with their customers, whether that’s for marketing and promotional purposes or to offer a simple route for customers to ask questions or make complaints.”

Raspberry Pi Used in JPL Breach
Date published: 24/06/2019
Author: Staff, Dark Reading
Excerpt: “Auditors’ reports tend to make for dry reading. But NASA’s Inspector General has delivered a report on “Cybersecurity Management and Oversight at the Jet Propulsion Laboratory” that includes twists and turns — like a hacker using a vulnerable, unapproved Raspberry Pi as a doorway into JPL systems.

That Raspberry Pi was responsible for 500 megabytes of NASA Mars mission data leaving JPL servers. The intrusion resulted in an advanced persistent threat (APT) that was active in JPL’s network for more than a year before being discovered.

This was the most recent breach listed in the report. Other breaches noted date back to 2009 and include exfiltration totaling more than 100 gigabytes of information. Several of the intrusions feature command-and-control servers with IP addresses located in China, though the responsibility for the latest attack was not assigned to any country or actor.”

Microsoft warns of attacks delivering FlawedAmmyy RAT directly in memory
Date published: 25/06/2019
Author: Pierluigi Paganini
Excerpt: ““This executable then downloads and decrypts another file, wsus.exe, which was also digitally signed on June 19. wsus.exe decrypts and runs the final payload directly in memory. The final payload is the remote access Trojan FlawedAmmyy,” reads a Tweet published by Microsoft Security Intelligence.


One of the samples involved in this campaign, detected on June 22, was digitally signed using a certificate issued by Thawte for Dream Body Limited.”

Researchers develop a technique to vaccinate algorithms against adversarial attacks
Date published: 24/06/2019
Author: Helpnet Security
Excerpt: “Dr Richard Nock, machine learning group leader at CSIRO’s Data61 said that by adding a layer of noise (i.e. an adversary) over an image, attackers can deceive machine learning models into misclassifying the image.

“Adversarial attacks have proven capable of tricking a machine learning model into incorrectly labelling a traffic stop sign as speed sign, which could have disastrous effects in the real world.

“Our new techniques prevent adversarial attacks using a process similar to vaccination,” Dr Nock said.”


Here are this week’s noteworthy security bulletins:

1) F5 BIG-IP Controller for Cloud Foundry: Root compromise – Remote/unauthenticated

F5 released an update for its BIG-IP Controller for Cloud Foundry. It addresses a vulnerability in the Alpine Docker images (version 3.3 and up) that caused systems deployed from those images to accept a NULL (empty) password for the ‘root’ user. The vulnerability had been introduced in December 2015!
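One way to check a host for the condition just described (an account whose password field in a shadow-format file is empty) and to produce a locked version of the file, as an added POSIX shell example that is not from the bulletin, F5 or Alpine; the sample shadow file is constructed:

```shell
#!/bin/sh
# Added example (not from the AusCERT bulletin or from Alpine/F5): detect the
# condition described above, an account whose /etc/shadow password field is
# empty, which lets that account log in with no password at all.

# Print the name of every account whose password field (2nd colon-separated
# field) is empty. "!" or "*" mean the account is locked, which is the safe
# state; an empty field is the dangerous one. $1: path to a shadow-format file.
find_empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Emit a corrected copy of the file with every empty password field replaced
# by "!" (the same effect as `passwd -l`). Written to stdout so the caller can
# review it before replacing the real /etc/shadow.
lock_empty_password_accounts() {
    awk -F: 'BEGIN { OFS = ":" } $2 == "" { $2 = "!" } { print }' "$1"
}

# Constructed sample: "root" has an empty field (the bug), "daemon" is locked,
# "alice" has a (fake) hashed password.
SAMPLE_SHADOW="$(mktemp)"
trap 'rm -f "$SAMPLE_SHADOW"' EXIT
cat > "$SAMPLE_SHADOW" <<'EOF'
root::18000:0:99999:7:::
daemon:!:18000:0:99999:7:::
alice:$6$saltsalt$constructedhashvalue:18000:0:99999:7:::
EOF

# Usage: list the offending accounts, then show the locked version of the file.
find_empty_password_accounts "$SAMPLE_SHADOW"
lock_empty_password_accounts "$SAMPLE_SHADOW"
```

Run it as root against the real file with `find_empty_password_accounts /etc/shadow` to audit a container image or host.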

2) Tenable Nessus: Cross-site scripting – Remote with user interaction

Tenable issued an update for its Nessus vulnerability assessment solution to fix a cross-site scripting (XSS) vulnerability.

3) McAfee Enterprise Security Manager (ESM): Multiple vulnerabilities

McAfee updated its Enterprise Security Manager (ESM) SIEM product to address a number of vulnerabilities.

4) Medtronic MiniMed 508 and Paradigm Series Insulin pumps – Multiple impacts

Yet again, vulnerabilities in medical equipment allow bad people to play with lives by manipulating insulin doses or feeding incorrect information to those devices.

Stay safe, stay patched and have a good weekend!