//Week in review - 26 Sep 2019

AusCERT Week in Review for 6th September 2019


Ask yourself this question: “Should I always believe what I see (or hear)?”

As the week comes to a close, here are some articles that may help ease you into the weekend.

Privacy concerns mount over Chinese face-swap app Zao
Date published: 03/09/2019 
Author: Mark Wycislik-Wilson
Excerpt: “Zao — a Chinese face-swapping app with the potential to be used to create deepfakes — went viral over the weekend, shooting to the top of the App Store download charts. But concerns have been raised not only over the potential for the app to be abused, but also over its privacy policies.

Of particular concern are clauses which grant the developers “free, irrevocable, permanent, transferable, and relicense-able” rights over users’ photos. Zao responded by tweaking its privacy policy, but complaints are still flooding in.”

Nemty Ransomware Gets Distribution from RIG Exploit Kit
Date published: 03/09/2019
Author: Ionut Ilascu
Excerpt: “BleepingComputer saw that the post-encryption ransom demand was around $1,000 in bitcoin. Unfortunately, there is no free decryption tool available at the moment and the malware makes sure to remove the file shadows created by Windows.

Security researcher Mol69 noticed that the file-encrypting malware is now a payload in malvertising campaigns from RIG exploit kit (EK).

The malware used the .nemty extension for the encrypted files but the variant observed by Mol69 adds ‘._NEMTY_Lct5F3C_’ at the end of the processed files.”

Scammer Successfully Deepfaked CEO’s Voice To Fool Underling Into Transferring $243,000
Date published: 03/09/2019
Author: Jennings Brown
Excerpt: “The CEO of an energy firm based in the UK thought he was following his boss’s urgent orders in March when he transferred funds to a third party. But the request actually came from the AI-assisted voice of a fraudster.”

Threat Actor behind Astaroth is now using Cloudflare Workers to bypass your Security Solutions.
Date published: 01/09/2019
Author: Marcel Afrahim
Excerpt: “You might have seen the recently published report about a widespread fileless campaign called Astaroth by Microsoft Research Team that completely “lived off the land”: it only ran system tools throughout a complex attack chain. If you haven’t, you SHOULD definitely read the details of the research article done by the Microsoft team here.

Following the report, the group behind the Astaroth attack campaign changed tactics and ran a similar campaign again earlier in August with a few changes, notably the use of Cloudflare Workers. In this article I will try to highlight the changes and show a clear chain of attack from delivery to infection, something the Microsoft research article failed to do.”


Here are this week’s noteworthy-ish security bulletins:

1) Firefox and Firefox ESR: Multiple vulnerabilities

Mozilla released updates for Firefox and Firefox ESR that addressed a large number of vulnerabilities, the most severe being a remote code execution vulnerability stemming from poor sanitization of logging-related command line parameters. Luckily, this issue only affects Windows and not many people use that!

2) Cisco Small Business RV160, 260, and 340 Series VPN Routers: Root compromise – Existing account

A number of Cisco small business VPN routers have been identified as being affected by several vulnerabilities. The most important of these concern hardcoded password hashes for the root user stored in the firmware, and the ability to view undocumented user accounts, which include the “root” account!

If you own any of these, please read the bulletin and update!

3) Cisco Identity Services Engine: Cross-site scripting – Remote with user interaction

More from Cisco! Cisco fixed a reflected XSS vulnerability in the web-based management interface of its ISE product.

4) Cisco Content Security Management Appliance: Access confidential data – Existing account

Just one more Cisco bulletin. Cisco released a fix for an information disclosure vulnerability in its CCSM appliance, which originates from a role permissions implementation error that allows, for example, unauthorised access to other users’ spam folders.

Stay safe, stay patched, keep your eyes peeled and have a great weekend free of paranoia!