Week in review - 26 Sep 2019

AusCERT Week in Review for 13th September 2019


This week has been a busy one, with Microsoft Patch Tuesday, a serious Exim vulnerability being actively exploited, and yet more potentially life-threatening medical equipment vulnerabilities being exposed. All in all, just another day at the office!

As the week comes to a close, here are some articles that may help ease you into the weekend.

ThreatList: Amidst Data Breaches, Account Creation Fraud Soars in 2019
Date published: 10/09/2019 
Author: Tara Seals
Excerpt: “The first half of 2019 saw a 13 percent increase in fraudulent activity compared to the previous six months, with a spike in June representing the highest-volume bot attack that’s been recorded since 2016, according to an analysis from LexisNexis.

The firm’s report, with data gleaned from 277 million human-initiated attacks across its Digital Identity Network, shows that bot attacks focused on new account creations are on the rise, bent on building fake online identities across diverse sectors. This type of attack is the only criminal “use case” that saw growth in the study period.

The June attack targeted a virtual gift-card provider, with a bot trying to set up accounts using different email addresses. LexisNexis found that the attack originated in the U.S., but the browser language was set to Russian.”

Weakness in Intel chips lets researchers steal encrypted SSH keystrokes
Date published: 11/09/2019
Author: Dan Goodin
Excerpt: “The researchers have named their attack NetCAT, short for Network Cache ATtack. Their research is prompting an advisory for Intel that effectively recommends turning off either DDIO or RDMA in untrusted networks. The researchers say future attacks may be able to steal other types of data, possibly even when RDMA isn’t enabled. They are also advising hardware makers do a better job of securing microarchitectural enhancements before putting them into billions of real-world servers.

“While NetCAT is powerful even with only minimal assumptions, we believe that we have merely scratched the surface of possibilities for network-based cache attacks, and we expect similar attacks based on NetCAT in the future,” the researchers, from the Vrije Universiteit Amsterdam and ETH Zurich, wrote in a paper published on Tuesday. “We hope that our efforts caution processor vendors against exposing microarchitectural elements to peripherals without a thorough security design to prevent abuse.””

Fake PayPal Site Spreads Nemty Ransomware
Date published: 08/09/2019
Author: Ionut Ilascu
Excerpt: “The automated analysis showed that it took about seven minutes for the ransomware to encrypt the files on the victim host. However, this may differ from one system to another.

Fortunately, the malicious executable is detected by most popular antivirus products on the market. A scan on VirusTotal shows that it is detected by 36 out of 68 antivirus engines.”

Threats to macOS users
Date published: 11/09/2019
Authors: Mikhail Kuzin, Tatyana Shcherbakova, Tatyana Sidorina, Vitaly Kamluk
Excerpt: “The belief that there are no threats for the macOS operating system (or at least no serious threats) has been bandied about for decades. The owners of MacBooks and iMacs are only rivaled by Linux users in terms of the level of confidence in their own security, and we must admit that they are right to a certain degree: compared to Windows-based systems, there are far fewer threats that target macOS. However, the main reason for this is the number of potential victims: there are many more computers running Windows than those running macOS. However, the situation is changing, since the popularity of the latter platform is growing. Due to this and despite all the efforts that have been taken by the company, the threat landscape for Apple devices is changing, and the amount of malicious and unwanted software is growing.

For the purposes of this report we used the statistics from Kaspersky Security Network cloud infrastructure. It stores information about all of the malicious programs and other threats that our macOS product users agreed to anonymously share with us. In fact, all these threats at some point attacked the computers of Kaspersky security solution users, but these attacks were successfully repelled.”

COBALT DICKENS Goes Back to School…Again
Date published: 11/09/2019
Authors: Secureworks Counter Threat Unit Research Team
Excerpt: “For this campaign, the threat actors registered at least 20 new domains targeting over 60 universities in Australia, the United States, the United Kingdom, Canada, Hong Kong, and Switzerland. These domains were registered using the Freenom domain provider, which administers the following free top-level domains (TLDs) unless the domain is considered “special”:

Many of these domains use valid SSL certificates, likely to make the spoofed pages appear authentic. The overwhelming majority of the certificates observed in 2019 were issued by Let’s Encrypt, a nonprofit organization that programmatically issues free certificates. However, past campaigns used certificates issued by the Comodo certificate authority.”

Here are this week’s noteworthy-ish security bulletins:

1) Microsoft Windows: Multiple vulnerabilities

Microsoft Patch Tuesday (or Wednesday in this part of the world) saw the release of security updates for multiple Microsoft products. These included Edge, Internet Explorer (surprise, surprise), Exchange Server, Office, Skype, etc. The Windows update alone addressed a rather modest 49 vulnerabilities, including multiple remote code execution and privilege escalation vulnerabilities.

2) UPDATED ALERT exim4: Root compromise – Remote/unauthenticated

This was published, and then republished as an alert, when a malware campaign was observed installing LILOCKED ransomware on Linux servers after gaining root access to them. Chatter from a Russian-language blog indicated Exim as a potential vector used by the malware authors to gain root privileges on the target servers.

If you want to learn more, see https://twitter.com/threatbear_co/status/1170876973436022785?s=20

3) Becton, Dickinson and Company Pyxis: Unauthorised access – Existing account

The weekly roundup just wouldn’t be complete without a medical industry related vulnerability. This particular session fixation vulnerability could allow an attacker who has already gained access to a lower privileged account within the Pyxis medication management platform to re-use a higher privileged user’s Active Directory credentials, thereby elevating their privileges within the platform.

At that point, the attacker could view patient data and medication details and potentially alter medication records within the platform.

4) Adobe Flash Player: Execute arbitrary code/commands – Remote with user interaction

Adobe got a bit of security love from Microsoft as part of its updates. Just two “critical” remote code execution vulnerabilities were addressed this time around.

Adobe also released an update fixing a remote code execution vulnerability in its Application Manager software.

5) curl: Multiple vulnerabilities

Last but not least, everyone’s favourite URL retrieval tool, curl, got an update for two remote code execution vulnerabilities, both stemming from incorrect memory handling when performing a TFTP transfer or when using Kerberos over FTP.

...and with that, have a great weekend all!