
AusCERT Week in Review for 1st November 2019


As the week comes to a close, here are some articles that may help ease you into the weekend.

xHelper Trojan Variant Reinstalls Itself After Removal, Infects 45K
Date published: 29/10/2019
Author: Sergiu Gatlan
Excerpt: “While the infection vector used by the threat actor behind the new xHelper variant is not yet known, Symantec’s research team suspects that the app component that bundles the xHelper payloads is downloaded by a malicious system app that might come pre-installed on some smartphone brands.

The fact that “numerous users have been complaining on forums about the persistent presence of this malware on their devices, despite performing factory resets and manually uninstalling it,” seems to further consolidate their hypothesis. — xHelper reports can be found on Reddit and Google Play’s Help forums.

The number of devices infected with the xHelper Android malware grows each day, since “in the past month alone, there was an average of 131 devices infected each day, and an average of 2,400 devices persistently infected throughout the month,” as Symantec’s research team adds.”

Facebook Sues Israeli NSO Spyware Firm For Hacking WhatsApp Users
Date published: 29/10/2019
Author: Swati Khandelwal
Excerpt: “Developed by NSO Group, Pegasus allows access to an incredible amount of data from victims’ smartphones remotely, including their text messages, emails, WhatsApp chats, contact details, calls records, location, microphone, and camera.

Pegasus is NSO’s signature product that has previously been used against several human rights activists and journalists, from Mexico to the United Arab Emirates two years ago, and Amnesty International staffers in Saudi Arabia and another Saudi human rights defender based abroad earlier last year.

Though NSO Group always claims it legally sells its spyware only to governments with no direct involvement, WhatsApp head Will Cathcart says the company has evidence of NSO Group’s direct involvement in the recent attacks against WhatsApp users.”

Industrial equipment to come under fire at the world’s largest hacking contest
Date published: 28/10/2019
Author: Catalin Cimpanu
Excerpt: “Industrial equipment will be the primary focus of the next edition of Pwn2Own, the world’s largest and most well-known hacking contest.

This is the first time that security researchers will be allowed to hack ICS (industrial control systems) software and protocols at Pwn2Own.

For most of its 12-year history, the contest has featured browsers and operating systems as the primary targets for white-hat hackers looking to make a name for themselves and earn huge cash rewards.

In recent years, contest organizers have been diversifying the target portfolio with virtual machines, Tesla cars, and even Facebook Portal devices.

Now, the organizers, Trend Micro’s Zero-Day Initiative (ZDI) project, say the next Pwn2Own contest will be solely focused on ICS devices and their respective software.”

Johannesburg Authorities Refuse to Pay Hackers’ Bitcoin Ransom
Date published: 30/10/2019
Author: Marie Huillet
Excerpt: “Authorities in Johannesburg are holding firm in their refusal to pay a ransom of 4 Bitcoin to hackers who targeted municipal systems last week.

In a statement posted to its official Twitter handle on Oct. 28, the Johannesburg city council confirmed the attack had affected services that included billing, property valuation and land information systems, as well as its eHealth and Libraries services.

The breach, which occurred on Oct. 24, was accompanied by a ransom demand of 4 Bitcoin (BTC) — worth close to $37,000 to press time — payable by Oct. 28.”

New Adwind Variant Targets Windows, Chromium Credentials
Date published: 29/10/2019
Author: Lindsey O’Donnell
Excerpt: “Once delivered, this new Adwind variant obfuscates the initial JAR file, blocking against any signature-based detection methods.

“Malware that takes advantage of common Java functionality is notoriously difficult to detect or detonate in a sandbox for the simple fact that Java is so common on the web,” researchers with Menlo Security said in a Tuesday post. “In fact, any effort to block or limit Java would result in much of the internet breaking down — a non-starter for users who increasingly rely on rich web apps or SaaS platforms for their day-to-day responsibilities.”

The JAR file then decrypts and loads a loader, which then loads an initial set of modules and sends out a request that is responsible for initializing the RAT with the command-and-control (C2) server.”

Here are this week’s noteworthy security bulletins:

1) ALERT php5: Execute arbitrary code/commands – Remote/unauthenticated

Debian released an update to address a buffer underflow vulnerability in its php5-fpm implementation. The vulnerability, CVE-2019-11043, is being actively exploited in the wild to perform remote code execution.

PHP 5.6 reached End Of Life on 1st January 2019.

Updates to address the same vulnerability followed for php7.0 and php7.3 on Debian, Ubuntu and SUSE.

2) Fortiguard FortiClient: Root compromise – Existing account


The FortiClient endpoint protection solution for Mac OS received a fix to address a local security check bypass. This could result in local command execution with root privileges.

The vulnerability arose due to improper sanitisation of special elements in a command.

3) Apple MacOS: Multiple vulnerabilities


Apple released a bunch of security fixes for its products: macOS, iOS, iPadOS, TV, Watch and Safari.

Needless to say, the fixed vulnerabilities ranged from UI spoofing to remote code execution.

4) sudo: Root compromise – Existing account


Red Hat released an update to fix a privilege escalation vulnerability which allowed a local attacker to execute privileged commands by leveraging the “Runas” specification, effectively bypassing the need to authenticate as root.

Red Hat has stated:

“This flaw only affects specific, non-default configurations of sudo, in which sudoers configuration entry allows a user to run a command as any user except root, for example:

someuser myhost = (ALL, !root) /usr/bin/somecommand”
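
An added example (not part of the AusCERT bulletin or Red Hat's advisory): a simplified Python audit that flags sudoers entries shaped like the one Red Hat quotes, where the Runas list grants ALL and removes root by negation, including when that list is hidden behind a Runas_Alias. The function names and the sample content are constructed for illustration, and the parser assumes a subset of sudoers syntax (one alias definition per line, one level of alias expansion).

```python
import re

def _logical_lines(text):
    """Yield (first_line_no, line) with comments stripped and continuations joined."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        start = no if start is None else start
        # '#' followed by a digit is a uid such as #0, not a comment
        line = re.sub(r"(?<!\S)#(?![0-9]).*", "", raw).rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, (buf + line).strip()
        buf, start = "", None

def _excludes_root_by_negation(users, aliases):
    """True when a Runas user list grants ALL and subtracts root with '!'."""
    items = []
    for item in (u.strip() for u in users.split(",")):
        items.extend(aliases.get(item, [item]))  # expand Runas_Alias one level
    return "ALL" in items and any(i in ("!root", "!#0") for i in items)

def audit_sudoers(text):
    """Return [(line_no, entry)] for user specs shaped like (ALL, !root)."""
    lines = list(_logical_lines(text))
    aliases = {}
    for _, line in lines:
        m = re.match(r"Runas_Alias\s+(\w+)\s*=\s*(.*)", line)
        if m:
            aliases[m.group(1)] = [u.strip() for u in m.group(2).split(",")]
    findings = []
    for no, line in lines:
        if "=" not in line or re.match(r"(Defaults|\w+_Alias)\b", line):
            continue
        for runas in re.findall(r"\(([^)]*)\)", line.split("=", 1)[1]):
            # drop the optional Runas group list after ':'
            if _excludes_root_by_negation(runas.split(":", 1)[0], aliases):
                findings.append((no, line))
                break
    return findings

# Constructed sample input, not taken from any real host
SAMPLE = """\
# constructed sudoers sample
Runas_Alias NOTROOT = ALL, !root
someuser myhost = (ALL, !root) /usr/bin/somecommand
alice ALL = (root) /usr/bin/systemctl
bob ALL = (NOTROOT) \\
    /usr/bin/id
carol ALL = (ALL : ALL) ALL
"""
```

Entries it reports are the ones to review against the vendor's fixed sudo package; files pulled in through include directives have to be passed to audit_sudoers separately.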

..and with that, have a great weekend all!