//Week in review - 7 Nov 2019

AusCERT Week in Review for 8th November 2019
As the week comes to a close, here are some articles that may help ease you into the weekend.

BlueKeep attacks are happening, but it’s not a worm
Date published: 03/11/2019
Author: Catalin Cimpanu
Excerpt: “This BlueKeep campaign has been happening at scale for almost two weeks, but it’s been only spotted today by cybersecurity expert Kevin Beaumont.

The British security expert said he found the exploits in logs recorded by honeypots he set up months before and forgot about. First attacks date back to October 23, Beaumont told ZDNet.

Beaumont’s discovery was confirmed by Marcus “MalwareTech” Hutchins, the security researcher who stopped the WannaCry ransomware outbreak, and who’s a recognized expert in the BlueKeep exploit.”

QSnatch malware already infected thousands of QNAP NAS devices
Date published: 04/11/2019
Author: Pierluigi Paganini
Excerpt: “A couple of weeks ago, the experts at the National Cyber Security Centre of Finland (NCSC-FI), published a report on the QSnatch malware.

The experts were alerted about the malware in October and immediately launched an investigation.

“NCSC-FI received reports via the Autoreporter service during mid October of infected devices attempting to communicate to specific command and control (C2) servers.” reads the report. “The original infection method remains unknown, but during that phase malicious code is injected to the firmware of the target system, and the code is then run as part of normal operations within the device. After this the device has been compromised. The malware uses domain generation algorithms to retrieve more malicious code from C2 servers.”

Trend Micro reveals that customer data was illegally sold following inside-job ‘security incident’
Date published: 06/11/2019
Author: Mark Wyciślik-Wilson
Excerpt: “Security firm Trend Micro has revealed details of an inside scam which led to personal details of its customers being exposed.

The security incident dates back to August this year, and the company says that it was made aware of customers being contacted by fake Trend Micro support staff. Following an investigation lasting until the end of October, it was determined that it was a member of staff that had fraudulently gained access to a customer database and sold personal data to a third party.”

Buran Ransomware; the Evolution of VegaLocker
Date published: 05/11/2019
Authors: Alexandre Mundo and Marc Rivero Lopez
Excerpt: “This ransomware was announced in a well-known Russian forum with the following message:

“Buran is a stable offline cryptoclocker, with flexible functionality and support 24/7.
Reliable cryptographic algorithm using global and session keys + random file keys; Scan all local drives and all available network paths; High speed: a separate stream works for each disk and network path; Skipping Windows system directories and browser directories; Decryptor generation based on an encrypted file; Correct work on all OSs from Windows XP, Server 2003 to the latest; The locker has no dependencies, does not use third-party libraries, only mathematics and vinapi;”

The announcement says that Buran is compatible with all versions of the Windows OS’s (but during our analysis we found how, in old systems like Windows XP, the analyzed version did not work) and Windows Server and, also, that they will not infect any region inside the CIS segment.”

Critical Remote Code Execution Flaw Found in Open Source rConfig Utility
Date published: 04/11/2019
Author: Tom Spring
Excerpt: “Two bugs in the network configuration utility rConfig have been identified, both allowing remote code execution on affected systems.

Worse, one is rated critical and allows for a user to attack a system remotely – sans authentication.

RConfig is a free open-source configuration management utility used by over 7,000 network engineers to take snapshots of over 7 million network devices, according to the project’s website.

The vulnerabilities (CVE-2019-16663, CVE-2019-16662) are both tied to rConfig version 3.9.2. The more serious of the two vulnerabilities (CVE-2019-16662) allows an attacker to execute system commands on affected devices via GET requests, which can lead to command instructions.”

Here are this week’s noteworthy security bulletins:

1) Tenable.sc: Multiple vulnerabilities

Tenable Security Center received stand-alone patches that address multiple vulnerabilities affecting PHP. The most severe of these could lead to a remote denial of service attack and Cross-Site Scripting attacks.

2) Android: Multiple vulnerabilities

Android received its monthly update, which addresses 38 vulnerabilities. These include remote code execution and privilege escalation vulnerabilities.

3) Cisco Web Security Appliance: Cross-site scripting – Remote with user interaction

Cisco Web Security Appliance received fixes for a couple of vulnerabilities. This particular bulletin addresses the fix for a reflected XSS vulnerability.

4) IBM QRadar SIEM: Multiple vulnerabilities
Last, but most certainly not least, IBM’s QRadar SIEM received fixes for over 39 vulnerabilities, including local arbitrary code execution, remote Denial of Service, and remote information disclosure.

...and with that, have a great weekend all!