//Week in review - 14 Jan 2020

AusCERT Week in Review for 6th December 2019


The Christmas season is fast approaching. Do you hang up stockings or keyboards and mice?

AusCERT will be shutting down for a week between December 25th and January 1st inclusive. This means mailboxes will not be monitored. However, we will still provide the 24/7 Member Hotline. Feel free to give us a call during the break if you need assistance.

We’ve also sent out links for the 2019 AusCERT Member Survey. Please do check it out and give us your feedback – we’re keen to know where to put our efforts.

Microsoft Patches Vulnerability Leading to Azure Account Takeover
Date: 2019-12-03
Author: SecurityWeek

Microsoft recently addressed an OAuth 2.0 vulnerability that could allow an attacker to take over Azure accounts.

The issue impacts specific Microsoft OAuth 2.0 applications and allows an attacker to create tokens with the victim’s permissions, CyberArk’s security researchers have discovered.

The root cause of the security flaw, which CyberArk calls BlackDirect, is that anyone can register domains and sub-domains that OAuth applications trust.

Moreover, because the apps are approved by default and can ask for an access_token, an attacker could gain access to Azure resources, AD resources and more.

Atlassian scrambles to fix zero-day security hole accidentally disclosed on Twitter
Date: 2019-12-05
Author: The Register

Twitter security celeb SwiftOnSecurity on Tuesday inadvertently disclosed a zero-day vulnerability affecting enterprise software biz Atlassian, a flaw that may be echoed in IBM’s Aspera software.

Google security engineer Tavis Ormandy confirmed that anyone using the app could be subjected to such an attack.

As Ormandy explained, “you can just grab the private key, and nothing is stopping you resolving this domain to something other than localhost. Therefore, no guarantee that you’e talking to a trusted local service and not an attacker.”

Two malicious Python libraries caught stealing SSH and GPG keys
Date: 2019-12-04
Author: ZDNet

The Python security team removed two trojanized Python libraries from PyPI (Python Package Index) that were caught stealing SSH and GPG keys from the projects of infected developers.

The two libraries were created by the same developer and mimicked other more popular libraries — using a technique called typosquatting to register similarly-looking names.

Federal cops spring domestic violence RAT trap
Date: 2019-12-02
Author: iTnews

An Australian Federal Police operation in conjunction with peer international agencies and Europol has shuttered commercial access to the Imminent Monitor Remote Access Trojan (IM-RAT), with the malware allegedly being commonly used to stalk domestic violence victims, authorities say.

Sales records accessed in the swoop showed there may more than 14,500 buyers with the Trojan advertised via a website dedicated to hacking and the use of criminal malware with a licence costing as little as $US25, the AFP said.

Noteworthy bulletins this week:

ESB-2019.4548 – patch: remote code execution

It’s not often in 2019 that you see vulnerabilities featuring ed, “the standard editor” which spawned emacs and vim.

ESB-2019.4556 – Oniguruma: Multiple vulnerabilities

A host of issues in the widely-used regex library Oniguruma.

ESB-2019.4554 – WireShark: CMS dissector crash

WireShark’s dedication to filing CVEs any time their program can be made to crash is an inspiration to us all.

ESB-2019.4520 – [ALERT] TightVNC: Unauthenticated RCE

No proof of concept is available but an unauthenticated RCE is suspected in a program often used to contact unfamiliar hosts.

Stay safe, stay patched and have a good weekend!



“Coral” header image by Evan Yes on Unsplash.