Australia's Leading Computer Emergency Response Team

AusCERT Week in Review for 28th September 2012
Date: 28 September 2012
Original URL: http://www.auscert.org.au/render.html?cid=7066&it=16399


Greetings,

As Friday winds to an end, here's a rundown of a few interesting items from this week.

First up, AusCERT received a number of reports this week relating to ransomware attacks. In each case the organisation's data had been encrypted and accompanied by a message entitled "Anti-Child porn Spam Protection". These messages also stated that the victims had accessed an illegal website and that, for the sum of $3,000, they would receive a code to decrypt their data. It appears that the same ransomware attacks have been occurring for some time overseas, but the criminals have now moved on to target Australian organisations. For more information please read our blog "Ransomware lands on Australian shores".

Next, continuing the trend of high profile data breaches, it appears that 100 gigabytes of log files containing clear-text usernames and passwords, IP addresses and HTTP requests for the IEEE.org FTP site were discovered on September 18th. These log files were kept in plaintext and, according to Radu Dragusin, the IEEE member who discovered them, had been publicly available on the FTP server for at least one month before being found. Among the credentials were those of users from organisations such as Apple, Google, IBM, Oracle, Samsung, NASA, and more. More details can be found on Dragusin's blog.
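The IEEE incident is a reminder that the logs themselves can be the breach: credentials submitted in query strings, Basic auth headers or FTP PASS commands end up recorded verbatim. The following scanner is an added example written for this review (it is not part of the AusCERT post, nor code from IEEE or Dragusin) that flags such lines in an access log and produces a redacted copy. The log lines, parameter names and regular expressions are constructed assumptions for illustration; a real deployment would tune them to the web and FTP server's actual log format.

```python
"""Scan web/FTP access logs for clear-text credentials and redact them.

Added example, not part of the AusCERT post. The sample log lines and the
list of secret-bearing parameter names below are constructed for illustration.
"""
import re
from typing import List, Tuple

# Query-string or form parameters that commonly carry secrets (assumed list).
SECRET_PARAMS = ("password", "passwd", "pwd", "pass", "token", "secret")

# Credential-bearing parameters in a URL or form body, e.g. ?password=...
_PARAM_RE = re.compile(r"(?i)\b(" + "|".join(SECRET_PARAMS) + r")=([^&\s\"]+)")
# HTTP Basic authentication header recorded into the log
_BASIC_RE = re.compile(r"(?i)(Authorization:\s*Basic\s+)([A-Za-z0-9+/=]+)")
# user:password@host embedded in a logged URL
_USERINFO_RE = re.compile(r"(?i)(://[^/\s:@]+:)([^@\s]+)(@)")
# FTP command logs that record the PASS command verbatim
_FTP_PASS_RE = re.compile(r"(?i)\b(PASS\s+)(\S+)")

REDACTED = "[REDACTED]"

# Constructed sample log (not real data): one clean request, one form login
# with the password in the query string, one Basic auth header, and an FTP
# session that logged the PASS command.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Sep/2012:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.6 - - [18/Sep/2012:10:01:09 +0000] "POST /login?user=alice&password=Hunter2 HTTP/1.1" 302 0',
    '10.0.0.7 - - [18/Sep/2012:10:02:11 +0000] "GET /api HTTP/1.1" 200 88 Authorization: Basic YWxpY2U6SHVudGVyMg==',
    "ftpd[1234]: USER bob",
    "ftpd[1235]: PASS s3cret!",
]


def redact_line(line: str) -> Tuple[str, int]:
    """Return (redacted_line, number_of_secrets_removed) for one log line."""
    count = 0

    def _sub(pattern, repl_fn, text):
        nonlocal count
        new_text, n = pattern.subn(repl_fn, text)
        count += n
        return new_text

    line = _sub(_PARAM_RE, lambda m: f"{m.group(1)}={REDACTED}", line)
    line = _sub(_BASIC_RE, lambda m: f"{m.group(1)}{REDACTED}", line)
    line = _sub(_USERINFO_RE, lambda m: f"{m.group(1)}{REDACTED}{m.group(3)}", line)
    line = _sub(_FTP_PASS_RE, lambda m: f"{m.group(1)}{REDACTED}", line)
    return line, count


def scan_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, redacted_line) for every line that held a secret.

    The original line is deliberately not returned, so the scanner's own
    output never becomes a second copy of the credentials.
    """
    findings = []
    for lineno, raw in enumerate(lines, start=1):
        redacted, n = redact_line(raw)
        if n:
            findings.append((lineno, redacted))
    return findings


if __name__ == "__main__":
    for lineno, redacted in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {redacted}")
```

Running the script over the constructed sample reports lines 2, 3 and 5 and prints them with the secrets replaced by `[REDACTED]`. The intended use is twofold: run it over retained logs to find files that should never have been kept, and wire the same redaction into the logging pipeline so the clear-text copy is never written in the first place.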

Brian Krebs reported this week on security breaches at energy company Telvent, affecting its operations in the USA, Canada and Spain. It has been said that digital fingerprints left behind by the attackers indicate that a Chinese hacking group which has been involved in numerous "cyber-espionage campaigns" against the West is responsible. Telvent said that attackers had managed to install malicious software and steal project data from a product known as OASys SCADA, which is used to allow energy firms to integrate older IT assets with "smart grid" technologies.

And finally, here are my picks for the week's top 5 bulletins (in no particular order):

1) ESB-2012.0908 - ALERT [Win] Internet Explorer: Execute arbitrary code/commands - Remote with user interaction

Microsoft were relatively quick to push out a patch for last week's zero-day vulnerability in all currently supported versions of Internet Explorer.

2) ESB-2012.0911 - [Apple iOS] Apple TV: Multiple vulnerabilities

Following up on last week's updates for OS X, iOS and Safari, Apple this week released an update for its Apple TV correcting 21 vulnerabilities in the device, the impacts of which could cause code execution, information leakage and denial of service.

3) ESB-2012.0918 - [Win][UNIX/Linux] phpMyAdmin: Execute arbitrary code/commands - Remote/unauthenticated

It appears that a SourceForge mirror was being used to distribute a compromised version of phpMyAdmin containing a backdoor that allows for code execution.

4) ESB-2012.0924 - [Cisco] Cisco IOS and IOS XE: Denial of service - Remote/unauthenticated

Cisco released a bunch of bulletins relating to denial of service vulnerabilities in devices using IOS and IOS XE.

5) ASB-2012.0132 - [Win][UNIX/Linux] Google Chrome: Multiple vulnerabilities

Google pushed out a new stable version of Chrome correcting 24 vulnerabilities allowing for code execution, confidential data access, cross-site scripting and more.

Have a great weekend!
Jonathan