Australia's Leading Computer Emergency Response Team

AusCERT Week in Review for 30th November 2012
Date: 30 November 2012
Original URL: http://www.auscert.org.au/render.html?cid=7066&it=16639


Greetings,

It seems that ransomware is getting a lot of press lately, and it appears that cybercriminals are finding some interesting ways to distribute it and infect unsuspecting users. Earlier this week Go Daddy, the world's largest domain name registrar, suffered an attack in which customers' DNS records were modified to add malicious sub-domains; the new DNS entries pointed at malicious IP addresses, which then served ransomware to the websites' visitors.
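As an added illustration (not code from AusCERT or from any incident write-up), this is the kind of check a site owner can run against a registrar's zone export to catch the pattern described above: records appearing on owner names that were never approved, or changed values on known names. The zone contents, names and addresses below are constructed.

```python
# Added example: diff a current DNS zone snapshot against an approved baseline
# to flag injected sub-domains and changed records. All data is constructed.
from typing import List, Set, Tuple

Record = Tuple[str, str, str]  # (owner name, record type, record value)

# Constructed approved baseline for a hypothetical zone.
BASELINE_ZONE = """
example.com.        3600 IN A   192.0.2.10
www.example.com.    3600 IN A   192.0.2.10
example.com.        3600 IN MX  10 mail.example.com.
mail.example.com.   3600 IN A   192.0.2.20
"""

# Constructed snapshot from the registrar after a suspected change.
CURRENT_ZONE = """
example.com.        3600 IN A   192.0.2.10
www.example.com.    3600 IN A   192.0.2.10
example.com.        3600 IN MX  10 mail.example.com.
mail.example.com.   3600 IN A   198.51.100.5     ; value changed on a known name
cdn-update.example.com. 300 IN A 198.51.100.77   ; owner name never approved
"""

def parse_zone(text: str) -> Set[Record]:
    """Parse 'name [TTL] IN TYPE value' lines into a set of normalised records."""
    records: Set[Record] = set()
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # strip comments and whitespace
        fields = line.split()
        if "IN" not in fields:                 # blank line or unsupported syntax
            continue
        idx = fields.index("IN")
        name = fields[0].lower().rstrip(".")
        rtype = fields[idx + 1].upper()
        value = " ".join(fields[idx + 2:]).lower().rstrip(".")
        records.add((name, rtype, value))
    return records

def find_unexpected(baseline: Set[Record], current: Set[Record]) -> List[Record]:
    """Records present now but absent from the approved baseline, sorted for stable reports."""
    return sorted(current - baseline)

def classify(baseline: Set[Record], current: Set[Record]) -> Tuple[List[Record], List[Record]]:
    """Split unexpected records into injected owner names and changed values on known names."""
    known = {name for name, _, _ in baseline}
    injected, changed = [], []
    for rec in find_unexpected(baseline, current):
        (changed if rec[0] in known else injected).append(rec)
    return injected, changed
```

Running `classify(parse_zone(BASELINE_ZONE), parse_zone(CURRENT_ZONE))` reports the unapproved `cdn-update` name separately from the changed `mail` address, so each can be escalated on its own.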

There have been numerous cases reported in Australia over the past couple of months, and in each case the ransomware has encrypted all of the user's data and the criminals have demanded a cash payment for the decryption key. Back in September AusCERT published a blog post entitled 'Ransomware lands on Australian shores', which provided some best practices to follow to avoid becoming a victim of ransomware. With ransomware infections on the increase, the mass media has started to report on the issue as well. Most recently Nine News published an article entitled "Criminals hold Aussie computer files hostage", which includes some additional suggestions, courtesy of AusCERT's own Marco Ostini, on how to protect yourself and what to do if your machines become infected.

The Australian Defence Signals Directorate recently updated its "35 Strategies to Mitigate Targeted Cyber Intrusions". In response to the updated DSD document, AusCERT has published a blog post this week which provides some advice on how to apply the appropriate security controls from a non-technical perspective. This is definitely worth a read!

Something else we've seen on the increase over the past few months is a large number of phishing emails using Woolworths surveys as a hook. Scams using Woolworths as a hook, in particular Woolworths vouchers, have also been doing the rounds on Facebook. Troy Hunt has dissected the Woolworths Facebook scam over at his blog.

As mentioned last week, AusCERT is currently looking for a new Information Security Analyst to join the Co-ordination Centre team, and the deadline for applications is approaching quickly! If you would like to join a dynamic team in an exciting industry, make sure to get your application in before 5th December!

In other news, AusCERT has reached over 1500 followers on Twitter! If you'd like to follow us, please check out https://twitter.com/AusCERT, and if you're one of those folks who uses Facebook, please like our page at https://www.facebook.com/AusCERT

This week's top five bulletins:

1) ESB-2012.1113 - ALERT [Appliance] Sinapsi eSolar devices: Multiple vulnerabilities

First up is a bulletin released by ICS-CERT regarding a number of vulnerabilities in a range of SCADA products, Sinapsi eSolar, which are deployed within the energy sector and, according to the vendor, also used for building automation. According to ICS-CERT, publicly available exploits exist for these vulnerabilities, which could allow an administrator-level compromise of these devices.

2) ESB-2012.1118 - ALERT [Printer] Samsung and Dell Printers: Administrator compromise - Remote/unauthenticated

This particular issue has been getting a lot of media attention: a range of Samsung printers (some of which are also rebadged as Dell) contain a hardcoded account that could allow an attacker to take full control of these devices. There is currently no patch to correct the issue, although Samsung and Dell have stated that a patch tool will be released later in the year.

3) ASB-2012.0164 - [Win][Linux][OSX] Google Chrome: Multiple vulnerabilities

This week's obligatory web browser bulletin mention goes to Google Chrome! A new version of Chrome has been released which corrects seven vulnerabilities that could allow code execution and denial of service.

4) ESB-2012.1117 - [UNIX/Linux][Debian] rssh: Execute arbitrary code/commands - Remote/unauthenticated

Two vulnerabilities were patched in rssh, which was not correctly filtering command-line options and was therefore inadvertently allowing code execution.

5) ESB-2012.1121 - [Apple iOS] Apple TV: Multiple vulnerabilities

And finally, Apple released a bulletin regarding two vulnerabilities in its Apple TV product, which could allow code execution and information disclosure.

Have a great weekend!
Jonathan