AusCERT Week in Review for 10th May 2013
Date: 10 May 2013
Original URL: http://www.auscert.org.au/render.html?cid=7066&it=17522

Greetings,

The US Department of Labor's website was compromised and made to serve malicious content to Internet Explorer users. The target of this watering-hole attack is unknown at the moment, but it has been suggested that it was most likely US Defence contractors, given the nature of the website. The malicious code installs a remote administration tool called Poison Ivy, which has a very low detection rate among anti-virus solutions. Initially, security researchers from Sophos and other security companies presumed that the exploit being used targeted the previously patched CVE-2012-4792 vulnerability (fixed by MS13-008). It was later found that the malware authors were using a previously unknown Internet Explorer 8 vulnerability. As a consequence, Microsoft released a security advisory concerning IE8 and rolled out a one-click Fix it patch on Thursday. If it hasn't already been done, this vulnerability needs to be addressed as soon as possible. Details of the possible workarounds and the Fix it patch can be found in our External Security Bulletin, which was published on Monday and updated on Thursday.

We have previously mentioned the "Darkleech" web backdoor, which infected 20,000 Apache websites. A new web server backdoor variant called "Linux/Cdorked.A", related to "Darkleech", has been detected and, according to ESET, this malware affects not only Apache web servers but also lighttpd and nginx. Infected web sites selectively redirect users who match certain criteria to other compromised web servers that host the Blackhole exploit kit. For example, visitors whose browsers are configured for any of the following languages will not be redirected: Japanese, Finnish, Russian, Ukrainian, Belarusian and Kazakh. Apparently an extensive blacklist of IP addresses is also included in the configuration files of the backdoor; this list would almost certainly contain the IP addresses of well-known information security researchers and vendors. The initial infection vector was believed to be cPanel, but it was discovered that many of the infected machines did not have cPanel installed. There has been some difficulty in determining the initial infection vector, as there doesn't seem to be a common factor between the compromised web servers. According to ESET, more than 400 web servers have been infected, and 50 of those are among Alexa's top 100,000 most popular websites. If you are worried that your server may be infected with this backdoor, the following Python script developed by ESET may help you determine whether or not your server is compromised.

Here's this week's list of security bulletins that the CC Team felt were important to highlight:

1/ ESB-2013.0645 - [SUSE] kernel: Multiple vulnerabilities
The latest security update for SUSE fixes 22 kernel vulnerabilities across the various SLES 11 releases. The vulnerabilities have impacts ranging from root compromise (requiring user interaction) to unauthorised access to data by local users.

2/ ESB-2013.0631 - [Appliance] D-Link IP Cameras: Multiple vulnerabilities
Five vulnerabilities were found and patched in D-Link IP cameras, including the ability to remotely access a live video ASCII stream.

3/ ESB-2013.0655 - ALERT [Win] [UNIX] [OSX] Adobe ColdFusion: Access confidential data - Remote/unauthenticated
A vulnerability in Adobe ColdFusion that enables a remote, unauthenticated user to retrieve files from the server has been discovered. This vulnerability is currently being actively exploited in the wild. Although there is no patch available at the moment, Adobe has provided a mitigation for the problem. Adobe has stated that it is currently finalising a fix for the vulnerability and that it will most likely be pushed out on the 14th of May.

Lastly, please be advised that the outage to the ARM (AusCERT Remote Monitoring) service has been cancelled and will NOT occur on Saturday 11/05/2013 between 9am and 5pm (GMT+10). The outage will be rescheduled to a future date. We apologise for the inconvenience.

This ends our week in review. Stay safe, stay patched and have a good weekend!

Ananda.