<?xml version="1.0" encoding="ISO-8859-1"?>
<rdf:RDF
  xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
  xmlns:content="http://purl.org/rss/1.0/modules/content/"
  xmlns="http://purl.org/rss/1.0/">
 <channel rdf:about="http://www.auscert.org.au/">
  <title>AusCERT - AusCERT Web Log</title>
  <link>http://www.auscert.org.au/</link>
  <description>The AusCERT web log is where our staff have the opportunity to informally discuss current activity and interesting developments in the area of information security.</description>
  <items>
   <rdf:Seq>
    
     <rdf:li rdf:resource="http://www.auscert.org.au/render.html?it=17522" />
     <rdf:li rdf:resource="http://www.auscert.org.au/render.html?it=17486" />
     <rdf:li rdf:resource="http://www.auscert.org.au/render.html?it=17437" />
     <rdf:li rdf:resource="http://www.auscert.org.au/render.html?it=17407" />
     <rdf:li rdf:resource="http://www.auscert.org.au/render.html?it=17369" />
   </rdf:Seq>  
  </items>
 </channel>



  <item rdf:about="http://www.auscert.org.au/render.html?it=17522">
   <title>(10/05/2013) AusCERT Week in Review for 10th May 2013</title>
   <link>http://www.auscert.org.au/render.html?it=17522</link>
   <description>The last week's worth of bulletins, advisories and news.</description>
   <content:encoded><![CDATA[ Greetings,

The US Department of Labor's website was <a href="http://nakedsecurity.sophos.com/2013/05/02/us-department-of-labor-website-hacked-serves-malware-now-fixed/">compromised</a> and made to serve malicious content to Internet Explorer users. The intended targets of this <a href="http://www.net-security.org/secworld.php?id=14867">watering-hole attack</a> have not been confirmed, but the nature of the site suggests US defence contractors. The malicious code installed the Poison Ivy remote administration tool, which at the time had a very low detection rate among anti-virus products. Security researchers at Sophos and other companies initially presumed that the exploit targeted the already-patched <a href="https://www.auscert.org.au/16843">CVE-2012-4792</a> vulnerability (fixed by MS13-008). It was later found that the attackers were exploiting a previously unknown Internet Explorer 8 vulnerability. As a consequence, Microsoft released a <a href="http://technet.microsoft.com/en-us/security/advisory/2847140">security advisory</a> for IE8 and on Thursday rolled out a one-click Fix it; note that the Fix it is a workaround rather than a full security update, so keep watching the advisory for the proper patch. If it hasn't already been done, this vulnerability needs to be addressed as soon as possible. Details of the workarounds and the Fix it can be found in our <a href="https://www.auscert.org.au/17487">External Security Bulletin</a>, published on Monday and updated on Thursday. 

We have previously mentioned the "<a href="http://arstechnica.com/security/2013/04/admin-beware-attack-hitting-apache-websites-is-invisible-to-the-naked-eye/"> Darkleech</a>" web backdoor which infected 20,000 Apache websites. A new web server backdoor variant called "Linux/Cdorked.A", related to Darkleech, has been detected and, according to <a href="http://www.welivesecurity.com/2013/05/07/linuxcdorked-malware-lighttpd-and-nginx-web-servers-also-affected/">ESET</a>, it affects not only Apache but also lighttpd and nginx. Infected sites selectively redirect visitors who match certain criteria to other compromised web servers hosting the Blackhole exploit kit. For example, visitors whose browsers are configured for Japanese, Finnish, Russian, Ukrainian, Belarusian or Kazakh are not redirected, and the backdoor's configuration also carries an extensive blacklist of IP addresses, which almost certainly includes those of well-known security researchers and vendors. The initial infection vector was <a href="http://www.h-online.com/security/news/item/Web-server-backdoor-also-booby-traps-lighttpd-and-NGINX-1859667.html">believed</a> to be cPanel, but many of the infected machines did not have cPanel installed, and with no common factor found between the compromised servers the vector remains undetermined. According to ESET more than 400 web servers have been infected, 50 of them in <a href="http://www.alexa.com/">Alexa's</a> top 100,000 most popular websites. If you are worried that your server may be affected, a Python <a href="http://www.welivesecurity.com/wp-content/uploads/2013/04/dump_cdorked_config.7z">script</a> developed by ESET may help you determine whether the backdoor is present. 

Here’s this week’s list of security bulletins that the CC Team felt important to highlight:

1/ <a href="https://www.auscert.org.au/17505">ESB-2013.0645 - [SUSE] kernel: Multiple vulnerabilities</a>

The latest SUSE security update fixes 22 kernel vulnerabilities across the SLES 11 releases, with impacts ranging from root compromise (with user interaction) to unauthorised data access by local users.

2/ <a href="https://www.auscert.org.au/17490">ESB-2013.0631 - [Appliance] D-Link IP Cameras: Multiple vulnerabilities</a>

Five vulnerabilities were found and patched in D-Link IP cameras, including unauthenticated remote access to a live video stream (served in ASCII form).

3/ <a href="https://www.auscert.org.au/17516">ESB-2013.0655 - ALERT [Win] [UNIX] [OSX] Adobe ColdFusion: Access confidential data - Remote/unauthenticated</a>

A vulnerability in Adobe ColdFusion that allows a remote unauthenticated user to retrieve files from the server has been discovered and is being actively exploited in the wild. There is no patch yet, but Adobe has provided a mitigation and has stated that a fix is being finalised and is expected to ship on the 14th of May.

Lastly - please be advised that the outage to the ARM (AusCERT Remote Monitoring) service has been cancelled and will NOT occur on Saturday 11/05/2013, between 9am and 5pm (GMT+10). This outage will be rescheduled to a future date.

We apologise for the inconvenience.

This ends our week in review.

Stay safe, stay patched and have a good weekend!

Ananda.
 



 ]]></content:encoded>
  </item>
  <item rdf:about="http://www.auscert.org.au/render.html?it=17486">
   <title>(03/05/2013) AusCERT Week in Review for 3rd May 2013</title>
   <link>http://www.auscert.org.au/render.html?it=17486</link>
   <description>The last week's worth of bulletins, advisories and news.</description>
   <content:encoded><![CDATA[ <br>Greetings,

First up, after receiving a Google Glass device through a Google-run competition on Twitter, security researcher Jay Freeman posted a <a href="http://www.saurik.com/id/16">lengthy blog</a> on Tuesday detailing how he gained root access on the device using an Android 4.0 exploit disclosed last September. Freeman stated in his blog, "Sadly, due to the way Glass is currently designed, it is particularly susceptible to the kinds of security issues that tend to plague Android devices." Somewhat disturbing are the implications of an attacker being able to gain root access to Google Glass, described by Freeman as having "...much more power than if they had access to your phone or even your computer: they have control over a camera and a microphone that are attached to your head. A bugged Glass doesn't just watch your every move: it watches everything you are looking at (intentionally or furtively) and hears everything you do." For more details, be sure to read his <a href="http://www.saurik.com/id/16">blog</a>!

In other news, <a href="http://www.cio.com/article/732707/Dutch_Bill_Seeks_to_Give_Law_Enforcement_Hacking_Powers">the Dutch government yesterday presented a draft bill</a> which aims to give law enforcement wide-reaching powers to hack into computer systems, not just at home but also in foreign countries, to research, gather and copy evidence or to block access to certain types of information. The draft bill quickly drew criticism: Simone Halink of the Dutch digital rights organisation 'Bits of Freedom' responded the same day that the "proposal is rushed" and that rather than increasing digital investigation powers the Dutch government should increase police manpower. She also stated that the legislation could spark an escalating arms race between hacking governments.

In a report authored by Citizen Lab this week, <a href="http://www.scmagazine.com/finfisher-command-and-control-hubs-turn-up-in-11-new-countries/article/291252/">researchers stated that they have detected command and control servers for the FinFisher spyware suite in eleven new countries</a> - Hungary, Turkey, Romania, Panama, Lithuania, Macedonia, South Africa, Pakistan, Nigeria, Bulgaria and Austria. According to the researchers this brings the total number of countries with FinFisher C&C servers to thirty-six. The spyware suite, distributed by UK-based Gamma International, has been touted as an "IT intrusion and remote monitoring solution" which is explicitly offered only to "law enforcement and intelligence agencies"; however, the researchers say that evidence of these C&C servers is not "necessarily indicative that the surveillance technology is being used by the government or authorities in those countries."

This week's collection of particularly interesting/urgent bulletins (in no particular order):

1) <a href="https://www.auscert.org.au/17454">ESB-2013.0599 - ALERT [FreeBSD] nfsserver: Root compromise - Remote/unauthenticated</a>

Early this week, FreeBSD released an advisory regarding a serious root compromise vulnerability in NFS affecting all supported versions of FreeBSD. This advisory should be acted on as soon as possible.

2) <a href="https://www.auscert.org.au/17464">ASB-2013.0062 - ALERT [Win][Virtual] McAfee ePolicy Orchestrator: Administrator compromise - Remote/unauthenticated</a>

Two vulnerabilities were disclosed in McAfee ePolicy Orchestrator, one of which could potentially allow a remote attacker to execute code with SYSTEM privileges by registering a rogue Agent to the ePO server and sending a crafted request to it. 

3) <a href="https://www.auscert.org.au/17477">ESB-2013.0620 - [Appliance] BIG-IP: Denial of service - Remote/unauthenticated</a>

F5 has released a bulletin regarding a BIND denial-of-service vulnerability in its range of BIG-IP products, along with upgrades that correct the issue.
 
And finally, a little housekeeping - 

Please be advised that on Saturday 11/05/2013, between 9am and 5pm (GMT+10), there will be a scheduled outage of the AusCERT Remote Monitoring service.

The following service will be affected:

* ARM will not be accessible via this page: <a href="https://arm.auscert.org.au/">https://arm.auscert.org.au/</a>
* ARM will cease to monitor any systems you have configured in ARM and will not be able to send notification alarms to you for the duration of the outage.

All other services will remain available, including access to the AusCERT web site <a href="http://auscert.org.au/">http://auscert.org.au/</a>

We apologise for the inconvenience.

Have a great weekend!
Jonathan<br><br> ]]></content:encoded>
  </item>
  <item rdf:about="http://www.auscert.org.au/render.html?it=17437">
   <title>(26/04/2013) AusCERT Week in Review for 26th April 2013</title>
   <link>http://www.auscert.org.au/render.html?it=17437</link>
   <description>The last week's worth of bulletins, advisories and news.</description>
   <content:encoded><![CDATA[ Greetings,

"<a href="http://www.phrases.org.uk/meanings/may-you-live-in-interesting-times.html">May you live in interesting times</a>" has been referred to as a Chinese curse. It can also be understood as "May you experience much disorder and trouble in your life". It would be fair to say that information security is living in very interesting times at the moment.

In our experience, it is an unfortunate reality that many WordPress users struggle to patch their installations. Well-known vulnerabilities are then exploited, often en masse via scripting, and what was an innocent WordPress site becomes a host for bank phishing, malware delivery or other forms of online nastiness.

Due to their large number and varying quality, AusCERT does not publish bulletins for WordPress plug-ins, but this week we saw the very popular WP Super Cache and W3 Total Cache plug-ins have a <a href="http://www.h-online.com/security/news/item/WordPress-cache-plugins-enabled-remote-PHP-execution-1848961.html">very serious vulnerability highlighted</a>: remote execution of PHP code.

Updates are available for both plug-ins. If you use them, stop reading this review now and apply the updates!

In the wider view, if you run a content management system like WordPress, Joomla or Drupal, be mindful not just of keeping the core CMS patched, but also the plug-ins. A vulnerable plug-in can do just as much evil as a vulnerability in the core system, and plug-ins are often not written or maintained as well as the core code. Take care in selecting the CMS plug-ins you use, and if you don't really need them, uninstall them.

<a href="http://www.itnews.com.au/News/340983,it-security-firm-names-sydneys-lulzsec-hacker.aspx">Matthew Flannery, a 24 year old Point Clare man</a> who is alleged to be the leader of the well-known hacking group LulzSec <a href="http://www.afp.gov.au/media-centre/news/afp/2013/april/afp-arrests-first-lulzsec-hacker.aspx">has been arrested by the Australian Federal Police</a> and charged with two offences against the Criminal Code Act. He is a support technician at IT security provider Content Security, which was contracted to provide support for global security firm Tenable Network Security. Flannery will keep his position within the company until investigations advance further.

With Distributed Denial of Service attacks increasing in strength and frequency, the publication of "<a href="http://blog.icann.org/2013/04/how-to-report-a-ddos-attack/">How to Report a DDoS Attack" by the ICANN Security Team</a> is very timely.

If you manage any Information Technology infrastructure that you care about, then take the time to read this blog post, as it covers the key points: what to do and whom to call when under attack, where to turn for help, and tips on providing good information about the attack. Best of all, mitigation guidance is provided in a collection of linked documents. This is the kind of reading that any good sysadmin will benefit from.

We're happy to announce to AusCERT members, that the <a href="http://auscert.org.au/17412">Quarterly Trend Report for March 2013 </a>is available for your viewing pleasure.

So if you've not already attended to them, here are my top 5 patches/actions for the week:

1) <a href="https://auscert.org.au/17430">ESB-2013.0582.2 - UPDATE [Cisco] Cisco NX-OS: Multiple vulnerabilities</a>

Having your switches and routers vulnerable to unauthenticated remote code execution and denial of service is never nice. Patch now!

2) <a href="https://auscert.org.au/17343">ESB-2013.0507.2 - UPDATE [Win] Microsoft Windows: Multiple vulnerabilities</a>

This is the patch to fix the patch for Windows 7 and Server 2008. Kaspersky anti-virus and other software that didn't play nice with the previous revision should be happier with this one.

3) <a href="https://auscert.org.au/17423">ESB-2013.0575 - [Cisco] Cisco ASA and FWSM: Unauthorised access - Remote/unauthenticated</a>

Having an unauthenticated remote attacker able to bypass access lists is not good, especially when the device in question is a firewall or security appliance.

4) <a href="https://auscert.org.au/17421">ESB-2013.0572 - [RedHat] kernel: Multiple vulnerabilities</a>

While an existing account is needed to exploit these vulnerabilities, don't take chances with the kernel - patch it.

5) <a href="https://auscert.org.au/17429">ESB-2013.0581 - [Win][Cisco] Cisco Device Manager: Execute arbitrary code/commands - Remote/unauthenticated</a>

Remote code execution, especially when unauthenticated is not nice. Patch to avoid it being exploited.

Stay safe,
Marco


 ]]></content:encoded>
  </item>
  <item rdf:about="http://www.auscert.org.au/render.html?it=17407">
   <title>(19/04/2013) AusCERT Week in Review for 19th April 2013</title>
   <link>http://www.auscert.org.au/render.html?it=17407</link>
   <description>This week's bulletins and information security news.</description>
   <content:encoded><![CDATA[ <br>Greetings,

Welcome to the Week in Review for the week ending Friday 19th of April 2013. As usual, it has been an interesting week in IT Security. 

The three main news items of the week that will be covered in this post are:
1) Boston marathon bombing related cyber attacks
2) Google prohibits ads on Google Glass
3) Microsoft introduces two-factor authentication across all its online products

At the end of this post the most notable security bulletins of the week will also be covered in brief.

This week's tragic events of the Boston marathon bombings have been turned into a <a href="http://www.infosecurity-magazine.com/view/31911/phishing-campaign-exploits-boston-marathon-texas-fertilizer-tragedies/">phishing/spam attack by opportunists</a>. Emails pretending to contain links to news articles and exclusive camera footage instead direct users to fake websites hosting malware, which in turn infects their machine, possibly with a bot agent from Zeus or Kelihos. The bots can then harvest financial and personal information from the user or use the compromised machine to send further spam. AusCERT has been playing its part in preventing this from affecting the security of networks in Australia by keeping track of known bad URLs and providing these as a feed to our members as usual. You can access the latest feed and information about it by visiting: https://www.auscert.org.au/9123. In our research AusCERT has found that there were at least 22 unique IP addresses used in the hosting of the fake websites. All the URLs AusCERT inspected were of one of these forms:
http://_ip_address_/news.html
http://_ip_address_/texas.html
http://_ip_address_/boston.html
AusCERT will continue to keep an eye on this but we would suggest that organisations take necessary steps to ensure the safety of their organisation's devices from this <a href="http://news.vanderbilt.edu/2013/04/phishing-boston-marathon-bombings/">phishing attack</a>. 
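As an added illustration of hunting for this campaign in your own proxy logs (example code written for this review, not AusCERT's feed or tooling), the script below flags requests whose URL has the shape listed above, an IP-literal host with one of the paths news.html, texas.html or boston.html, and counts the distinct hosting addresses. The log lines are constructed, using documentation address ranges, and the "timestamp client method url" layout is an assumption; adapt the regular expression to your proxy's format.

```python
"""Added example, not AusCERT's feed or tooling: flag proxy-log requests whose URL
has the shape reported above (an IP-literal host with the path news.html,
texas.html or boston.html) and count the distinct hosting addresses."""
import ipaddress
import re
from typing import Dict, List, Set
from urllib.parse import urlsplit

# The three paths the review says every inspected lure URL used.
LURE_PATHS = {"/news.html", "/texas.html", "/boston.html"}

# Constructed sample in a simple "timestamp client method url" layout (hypothetical
# lines, not real traffic; hosts are taken from documentation address ranges).
SAMPLE_LOG = """\
1366300001.123 10.0.0.5  GET http://203.0.113.7/boston.html
1366300002.456 10.0.0.9  GET http://news.example.com/boston.html
1366300003.789 10.0.0.5  GET http://203.0.113.7/texas.html
1366300004.012 10.0.0.12 GET http://198.51.100.23/News.html
1366300005.345 10.0.0.12 GET http://198.51.100.23/favicon.ico
1366300006.678 10.0.0.3  GET http://203.0.113.7/boston.html?utm=1
garbage line that does not parse
"""

# Assumed layout: timestamp, client address, HTTP method, URL (adjust for your proxy).
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")


def is_lure_url(url: str) -> bool:
    """True for http(s)://<ip-literal>/{news,texas,boston}.html; the path comparison is
    case-insensitive and any query string is ignored."""
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme not in {"http", "https"} or not host:
        return False
    try:
        ipaddress.ip_address(host)   # rejects DNS names, accepts IPv4 and IPv6 literals
    except ValueError:
        return False
    return parts.path.lower() in LURE_PATHS


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one record per request that matches the campaign's URL pattern."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and is_lure_url(m["url"]):
            hits.append({"ts": m["ts"], "client": m["client"], "url": m["url"],
                         "host": urlsplit(m["url"]).hostname})
    return hits


def hosting_ips(hits: List[Dict[str, str]]) -> Set[str]:
    """Distinct addresses hosting lure pages; compare this against a published feed."""
    return {h["host"] for h in hits}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(h["ts"], h["client"], "->", h["url"])
    print(len(found), "matching requests from", len({h["client"] for h in found}),
          "clients;", len(hosting_ips(found)), "distinct hosting IPs")
```

A match on the URL shape alone is a lead, not proof of infection: the client that fetched news.html should then be checked for the follow-on payload download, and the hosting address compared with the feed above.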

In an interesting twist for a company that makes its primary revenue from advertising (around 95% of revenue), Google has <a href="http://news.cnet.com/8301-10812_3-57579762/google-glassware-developers-prohibited-from-displaying-ads/">prohibited Google Glass developers from displaying ads</a> or even charging for the software. It seems that Google may be trying a different tactic here and might be focusing on making money from the hardware itself, or waiting to see how the platform evolves before opening it up to software-based revenue. Google has made public statements in the past making it clear that the Glass platform must be <a href="http://hardware.slashdot.org/story/13/04/18/1414212/google-forbids-advertising-on-glass">clean and clear of ads</a>, as the technology is designed to facilitate internet browsing and other related activities.

Microsoft has finally joined the short list of companies that support <a href="http://www.wired.co.uk/news/archive/2013-04/18/microsoft-two-factor-authentication">two-factor authentication</a> on their online products. Google was the first to introduce the concept en masse back in 2010, and Dropbox and Apple have followed suit. Microsoft <a href="http://www.theregister.co.uk/2013/04/17/microsoft_two_factor_authentication/">joined</a> the list this week.

Finally, here are this week's top security bulletins:
1) <a href="https://www.auscert.org.au/17379">ASB-2013.0056 - ALERT [UNIX/Linux] Parallels Plesk Panel: Root compromise - Existing account</a>

Two vulnerabilities in Parallels Plesk Panel allow for privilege escalation. This can allow an attacker to run arbitrary code as the root user!
	
2) <a href="https://www.auscert.org.au/17389">ASB-2013.0058 - ALERT [Win][UNIX/Linux] Oracle Java: Multiple vulnerabilities</a>

Even more Java vulnerabilities patched this week by Oracle! The most severe Impact/Access for this was Execute Arbitrary Code/Commands -- Remote/Unauthenticated.

3) <a href="https://www.auscert.org.au/17388">ASB-2013.0057 - ALERT [Win][UNIX/Linux] Oracle Products: Multiple vulnerabilities</a>

26 Oracle products (not including Java) got patches delivered this week with Oracle not providing too much information on the vulnerabilities.

4) <a href="https://www.auscert.org.au/17383">ESB-2013.0538 - [RedHat] kernel: Multiple vulnerabilities</a>

A couple of vulnerabilities in the Red Hat 6 kernel create conditions which may allow an existing unprivileged user to escalate their privileges.

That ends our week in review. Stay patched and have a great weekend.

Regards,
Parth Shukla
Information Security Analyst
<br> ]]></content:encoded>
  </item>
  <item rdf:about="http://www.auscert.org.au/render.html?it=17369">
   <title>(12/04/2013) AusCERT Week in Review for 12th April 2013</title>
   <link>http://www.auscert.org.au/render.html?it=17369</link>
   <description>This week's bulletins and information security news.</description>
   <content:encoded><![CDATA[ Greetings,

The 8th of April marked the start of the <a href="http://blogs.technet.com/b/security/archive/2013/04/09/the-countdown-begins-support-for-windows-xp-ends-on-april-8-2014.aspx">one-year countdown</a> until Windows XP SP3 becomes unsupported. This means that from the 8th of April 2014, Microsoft will not publicly release any new security updates for Windows XP SP3. Anyone still running this operating system will be exposed to every new flaw found by security researchers, malware developers and exploit developers, and Windows XP will remain a target for as long as a meaningful percentage of consumers still use it. We encourage people to upgrade to a newer version of Microsoft Windows, or to try a supported Linux, BSD or Mac OS operating system, to avoid being at heightened risk of infection or compromise when Windows XP becomes unsupported.

Speaking of Microsoft, this Tuesday was the second Tuesday of the month, which means <a href="http://technet.microsoft.com/en-us/security/bulletin/ms13-apr">Microsoft's Patch Tuesday</a>; it brought nine security bulletins fixing 14 vulnerabilities. <a href="http://www.scmagazine.com.au/News/339255,microsoft-fixes-three-critical-flaws.aspx">Three</a> of these are rated critical: two in Internet Explorer and one in Microsoft's Remote Desktop Protocol. Please note that there have been reports of issues after installing <a href="http://support.microsoft.com/kb/2823324">KB2823324</a>, which is part of MS13-036. Microsoft has <a href="http://support.microsoft.com/kb/2839011">stated</a>: "Microsoft is investigating behaviour wherein systems may fail to recover from a reboot or applications fails to load after security update 2823324 is applied. Microsoft recommends that customers uninstall this update."

The Cutwail botnet, which has been spreading the Zeus banking Trojan, has added a new Android Trojan called <a href="http://www.secureworks.com/cyber-threat-intelligence/threats/stels-android-trojan-malware-analysis/">Stels</a> to its malware repertoire. According to Brett Stone-Gross, Stels has many capabilities: stealing the contact list, harvesting information about the device it is running on, making phone calls, sending and monitoring SMS messages, and adding, removing or executing applications or files. It is spread through emails (mostly impersonating a national taxation office) that link to a compromised website hosting an instance of the Blackhole exploit kit. The landing page checks the User-Agent header sent by the visiting device to determine its operating system; if it is an Android device, it displays a warning page saying that Adobe Flash needs to be updated, with a link to the malicious application. The user must still agree to download and install the package. The malware is now detected by <a href="https://www.virustotal.com/en/file/03c1b44c94c86c3137862c20f9f745e0f89ce2cdb778dc6466a06a65b7a591ae/analysis/">19 of the 46</a> anti-virus engines available through VirusTotal. Removing it is as simple as uninstalling it from the uninstall menu; however, since Stels can install other applications, further backdoors may have been added to the device.
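Both this landing page and the Linux/Cdorked.A backdoor covered in the 10 May review decide what to serve from the visitor's profile: Cdorked by browser language and a source-IP blacklist, Blackhole here by User-Agent. The observable side of that gating is that the same URL answers different clients differently, so one way to check a suspect site is to fetch it with several profiles and diff the answers. The probe below is an added example written for this review, not code from AusCERT, ESET or SecureWorks. The client profiles are constructed, and the simulated server that stands in for a compromised host applies the rules described in the two reviews so that the detector can be run offline; a standard-library fetcher for live use is included but not exercised by the demo.

```python
"""Added example, not code from AusCERT, ESET or SecureWorks: fetch one URL with
several client profiles and report which profiles are answered differently. This
is the observable side of the gating described in the reviews: Linux/Cdorked.A
redirects by browser language and source-IP blacklist, and the Blackhole landing
page that delivered Stels served its "Flash update" only to Android User-Agents."""
import hashlib
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Profile:
    user_agent: str
    accept_language: str


@dataclass(frozen=True)
class Reply:
    status: int
    location: Optional[str]   # Location header when redirected, else None
    content_type: str
    body_sha256: str          # a hash, so bodies can be compared without being kept


Fetcher = Callable[[str, Profile], Reply]

# Constructed profiles (hypothetical strings). "researcher" is the one an attacker would
# rather not serve: Russian locale, desktop browser. The other two look like victims.
PROFILES: Dict[str, Profile] = {
    "researcher": Profile("Mozilla/5.0 (X11; Linux x86_64; rv:20.0) Gecko/20100101 Firefox/20.0",
                          "ru-RU,ru;q=0.8"),
    "win_ie8": Profile("Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
                       "en-AU,en;q=0.8"),
    "android": Profile("Mozilla/5.0 (Linux; U; Android 4.0.4; en-au) AppleWebKit/534.30 Mobile Safari/534.30",
                       "en-AU,en;q=0.8"),
}


def _digest(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()


def find_cloaking(url: str, profiles: Dict[str, Profile], fetch: Fetcher,
                  baseline: str = "researcher") -> List[Tuple[str, Reply, Reply]]:
    """Return (profile name, baseline reply, that profile's reply) for every profile
    whose reply differs from the baseline's in status, redirect target, type or body."""
    base = fetch(url, profiles[baseline])
    diverging = []
    for name, profile in profiles.items():
        if name == baseline:
            continue
        reply = fetch(url, profile)
        if reply != base:
            diverging.append((name, base, reply))
    return diverging


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None   # never follow: the redirect itself is the evidence we want


def http_fetch(url: str, profile: Profile, timeout: float = 10.0) -> Reply:
    """Live fetcher, standard library only (not exercised by the offline demo)."""
    req = urllib.request.Request(url, headers={"User-Agent": profile.user_agent,
                                               "Accept-Language": profile.accept_language})
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return Reply(resp.getcode(), resp.headers.get("Location"),
                         resp.headers.get("Content-Type", ""), _digest(resp.read()))
    except urllib.error.HTTPError as err:   # 3xx and 4xx/5xx both land here
        return Reply(err.code, err.headers.get("Location"),
                     err.headers.get("Content-Type", ""), _digest(err.read()))


_NORMAL_PAGE = b"<html><body>Welcome to our site</body></html>"
_FLASH_LURE = b"<html><body>Adobe Flash needs to be updated: <a href='update.apk'>download</a></body></html>"


def simulated_fetch(url: str, profile: Profile) -> Reply:
    """Constructed stand-in for a compromised server so the detector runs offline. It
    applies the gating rules the reviews describe; it is not a captured sample."""
    primary = profile.accept_language.split(",")[0].split("-")[0].lower()
    if url.endswith("/cdorked/"):
        # Cdorked-style: spare the listed locales, send everyone else to the exploit kit.
        if primary in {"ja", "fi", "ru", "uk", "be", "kk"}:
            return Reply(200, None, "text/html", _digest(_NORMAL_PAGE))
        return Reply(302, "http://exploit-kit.invalid/landing", "text/html", _digest(b""))
    if url.endswith("/blackhole/") and "Android" in profile.user_agent:
        # Blackhole landing page: only the Android User-Agent gets the fake Flash update.
        return Reply(200, None, "text/html", _digest(_FLASH_LURE))
    return Reply(200, None, "text/html", _digest(_NORMAL_PAGE))


if __name__ == "__main__":
    for page in ("/cdorked/", "/blackhole/", "/clean/"):
        hits = find_cloaking("http://compromised.invalid" + page, PROFILES, simulated_fetch)
        print(page, "->", [(name, r.status, r.location) for name, _, r in hits])
```

Two caveats when using this against a real host. Because Cdorked also keys on the visitor's IP address, a probe run from a well-known security address space may see only the clean page whichever profile it sends, so repeat the comparison from a source the attacker would not recognise. And a divergence is a lead rather than a verdict: legitimate sites vary content by language and device too, which is why the script reports the redirect target and content type for a human to judge.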

My little tip of the week: WordPress.com has added <a href="http://nakedsecurity.sophos.com/2013/04/06/wordpress-boosts-security-for-bloggers-with-2fa/">"two-step"</a> authentication for account holders. Codes can be generated with the Google Authenticator application or sent to your phone number by SMS. Just be sure that your mobile device is not infected by something like the Stels Trojan, which monitors SMS messages, or the added security may be ineffective. 

Here’s this week’s list of security bulletins that the CC Team felt important to highlight:

1/ <a href="https://www.auscert.org.au/17344">ESB-2013.0508 - [Win][Linux][Apple iOS][Android][OSX] Adobe Flash Player & AIR: Multiple vulnerabilities</a>
This is Adobe's monthly Flash update, which patches four vulnerabilities that may be used to execute arbitrary code.

2/ <a href="https://www.auscert.org.au/17335">ESB-2013.0499 - [Win] Internet Explorer: Execute arbitrary code/commands - Remote with user interaction</a>
Two use after free vulnerabilities have been patched in Internet Explorer which may result in the execution of arbitrary commands if the logged in user accesses a specially crafted web page. 

3/ <a href="https://www.auscert.org.au/17336">ESB-2013.0500 - [Win] Remote Desktop Client: Execute arbitrary code/commands - Remote with user interaction</a>
A remote code execution vulnerability requiring user interaction exists in the Windows Remote Desktop client. This definitely should be patched, especially if you need to use the client over the internet.

4/ <a href="https://www.auscert.org.au/17363">ASB-2013.0051 - [VMware ESX][Linux][FreeBSD][Solaris] Nvidia GPU Driver: Root compromise - Remote/unauthenticated</a>
If you are running X servers that accept connections from external hosts and operate in "NoScanout" mode, this one has to be patched immediately; otherwise you may be exposed to a root compromise.

5/ <a href="https://www.auscert.org.au/17368">ESB-2013.0528 - [Win][UNIX/Linux] IBM Sterling B2B Integrator: Administrator compromise - Remote/unauthenticated</a>
A vulnerability that could be used to run arbitrary UNIX or Windows commands has been fixed. If you are running one of the affected products, this should be patched as soon as possible. 

This ends our week in review.

Stay safe, stay patched and have a good weekend!

Ananda.<br><br> ]]></content:encoded>
  </item>

</rdf:RDF>