AusCERT Week in Review for 10th November 2017 10 Nov 2017



Greetings,

As Friday 10th of November closes, DDE, a twenty-four (24) year old feature in the Office suite, has taken the limelight as a method of executing code on victims' computers. Although this method requires heavy user interaction, the vendor has finally published a mitigation, which was pushed out to members in an AusCERT bulletin. So, applying the mitigation and sending another round of user education notices may do well to protect your organisation. Another set of people who may need to be educated on the dangers of opening fresh and untrusted code from the internet could be script kiddies, which leads us to our top news story this week.
 
As for more news, here's a summary (including excerpts) of some of the more interesting stories we've seen this week:

Title:  Script Kiddie Nightmare: IoT Attack Code Embedded with Backdoor
URL:    https://blog.newskysecurity.com/script-kiddie-nightmare-iot-attack-code-embedded-with-backdoor-39ebcb92a4bb
Date:   November 8, 2017
Author: NewSky Security    

Excerpt:
"The IoT threat landscape is proving to be the fastest to evolve, with attacks shifting from basic password guessing, to using a variety of exploits as seen recently in the IoTroop/Reaper botnet. Enter the script kiddie — amateurish hackers that copy/paste code for quick results."

-------

Title:  Windows Movie Maker Scam spreads massively due to high Google ranking
URL:    https://www.welivesecurity.com/2017/11/09/eset-detected-windows-movie-maker-scam-2017/
Date:   November 9, 2017
Author: Peter Stancik    

Excerpt:
"Scammers have been surprisingly successful at distributing a modified version of Windows Movie Maker that aims to collect money from unaware users. The spread of the scam (which itself is far from new) has been boosted by search engine optimization of the crooks’ website, as well as continuing demand for Windows Movie Maker, Microsoft’s free video editing software, discontinued since January 2017."

-------

Title:  Google Adds New Features in Chrome to Fight Malvertising
URL:    https://www.bleepingcomputer.com/news/security/google-adds-new-features-in-chrome-to-fight-malvertising/
Date:   November 9, 2017
Author: Catalin Cimpanu    

Excerpt:
"Google announced plans today for three new Chrome security features that will block websites from sneakily redirecting users to new URLs without the user or website owner's consent.

While all three additions are welcomed, one of these features has the potential to stop a few malvertising campaigns dead in their tracks, and could potentially disrupt the malware scene in the next few months."

-------

Title:  Chinese Keyboard Developer Spies on User Through Built-in Keylogger
URL:    https://www.hackread.com/chinese-keyboard-developer-spies-on-user-through-built-in-keylogger/
Date:   November 8, 2017
Author: Waqas     

Excerpt:
"A Chinese mechanical keyboard manufacturer MantisTek has been caught in the middle of a controversy in which it’s being blamed for spying on users through built-in keylogger in its GK2 model and sending the data to a server apparently hosted on Alibaba Cloud server."

-------

Title:  Locky Ransomware Used to Target Hospitals Evolves
URL:    http://www.zdnet.com/article/locky-ransomware-used-to-target-hospitals-evolves/
Date:   November 7, 2017
Author: Charlie Osborne    

Excerpt:
"According to new research released by Cylance, a relatively new Locky variant, dubbed Diablo6, includes a few tweaks which are making detection of the ransomware more difficult for traditional antivirus solutions as well as end users.
In a blog post, the team said Diablo6 performs an attack in two stages. The first is a typical attack vector for ransomware -- a spear phishing email which contains a .zip archive, but something new for the Locky variant.
While masquerading as a legitimate email and attachment, the file actually contains a VBS file which, when decompressed and opened, attempts to connect to Locky's command-and-control (C&C) server for instructions."

-------


And lastly, here are this week's noteworthy security bulletins (in no particular order):

1.    ASB-2017.0192 - [Win] Securely opening Microsoft Office documents that contain Dynamic Data Exchange (DDE) fields
https://www.auscert.org.au/bulletins/54686

An attacker could leverage the DDE protocol by sending a specially crafted file to the user and then convincing the user to open the file, typically by way of an enticement in an email.

2.    ESB-2017.2807 - [SUSE] kernel: Multiple vulnerabilities
https://www.auscert.org.au/bulletins/54466

CVE-2015-9004: kernel/events/core.c in the Linux kernel mishandled counter grouping, which allowed local users to gain privileges via a crafted application, related to the perf_pmu_register and perf_event_open functions

3.    ESB-2017.2867 - [Appliance] IBM Security SiteProtector System: Multiple vulnerabilities
https://www.auscert.org.au/bulletins/54726

CVE-2017-10116: An unspecified vulnerability related to the Java SE Security component could allow an unauthenticated attacker to take control of the system.

4.    ESB-2017.2865 - [Win] Schneider Electric InduSoft Web Studio and Schneider Electric InTouch Machine Edition: Execute arbitrary code/commands - Remote/unauthenticated
https://www.auscert.org.au/bulletins/54718

CVE-2017-14024: A stack-based buffer overflow vulnerability has been identified, which may allow remote code execution with high privileges.

5.    ESB-2017.2855 - [BlackBerry] BlackBerry: Multiple vulnerabilities
https://www.auscert.org.au/bulletins/54670

CVE-2017-0862: Elevation of Privilege in Kernel                             

---

Wishing you the best from AusCERT and hope to see you next week,
Geoffroy

