//Week in review - 12 Oct 2018

AusCERT Week in Review for 12th October 2018

Greetings,
“Thar’s money in them thar breaches!” [1]
Well, it turns out that when you play a game of probabilities, the longer you play, the better your odds of hitting the jackpot. This time it was the data of some 500,000 Google+ users, and Google's business risk model seems to have rested on accepting that it would close up shop if the numbers came up. It will be interesting to see whether there are any lasting repercussions from Europe under the GDPR [2]. The question of whether this counts as a "less severe" or "more severe" breach [3] may be pivotal, since that sets the ceiling on the fine, which in turn can affect annual earnings and the share price [4]. The ripple effect reaches well beyond the data centres and endpoints we are tasked with securing. There is money to be made in breaches, for sure, but not in the way one might expect. GDPR versus Google may turn out to be an event that two continents will have to smooth out between them.

[1] http://dlg.galileo.usg.edu/dahlonega/history.php
[2] https://www.gdpreu.org/compliance/fines-and-penalties/
[3] https://www.nibusinessinfo.co.uk/content/gdpr-penalties-and-enforcement
[4] https://www.marketwatch.com/investing/stock/goog

As for the news, here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:
 
——-

Title:  PoC Code Available For Microsoft Edge Remote Code Execution Bug
URL:    https://www.bleepingcomputer.com/news/security/poc-code-available-for-microsoft-edge-remote-code-execution-bug/
Date:   11 October 2018
Author: Ionut Ilascu

Excerpt:
“The flurry of security bugs Microsoft addressed with this month’s rollout of updates includes a remote code execution vulnerability in Edge web browser. The glitch relies on abusing URI schemes and scripts in Windows that can run with user-defined parameters.
Now tracked as CVE-2018-8495, the bug was discovered by security researcher Abdulrahman Al-Qabandi.
His investigation started from the simple response to the ‘mailto’ URI scheme in Microsoft Edge when he noticed that Outlook would launch with a parameter customized for the scenario at hand.”
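
The check a practitioner would want after this story, added here as an example (it is not code from the article or from the researcher): audit which URI schemes Windows has registered and which of them hand the URI straight to a script host. The `.reg` text it parses is constructed sample input; the `wshfile` entry is there only to show what a dangerous handler looks like and is not a claim about which scheme the published PoC used. The list in `SCRIPT_HOSTS` is an assumption to extend as you see fit. On a real host run `reg export HKCR hkcr.reg` and pass the file as the first argument (the export is UTF-16).

```python
"""Audit URI-scheme handlers registered in HKEY_CLASSES_ROOT from a .reg export."""
import re
import sys

# Programs that treat whatever %1 points at as code or commands (assumed list).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe",
                "mshta.exe", "rundll32.exe"}

# Constructed sample of what `reg export HKCR hkcr.reg` produces (trimmed to
# three ProgIDs). The wshfile handler is included to show a scheme that hands
# the URI to Windows Script Host; it is illustrative, not taken from the PoC.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\mailto]
@="URL:MailTo Protocol"
"URL Protocol"=""

[HKEY_CLASSES_ROOT\mailto\shell\open\command]
@="\"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE\" -c IPM.Note /m \"%1\""

[HKEY_CLASSES_ROOT\wshfile]
@="Windows Script Host Settings File"
"URL Protocol"=""

[HKEY_CLASSES_ROOT\wshfile\shell\open\command]
@="\"C:\\Windows\\System32\\WScript.exe\" \"%1\" %*"

[HKEY_CLASSES_ROOT\txtfile]
@="Text Document"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"
'''


def parse_reg_export(text):
    r"""Map key path -> {value name: data} for the REG_SZ values in a .reg export.

    Only the `"name"="data"` and `@="data"` forms are kept (the default value is
    stored under the empty name), which is all a handler audit needs; the
    `\\` and `\"` escapes used by the format are undone.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line and not line.startswith(";"):
            name, _, data = line.partition("=")
            name = "" if name == "@" else name.strip('"')
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                keys[current][name] = re.sub(r'\\(["\\])', r"\1", data[1:-1])
    return keys


def executable_name(cmd):
    """Lower-cased basename of the program a shell command line launches."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmd)
    if not m:
        return ""
    prog = m.group(1) or m.group(2)
    return prog.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def audit_url_protocols(text):
    r"""Return (scheme, command, verdict) for every key that carries "URL Protocol".

    A scheme is only reachable from a web page if its key has the "URL Protocol"
    value; the command under shell\open\command is what the browser's URI
    hand-off runs, with %1 replaced by the attacker-chosen URI.
    """
    keys = parse_reg_export(text)
    findings = []
    for path, values in keys.items():
        if "URL Protocol" not in values:
            continue
        scheme = path.rsplit("\\", 1)[-1]
        cmd = keys.get(path + r"\shell\open\command", {}).get("", "")
        if "%1" not in cmd:
            verdict = "info: URI not passed to the handler"
        elif executable_name(cmd) in SCRIPT_HOSTS:
            verdict = "HIGH: URI passed to a script host"
        else:
            verdict = "review: URI passed as a command-line argument"
        findings.append((scheme, cmd, verdict))
    return findings


if __name__ == "__main__":
    # A real export is UTF-16; with no argument the constructed sample is used.
    src = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG
    for scheme, cmd, verdict in audit_url_protocols(src):
        print(f"{scheme:<10} {verdict:<48} {cmd}")
```

On the sample this reports `mailto` as "review" (Outlook receives the URI as an argument, which is the behaviour the researcher started from) and `wshfile` as "HIGH"; `txtfile` is skipped because it is a file association, not a URL protocol. A "review" finding is not a vulnerability by itself; what matters is whether the receiving program does anything dangerous with an attacker-controlled argument.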

——-

Title:  World’s largest CCTV maker leaves at least 9 million cameras open to public viewing
URL:    https://www.theregister.co.uk/2018/10/09/xiongmai_cctv_fail
Date:   9 October 2018
Author: Shaun Nichols

Excerpt:
“This time, it’s Chinese surveillance camera maker Xiongmai named and shamed this week by researchers with SEC Consult for the poor security in the XMEye P2P Cloud service. Among the problems researchers pointed to were exposed default credentials and unsigned firmware updates that could be delivered via the service.
As a result, SEC Consult warns, the cameras could be compromised to do everything from spy on their owners, to carry out botnet instructions and even to serve as an entry point for larger network intrusions.
“Our recommendation is to stop using Xiongmai and Xiongmai OEM devices altogether,” SEC Consult recommended.”

——-

Title:  It’s a cert: Hundreds of big sites still unprepared for starring role in that Chrome 70’s show
URL:    https://www.theregister.co.uk/2018/10/09/chrome_70_symantec_cert_disavowal/
Date:   9 October 2018
Author: John Leyden

Excerpt:
“Hundreds of high-profile websites are still unprepared for the total disavowal of legacy Symantec-issued digital certificates that will kick in with the release of Chrome 70 next week.
Chrome 70, out on 16 October, will no longer recognise Symantec-issued certificates including legacy-branded Equifax, GeoTrust, RapidSSL, Thawte and VeriSign.”

——-

Title:  Google+ is Shutting Down After a Vulnerability Exposed 500,000 Users’ Data
URL:    https://thehackernews.com/2018/10/google-plus-shutdown.html
Date:   8 October 2018
Author: Swati Khandelwal

Excerpt:
“Google is going to shut down its social media network Google+ after the company suffered a massive data breach that exposed the private data of hundreds of thousands of Google Plus users to third-party developers.
According to the tech giant, a security vulnerability in one of Google+’s People APIs allowed third-party developers to access data for more than 500,000 users, including their usernames, email addresses, occupation, date of birth, profile photos, and gender-related information.”

——-

Title:  Fake Flash Updaters Push Cryptocurrency Miners
URL:    https://researchcenter.paloaltonetworks.com/2018/10/unit42-fake-flash-updaters-push-cryptocurrency-miners/
Date:   11 October 2018
Author: Brad Duncan

Excerpt:
“In most cases, fake Flash updates pushing malware are not very stealthy. In recent years, such imposters have often been poorly-disguised malware executables or script-based downloaders designed to install cryptocurrency miners, information stealers, or ransomware. If a victim runs such poorly-disguised malware on a vulnerable Windows host, no visible activity happens, unless the fake updater is pushing ransomware.

However, a recent type of fake Flash update has implemented additional deception. As early as August 2018, some samples impersonating Flash updates have borrowed pop-up notifications from the official Adobe installer. These fake Flash updates install unwanted programs like an XMRig cryptocurrency miner, but this malware can also update a victim’s Flash Player to the latest version.”
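
Two detections a SOC could run against this campaign, added here as an example (not Unit 42's code or the article's): one flags Flash-named installers fetched from hosts that are not Adobe's, the other recognises the Stratum JSON-RPC login an XMRig miner sends to its pool, since a fake updater that then installs the real Flash Player leaves the mining traffic as the clearest signal. The proxy lines and TCP payloads are constructed; ADOBE_HOSTS is an assumed allowlist to adjust to what your proxy actually sees, and the wallet pattern is the standard 95-character Monero address format.

```python
"""Flag fake Flash installer downloads and XMRig Stratum logins (constructed inputs)."""
import json
import re
from urllib.parse import urlsplit

# Assumed allowlist of legitimate Flash Player download hosts; adjust locally.
ADOBE_HOSTS = {"get.adobe.com", "fpdownload.adobe.com",
               "fpdownload.macromedia.com", "download.macromedia.com"}
INSTALLER_SUFFIXES = (".exe", ".msi")
INSTALLER_TYPES = {"application/x-msdownload", "application/x-msi"}
# Standard Monero address: 95 base58 characters starting with 4 (or 8 for a subaddress).
MONERO_ADDR = re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$")

# Constructed proxy log: timestamp client method url status content-type
PROXY_LOG = """\
2018-10-11T09:12:01Z 10.1.4.23 GET http://fpdownload.adobe.com/get/flashplayer/pdc/31.0.0.108/install_flash_player.exe 200 application/octet-stream
2018-10-11T09:15:44Z 10.1.4.57 GET http://203.0.113.45/media/flashplayer_update.exe 200 application/x-msdownload
2018-10-11T09:16:02Z 10.1.4.57 GET http://cdn.example-adobe-update.net/fp/AdobeFlashPlayer_31.exe 200 application/octet-stream
2018-10-11T09:20:19Z 10.1.4.88 GET http://intranet.example.org/docs/flash_migration_plan.pdf 200 application/pdf
"""

# Constructed first client payloads of three outbound TCP sessions.
TCP_PAYLOADS = [
    # XMRig greeting its pool: JSON-RPC "login" carrying the wallet and the agent string
    '{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"4' + "A" * 94
    + '","pass":"x","agent":"XMRig/2.8.1"}}\n',
    # An unrelated JSON-RPC login to an internal service
    '{"id":1,"jsonrpc":"2.0","method":"login","params":{"user":"svc_backup","agent":"BackupAgent/1.0"}}\n',
    # Plain HTTP
    "GET / HTTP/1.1\r\nHost: example.org\r\n\r\n",
]


def flag_flash_downloads(proxy_log):
    """Return (client, url, reason) for Flash-named installers from non-Adobe hosts."""
    hits = []
    for line in proxy_log.splitlines():
        if not line.strip():
            continue
        _ts, client, _method, url, _status, ctype = line.split()
        parts = urlsplit(url)
        fname = parts.path.rsplit("/", 1)[-1].lower()
        is_installer = fname.endswith(INSTALLER_SUFFIXES) or ctype in INSTALLER_TYPES
        if "flash" in fname and is_installer and parts.hostname not in ADOBE_HOSTS:
            hits.append((client, url, f"Flash installer fetched from non-Adobe host {parts.hostname}"))
    return hits


def classify_stratum_login(payload):
    """Return a reason string if the payload is a Stratum mining login, else None.

    Stratum pools speak JSON-RPC; the first client message is a "login" whose
    params carry the wallet address and a software agent string.
    """
    try:
        msg = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(msg, dict) or msg.get("method") != "login":
        return None
    params = msg.get("params") or {}
    agent = str(params.get("agent", ""))
    login = str(params.get("login", ""))
    if agent.lower().startswith("xmrig"):
        return f"XMRig login to a mining pool (agent={agent})"
    if MONERO_ADDR.match(login):
        return "Monero wallet address used as Stratum login"
    return None


if __name__ == "__main__":
    for client, url, reason in flag_flash_downloads(PROXY_LOG):
        print(f"[download] {client} {url} :: {reason}")
    for payload in TCP_PAYLOADS:
        verdict = classify_stratum_login(payload)
        if verdict:
            print(f"[network ] {verdict}")
```

Running it flags the two downloads from 203.0.113.45 and the lookalike cdn.example-adobe-update.net, and only the first TCP session as a miner. The content check deliberately ignores port numbers: pools listen on many ports and some miners tunnel over TLS, in which case the same logic belongs on a TLS-terminating proxy or in an endpoint agent rather than on the wire.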

——-

And lastly, here are this week’s noteworthy security bulletins (in no particular order):

1) ESB-2018.3099 – [SUSE] Linux kernel: Root compromise – Existing account
https://www.auscert.org.au/bulletins/69754
Local privilege escalation in the kernel via a use-after-free in vmacache. (CVE-2018-17182)

2) ESB-2018.3084 – [Juniper] Junos Space Network Management Platform: Multiple vulnerabilities
https://www.auscert.org.au/bulletins/69690
Includes an OpenSSH local privilege escalation. (CVE-2016-10010)

3) ESB-2018.3070 – [Appliance] Siemens ROX II: Root compromise – Existing account
https://www.auscert.org.au/bulletins/69626
…gain root privileges. (CVE-2018-13801)

4) ASB-2018.0238 – [Appliance] Intel Server Boards: Multiple vulnerabilities
https://www.auscert.org.au/bulletins/69662
…may allow an unauthenticated attacker to potentially execute arbitrary code resulting…(CVE-2018-12173)

5) ESB-2018.3096 – [RedHat] Red Hat Process Automation Manager: Execute arbitrary code/commands – Remote/unauthenticated
https://www.auscert.org.au/bulletins/69742
…YAML unmarshalling vulnerable to RCE (CVE-2016-9606)

Wishing you the best from AusCERT. Stay safe, as we will need you next week to keep users safe,
Geoffroy