AusCERT Week in Review for 23rd November 2018 23 Nov 2018


Greetings,

This week, back to basics. We've selected some articles about the fundamentals of cybersecurity, for wins you can get without going to a vendor and buying more SIEMs to cram into your network.

Patching! Security updates are important, but if you don't install them, they're worthless. In fact, if everyone else is patched and you're not, it just makes you a bigger target.

Users! User behaviour is key, and encouraging secure practices will close a lot of holes.

Finally, it's the season for Cyber Monday sales. Some password managers are offering discounts - if your loved ones aren't already using a password manager, it might be worth having a browse...!

Into the articles:


Active XSS Attacks Targeting AMP for WP WordPress Plugin
Date: 20 November 2018
Author: BleepingComputer
https://www.bleepingcomputer.com/news/security/active-xss-attacks-targeting-amp-for-wp-wordpress-plugin/

Vulnerabilities were recently discovered in the popular AMP for WP plugin that allows any registered user to perform administrative actions on a WordPress site. It has now been discovered that an active XSS attack is underway that targets these same vulnerabilities to install backdoors and create rogue admin accounts on a vulnerable WordPress site.

Unfortunately, as many users may not know about the security vulnerabilities or have not updated their software, this still remains a good vector for attacks.


Hackers use Drupalgeddon 2 and Dirty COW exploits to take over web servers
Date: 19 November 2018
Author: ZDNet
https://www.zdnet.com/article/hackers-use-drupalgeddon-2-and-dirty-cow-exploits-to-take-over-web-servers/

Through these recent attacks, hackers aim to gain a foothold on servers, elevate their access to a root account, and then install a legitimate SSH client so they can log into the hijacked servers at later dates.

Taking into account that this attack relies on exploiting two very well-known vulnerabilities for which patches have been made available a long time ago, website and server owners can easily make sure they're immune to such attacks by updating Drupal and their Linux servers.


Employees' cybersecurity habits worsen, survey finds
Date: 15 November 2018
Author: We Live Security
https://www.welivesecurity.com/2018/11/15/employees-cybersecurity-habits-worsen/

The prevalence of cybersecurity incidents and the concomitant growing concerns about any organization’s cybersecurity posture haven’t done much to discourage many employees from engaging in poor security habits, a survey has found.

In some respects, employees’ cyber-hygiene is actually getting worse, according to the 2018 Market Pulse Survey by identity governance provider SailPoint, which gathered opinions from 1,600 employees at organizations with at least 1,000 employees in Australia, France, Germany, Italy, Spain, the United Kingdom, and the United States.

Three in every four respondents admitted to reusing passwords across accounts. In the survey’s 2014 edition, the same was true for “only” 56% of the employees.


Beyond Passwords: 2FA, U2F and Google Advanced Protection
Date: 15 November 2018
Author: Troy Hunt
https://www.troyhunt.com/beyond-passwords-2fa-u2f-and-google-advanced-protection/

Last week I wrote a couple of different pieces on passwords, firstly about why we're going to be stuck with them for a long time yet and then secondly, about how we all bear some responsibility for making good password choices. A few people took some of the points I made in those posts as being contentious, although on reflection I suspect it was more a case of lamenting that we shouldn't be in a position where we're still dependent on passwords and people needing to understand good password management practices in order for them to work properly.

This week, I wanted to focus on going beyond passwords and talk about 2FA. Per the title, not just any old 2FA but U2F and in particular, Google's Advanced Protection Program. This post will be partly about 2FA in general, but also specifically about Google's program because of the masses of people dependent on them for Gmail. Your email address is the skeleton key to your life (not just "online" life) so protecting that is absolutely paramount.


Adobe issues fix for Flash bug allowing remote code execution
Date: 21 November 2018
Author: CyberScoop
https://www.cyberscoop.com/adobe-flash-patch-bug-remote-code-execution/

Adobe has issued a patch for its Flash Player software, fixing a critical bug that would have allowed attackers to remotely execute malicious code.

The company labels it as a “type confusion” vulnerability. That means that Flash Player could run a piece of code without verifying what type it is. If an unpatched version of Flash is running, an attacker could trick users into visiting a website hosting malicious code that could then run on the user’s Flash Player, as explained in a security advisory issued by Microso


Here are this week's noteworthy security bulletins:

ESB-2018.3611 - ALERT [Win][UNIX/Linux] Flash Player: Execute arbitrary code/commands - Remote with user interaction
https://www.auscert.org.au/bulletins/72014

Adobe has released security updates for Adobe Flash Player for Windows, macOS,
Linux and Chrome OS. These updates address a critical vulnerability in Adobe
Flash Player 31.0.0.148 and earlier versions. Successful exploitation could
lead to arbitrary code execution in the context of the current user.


ASB-2018.0241.3 - UPDATE Palo Alto PAN-OS: Multiple vulnerabilities
https://www.auscert.org.au/bulletins/69798

Palo Alto Networks has addressed vulnerabilities from OpenSSL.


ESB-2018.3609 - [Win][Linux] moodle: Cross-site request forgery - Remote with user interaction
https://www.auscert.org.au/bulletins/72006

A cross-site-request-forgery vulnerability in a login form.


ESB-2018.3627 - [Win][UNIX/Linux] GitLab: Multiple vulnerabilities
https://www.auscert.org.au/bulletins/72078

Versions 11.5.0-rc12, 11.4.6, and 11.3.10 for GitLab Community Edition (CE) and Enterprise Edition (EE) have been released.


ASB-2018.0292 - [Win][UNIX/Linux] Google Chrome: Execute arbitrary code/commands - Remote with user interaction
https://www.auscert.org.au/bulletins/72086

The Chrome team has released an update which includes a security fix for CVE-2018-17479, a high-severity issue causing a use-after-free in GPU code.


Stay safe, stay patched, and have a good weekend!
David, Charelle and the team at AusCERT


« Back to all blog entries