AusCERT Week in Review for 1st March 2019

Greetings,
This week was marked by solution providers running for the hills over runc, the container runtime, after a vulnerability showed that a call to it could do more than its documented behaviour allows. The fix is out and vendors are rolling it into their products. The final days of Coinhive can also be counted on two hands: the reason given for the shutdown is that the business model "isn't economically viable anymore". Some permutation of it, with a different currency and algorithm pair, is bound to emerge, particularly now that new browser APIs can keep code running even after the page that loaded it has been closed. This type of service may be taking a break, but mining on other people's computers will come back. After all, that's where the money is these days.
    
As for news, here's a summary (including excerpts) of some of the more
interesting stories we've seen this week:

-------

Title:  Cisco Fixes Critical RCE Vulnerability in RV110W, RV130W, and RV215W Routers
URL: https://www.bleepingcomputer.com/news/security/cisco-fixes-critical-rce-vulnerability-in-rv110w-rv130w-and-rv215w-routers/
Date:  28th February 2019
Author: Sergiu Gatlan

Excerpt:
"Cisco fixed a critical remote code execution vulnerability present in the web-based management interface of the RV110W Wireless-N VPN Firewall, RV130W Wireless-N Multifunction VPN Router, and RV215W Wireless-N VPN Router devices.

Cisco's security advisory rates the vulnerability currently tracked under CVE-2019-1663 as critical and assigns it a 9.8 base score based on the Common Vulnerability Scoring System (CVSS) 3.0 given that it could allow potential unauthenticated attackers to remotely execute arbitrary code on any of the three vulnerable routers."

-------

Title:  Coinhive to Mine Its Last Monero in March  
URL: https://threatpost.com/coinhive-monero-shutdown/142290/
Date:   28th February 2019
Author: Tara Seals

Excerpt:
"It seems like a good model on the surface, but in the notice on its website, posted on Tuesday, Coinhive management said that a 50 percent drop in the hash rate after the latest Monero fork "hit us hard." The hash rate refers to the speed at which a mining operation is completed – i.e., how long it takes to uncover one block of currency."

-------

Title: Drupal RCE Flaw Exploited in Attacks Days After Patch
URL: https://www.securityweek.com/drupal-rce-flaw-exploited-attacks-days-after-patch
Date:  26th February 2019
Author: Eduard Kovacs

Excerpt:
"A vulnerability patched recently in the Drupal content management system (CMS) has been exploited in the wild to deliver cryptocurrency miners and other payloads. The attacks started just three days after a fix was released.
...
The patches released on February 20 were quickly analyzed and technical details and proof-of-concept (PoC) code were released roughly two days later."

-------

Title: Malspam Exploits WinRAR ACE Vulnerability to Install a Backdoor  
URL: https://www.bleepingcomputer.com/news/security/malspam-exploits-winrar-ace-vulnerability-to-install-a-backdoor/
Date:  25th February 2019
Author: Lawrence Abrams

Excerpt:
"Researchers have discovered a malspam campaign that is distributing a malicious RAR archive that may be the first one to exploit the newly discovered WinRAR ACE vulnerability to install malware on a computer.

Last week, Check Point disclosed a 19 year old vulnerability in the WinRAR UNACEV2.DLL library that allows a specially crafted ACE archive to extract a file to the Windows Startup folder when it is extracted. This allows the executable to gain persistence and launch automatically when the user next logs in to Windows."
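
The check an extractor needs in order not to end up writing into the Startup folder, as an added Python example; this is not code from the article, from Check Point's research or from WinRAR, and it does not reproduce the extractor's own filename handling. The entry names it scans are constructed test inputs shaped like traversal attempts (relative `..` climbs, a drive prefix followed by `..`, a UNC path and an absolute path); the `%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup` location is the real Windows per-user Startup folder.

```python
"""Reject archive entry names that could escape the extraction directory.

Added example (not the article's, Check Point's or WinRAR's code).  Whatever
the extractor's own bug was, the defensive rule is the same: an entry name
must be a plain relative path, with no drive letter, UNC prefix, leading
separator or '..' component, before it is joined to the destination.
"""
import ntpath
from typing import List, Optional, Tuple


def classify_entry_name(name: str) -> Optional[str]:
    """Return None when the name is safe to extract, otherwise the reason it is not."""
    if not name:
        return "empty name"
    # Windows extractors treat both separators as separators; do the same before
    # inspecting the components, so "..\\x" and "../x" are judged alike.
    unified = name.replace("\\", "/")
    # ntpath.splitdrive understands "C:", "C:\\..." and "\\\\server\\share" on any host OS.
    if ntpath.splitdrive(name)[0]:
        return "drive letter or UNC prefix"
    if unified.startswith("/"):
        return "absolute path"
    parts = [p for p in unified.split("/") if p not in ("", ".")]
    if not parts:
        return "empty name"
    if ".." in parts:
        return "parent-directory traversal"
    return None


def safe_extract_path(dest_root: str, name: str) -> Optional[str]:
    """Join a vetted entry name under dest_root, or return None if it was rejected."""
    if classify_entry_name(name) is not None:
        return None
    parts = [p for p in name.replace("\\", "/").split("/") if p not in ("", ".")]
    return "/".join([dest_root.rstrip("/\\")] + parts)


def scan_listing(names: List[str]) -> List[Tuple[str, str]]:
    """Produce an (entry, verdict) row per archive entry for review."""
    return [(n, classify_entry_name(n) or "ok") for n in names]


# Constructed entry names: one benign, the rest shaped like what would be needed
# to drop an executable into %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
# when the user extracts from a folder such as Downloads.
SAMPLE_LISTING = [
    "invoice/scan_2019-02.pdf",
    "..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.exe",
    "C:\\C:C:../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/update.exe",
    "\\\\attacker\\share\\update.exe",
    "/Users/Public/update.exe",
]

if __name__ == "__main__":
    for entry, verdict in scan_listing(SAMPLE_LISTING):
        print(f"{verdict:30} {entry}")
```

The check is on names only. A complete extractor should additionally refuse symbolic-link entries and, after joining, resolve the final path (os.path.realpath) and confirm it still lies under the destination directory, so that a link planted by an earlier entry cannot redirect a later one.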

-------

Title: New browser attack lets hackers run bad code even after users leave a web page
URL: https://www.zdnet.com/article/new-browser-attack-lets-hackers-run-bad-code-even-after-users-leave-a-web-page/
Date:  25th February 2019
Author:  Catalin Cimpanu

Excerpt:
"Academics from Greece have devised a new browser-based attack that can allow hackers to run malicious code inside users' browsers even after users have closed or navigated away from the web page on which they got infected.
...
This is possible because modern web browsers now support a new API called Service Workers. This mechanism allows a website to isolate operations that render a page's user interface from operations that handle intense computational tasks so that the web page UI doesn't freeze when processing large quantities of data."

-------

Here are this week's noteworthy security bulletins (in no particular order):

1.    ESB-2019.0621 - [Win] Cisco Webex Meetings Desktop App and Cisco Webex Productivity Tools: Administrator compromise - Existing account
https://www.auscert.org.au/bulletins/76234
"An exploit could allow the attacker to run arbitrary commands with SYSTEM user privileges."

2.    ESB-2019.0625 - [RedHat] Red Hat Ansible Engine: Multiple vulnerabilities
https://www.auscert.org.au/bulletins/76258
"path traversal vulnerability which allows copying and overwriting files..."

3.    ESB-2019.0622 - [Appliance] Cisco RV110W Wireless-N VPN Firewall, Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router: Execute arbitrary code/commands - Remote/unauthenticated
https://www.auscert.org.au/bulletins/76242
"could allow an unauthenticated, remote attacker to execute arbitrary code..."

4.    ESB-2019.0597 - [Appliance] Moxa IKS and Moxa EDS: Multiple vulnerabilities
https://www.auscert.org.au/bulletins/76138
"The devices use plaintext transmission of sensitive data, which may allow an attacker to capture sensitive data such as an administrative password."

5.    ESB-2019.0559 - [SUSE] kernel-firmware: Multiple vulnerabilities
https://www.auscert.org.au/bulletins/75986
"..in Bluetooth where the elliptic curve parameters were not sufficiently validated during Diffie-Hellman key exchange."
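
The validation the Bluetooth bulletin describes as missing, shown as an added Python example; this is not code from the bulletin, the SUSE package or any Bluetooth stack. Bluetooth LE Secure Connections uses ECDH on NIST P-256, and the curve constants below are the standard P-256 parameters; the private scalars and the off-curve test point are constructed for the demonstration. The group arithmetic is a minimal affine implementation for illustration, not constant time and not for production use.

```python
"""Check a peer's ECDH public key before using it (added example, P-256).

The affine formulas below never use the curve constant B, so a point from a
different, weaker curve would be multiplied by our private scalar without
complaint and the result would leak information about that scalar.
validate_peer_public_key() is the check that prevents this.
"""
from typing import Optional, Tuple

Point = Optional[Tuple[int, int]]   # None stands for the point at infinity

# NIST P-256 domain parameters: y^2 = x^3 + A*x + B over GF(P), base point G of order N.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)


def _inv(x: int) -> int:
    return pow(x, P - 2, P)          # Fermat inversion; P is prime


def _add(p1: Point, p2: Point) -> Point:
    """Affine point addition and doubling.  Note that B never appears."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                  # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * _inv(2 * y1) % P
    else:
        lam = (y2 - y1) * _inv(x2 - x1) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k: int, pt: Point) -> Point:
    """Double-and-add; proceeds (dangerously) even if pt is not on P-256."""
    result: Point = None
    addend = pt
    while k:
        if k & 1:
            result = _add(result, addend)
        addend = _add(addend, addend)
        k >>= 1
    return result


def is_on_curve(pt: Point) -> bool:
    if pt is None:
        return False
    x, y = pt
    if not (0 <= x < P and 0 <= y < P):
        return False
    return (y * y - (x * x * x + A * x + B)) % P == 0


def validate_peer_public_key(pt: Point) -> bool:
    """Full public-key validation: on the curve, not infinity, and of order N."""
    if not is_on_curve(pt):
        return False
    # P-256 has cofactor 1, so every on-curve point other than infinity already
    # has order N; the check is kept because a generic validator needs it for
    # curves with a cofactor.
    return scalar_mult(N, pt) is None


def ecdh_shared_secret(own_private: int, peer_public: Point) -> int:
    """x-coordinate of own_private * peer_public (what Bluetooth calls DHKey),
    refusing to compute anything at all with an invalid peer point."""
    if not validate_peer_public_key(peer_public):
        raise ValueError("peer public key rejected: not a valid P-256 point")
    if not 1 <= own_private < N:
        raise ValueError("private scalar out of range")
    return scalar_mult(own_private, peer_public)[0]


def demo() -> dict:
    """Constructed exchange: honest keys agree, an off-curve point is refused."""
    alice_priv = 0x1F3A9C4E6B8D2A5C7E9F1B3D5A7C9E2B4D6F8A1C3E5B7D9F2A4C6E8B1D3F5A7C  # constructed
    bob_priv = 0x7A2C4E6B8D1F3A5C7E9B2D4F6A8C1E3B5D7F9A2C4E6B8D1F3A5C7E9B2D4F6A8C    # constructed
    alice_pub = scalar_mult(alice_priv, G)
    bob_pub = scalar_mult(bob_priv, G)
    off_curve = (G[0], (G[1] + 1) % P)     # constructed: y tweaked, no longer on P-256
    try:
        ecdh_shared_secret(alice_priv, off_curve)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "alice_secret": ecdh_shared_secret(alice_priv, bob_pub),
        "bob_secret": ecdh_shared_secret(bob_priv, alice_pub),
        "off_curve_rejected": rejected,
    }


if __name__ == "__main__":
    out = demo()
    print("secrets agree:", out["alice_secret"] == out["bob_secret"])
    print("off-curve peer point rejected:", out["off_curve_rejected"])
```

The point of the example is the order of operations: the on-curve check runs before the private scalar ever touches the peer's point. A stack that multiplies first and checks afterwards (or never) is exactly the condition the bulletin describes.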

Wishing you the best from AusCERT and hope to see you safe next week,
Geoffroy