//Blogs - 15 March 2019

AusCERT Week in Review for 15th March 2019

AusCERT Week in Review
15 March 2019

Greetings,
Well this week has been interesting.  
Watch out which games you play as they could be backdoored from way up the supply chain. Exaggerating a bit on the controls over USBs, you could start either tethering them to your personnel or consider thermite upon their removal of circulation. But things does not stop there. At work, this patch-cycle-week, plenty of systems had to be updated to avoid being abused.  Also, Monero mining was thought to slow down but with the incorporation in to malicious code with worm-like behaviour, mining will move into a new gear. Had enough and have the thought of applying for a job else where? Bad luck, as databases overseas also get compromised.
So we all need you to rest for the weekend, recuperate, cause it will have to be all-hands-on-deck next week.

As for news, here's a summary (including excerpts) of some of the more
interesting stories we've seen this week:

-------
 
Title: Game Development Companies Backdoored in Supply-Chain Attacks
URL: https://www.bleepingcomputer.com/news/security/game-development-companies-backdoored-in-supply-chain-attacks/
Author : Sergiu Gatlan
Date: 11th March 2019

Excerpt:
"Two popular games and a gaming platform developed by Asian companies were compromised following a series of successful supply-chain attacks which allowed the attackers to include a malicious payload designed to provide them with a backdoor.

The malware used in the supply chain attacks is designed to check the region of the compromised machines before dropping the payload and, if it's a Chinese or a Russian computer, it will automatically stop the infection process hinting at the fact that the cybercriminals behind this supply chain attack have a very specific list of victims they need to target."

-------
 
Title: CVE-2019-0797 Windows Zero-Day exploited by FruityArmor and SandCat APT Groups
URL: https://securityaffairs.co/wordpress/82345/apt/cve-2019-0797-fruitarmor-sandcat.html
Author : Pierluigi Paganini
Date: 13th March 2019

Excerpt:
"One of the flaws, tracked as CVE-2019-0808, was disclosed by Google’s Threat Analysis Group after it has observed targeted attacks exploiting the issue alongside a recently addressed flaw in Chrome flaw (CVE-2019-5786).

The second zero-day, tracked as CVE-2019-0797, was reported to Microsoft by experts at Kaspersky Lab, which states the issue has been exploited by several threat actors, including FruityArmor and SandCat APT groups."

-------
 
Title: What do sexy selfies, search warrants, tax files have in common? They've all been found on resold USB sticks
URL: https://www.theregister.co.uk/2019/03/14/usb_recoverable_data/
Author : Thomas Claburn
Date: 14th March 2019

Excerpt:
"You do know just dragging stuff to the delete folder doesn't wipe stuff, right? Apparently not.
About two-thirds of USB memory sticks bought secondhand in the US and UK have recoverable and sometimes sensitive data, and in one-fifth of the devices studied, the past owner could be identified."

-------
 
Title: Unsecured Database Exposed 33 Million Job Profiles in China
URL: https://www.bleepingcomputer.com/news/security/unsecured-database-exposed-33-million-job-profiles-in-china/
Author : Lawrence Abrams
Date: 14th March 2019

Excerpt:
"A large database with approximately 33 million profiles for people seeking jobs in China has been fully accessible and unprotected online. This information included sensitive information that could have been used for scammers and identity theft.

The database was discovered by Sanyam Jain, a security researcher and member of GDI.Foundation, who found the database using the Shodan search engine."

-------
 
Title: Malware Spreads As a Worm, Uses Cryptojacking Module to Mine for Monero
URL: https://www.bleepingcomputer.com/news/security/malware-spreads-as-a-worm-uses-cryptojacking-module-to-mine-for-monero/
Author : Sergiu Gatlan
Date: 12th March 2019

Excerpt:
"A modular malware with worm capabilities exploits known vulnerabilities in servers running ElasticSearch, Hadoop, Redis, Spring, Weblogic, ThinkPHP, and SqlServer to spread from one server to another and mine for Monero cryptocurrency.

Systemctl.exe, the worm module of the malware named PsMiner by the 360 Total Security researchers, is a Windows binary written in the Go language which bundles all the exploit modules used to hack into vulnerable servers it can find on the Internet."

-------

Here are this week's noteworthy security bulletins (in no particular order):

1.    ESB-2019.0834 - [Appliance] Power 9 Systems: Root compromise - Existing account
https://www.auscert.org.au/bulletins/77154
"...could allow the host full access to BMC memory and flash...

2.    ESB-2019.0782 - [Linux][HP-UX][Solaris][AIX] IBM MQ: Execute arbitrary code/commands - Existing account
https://www.auscert.org.au/bulletins/76906
"..a local user to inject code that could be executed with root privileges.."

3.    ESB-2019.0806 - [Win][Linux][HP-UX][Solaris][AIX] IBM Db2: Increased privileges - Existing account
https://www.auscert.org.au/bulletins/77042
"...potentially giving low privilege user full access to root..."

4.     ASB-2019.0077 - [Win] Microsoft Windows: Multiple vulnerabilities
https://www.auscert.org.au/bulletins/76950
"CVE-2019-0797   Elevation of Privilege   Important"

Wishing you the best from AusCERT and hope to see you safe next week,
Geoffroy