Blogs - 23 August 2019

AusCERT Week in Review for 23rd August 2019


Greetings,
"Buy the rumor, sell the news". Looks like the media has gotten hold of the fact that phishers are trying the best they can to add legitimacy to their phish sites any way they can. This instance is by using services that, when conducting a WHOIS, return signs that the site "belongs" to the service being phished, trying to reduce the likelihood of it being detected. Well, we have seen various versions of this tactic, for a while now, landing in AusCERT triage. It did provide for a change, but they get processed nonetheless. Although phishers are changing tactics, one thing does not change: users need to be aware when clicking links in emails.

As for news, here's a summary (including excerpts) of some of the more
interesting stories we've seen this week:

-------
 
Phishing Attacks Scrape Branded Microsoft 365 Login Pages
Author: Sergiu Gatlan
Date: August 21st, 2019

Excerpt:

"An unusual new phishing campaign is probing email inboxes via attacks using the targets' company-branded Microsoft 365 tenant login pages to add more legitimacy to the scam.  The attackers are also using Microsoft's Azure Blob Storage and Microsoft Azure Web Sites cloud storage solutions to host their phishing landing pages, a common tactic used by phishers to trick their targets into thinking that they're seeing an official Microsoft login page.  Using Azure Blob Storage object storage solution to host their phishing pages allows them to take advantage of the fact that they will automatically get signed with an SSL certificate from Microsoft."
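
The tactic in the excerpt relies on a sign-in page served from a Microsoft-owned hosting domain, so the TLS certificate and the "microsoft" in the hostname look right even though the page is attacker-controlled content. The following is an added example (not from the article or from Microsoft) of a mail-triage check that flags links whose host sits under those tenant-controlled hosting suffixes rather than the real sign-in host; the suffix list, the allow-list and the sample email are all assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse

# Hosting suffixes where any tenant can publish content (assumed list; the
# article names Azure Blob Storage and Azure Web Sites, and static websites on
# Blob Storage are also served from *.web.core.windows.net). A valid
# Microsoft-issued certificate on these hosts says nothing about who wrote the page.
CLOUD_HOSTING_SUFFIXES = (
    ".blob.core.windows.net",
    ".web.core.windows.net",
    ".azurewebsites.net",
)
# Hosts a genuine Microsoft 365 sign-in is expected to use (constructed allow-list).
LEGIT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}

HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)


def classify_host(host: str) -> str:
    """Label a hostname: the real sign-in host, tenant-controlled cloud hosting, or other."""
    host = host.lower().rstrip(".")
    if host in LEGIT_LOGIN_HOSTS:
        return "legit-login"
    # Suffix match with the leading dot, so "blob.core.windows.net.evil.example" does not match.
    for suffix in CLOUD_HOSTING_SUFFIXES:
        if host.endswith(suffix):
            return "cloud-hosted"
    return "other"


def find_cloud_hosted_links(html: str) -> list:
    """Return (url, hostname) for every http(s) href in an email body that points
    at tenant-controlled Azure hosting: a 'sign in' link there is a phishing signal."""
    findings = []
    for url in HREF_RE.findall(html):
        parsed = urlparse(url)
        if parsed.scheme not in ("http", "https") or not parsed.hostname:
            continue
        if classify_host(parsed.hostname) == "cloud-hosted":
            findings.append((url, parsed.hostname))
    return findings


# Constructed sample email body: one lure link on Blob Storage, one genuine sign-in
# link, and one unrelated link. Account and domain names are placeholders.
SAMPLE_EMAIL = (
    '<p>Your mailbox is almost full. '
    '<a href="https://docshare1.blob.core.windows.net/m365/login.html">Sign in</a> '
    'to keep receiving mail, or visit <a href="https://login.microsoftonline.com/">'
    'your account</a> and our <a href="https://contoso.example/policy">policy</a>.</p>'
)

if __name__ == "__main__":
    for url, host in find_cloud_hosted_links(SAMPLE_EMAIL):
        print(f"cloud-hosted login lure: {host} -> {url}")
```

Pair a hit with the link text or surrounding words ("sign in", "verify", "password") to cut noise, since plenty of legitimate document shares also live on these hosts.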

-------
 
npm Pulls Malicious Package that Stole Login Passwords
Author: Ionut Ilascu
Date: August 21st, 2019

Excerpt:

"A malicious package was removed today from the npm repository after it was discovered that it stole login information from the computers it was installed on.  The npm repository is a popular online database for open-source packages that are often used as dependencies in Node.js projects. Critical severity. Earlier today, npm pulled the package 'bb-builder' from the repository, marking it as malicious and having critical severity."

-------

Identifying Evasive Threats Hiding Inside the Network
Author: Matt Lock
Date: August 22nd, 2019

Excerpt:

"There is no greater security risk to an organization than a threat actor that knows how to operate under the radar. Malicious insiders and external cybercriminals are getting savvier. They are better at blending in without tripping any alerts. They skip over tools and techniques that trigger standard security systems. How can a company tell them apart from the noise created by legitimate logins to the network that day? The answer lies in context. It is not enough to monitor and log activity throughout the network – organizations need to be able to combine multiple sources of data to spot the subtle signs of a stealthy attacker at work."

-------
 
The Cost of Dealing With a Cybersecurity Attack in These 4 Industries
Author: Pierluigi Paganini
Date: August 21st, 2019

Excerpt:

"A cybersecurity issue can cause unexpected costs in several different areas. In addition to the monetary costs associated with things like lost productivity and improving network security to reduce the likelihood of future incidents, affected companies have to deal with the costs tied to reduced customer trust and damaged reputations. It’s not always easy or straightforward to pinpoint the overall costs of recovering from a cyberattack. The totals also vary by industry. However, here’s some research that illuminates the various financial impacts for these four sectors. 1. Health Care, 2. Retail, 3. Manufacturing, 4. Finance."

-------
 
Update Now! Microsoft Patches Its Android RDP App to Fix Flaw
Author: John E Dunn
Date: August 22nd, 2019

Excerpt:

"Microsoft has added its Android Remote Desktop Protocol (RDP) app to the list of client software that needs updating to fix a security flaw first made public as part of July’s Patch Tuesday. The flaw, tracked as CVE-2019-1108, was described as an information disclosure issue that could allow an attacker “to connect remotely to an affected system and run a specially crafted application.” Although the rating made it sound less urgent, attackers are known to be very interested in RDP weaknesses, hence Microsoft’s caution that exploitation was “more likely.” The fix? To apply the relevant patch for the Windows version in question (KB4507453 in the case of Windows 10 64-bit version 1903)."

-------

Here are this week's noteworthy security bulletins (in no particular order):

1. ESB-2019.3212 - [Cisco] Cisco Systems & Cisco UCS Direct: Multiple vulnerabilities
"CVE-2019-1936 ...authenticated, remote attacker to execute arbitrary commands on the underlying Linux shell as the root user"

2. ESB-2019.3208 - [Appliance] IBM Netezza Host Management: Multiple vulnerabilities
"CVE-2019-10161 ...obtain arbitrary file information, cause a denial of service or execute arbitrary programs with root privileges."

3. ESB-2019.3210 - [Win][Linux][AIX] IBM InfoSphere Optim High Performance Unload: Root Compromise - Existing Account
"CVE-2019-4447 ...low privilege user full access to root..."

4. ESB-2019.3190 - [UNIX/Linux][Ubuntu] Zstandard: Multiple vulnerabilities
"CVE-2019-11922 ...execute arbitrary code if it received specially crafted input..."

5. ESB-2019.3189 - [Ubuntu] OpenJPEG: Multiple vulnerabilities
"CVE-2017-17480 Certain PGX files could possibly cause a denial of service or possibly remote code execution."

Wishing you the best from AusCERT and hope to see you safe next week,
Geoffroy