//Blogs - 15 November 2019

AusCERT Week in Review for 15th November 2019

Greetings,

Emotet is up officially by 730%. It feels better when things are officially reported by researchers. By the time the report is out most of the front line people would have already felt and dealt with the effects of this campaign. Criminals are going where the money is, no not the banks, but server of all flavour for their processing power. Also this week Bash got bashed and Intel says we can't tell about their intel until they say so but what they say may have been fixed six months ago, a story that did not sell well with some Dutch security boffins. Feels like things are going fast, well I'll play the researcher and tell you post-priori they certainly are and that security automation and response is the future. Oh hang on you also knew that too. Fact is that when you are at the front lines you get front row seat to the details as they happen. That's why keeping communication lines open to AusCERT, either push by report, or pull from feeds such as Malicious URL, MSIN, and MISP feeds provides you the intelligence the moment it happens.

As for news, here's a summary (including excerpts) of some of the more
interesting stories we've seen this week:

-------

Title: PureLocker Ransomware Can Lock Files on Windows, Linux, and macOS
Author: Ionut Ilascu
Date Published: November 13th, 2019

Excerpt:
"Cybercriminals have developed ransomware that can be ported to all major operating systems and is currently used in targeted attacks against production servers. The new name is PureLocker. Malware researchers analyzed samples for Windows but a Linux variant is also being used in attacks. Built to dodge detection. The malware is carefully designed to evade detection, hiding malicious or dubious behavior in sandbox environments, posing as the Crypto++ cryptographic library, and using functions normally seen in libraries for music playback."

Title: Lateral Phishing Makes for Dangerous Waters, Here's How You Can Avoid Getting Caught in the Net
Author: Anurag Kahol
Date: November 13th, 2019

Excerpt:
"Like regular phishing, a lateral phishing attack has the goal of gaining access to private information and begins with a user receiving an email that is attempting to extract login credentials or PII. However, the main differentiator between the two attack methods is that lateral phishing is conducted from a compromised email address within an organization. Once a hacker gains access to a legitimate email account, whether it belongs to a CEO or an intern, the hacker can then use it to target individuals within the company. Lateral phishing techniques are highly effective. When hackers impersonate someone that the recipient knows and trusts, said recipient tends to lower her or his guard, making it more likely that sensitive information will be surrendered."

Title: Researchers Discover Massive Increase in Emotet Activity 
Author : Helpnet Security
Date: November 13th, 2019

Excerpt:
"Emotet had a 730% increase in activity in September after being in a near dormant state, Nuspire discovered. Emotet, a modular banking Trojan, has added additional features to steal contents of victim's inboxes and steal credentials for sending outbound emails. Those credentials are sent to the other bots in its botnet which are used to then transmit Emotet attack messages. When Emotet returned in September, it appeared with TrickBot and Ryuk ransomware to cause the most damage to a network."

Title: Microsoft Patch Tuesday Updates Fix CVE-2019-1429 Flaw Exploited in the Wild
Author: Pierluigi Paganini
Date: November 13th, 2019

Excerpt:
"Microsoft's Patch Tuesday updates for November 2019 address 74 flaws, including an Internet Explorer vulnerability, tracked as CVE-2019-1429, that has been exploited in the wild. Microsoft doesn't provide any information on the nature of the active attacks, it only pointed out that they are likely limited at this time. The CVE-2019-1429 zero-day is a scripting engine memory corruption vulnerability that affects Internet Explorer 9, 10 and 11. Microsoft. "A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same use rights as the current user." read the security advisory published by Microsoft. "If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

Title: Intel launches security blog, pushes security patches
Author: Doug Olenick
Date: November 13th, 2019

"Intel has joined the Patch Tuesday crowd with a platform update that covered 77 vulnerabilities, two of which were rated critical.
The chip maker noted the security updates in a new blog the company said it will use to disseminate security updates, bug bounty topics, new security research, and engagement activities within the security research community.
Intel is dividing its updates by advisory with each covering a single or set of products."

Title: Intel Fixes a Security Flaw It Said Was Repaired 6 Months Ago
Author : Kim Zetter
Date : November 12th, 2019

Excerpt:
"Last May, when Intel released a patch for a group of security vulnerabilities researchers had found in the company's computer processors, Intel implied that all the problems were solved.

But that wasn't entirely true, according to Dutch researchers at Vrije Universiteit Amsterdam who discovered the vulnerabilities and first reported them to the tech giant in September 2018. The software patch meant to fix the processor problem addressed only some of the issues the researchers had found."

 

Here are this week's noteworthy security bulletins (in no particular order):

1. ESB-2019.4311 - [Appliance] Phillips IntelliBridge EC40 and Phillips IntelliBridge EC80: Access privileged data - Remote/unauthenticated
"...to execute software, modify system configuration, or view/update files, including unidentifiable patient data."

2. ESB-2019.4300 - [Cisco] Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD): Root compromise - Existing account
".. to execute arbitrary code with root privileges on the underlying Linux operating system."

3. ASB-2019.0337 - [Win] McAfee Data Loss Prevention ePO: Access confidential data - Existing account
"...remote attackers with access to the network to collect login details to the LDAP server.."

4. ESB-2019.4289 - [Virtual] microcode: Access privileged data - Existing account
"..speculative execution may be able to infer the value of data in the microarchitectural structures.."

Wishing you the best from AusCERT and hope to see you safe next week,
Geoffroy