Rampant Cybersecurity Bulletin

June 2018

Latest Cybersecurity News

The latest cybersecurity news so that you can stay on top of what is going on in the cybersecurity world. Click titles below for more details.

WPA-3 WiFi Standard Released

Reported: June 26, 2018
Details: The WPA3 WiFi standard was officially released. WPA3 was created in response to the KRACK attack on WPA2, disclosed in 2017. WPA3 adds multiple new security controls, including resistance to brute-force and dictionary attacks. Support is optional on newly produced devices for now and is expected to become the standard in coming years, although no date has yet been set.
References:

17 Backdoored Docker Images Removed from Docker Hub

Reported: June 13, 2018
Details: The Docker team pulled numerous malicious images from Docker Hub after learning that backdoors had been intentionally built into them. The images were available on Docker Hub for over a year before being taken down, because there is no verification process for uploading images to the registry. They were discovered after users reported suspicious activity on machines running Docker and Kubernetes. For a list of all affected images, refer to the linked reference.
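Because the registry itself performed no verification, the practical control sits on the consuming side: run only images from namespaces you have reviewed, and pin them to a content digest so the image cannot be silently replaced under the same tag. The following is an added example of such a policy check in Python; it is not code from the bulletin or from Docker, and the trusted-namespace list and image references in it are constructed placeholders.

```python
"""Policy check for container image references.

Added example, not from the bulletin or from Docker. Because a public registry
may accept any upload, a consumer-side check is the compensating control:
only images from reviewed namespaces, and only when pinned to a digest.
The trusted-namespace list and image references are constructed placeholders.
"""
import re

# Constructed: repositories your organisation has reviewed. Bare official
# images ("nginx") normalise to "library/nginx", as Docker Hub does.
TRUSTED_PREFIXES = ("registry.example.internal/", "library/")
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def parse_image_ref(ref: str):
    """Split 'name[:tag][@digest]' into (name, tag, digest).

    A ':' after the last '/' is a tag separator; a ':' before it belongs to
    a registry host:port and is left in the name."""
    name, sep, digest = ref.partition("@")
    digest = digest if sep else None
    last_slash = name.rfind("/")
    colon = name.rfind(":")
    tag = None
    if colon > last_slash:
        name, tag = name[:colon], name[colon + 1:]
    if "/" not in name:
        name = "library/" + name
    return name, tag, digest


def check_image_ref(ref: str) -> list:
    """Return the list of policy violations for one image reference
    (an empty list means the reference is accepted)."""
    name, _tag, digest = parse_image_ref(ref)
    problems = []
    if not name.startswith(TRUSTED_PREFIXES):
        problems.append("untrusted-namespace")
    if digest is None:
        problems.append("not-pinned-by-digest")
    elif not DIGEST_RE.match(digest):
        problems.append("malformed-digest")
    return problems


def audit(refs):
    """Map each reference to its violations; run it over the image: lines
    of a compose file or a deployment manifest."""
    return {ref: check_image_ref(ref) for ref in refs}


if __name__ == "__main__":
    # Constructed sample references.
    for ref, problems in audit([
        "nginx:1.15",
        "someuser/cron:latest",
        "registry.example.internal/app:1.2@sha256:" + "a" * 64,
    ]).items():
        print(ref, "->", problems or "ok")
```

Pinning by digest does not make an image trustworthy by itself; it only guarantees that what you deploy is byte-for-byte what you reviewed, which is the property the Docker Hub incident shows a tag alone cannot give.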
References:

Trik Spam Botnet Leaks 43 Million Email Addresses

Reported: June 12, 2018
Details: The email addresses were leaked from the command-and-control (CnC) server of a spam botnet. The server, at a Russian IP address, was misconfigured so that anyone could access its contents directly without authentication. The campaign used an old Trik Trojan to infect computers and assemble them into a botnet, which the operators were using to send spam to the 43 million email addresses disclosed in the breach.
References:

Data from 92 million accounts stolen from DNA testing site MyHeritage

Reported: June 5, 2018
Details: A file containing the email addresses and hashed passwords of 92 million users who had registered with MyHeritage was found publicly exposed on the internet. The company has addressed the issue, releasing a statement declaring that there “is no reason to believe” that the DNA data of the users was compromised. MyHeritage is now offering two-factor authentication as an option for users.
References:

Kaspersky Lawsuits Against the US Were Dismissed, Leaving Ban In Place

Reported: May 30, 2018
Details: The US government’s ban on Kaspersky products will stand after two lawsuits were dismissed by a federal judge. The judge dismissed Kaspersky’s claims that the ban is unconstitutional on the grounds that the ban is a defensive action in pursuit of national security.
References:

China-based Campaign Breached Satellite and Defense Companies

Reported: June 19, 2018
Details: Symantec released a report that suggests a campaign which originated from servers in China was successful in breaching both satellite and defense contractors in the United States and Southeast Asia. Symantec alleged that the hackers were able to infect the computers controlling the satellites, potentially changing the positioning of the satellites in orbit and disrupting numerous lines of communication.
References:

Apple is Testing a Feature for iOS 12 Which Could Make It Difficult for Law Enforcement to Unlock iPhones

Reported: June 4, 2018
Details: Apple is rumored to be releasing a USB Restricted Mode, in which users must unlock the iPhone with a passcode before it will communicate with a connected USB device if the phone has not been unlocked in the past hour. This would also block the tools that law enforcement regularly uses to unlock suspects' iPhones, such as those from Cellebrite or Grayshift.
References:

Microsoft Forces Multi-Factor Authentication on Azure AD Admin Accounts

Reported: June 25, 2018
Details: Microsoft will begin enforcing multi-factor authentication on Azure AD admin accounts to improve the baseline security of its service. Azure AD tenants can, however, opt out of the requirement if they choose.
References:

Previous Cybersecurity Bulletins

Not sure if you are vulnerable?  Rampant specializes in vulnerability assessments and penetration testing for small & mid-size businesses!

New High Risk Vulnerabilities

You should be aware of the following vulnerabilities, and we recommend patching them immediately if they apply to your systems.  Click titles below for more details.

QNAP QTS LDAP Server command execution

Reported: June 19, 2018
Affected Products:
QNAP QTS 4.2.6 build 20171208
QNAP QTS 4.3.3 build 20180402
QNAP QTS 4.3.4 build 20180413

Details: QNAP QTS could allow a remote attacker to execute arbitrary commands on the system because of a flaw in the LDAP Server.

Solution: Refer to QNAP Security ID: NAS-201806-19 for patch, upgrade or suggested workaround information. See References.
References:

Micro Focus Solutions Business Manager code execution

Reported: June 20, 2018
Affected Products:
Micro Focus Solutions Business Manager 11.3.1
Details: A remote attacker could execute arbitrary code on the system because the contents of user avatar images are not validated.
Solution: Refer to Micro Focus Web site for patch, upgrade or suggested workaround information. See References.
References:

HPE VAN SDN Controller privilege escalation

Reported: June 25, 2018
Affected Products:

HPE VAN SDN Controller 2.7.18.0503

Details: HPE VAN SDN Controller could allow a remote attacker to gain elevated privileges on the system, caused by an error in built-in functionality. An attacker could use a hardcoded service token to bypass the authentication process and gain root privileges on the system.
Solution: Upgrade to the latest version of the HPE SDN controller.
References:
http://seclists.org/bugtraq/2018/Jun/58

VMware AirWatch Agent for Android and VMware AirWatch Agent for Windows Mobile code execution

Reported: June 11, 2018
Affected Products:
VMware AirWatch Agent for Android 8.1
VMware AirWatch Agent for Windows Mobile 6.5.1
Details: VMware AirWatch Agent for Android and VMware AirWatch Agent for Windows Mobile could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a flaw in the real time File Manager capabilities. An attacker could exploit this vulnerability to create files in the Agent sandbox and other publicly accessible directories and execute arbitrary code on the system.
Solution: Refer to VMware Security Advisory VMSA-2018-0015 for patch information.
References:

Microsoft Publisher privilege escalation

Reported: June 12, 2018
Affected Products:
Microsoft Publisher 2010 SP2 x32
Microsoft Publisher 2010 SP2 x64
Details: Microsoft Publisher could allow a remote authenticated attacker to gain elevated privileges on the system, caused by failing to utilize features. By sending a specially-crafted Publisher document, an attacker could exploit this vulnerability to execute arbitrary code with higher privileges.
Solution: Use Microsoft Update to upgrade to the latest version.
References:

Microsoft Outlook privilege escalation

Reported: June 12, 2018
Affected Products:
Microsoft Outlook 2010 SP2 x32
Microsoft Outlook 2010 SP2 x64
Microsoft Outlook 2016 x32
Microsoft Outlook 2016 x64
Microsoft Outlook 2013 SP1 x32
Microsoft Outlook 2013 SP1 x64
Microsoft Outlook 2013 SP1 RT
Microsoft Office 2016 Click-to-Run x32
Microsoft Office 2016 Click-to-Run x64
Details: Microsoft Outlook could allow a remote attacker to gain elevated privileges on the system, caused by improper validation of attachment headers. By persuading a victim to open a specially-crafted email, an authenticated attacker could exploit this vulnerability to execute arbitrary code with higher privileges.
Solution: Apply the latest patch from Microsoft Update.
References:

Cisco IOS XE AAA code execution

Reported: June 6, 2018
Affected Products:
Cisco IOS XE Software Release Fuji 16.7.1
Cisco IOS XE Software Release Fuji 16.8.1
Details: Cisco IOS XE could allow a remote attacker to execute arbitrary code on the system, caused by incorrect memory operations in the authentication, authorization, and accounting (AAA) security services. By attempting to authenticate to an affected device, an attacker could exploit this vulnerability to execute arbitrary code on the system or cause the device to reload.
Solution: Refer to linked Cisco Security Advisory for patch.
References:

Cisco Prime Collaboration Provisioning unauthorized access

Reported: June 6, 2018
Affected Products:
Cisco Prime Collaboration Provisioning 11.6
Details: Cisco Prime Collaboration Provisioning (PCP) could allow a remote attacker to gain unauthorized access to the system, caused by an open port in the Network Interface and Configuration Engine (NICE) service. By connecting to the open port on an affected PCP instance, an attacker could exploit this vulnerability to gain access to the Java Remote Method Invocation (RMI) system.
Solution: Refer to linked Cisco Security Bulletin for patch.
References:

New Threat Advisories

You should be aware of the following threats and implement the recommended mitigations to ensure your systems are not impacted.  Click titles below for more details.

Kardon Loader Being Sold

Reported: June 28, 2018
Details: Researchers at ASERT have released information on a malware known as Kardon Loader, which has been sold as a beta version since mid-April. The purpose of the malware is to infiltrate systems and then download second-stage malware such as botnet clients or ransomware. The malware uses HTTP-based command-and-control communication with base64-encoded payloads, and includes a fully featured admin panel for configuration and tracking of infected hosts.
Recommendations:
Block all URL and IP-based IOCs at the firewall, IDS, gateways, or other perimeter devices
Update your antivirus to the latest version
Search for existing IOCs on your network
References:
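An added example of the IOC search recommended above, run in Python over constructed web-proxy log lines; it is not code from the bulletin or from ASERT's report. It matches destination hosts against an indicator list and additionally flags HTTP POST bodies that decode as base64 text, which is the traffic shape the description gives for the loader's command-and-control. The IOC domains and network in it are constructed placeholders in reserved ranges, not real Kardon Loader infrastructure.

```python
"""Search web-proxy logs for Kardon-Loader-style indicators.

Added example, not from the bulletin or ASERT's report. The IOC values are
constructed placeholders (reserved example domains and the RFC 5737 range),
not real Kardon Loader infrastructure; replace them with the published IOCs.
"""
import base64
import binascii
import re
from ipaddress import ip_address, ip_network

# Constructed placeholder IOCs.
IOC_DOMAINS = {"panel.example-c2.invalid", "update.example-c2.invalid"}
IOC_NETWORKS = [ip_network("203.0.113.0/24")]

# Constructed proxy log lines: "<client> <method> <url> <status> <body-or-query>".
SAMPLE_LOG = """\
10.0.0.5 POST http://panel.example-c2.invalid/gate.php 200 aWQ9YWJjMTIzJm9zPVdpbjEw
10.0.0.7 GET http://www.example.org/index.html 200 -
10.0.0.9 POST http://203.0.113.45/upload 200 dXNlcj1qZG9lJmNwdT1JbnRlbA==
10.0.0.11 POST http://intranet.example.org/api 200 name=jdoe&cpu=Intel
10.0.0.13 POST http://cdn.example.net/t 200 aGVsbG8gd29ybGQgdGhpcyBpcw==
"""

LINE_RE = re.compile(r"^(\S+) (GET|POST) (\S+) (\d{3}) (\S+)$")
HOST_RE = re.compile(r"^https?://([^/:]+)")
# Standard base64 alphabet, at least 16 characters, optional '=' padding.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def looks_base64(payload: str) -> bool:
    """Heuristic: the payload decodes cleanly and yields mostly printable text,
    as a beacon that base64-encodes key=value fields would."""
    if payload == "-" or len(payload) % 4 or not B64_RE.match(payload):
        return False
    try:
        decoded = base64.b64decode(payload, validate=True)
    except (binascii.Error, ValueError):
        return False
    printable = sum(32 <= b < 127 for b in decoded)
    return printable / max(len(decoded), 1) > 0.9


def host_matches_ioc(host: str) -> bool:
    """True if the destination is a listed domain or falls in a listed network."""
    if host in IOC_DOMAINS:
        return True
    try:
        addr = ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in IOC_NETWORKS)


def scan(log_text: str) -> list:
    """Return (client, host, reasons) for each line that hits an IOC or carries
    a base64-looking POST body; a line may carry both reasons."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the constructed format
        client, method, url, _status, payload = m.groups()
        host_m = HOST_RE.match(url)
        host = host_m.group(1) if host_m else url
        reasons = []
        if host_matches_ioc(host):
            reasons.append("ioc-match")
        if method == "POST" and looks_base64(payload):
            reasons.append("base64-post")
        if reasons:
            findings.append((client, host, reasons))
    return findings


if __name__ == "__main__":
    for client, host, reasons in scan(SAMPLE_LOG):
        print(f"{client} -> {host}: {', '.join(reasons)}")
```

The IOC match is the high-confidence signal; the base64 heuristic on its own (the `cdn.example.net` line) is a hunting lead that needs triage, since legitimate applications also post base64 bodies.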

APT15 is Repurposing Old Tools

Reported: June 8, 2018
Details: An APT known as APT15 has updated an old tool by the name of Mirage, which has been used by Chinese-affiliated groups in the past. The new version has been named MirageFox and was compiled on June 8, 2018. Once installed, the malware sends back information to a CnC server, such as username, CPU information, and architecture.
References:

Olympic Destroyer Still Being Actively Used

Reported: June 26, 2018
Details: The actors behind the Olympic Destroyer malware are expanding both its functionality and the set of targets it attempts to infiltrate. Olympic Destroyer is a network worm that was initially used in an attempt to sabotage suppliers working with the Olympic Games in South Korea. New spearphishing campaigns from the same actors carry a malicious Word document and communicate with CnC servers hosted on legitimate compromised websites.
References:

VPNFilter Exploiting New Devices

Reported: June 5, 2018
Details: Talos researchers reported new findings regarding VPNFilter. Not only is it targeting more devices than originally reported, but the researchers now say it can deliver exploit code to endpoints. VPNFilter was thought to target only small and home office routers, switches, and NAS (network-attached storage) devices. Vendors added to VPNFilter’s list of targets include ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE.

VPNFilter is a three-stage attack. The first stage gains and keeps a foothold on the device, persisting even through a reboot. Stage two gathers information about the infected device and sends it back to the command and control; it was also found to be able to overwrite the infected device’s firmware and reboot it, rendering the device useless. In Talos’ initial blog post on VPNFilter, only two versions of stage three had been discovered: a packet sniffer that looked for login credentials, and a module that let stage two communicate with the command and control servers over the Tor network. Two new third-stage modules have now been found. The first performs a man-in-the-middle attack to inject malicious code into incoming network traffic. The second provides a backup means of “destroying” the device should the stage two module not have that capability.

For recommendations, refer to the links below, but the first step is to reboot any routers that may have been affected by the malware.
References: