Rampant Cybersecurity Bulletin

May 2018

Latest Cybersecurity News

The latest cybersecurity news so that you can stay on top of what is going on in the cybersecurity world. Click titles below for more details.

GPON Routers Attacked With Zero-Day

Reported: May 21, 2018
Details: GPON home routers have been hit with a new zero-day vulnerability, which is being used to add the routers to a botnet known as TheMoon. At the time of writing, around 240,000 GPON routers have been compromised.
References:

New Speculative Execution Vulnerabilities Affect AMD, ARM, and Intel

Reported: May 22, 2018
Details: A new vulnerability of the same class as the Spectre and Meltdown attacks disclosed earlier in 2018 has been found to affect Intel, AMD, and ARM processors. Research into speculative-execution attacks has increased since the uproar over Spectre, and that research has turned up a new variant called Speculative Store Bypass.
References:

VPNFilter Malware Targeting 500 Thousand Networking Devices Across the World

Reported: May 23, 2018
Details: A new malware, which is likely state-sponsored, called VPNFilter is actively targeting hosts in Ukraine. However, the scope of the attack is much broader, with at least 500,000 devices in 54 countries infected by the malware. As of right now, the affected vendors are Linksys, MikroTik, NETGEAR, and TP-Link (routers) and QNAP (NAS devices). The types of devices affected by this malware can be difficult to defend, as they sit at the perimeter of the network and are not generally protected by an IDS or IPS.
References:

Group Behind Trisis Malware Targeting US Industrial Firms

Reported: May 24, 2018
Details: The group which is known for infiltrating a Saudi chemical plant has pivoted to start attacking US industrial firms. The new variant of the attacks launched by this group affects a variety of safety control systems. The group behind Trisis has yet to be attributed, but they have experience attacking industrial systems and have now changed their focus towards US companies.
References:

Researchers Find Way to Launch Rowhammer Attacks via Network Packets

Reported: May 11, 2018
Details: Researchers have found a way to launch Rowhammer attacks via network packets and a network card. Previous Rowhammer attacks required malware to be installed on the victim's computer. This attack is truly remote, because an attacker needs only to flood the victim computer's network card with packets in order to induce the bit flips. However, only network cards which are RDMA-enabled are potentially vulnerable.
References:

10,000 Companies Still Using Outdated Apache Struts that Affected Equifax

Reported: May 7, 2018
Details: Over half of the Fortune 100 companies are suspected to still be using the same version of Apache Struts which Equifax was using when it was breached. Since the Equifax breach, 10,000 companies have downloaded the exact version of the software which was exploited.
References:

New Remote Code Execution Vulnerability Affects Electron Framework

Reported: May 14, 2018
Details: A new remote code execution vulnerability has been found in the Electron framework. Electron has already issued a patch and recommends that developers apply it as soon as possible.
References:

Previous Cybersecurity Bulletins

Not sure if you are vulnerable? Rampant specializes in vulnerability assessments and penetration testing for small & mid-size businesses!

New High Risk Vulnerabilities

You should be aware of the following vulnerabilities, and we recommend patching them immediately if they apply to your systems. Click titles below for more details.

Dell EMC RecoverPoint Command Execution

Reported: May 22, 2018
Affected Products:
EMC RecoverPoint 5.1.0.0
EMC RecoverPoint 5.0.1.2
EMC RecoverPoint for Virtual Machines 5.1.0
Details: A remote attacker can execute arbitrary code on the system due to a command injection vulnerability.
Solution: Patch to the latest version of the software.
Reference:

Microsoft Exchange Code Execution

Reported: May 8, 2018
Affected Products:
Microsoft Exchange Server 2013 SP1
Microsoft Exchange Server 2013 CU19
Microsoft Exchange Server 2016 CU8
Microsoft Exchange Server 2016 CU9
Microsoft Exchange Server 2010 SP3 UR21
Microsoft Exchange Server 2013 CU20
Details: A remote attacker could conduct a denial of service attack due to improper handling of objects in memory.
Solution: Use Microsoft Automatic Update to apply the appropriate patch for your system.
References:

Microsoft SharePoint Server Privilege Escalation

Reported: May 8, 2018
Affected Products:
Microsoft Project Server 2010 SP2
Microsoft Project Server 2013 SP1
Microsoft SharePoint Enterprise Server 2016
Details: An authenticated attacker could gain elevated privileges on the system caused by improper handling of web requests, which could allow for content injection attacks.
Reference:

Cisco Digital Network Architecture Center Default Account

Reported: April 18, 2018
Affected Products:
Cisco Digital Network Architecture (DNA) Center 1.1
Details: Cisco Digital Network Architecture (DNA) Center contains undocumented, static user credentials for the default administrative account. By using the account, a remote attacker could exploit this vulnerability to execute arbitrary commands on the system with root privileges.
Recommendation: Refer to linked Cisco advisory for patch.
References:

NetApp OnCommand Unified Manager for Linux Code Execution

Reported: May 23, 2018
Affected Products:
NetApp OnCommand Unified Manager for Linux 7.2
Details: An unspecified error in versions of NetApp OnCommand Unified Manager for Linux that ship with the Java Management Extension Remote Method Invocation (JMX RMI) service could allow a remote attacker to execute arbitrary code on the system.
Solution: Refer to linked NetApp website for patch.
References:

Linux Kernel KVM Hypervisor Privilege Escalation

Reported: May 8, 2018
Affected Products:
Linux Kernel
Details: The Linux kernel could allow a local attacker to gain elevated privileges on the system, caused by the KVM hypervisor's improper handling of exceptions delivered after a stack switch operation using the MOV to SS and POP SS instructions. An attacker could exploit this vulnerability to gain elevated privileges or to crash the guest.
Solution: Apply the latest patch from the Linux kernel Git repository.
Reference:

IBM DB2 buffer overflow

Reported: May 22, 2018
Affected Products:
IBM DB2 for Linux, UNIX and Windows 10.5
IBM DB2 for Linux, UNIX and Windows 11.1
Details: IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 10.5 and 11.1 is vulnerable to a buffer overflow, which could allow an authenticated local attacker to execute arbitrary code on the system as root.
Solution: Refer to linked IBM Security Bulletin for patch.
References:

Apple Safari WebKit code execution

Reported: May 22, 2018
Affected Products:
Apple Mac OS X El Capitan 10.11.6
Apple macOS Sierra 10.12.6
Apple macOS High Sierra 10.13.4
Apple Safari 11.1
Details: Apple Safari could allow a remote attacker to execute arbitrary code on the system, caused by a race condition in the WebKit component. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to execute arbitrary code on the system.
Solution: Refer to linked Apple Security Bulletin for patch.
References:

New Threat Advisories

You should be aware of the following threats and implement the recommended mitigations to ensure your systems are not impacted. Click titles below for more details.

SynAck Ransomware Targeting US Companies

Date: May 2018
Description: SynAck is a ransomware family first discovered in September 2017. It is difficult to detect and attempts to evade sandbox analysis. No method for decrypting data encrypted by this malware has been discovered. It is actively targeting companies in the US via RDP brute-force attacks.
Resources:

Fancy Bear Using New Malware called Zebrocy

Reported: December 2017
Details: An APT known as Fancy Bear is using a new malware called Zebrocy to infect machines via a backdoor delivered as an email attachment. The malware is deployed in stages, with later stages delivered once the group determines that the infected machine is of interest.
References:

Global Data Harvest with Operation GhostSecret

Reported: March 22, 2018
Details: A global reconnaissance campaign has been discovered by McAfee which is gathering data on the critical infrastructure, healthcare, finance, entertainment, and telecommunications industries in various countries, including the United States.
References:

Unpatched Microsoft Vulnerability Leads to Remcos RAT Variant

Reported: April 07, 2018
Details: A vulnerability which Microsoft patched in November 2017 is being exploited by malware spread via Microsoft Word documents. Opening a malicious document triggers a buffer overflow in Microsoft Word, which executes a script contained in the document, which in turn installs the Remcos RAT. The RAT mainly functions as a keylogger to harvest user credentials, and it clears all session cookies from the browser so that the user must log in again, yielding more credentials.
References: