Rampant Cybersecurity Bulletin

April 2018

Latest Cybersecurity News

The latest cybersecurity news so that you can stay on top of what is going on in the cybersecurity world. Click titles below for more details.

Oracle WebLogic Flaw Still Exists After Recent Patch

Reported: April 30, 2018
Details: Oracle patched a critical Java deserialization remote code execution vulnerability in the WebLogic component of its Fusion Middleware. However, researchers have found a way to bypass the patch and exploit the same vulnerability again. The vulnerability has now been public since November 2017.
References:

Drupalgeddon3 Soon After Drupalgeddon2 was Patched

Reported: April 26, 2018
Details: Hours after the Drupal team released a patch for the vulnerability behind the attack dubbed “Drupalgeddon2”, a remote code execution flaw that led to numerous servers in the wild being exploited, researchers found a new remote code execution bug that is also being actively exploited in the wild. The latest patch from Drupal does not cover this newest flaw, which is similar to Drupalgeddon2 with a slight variation on the payload.
References:

SEC Fines Yahoo Parent Company $35 Million for Not Disclosing Data Breach

Reported: April 24, 2018
Details: Altaba, the company formerly known as Yahoo, has agreed to pay the SEC a $35 million fine for failing to disclose a data breach to investors for 2 years. This is indicative of how the US government expects companies to handle data breaches and marks the beginning of new industry norms for how breaches are disclosed.
References:

Intel to Allow AV Engines to Use Integrated GPUs for Malware Scanning

Reported: April 17, 2018
Details: Intel has announced that it will allow security products to offload virus scanning operations to the integrated graphics processors embedded in some Intel CPUs. The intent is to save battery life and free up the CPU for other tasks while the computer is being scanned. Intel also announced two other features: Intel Advanced Platform Telemetry, and Security Essentials, a collection of root-of-trust hardware security capabilities that will ship with future processors.
References:

Thousands of Malicious Apps Allegedly Misusing Facebook APIs

Reported: May 1, 2018
Details: After the Cambridge Analytica scandal, researchers began searching for other apps which may be misusing Facebook APIs. According to Trustlook, around 25,000 potentially malicious apps are still using the Facebook APIs to harvest data for malicious purposes.
References:

Amazon and Google Block Domain Fronting

Reported: April 30, 2018
Details: Both Amazon and Google have announced changes to their infrastructure which are designed to stop domain-fronting. They have characterized this change as an effort to stop malware, but some speculate that these changes have taken place due to the recent controversy over the messaging app Telegram in Russia, which uses domain-fronting to get around state firewalls, where Russia had begun blocking Google IP addresses in the country.
References:
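As an added illustration, not part of the bulletin, this is one way a CDN or egress proxy can enforce the kind of check Amazon and Google describe: flag HTTPS requests whose TLS SNI and HTTP Host header disagree. The JSON log lines and field names are constructed for the example.

```python
"""Flag domain-fronted HTTPS requests by comparing the TLS SNI with the HTTP
Host header. Added example, not from the bulletin; the log format and field
names are assumed (constructed JSON lines as an edge proxy might emit)."""
import json

# Constructed sample records: one honest request, one where the outer TLS
# handshake names a benign host but the inner HTTP Host header points elsewhere,
# and two that differ only cosmetically (case, trailing :port) or lack SNI.
SAMPLE_LOG = """\
{"ts": "2018-04-30T10:00:01Z", "src": "10.0.0.5", "sni": "cdn.example.net", "host": "cdn.example.net", "path": "/app.js"}
{"ts": "2018-04-30T10:00:02Z", "src": "10.0.0.7", "sni": "cdn.example.net", "host": "relay.fronted.example", "path": "/v1/poll"}
{"ts": "2018-04-30T10:00:03Z", "src": "10.0.0.9", "sni": "CDN.Example.Net", "host": "cdn.example.net:443", "path": "/"}
{"ts": "2018-04-30T10:00:04Z", "src": "10.0.0.9", "sni": "", "host": "static.example.net", "path": "/"}
"""


def normalize(name):
    """Lower-case, strip a trailing dot and any :port so cosmetic differences
    between SNI and Host do not produce false positives."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("["):          # bracketed IPv6 literal: drop the port
        return name.split("]")[0] + "]"
    return name.rsplit(":", 1)[0] if name.count(":") == 1 else name


def is_fronted(record):
    """True when SNI and Host are both present and name different hosts."""
    sni = normalize(record.get("sni", ""))
    host = normalize(record.get("host", ""))
    if not sni or not host:
        return False   # a missing SNI is a separate policy question, not fronting
    return sni != host


def find_fronted(log_text):
    """Return (timestamp, src, sni, host) for every record that looks fronted."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if is_fronted(rec):
            hits.append((rec["ts"], rec["src"], rec["sni"], rec["host"]))
    return hits


if __name__ == "__main__":
    for hit in find_fronted(SAMPLE_LOG):
        print("possible domain fronting:", hit)
```

In production the same comparison belongs at the TLS-terminating edge, where a mismatch can be rejected rather than merely logged.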

The US and UK Governments Accuse Russia of Hacking Enterprise Routers and ISPs

Reported: April 16, 2018
Details: The governments of the US and UK have issued a joint statement declaring that Russian-sponsored hackers are targeting home and enterprise routers, as well as Internet Service Providers, in order to conduct Man In The Middle attacks to gather information. Routers have become a common target for APT groups, and the governments recommend evaluating your routers for indicators of compromise.
References:

Previous Cybersecurity Bulletins

Not sure if you are vulnerable?  Rampant specializes in vulnerability assessments and penetration testing for small & mid-size businesses!

New High Risk Vulnerabilities

You should be aware of the following vulnerabilities, and we recommend patching them immediately if they apply to your systems.  Click titles below for more details.

Kaspersky KSN for Linux Code Execution

Reported: April 24, 2018
Affected Products:
Kaspersky KSN for Linux 5.2
Details: A remote attacker can execute arbitrary code on the system due to a memory corruption error.
Solution: Patch to the latest version of the software when it becomes available.
Reference:

Microsoft Windows Denial of Service

Reported: April 10, 2018
Affected Products:
Microsoft Windows Server 2008 SP2 x32
Microsoft Windows Server 2008 SP2 x64
Microsoft Windows Server 2008 SP2 Itanium
Microsoft Windows 7 SP1 x32
Details: A remote attacker could conduct a denial of service attack due to improper handling of objects in memory, which forces the host system to stop responding under a small load.
References:

Cisco Unified Computing System Director Information Disclosure

Reported: April 18, 2018
Affected Products:
Cisco UCS Director 6.0.0.0
Cisco UCS Director 6.5
Details: A remote attacker can obtain sensitive information due to improper user authentication checks in the role-based resource checking functionality. An attacker could obtain information about all virtual machines in the UCS Director end-user portal without a valid username.
Solution: Refer to linked Cisco security advisory for patch.
Reference:

Cisco WebEx Business Suite Clients Code Execution

Reported: April 18, 2018
Affected Products:
Cisco WebEx Meetings Server 2.8
Cisco WebEx Business Suite (WBS30) client T30
Cisco WebEx Business Suite (WBS31) client T31
Cisco WebEx Business Suite (WBS32) client T32
Details: A remote authenticated attacker could execute arbitrary code on the system due to improper validation of user input.
Recommendation: Refer to linked Cisco advisory for patch.
References:

Oracle WebLogic Server Deserialization Code Execution

Reported: April 17, 2018
Affected Products:
Oracle WebLogic Server 10.3.6.0
Oracle WebLogic Server 12.1.3.0
Oracle WebLogic Server 12.2.1.2
Oracle WebLogic Server 12.2.1.3
Details: A remote attacker could execute arbitrary code on the system due to insecure deserialization of user-supplied content, resulting in the attacker gaining complete control of the server.
Solution: Refer to linked Oracle advisory for patch.
References:

Oracle Fusion Middleware Access Manager Web Server Plugin Unspecified

Reported: April 17, 2018
Affected Products:
Oracle Fusion Middleware COREid Access 10.1.4.3.0
Oracle Fusion Middleware Access Manager 11.1.2.3.0
Oracle Fusion Middleware Access Manager 10.1.4.3.0
Oracle Fusion Middleware COREid Access 11.1.2.3.0
Details: The Web Server plugin component of Access Manager could allow an unauthenticated attacker to cause high impact to the system via an unspecified vulnerability.
Solution: Refer to linked Oracle advisory for suggested patch.
Reference:

Apple iOS Crash Reporter Privilege Escalation

Reported: April 24, 2018
Affected Products:
Apple iOS 11.13
Apple macOS High Sierra 10.13.4
Details: A local attacker could gain elevated privileges on the system due to a memory corruption in the Crash Reporter component.
Solution: Refer to linked Apple Security Advisory for patch.
References:

New Threat Advisories

You should be aware of the following threats and implement the recommended mitigations to ensure your systems are not impacted.  Click titles below for more details.

Banking Trojan IcedID Paired With Dreambot Conducting Sophisticated Spearphishing

Date: April 12, 2018
Description: There has been an increase in infections by the banking trojan IcedID. The malware has recently been paired with Dreambot, which is a new attack vector compared with previous attacks. Additionally, sophisticated spearphishing with IcedID has been noted, including the following case involving a city employee in Arkansas:
The email was sent to an employee of a city in Arkansas
The email subject referenced a recent meeting relevant to city business
The email body referenced and discussed the meeting, as well as containing names of other city employees
The name of the document attached to the email included the name of a civil engineering company local to Arkansas
Recommendations:
Be wary of suspicious emails
Resources:

Threat Group Orangeworm Targeting US Healthcare

Reported: April 23, 2018
Details: A group called Orangeworm is targeting the healthcare industry in the United States by installing a backdoor Trojan called “Kwampirs”. Medical devices targeted include X-ray and MRI machines, and machines used to complete patient consent forms. Once it infects a machine, the malware starts collecting information about the system and picks out targets which are determined to be high value.
References:

Muhstik Botnet Actively Exploiting Recent Drupal Vulnerability

Reported: April 20, 2018
Details: A botnet is actively exploiting CVE-2018-7600, a recently disclosed Drupal vulnerability. It is called Muhstik because of the name in its binary file and active IRC channels. It is a variant of the Tsunami botnet and has the following features:
Worm propagation
Persistence
Xmrig to mine XMR cryptocurrency
Cgminer to mine BTC
Vulnerability scanner to search for 7 exploits with which to spread Muhstik to other vulnerable servers
References:

Lazarus Group Targeting Financial Institutions

Reported: April 18, 2018
Details: Lazarus Group has recently launched a campaign aimed at the financial sector with new targets and tactics. This campaign is similar to Blockbuster, a targeted phishing campaign in which 4 different strains of malware were used, except that it utilizes upgraded malware. The phishing email templates masquerade as an email from a lawyer’s office, and upon downloading the attachment, a RAT is installed on the victim computer.
References: