Rampant Cybersecurity Bulletin

March 2018

Latest Cybersecurity News

The latest cybersecurity news so that you can stay on top of what is going on in the cybersecurity world. Click titles below for more details.

Let’s Encrypt Releases Free Wildcard Certificates

Reported: March 13, 2018
Details: Let’s Encrypt has released their long-awaited wildcard certificate program. They allow anyone to secure HTTP connections for entire domains. Additionally, Let’s Encrypt released a new version of the ACME protocol to automate certificate requests.
Hackers can use Let’s Encrypt to make very realistic lookalike sites that appear to be secure, so users should be wary of websites arrived at via hyperlink, such as in an email message.
References:

34,200 Ethereum Smart Contracts Found to Be Vulnerable

Reported: March 4, 2018
Details: Researchers from the National University of Singapore created a tool called Maian intended to scan for bugs in smart contracts based on the Ethereum blockchain. Of the almost a million contracts analyzed, 3.5% are affected by a major vulnerability which could allow attackers to steal Ether or freeze the Ether inside users’ wallets.
References:

23,000 HTTPS Certificates Reissued After Private Keys Sent in Plaintext Email and Reseller Compromised

Reported: March 1, 2018
Details: The CEO of certificate reseller Trustico sent 23,000 private keys for TLS certificates in an unencrypted email. 24 hours after the revelation, the Trustico website was taken offline after being compromised by attackers running arbitrary code as root on the Trustico servers. The critical vulnerability was disclosed on Twitter, allegedly in response to Trustico’s unsafe handling of the certificates within their control.
References:

CCleaner Attackers Intended to Deploy Keyloggers

Reported: March 12, 2018
Details: Avast, which acquired the CCleaner program in July 2017, has been investigating the backdoor which was planted in the CCleaner utility in September of that same year. Their investigation has revealed that the attackers intended to install ShadowPad malware in the utility but the operation was discovered before they could do so. Kaspersky and Avast have attributed the attack to the cyber espionage group Axiom, which is allegedly associated with China.
References:

AMD Acknowledges CPU Vulnerabilities and Plans to Roll Out Patches in the Near Future

Reported: March 20, 2018
Details: AMD has acknowledged vulnerabilities in its Ryzen and EPYC chips, which contained 13 separate critical vulnerabilities including backdoors. AMD has issued a statement declaring that the vulnerabilities will be fixed in an upcoming BIOS update. The vulnerabilities in question are difficult to exploit due to the attacker needing administrative access to the system already in order to conduct the attacks.
References:

880,000 Payment Cards Stolen from Orbitz

Reported: March 21, 2018
Details: Orbitz may have been breached via both its consumer and partner platforms which would have exposed information pertaining to 880,000 payment cards. Compromised data may have included card information, names, phone numbers, email, and billing addresses. Other PII, such as passport information, has not been confirmed stolen.
References:

uTorrent Allows for Remote Code Execution

Reported: February 21, 2018
Details: Patches released by BitTorrent appear not to fix multiple critical remote code execution bugs present in the uTorrent software. Users are cautioned against using this software until verified patches have been released.
References:

Not sure if you are vulnerable?  Rampant specializes in vulnerability assessments and penetration testing for small & mid-size businesses!

New High Risk Vulnerabilities

You should be aware of the following vulnerabilities, and we recommend patching them immediately if they apply to your systems.  Click titles below for more details.

Node.js resolve-path module Directory Traversal

Reported: March 8, 2018
Affected Products:
Node.js resolve-path 1.3.0
Details: A remote attacker can traverse directories on the system due to path sanitization errors for Windows-based paths.
Solution: Patch to the latest version of the software (1.4.0 or later).
Reference:

Linux Kernel ncp_read_kernel Function Code Execution

Reported: March 19, 2018
Affected Products:
Linux Kernel 4.15.11
Linux Kernel 4.16-rc6
Details: A remote attacker could execute arbitrary code on the system due to an incorrect buffer length handling issue in the ncp_read_kernel function.
Solution: Patch to the latest version of the software to mitigate this vulnerability.
References:

Google Android video_fmt_mp4r_process_atom_avc1() buffer overflow

Reported: March 5, 2018
Affected Products:

Google Android

Details: Android is susceptible to a buffer overflow due to improper input validation.
Solution: Upgrade to the latest version of Android (released March 5, 2018) available from the Google website.
Reference:

Mozilla Firefox Code Execution

Reported: March 13, 2018
Affected Products:
Mozilla Firefox 58.0
Details: A remote attacker could execute arbitrary code on the system by tricking a user into visiting a malicious website with specially crafted content.
Recommendation: Refer to Mozilla Foundation Security Advisory for Patch.
References:

Cisco Secure Access Control System command execution

Reported: March 7, 2018
Affected Products: Cisco Secure Access Control Server 5.8
Details: A remote attacker could execute arbitrary code on the system due to insecure deserialization of user-supplied content.
Solution: Refer to linked Cisco security advisory for patch.
References:

util-linux package for Debian code execution

Reported: March 7, 2018
Affected Products: Debian util-linux package for Debian 2.29.2-1
Details: util-linux package could allow a local attacker to gain elevated privileges on the system due to embedding shell commands in a mountpoint name.
Solution: Refer to linked util-linux GIT repository for patch.
Reference:

Cisco Web Security Appliance security bypass

Reported: March 7, 2018
Affected Products: Cisco Web Security Appliance
Details: A remote attacker could bypass security restrictions due to incorrect FTP user credential validation. The attacker could log into the FTP server without a valid password.
Solution: Refer to linked Cisco Security Advisory for patch.
References:

New Threat Advisories

You should be aware of the following threats and implement the recommended mitigations to ensure your systems are not impacted.  Click titles below for more details.

Necurs Botnet - World’s Largest Spam Botnet made up 97% of spam traffic in Q4 of 2017

Date: March 21, 2018
Description: The Necurs Botnet made up 97% of global spam traffic in Q4 of 2017. Necurs is the world’s largest botnet and is available for rent to threat actors, so it is responsible for spreading multiple campaigns. In Q4 of 2017, the botnet was used to spread numerous types of malware, including:
The ransomware Locky
Scarab Ransomware
GlobeImposter Ransomware
Dridex Banking Trojan
Users were sent a phishing email in which they were convinced to allow Microsoft Dynamic Data Exchange to update, which would install the malware on the victim computer. The danger of this specific spam network is its ability to get emails past spam filters.
Recommendations:
Beware of suspicious emails
Implement two factor authentication for account logins, especially email accounts
Resources:

Dark Cloud Botnet Distributed Gozi ISFB

Reported: March 12, 2018
Details: A botnet is sending out targeted spearphishing attacks with attached malware that is able to determine whether it is running in a sandbox environment. The specific spam campaign contained messages that appeared to include threads from previous email conversations, increasing the likelihood that a user would click on an embedded link. Of more than 100 malicious attachments analyzed, all appeared to be different, making detection of this specific malware more difficult. It is based on the Gozi ISFB malware family, but executes as a .HTA payload.
References:

Russian Government Cyber Activity Targeting Critical Infrastructure Sectors

Reported: March 15, 2018
Details: US-CERT has identified that since May 2016, advanced attackers who may be associated with the Russian government have been conducting sophisticated attacks on critical infrastructure sectors within the United States. The attackers used, and continue to use, a variety of attack methods including:
spear-phishing
watering-hole domains
credential gathering
OSINT
host-based exploitation.
This campaign is notable in that the first targets attacked are not the intended victims. Third-party suppliers are being used as pivot points to gain access to the final victims.
References:
https://www.us-cert.gov/ncas/alerts/TA18-074A
https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group
https://www.kb.cert.org/vuls/id/672268

Dorkbot Used to Deliver Malware and Steal Online Payment Information

Reported: February 15, 2018
Details: A Bitcoin theft campaign is being conducted through Google AdWords. By purchasing ads for the terms “blockchain” or “bitcoin wallet”, attackers are able to host malicious sites that gather the credentials of users who navigate to them. The malicious sites show up on Google as a featured result and often use valid SSL certificates from Let’s Encrypt, so they appear legitimate. The harvested credentials are used to steal Bitcoins from users’ Bitcoin wallets.
Systems Affected:
Microsoft Windows
References: