Rampant Cybersecurity Bulletin

February 2018

Latest Cybersecurity News

The latest cybersecurity news so that you can stay on top of what is going on in the cybersecurity world. Click titles below for more details.

HaveIBeenPwned Releases Unrestricted API for Password Checking
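The password-checking API referred to in the headline is the Pwned Passwords range endpoint. Per the public API documentation (not this bulletin), the client sends only the first five hex characters of the password's SHA-1 and receives every suffix in that range with a breach count, so the password itself never leaves the client. The following Python client is an added example, not HaveIBeenPwned's code; the range body embedded below is constructed, and its counts are made up (only the line format is real).

```python
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password):
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is
    sent to the service and the 35-char suffix that is only compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse the 'SUFFIX:COUNT' lines the range endpoint returns into a dict."""
    matches = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        matches[suffix.upper()] = int(count)
    return matches


def breach_count(password, range_body):
    """How many times the password appears in the corpus (0 = not found)."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix):
    """Fetch the range for one 5-char prefix (network call; not used by the test).
    The service requires a User-Agent header; the value here is a placeholder."""
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"User-Agent": "range-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password(password):
    """End-to-end check: only the hash prefix leaves this machine."""
    prefix, _ = sha1_prefix_suffix(password)
    return breach_count(password, fetch_range(prefix))


# Constructed stand-in for the range response for prefix 5BAA6 (the SHA-1 of
# "password" starts with 5BAA6). The counts are invented for the example.
CONSTRUCTED_RANGE_5BAA6 = """\
1D72CD07550416C216D8AD296BF5C0AE8E0:10
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3533661
1E2AAA439972480CEC7F16C795BBB429372:1
"""
```

Because the lookup is by prefix, the service learns only that one of roughly several hundred hashes was of interest, which is why the check can be run against real user passwords at signup or password-change time without disclosing them.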

Meltdown and Spectre: Speculative Execution Flaws Affect Most Modern CPUs

Reported: January 8, 2018
Details: Vulnerabilities affecting a large percentage of CPUs have been discovered, rooted in the chips' speculative execution and caching behavior. A local attacker, including code running in a browser or in a neighboring virtual machine, can use cache-timing side channels to read memory it should not have access to, leaking critical information such as encryption keys. Mitigation requires operating system, CPU microcode, and browser updates.

Released NSA Exploits Ported to Windows

Reported: February 5, 2018
Details: Three exploits stolen from the NSA and released in April 2017 by the Shadow Brokers group have been modified to work on every Windows version released since Windows 2000. The modified exploits, EternalChampion, EternalRomance, and EternalSynergy, have been added to the Metasploit Framework, so they are now freely available as open source. Systems that have not applied the March 2017 SMB patch (MS17-010) or that still expose SMBv1 remain at risk.

US Legislators Introduce Bills to Ban US Government from Using Chinese Equipment

Reported: February 9, 2018
Details: Chinese manufacturers named in the bills include Huawei, ZTE, Datang, and Zhongxing. The bills are motivated by concern over Chinese state espionage, and the sponsoring legislators recommend avoiding Chinese-manufactured equipment wherever possible to reduce the risk of compromise.

More Private Data Discovered to Be Compromised in Equifax Hack

Reported: February 12, 2018
Details: An investigation into the Equifax breach concluded that more information was stolen than originally reported: an additional 2.4 million people were affected, and additional types of data were taken, including Tax Identification Numbers, email addresses, and driver's license information, none of which the company had originally disclosed.

GitHub Hit With the Largest DDoS Attack in History Using New Technique

Reported: March 1, 2018
Details: GitHub was hit with a DDoS attack that peaked at roughly 1.35 Tbps, a new record up from the previous high of about 1.1 Tbps. Using a new technique, attackers reflected and amplified traffic through memcached servers exposed on UDP port 11211; because memcached answers unauthenticated requests and can return far more data than it receives, a small spoofed request yields a very large response to the victim. Only about 50,000 exposed systems worldwide are available as reflectors, but that is enough for attacks of this size.
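The following Python is an added example (not from the bulletin or from the memcached project) showing the UDP framing that the reflection abuses, so that you can measure the amplification of your own memcached hosts. The sample reply datagrams are constructed and their STAT values are made up; the 8-byte frame header layout is memcached's documented UDP format.

```python
import socket
import struct

MEMCACHED_UDP_PORT = 11211
# memcached UDP frame header: request id, sequence number, total datagrams, reserved (0),
# all 16-bit big-endian values.
FRAME_HEADER = struct.Struct("!HHHH")


def build_request(command=b"stats\r\n", request_id=0x0001):
    """Wrap an ASCII-protocol command in a single UDP frame."""
    return FRAME_HEADER.pack(request_id, 0, 1, 0) + command


def parse_frame(datagram):
    """Split a datagram into (request_id, seq, total, payload)."""
    if len(datagram) < FRAME_HEADER.size:
        raise ValueError("datagram shorter than the 8-byte memcached UDP header")
    request_id, seq, total, _reserved = FRAME_HEADER.unpack_from(datagram)
    return request_id, seq, total, datagram[FRAME_HEADER.size:]


def reassemble(datagrams):
    """Order response frames by sequence number and join their payloads."""
    frames = [parse_frame(d) for d in datagrams]
    frames.sort(key=lambda f: f[1])
    return b"".join(f[3] for f in frames)


def amplification_factor(request, datagrams):
    """Bytes returned per byte sent: the figure that makes reflection attractive."""
    return sum(len(d) for d in datagrams) / len(request)


def exposed(request, replies):
    """True when the host answered the unauthenticated UDP request with stats output."""
    return bool(replies) and reassemble(replies).endswith(b"END\r\n")


def probe_udp(host, timeout=2.0):
    """Send one 'stats' request and collect every reply datagram.
    Network call against a host you own; not used by the test."""
    request = build_request()
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    replies = []
    try:
        sock.sendto(request, (host, MEMCACHED_UDP_PORT))
        while True:
            try:
                data, _ = sock.recvfrom(65535)
            except socket.timeout:
                break
            replies.append(data)
    finally:
        sock.close()
    return request, replies


# Constructed sample: a two-datagram reply to 'stats' from an exposed server,
# deliberately delivered out of order to exercise reassembly.
SAMPLE_REQUEST = build_request()
SAMPLE_REPLIES = [
    FRAME_HEADER.pack(1, 1, 2, 0) + b"STAT threads 4\r\nSTAT limit_maxbytes 67108864\r\nEND\r\n",
    FRAME_HEADER.pack(1, 0, 2, 0) + b"STAT pid 1234\r\nSTAT uptime 86400\r\n"
                                   b"STAT time 1519900000\r\nSTAT version 1.5.4\r\n",
]
```

Run `probe_udp("203.0.113.10")` (placeholder address) against your own servers; any reply at all means the host will reflect for anyone who spoofs a source address. The fix is to disable the UDP listener (`-U 0` on the memcached command line, the default from memcached 1.5.6 onward) or to firewall UDP/11211. The amplification in this small sample is under 10x; real attacks first store large values and then request them, which is how the factor climbs into the tens of thousands.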

Hard-Coded Password Allows Hackers to Bypass Lenovo’s Fingerprint Scanner

Reported: January 30, 2018
Details: A wide range of Lenovo laptop models had a vulnerability in their fingerprint-login software. A hard-coded password and a weak encryption algorithm made it possible for a user without administrator privileges to read the stored Windows logon credentials and fingerprint data.

uTorrent Allows for Remote Code Execution

Reported: February 21, 2018
Details: Patches released by BitTorrent do not appear to fully fix multiple critical remote code execution bugs in the uTorrent software. Users are cautioned against using the software until verified patches have been released.

Previous Cybersecurity Bulletins

Not sure if you are vulnerable?  Rampant specializes in vulnerability assessments and penetration testing for small & mid-size businesses!

New High Risk Vulnerabilities

You should be aware of the following vulnerabilities, and we recommend patching them immediately if they apply to your systems.  Click titles below for more details.

Apache Geode TcpServer Code Execution

Reported: February 23, 2018
Affected Products:
  • Apache Geode 1.1.0
  • Apache Geode 1.0.0
  • Apache Geode 1.2.0
  • Apache Geode 1.2.1
Details: A remote attacker can execute arbitrary code on the system because the TcpServer deserializes untrusted data unsafely.
Solution: Upgrade to the latest version of the software (1.4.0 or later).

Microsoft Identity Manager Privilege Escalation

Reported: February 15, 2018
Affected Products: Microsoft Identity Manager 2016 SP1
Details: Microsoft Identity Manager could allow a remote attacker to gain elevated privileges on the system due to improper sanitization of attribute values before they are displayed to the user.
Solution: Patch to the latest version of the software to mitigate this vulnerability.

Cisco RV132W and RV134W Router Code Execution

Reported: February 7, 2018
Affected Products:
  • Cisco RV132W ADSL2+ Wireless-N VPN Router
  • Cisco RV134W VDSL2 Wireless-AC VPN Router
Details: The affected routers could allow a remote attacker to execute arbitrary code on the device because the web management interface incompletely validates user-controlled HTTP input.
Solution: Refer to the Cisco Security Advisory for the patch.

Cisco Elastic Services Controller Software Security Bypass

Reported: February 21, 2018
Affected Products:
Cisco Elastic Services Controller 3.0.0
Details: A remote attacker could bypass security restrictions due to an error in the authentication function: submitting an empty password grants the attacker administrative access to the system.
Solution: Refer to the Cisco Security Advisory for the patch.

Cisco Unified Communication Domain Manager Code Execution

Reported: February 21, 2018
Affected Products: Cisco Unified Communications Domain Manager
Details: A remote attacker could execute arbitrary code on the system due to insecure key generation during configuration of the application.
Solution: Refer to linked Cisco security advisory for patch.

Linux Kernel show_floppy function Security Bypass

Reported: January 3, 2018
Affected Products: Linux Kernel 4.14.11 and earlier
Details: The show_floppy function in the kernel's floppy driver writes kernel addresses to the log through printk calls, allowing a local user who can read the kernel log to obtain sensitive address information and bypass KASLR.

Trend Micro Smart Protection Server Privilege Escalation

Reported: February 28, 2018
Affected Products: Trend Micro Smart Protection Server 3.3
Details: A remote attacker could gain elevated privileges on the system due to improper handling of credentials during login.
Solution: Refer to linked Trend Micro Security Bulletin for patch.

Microsoft Sharepoint Server Privilege Escalation

Reported: February 13, 2018
Affected Products: Microsoft SharePoint Enterprise Server 2016
Details: A remote attacker could conduct a cross-site scripting attack that runs arbitrary script in the context of the current user, which could be used to gain elevated privileges on the affected site.
Solution: Update the affected system via Microsoft automatic updates.

New Threat Advisories

You should be aware of the following threats and implement the recommended mitigations to ensure your systems are not impacted.  Click titles below for more details.

Active Business Email Compromise Campaign Targeting Fortune 500 Companies

Reported: February 21, 2018
Description: IBM X-Force IRIS has found groups of Nigerian origin harvesting credentials and using them to phish Fortune 500 companies in an attempt to steal financial assets; the most common objective is wire fraud. The attackers have used business email (spoofing addresses from a victim's contact list, or inserting themselves into ongoing email conversations) to convince accounts payable personnel at Fortune 500 companies to initiate wire transfers into attacker-controlled accounts. Millions have already been stolen in the current campaign.
The campaign is especially dangerous because of its sophisticated social engineering: by posing as users known to the victim and joining existing conversations, the attackers convince even wary employees that they are genuine.
Recommended mitigations:
  • Treat unexpected emails about payments or banking changes with suspicion
  • Implement two-factor authentication for account logins, especially email accounts
  • Block auto-forwarding of email to addresses outside the organization; this forces the attacker to log into the mailbox directly, increasing the chance they are detected
  • Train users to recognize social engineering, and to verify any vendor request for a change in wire-transfer details over a different channel than the one the request arrived on
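Two of the mitigations above, catching external auto-forward rules and spotting spoofed senders, can be automated. The following Python is an added example, not IRIS's tooling or anything from the bulletin: the audit events and messages are constructed, the domains are placeholders, and the event layout only loosely follows the Operation/Parameters shape of Exchange Online audit log records.

```python
"""Two BEC indicators: mailbox rules that auto-forward to external addresses,
and sender domains that impersonate known contacts. All domains, events and
messages here are constructed placeholders."""

INTERNAL_DOMAINS = {"example.com"}                            # assumed: our own domain
KNOWN_CONTACT_DOMAINS = {"acme-supplies.com", "contoso.com"}  # assumed: vetted vendors
# Substitutions attackers use to build visually similar domains.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]
FORWARD_PARAMS = {"ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"}


def normalize(domain):
    """Lower-case and undo common homoglyph substitutions before comparing."""
    d = domain.lower()
    for src, dst in HOMOGLYPHS:
        d = d.replace(src, dst)
    return d


def edit_distance(a, b):
    """Levenshtein distance, so 'contosso.com' still matches 'contoso.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, known=KNOWN_CONTACT_DOMAINS, max_distance=2):
    """Return the known domain this one impersonates, or None if it is known or unrelated."""
    domain = domain.lower()
    if domain in known:
        return None
    for candidate in known:
        if edit_distance(normalize(domain), normalize(candidate)) <= max_distance:
            return candidate
    return None


def domain_of(address):
    return address.rsplit("@", 1)[-1].strip().lower()


def external_forward_targets(event, internal=INTERNAL_DOMAINS):
    """External addresses that a New-InboxRule/Set-InboxRule event forwards mail to."""
    if event.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return []
    targets = []
    for param in event.get("Parameters", []):
        if param["Name"] in FORWARD_PARAMS:
            for addr in param["Value"].split(";"):
                if addr.strip() and domain_of(addr) not in internal:
                    targets.append(addr.strip())
    return targets


def message_indicators(msg):
    """Spoofing signals on one inbound message: lookalike sender, mismatched Reply-To."""
    flags = []
    sender_domain = domain_of(msg["from"])
    target = lookalike_of(sender_domain)
    if target:
        flags.append("sender domain %s resembles %s" % (sender_domain, target))
    reply_to = msg.get("reply_to")
    if reply_to and domain_of(reply_to) != sender_domain:
        flags.append("Reply-To domain %s differs from sender domain %s"
                     % (domain_of(reply_to), sender_domain))
    return flags


def triage(events, messages):
    """Collect (subject, reason) alerts from audit events and inbound messages."""
    alerts = []
    for event in events:
        for addr in external_forward_targets(event):
            alerts.append((event["UserId"], "inbox rule forwards externally to " + addr))
    for msg in messages:
        for reason in message_indicators(msg):
            alerts.append((msg["from"], reason))
    return alerts


# Constructed audit events: a hidden external forward with deletion (classic BEC
# persistence), a benign move-to-folder rule, and an internal redirect.
CONSTRUCTED_EVENTS = [
    {"Operation": "New-InboxRule", "UserId": "ap.clerk@example.com",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "collector@mail-archive-service.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "cfo@example.com",
     "Parameters": [{"Name": "Name", "Value": "Invoices"},
                    {"Name": "MoveToFolder", "Value": "Invoices"}]},
    {"Operation": "Set-InboxRule", "UserId": "ap.clerk@example.com",
     "Parameters": [{"Name": "RedirectTo", "Value": "assistant@example.com"}]},
]

# Constructed inbound messages: a lookalike vendor (capital I for l), a spoofed
# executive with an external Reply-To, and a clean vendor message.
CONSTRUCTED_MESSAGES = [
    {"from": "billing@acme-suppIies.com", "reply_to": None, "subject": "Updated wire instructions"},
    {"from": "cfo@example.com", "reply_to": "cfo.example@webmail-provider.net", "subject": "Urgent transfer"},
    {"from": "accounts@contoso.com", "reply_to": None, "subject": "Invoice 4471"},
]
```

The forwarding check is the detective counterpart of the preventive control in the list: in Exchange Online, for example, outbound auto-forwarding to external domains can be switched off for the default remote domain with `Set-RemoteDomain Default -AutoForwardEnabled $false`, and the audit query above then catches attackers who fall back to client-side rules. The lookalike check is deliberately tolerant (distance of two after homoglyph normalization) because a false positive costs a phone call to the vendor, which is exactly the out-of-band verification the last mitigation asks for.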

Fear the Reaper - North Korean Group APT37 Using Zero-Days

Reported: February 21, 2018
Details: A group dubbed Reaper (also tracked as APT37), allegedly based in North Korea, is exploiting a recently disclosed Adobe Flash Player vulnerability that the group had been using as a zero-day before it was patched. They have targeted organizations across all industries, most recently financial companies, with phishing emails carrying a Microsoft Word attachment. The attachment installs malware that lets Reaper collect information from the infected system, including screenshots. Reaper relies on targeted spear-phishing, so its lures are more convincing than generic templates and often get past spam filters.

Apache CouchDB Being Targeted for Cryptomining

Reported: February 15, 2018
Details: Trend Micro has reported a series of attacks that exploit unpatched vulnerabilities in the Apache CouchDB database management system to install Monero miners, so that the compromised servers mine cryptocurrency for the attacker.

Bitcoin Theft Campaign Through Google Adwords

Reported: February 15, 2018
Details: A Bitcoin theft campaign is being conducted through Google AdWords. By purchasing ads for search terms such as "blockchain" and "bitcoin wallet", attackers place phishing sites in front of users and harvest the credentials of those who click through. The malicious sites appear at the top of Google results as ads and often use valid TLS certificates issued by Let's Encrypt, so they look legitimate. The harvested credentials are then used to steal Bitcoin from the victims' wallets.