Rampant Cybersecurity Bulletin

November 2017

Latest Cybersecurity News

The latest cybersecurity news so that you can stay on top of what is going on in the cybersecurity world. Click titles below for more details.

Google’s Captcha Broken

Reported: October 30, 2017
Details: Researchers published a paper describing a tool called unCaptcha, which can break the Google reCaptcha service with 85% accuracy in an average of 5.42 seconds.
References:

Intel Chip Flaws Leave Millions of Devices Exposed

Reported: November 20, 2017
Details: Flaws exist in the Intel Management Engine (ME), a subsystem that lets administrators remotely control devices, which could allow an attacker to run unsigned, unverified code on Intel chipsets and gain further control by using the Management Engine as a launching point. The ME runs on a separate microprocessor, so it can run even when the computer is powered off. Almost all recent Intel chips are said to be affected, including those in servers, PCs, and IoT devices. Intel has released firmware updates for the bugs and a tool that lets an admin check the status of their network devices.
References:

No Patch Available for RCE Bug Affecting Mail Servers

Reported: November 28, 2017
Details: A remote code execution flaw was found in Exim, a mail transfer agent that runs on email servers to route emails from senders to recipients. The bug was found in the two most recent versions of Exim, so even servers patched to the latest revision are affected. It is estimated that over 400,000 servers susceptible to this bug are online at any given time. Until a patch is released, Exim has recommended the workaround of setting the chunking_advertise_hosts option to a blank value (chunking_advertise_hosts = ).
References:

2017 Worst Year On Record for Data Breaches - 305% Increase

Reported: November 9, 2017
Details: Data breaches in 2017 have shown an extremely large increase, with 7.09 billion records breached through the first 9 months of 2017, up from 2.3 billion in 2016. The business sector has made up 68.5% of the breaches for the year 2017.
References:

Websites Can Use Your CPU to Mine for Cryptocurrency After Browser is Closed

Reported: November 29, 2017
Details: Malwarebytes has discovered a new method of drive-by cryptomining. The usual technique is malicious code placed on a website so that users who visit the site unknowingly mine cryptocurrency for the owner of the website; when the browser is closed, the mining stops. The technique discovered by Malwarebytes opens a small pop-under window hidden behind the Windows taskbar, so that the user keeps mining cryptocurrency indefinitely, even after closing their browser.
References:

Top Secret NSA and Army Data Leaked Online

Reported: November 28, 2017
Details: Classified data belonging to INSCOM (US Army Intelligence and Security Command) was found online in an Amazon S3 bucket configured for public access, allowing anyone with an internet connection to potentially browse to the classified information. The bucket contained 47 files, 3 of which were downloadable, and included files labeled Top Secret and NOFORN. Additionally, the downloadable files contained private keys and hashed passwords from a third-party contractor, potentially allowing for attacks into the Pentagon’s internal network.
References:

GitHub Introduces Security Alerts

Reported: November 16, 2017
Details: GitHub has released a feature that alerts admins of code repositories to security vulnerabilities. Public repositories will have the “dependency graph” and alerts enabled by default, but private repos will need to enable the dependency graph feature. The feature detects vulnerabilities based on the dependencies used in the code. GitHub is starting with alerting on vulnerabilities that have CVEs but hopes to expand its security alerting process to include all vulnerabilities in the future.
References:

Previous Cybersecurity Bulletins

Not sure if you are vulnerable?  Rampant specializes in vulnerability assessments and penetration testing for small & mid-size businesses!

New High Risk Vulnerabilities

You should be aware of the following vulnerabilities, and we recommend patching them immediately if they apply to your systems.  Click titles below for more details.

Linux Kernel XFRM Privilege Escalation

Reported: November 23, 2017
Affected Products: Linux Kernel
Details: The Linux kernel could allow a remote attacker to gain elevated privileges on the system, caused by a flaw in the XFRM Netlink socket subsystem.
Solution: Refer to the Linux kernel Patchwork web site for the patch.
References:

Cisco Voice Operating System-Based Products Unauthorized Access

Reported: November 15, 2017
Affected Products:
Cisco Emergency Responder
Cisco SocialMiner
Cisco Prime License Manager
Cisco Unified Intelligence Center
Details: A remote attacker could gain unauthorized access to the system due to a flaw in the upgrade mechanism, and gain root access to the device.
Solution: Refer to Cisco Security Advisory cisco-sa-20171115-vos for software updates to fix the above vulnerability. See References.
References:

Cisco Firepower 4100 Series NGFW and Firepower 9300 Service Command Execution

Reported: November 1, 2017
Affected Products:
Cisco Firepower 4100 Series
Cisco ASA for Firepower 9300 Series
Details: The affected devices could allow a remote authenticated attacker to execute arbitrary commands on the system with root privileges by configuring a malicious URL within the affected feature.
Solution: Refer to Cisco Security Advisory cisco-sa-20171101-fpwr for patch, or upgrade.
References:

Microsoft Excel Code Execution

Reported: November 14, 2017
Affected Products:
Microsoft Excel Viewer
Microsoft Excel 2007 SP3
Microsoft Office Compatibility Pack 2010
Microsoft Excel 2010 SP2 x64
Details: Microsoft Excel could allow a remote attacker to execute arbitrary code on the system with the privileges of a victim who was persuaded to open specially crafted content.
Recommendation: Ensure that all affected products have been updated and patched to the latest revision.
References:

Microsoft Windows Kernel Privilege Escalation

Reported: November 14, 2017
Affected Products:
Microsoft Windows Server 2008 SP2 x32
Microsoft Windows Server 2008 SP2 x64
Microsoft Windows Server 2008 SP2 Itanium
Microsoft Windows 7 SP1 x32
Details: A local authenticated attacker could gain elevated privileges on the system due to improper handling of objects in memory by the kernel. By executing a specific type of program, an authenticated attacker could execute arbitrary code on the system with higher privileges.
Solution: Patch system to latest possible version.
References:

Apache Hadoop YARN Privilege Escalation

Reported: November 8, 2017
Affected Products: Apache Hadoop 2.6, 2.7
Details: A remote authenticated attacker could gain access to files protected by HDFS transparent encryption due to a flaw in YARN’s localization mechanism.
Solution: Patch to the latest version (2.7.4 or later).
References:

Debian Nginx Package Privilege Escalation

Reported: October 25, 2017
Affected Products: Debian nginx 1.6.2-5+deb8u2
Details: A local attacker could gain elevated privileges on the system caused by a failure to properly handle log file permissions. An attacker with www-data privileges could obtain root privileges on the target system.
Solution: Refer to Debian Security Advisory DSA-3701-1 (nginx security update) for the patch.
References:
https://www.debian.org/security/2016/dsa-3701
https://www.exploit-db.com/exploits/40768/
https://securitytracker.com/id?1037104

New Threat Advisories

You should be aware of the following threats and implement the recommended mitigations to ensure your systems are not impacted.  Click titles below for more details.

Ordinypt Ransomware Wipes Disk Instead of Encrypting

Reported: November 13, 2017
Details: A ransomware variant named Ordinypt does not encrypt the victim’s files but wipes the data instead, overwriting the files with random data and destroying any chance of recovering them. HR departments have been targeted with fake emails carrying resume and CV attachments. It only takes one employee opening a malicious attachment to compromise the entire network.
Solution: Consider utilizing Security Awareness Training in order to reduce the risk of human error. Additionally, ensure all anti-virus signatures are up to date.
References:

New Mirai Variant Scanning With New Exploit

Details: Scanning activity originating from Argentina, involving 65,000 unique IP addresses, has been observed probing ports 23 and 2323 using an exploit published in the ExploitDB on October 31. This botnet is looking for devices that would give it unauthorized administrator access to a vulnerable modem.
Recommendations: Ensure all devices have the latest firmware updates and change all hard-coded passwords from their defaults.
References:
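Scanning of this kind is easy to spot at the perimeter because it shows up as many distinct sources each sending a few SYNs to ports 23 and 2323. The script below is an added example written for this bulletin (not code from Rampant or from any vendor): it parses iptables-style kernel log lines, aggregates probes of those two ports per source address, lists sources that tried both ports, and raises an alert once the number of distinct probing sources crosses a threshold. The log lines are constructed samples using documentation-range addresses, and the threshold of three sources is an assumption chosen to make the sample fire; a real deployment would set it from the site's own baseline.

```python
"""Spot inbound Telnet-port scanning in iptables-style log lines.

Added example for this bulletin, not code from Rampant or any vendor.
It parses the SRC=/DST=/PROTO=/DPT= fields that the iptables LOG target
writes and counts distinct sources probing TCP ports 23 and 2323.
"""
import re
from collections import defaultdict

# Telnet and the alternate port targeted by the scanning described above.
WATCHED_PORTS = {23, 2323}

# Constructed sample of dropped-inbound log lines (not real traffic).
SAMPLE_LOG = """\
Nov 28 10:01:02 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=40123 DPT=23 SYN
Nov 28 10:01:03 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=40124 DPT=2323 SYN
Nov 28 10:01:05 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.77 DST=198.51.100.2 PROTO=TCP SPT=51000 DPT=23 SYN
Nov 28 10:01:06 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.9 DST=198.51.100.2 PROTO=TCP SPT=51001 DPT=443 SYN
Nov 28 10:01:07 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.200 DST=198.51.100.2 PROTO=TCP SPT=33000 DPT=2323 SYN
Nov 28 10:01:08 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.200 DST=198.51.100.3 PROTO=TCP SPT=33001 DPT=2323 SYN
Nov 28 10:01:09 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.3 PROTO=TCP SPT=40125 DPT=23 SYN
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+)"
    r"(?: SPT=\d+)? DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return (src, dst, proto, dport), or None if the line has no packet fields."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m["src"], m["dst"], m["proto"], int(m["dpt"])


def summarize_telnet_probes(log_text, min_sources=3):
    """Aggregate probes of the watched ports per source address.

    Returns per-source hit counts, the sources that tried both watched
    ports, the number of distinct probing sources, and an 'alert' flag set
    when at least min_sources distinct addresses probed the watched ports.
    min_sources is an assumed threshold; tune it to the site's baseline.
    """
    ports_by_src = defaultdict(set)
    hits_by_src = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, _dst, proto, dport = parsed
        if proto == "TCP" and dport in WATCHED_PORTS:
            ports_by_src[src].add(dport)
            hits_by_src[src] += 1
    both_ports = sorted(s for s, p in ports_by_src.items() if p == WATCHED_PORTS)
    return {
        "hits_by_src": dict(hits_by_src),
        "sources_hitting_both_ports": both_ports,
        "distinct_sources": len(hits_by_src),
        "alert": len(hits_by_src) >= min_sources,
    }


if __name__ == "__main__":
    summary = summarize_telnet_probes(SAMPLE_LOG)
    print(f"{summary['distinct_sources']} sources probed ports 23/2323; "
          f"alert={summary['alert']}")
    for src in summary["sources_hitting_both_ports"]:
        print("  probed both ports:", src)
```

On the sample, three distinct sources hit the watched ports (the 443 probe is ignored), one of them tried both 23 and 2323, and the alert fires at the assumed threshold. Counting distinct sources rather than total hits is the point: a single noisy host looks different from a botnet sweep.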

IOTroop Botnet Now Utilizing Reaper Malware

Reported: November 2017
Details: A botnet built from Internet of Things devices has been spotted growing in the wild. Like Mirai in 2016, this botnet uses a zombie malware strain to enslave routers, cameras, and digital video recorders. Mirai was able to take down many top internet sites for almost a day in 2016 with a DDoS attack. Attack scripts are being exchanged on Dark Web forums, which could signal an attack in the near future.
Additionally, Reaper exploits known vulnerabilities in a range of products from multiple vendors in order to build itself. The botnet is thought to be around 2 million devices at this point in time.
Solution: Prepare for a potential DDoS attack by utilizing security best practices for your network.
References:

Vault 7 and 8 Release By WikiLeaks

Reported: November 2017
Details: A large amount of data was published by WikiLeaks, allegedly parts of the CIA’s toolkit. Although none of the actual tools, toolkits, or exploits were disclosed, the leaks may contain information regarding zero-day exploits for various operating systems and encryption methods.
Affected Devices: Unknown
Solution: Maintain a proactive patching program in order to mitigate potential effects from these disclosures.
References: