Rampant Cybersecurity Bulletin

October 2017

Latest Cybersecurity News

The latest cybersecurity news so that you can stay on top of what is going on in the cybersecurity world.

KRACK WiFi Attack

Reported: October 16, 2017
Details: Researchers published a weakness in the WPA2 WiFi security standard that protects all modern WiFi networks. The attack works against the protocol itself, so it applies to a large number of devices. However, to execute it, an attacker would have to be within range of the network's WiFi signal, and there is no evidence it has ever been used maliciously. The attack is mainly dangerous for enterprises that have not effectively separated their wired and wireless networks, but patches have already been released, or are scheduled for release, for a large group of affected products.

Kaspersky Antivirus Purged from US Government Systems

Reported: October 12, 2017
Details: In September 2017, the US Department of Homeland Security issued a binding operational directive to remove Kaspersky software from government computers within 90 days. This is in response to alleged espionage that Russian agents conducted via the Kaspersky AV platform. Security experts have recommended that consumers who use Kaspersky and are worried about sensitive information should change vendors.

CrySiS Ransomware Targeted US Businesses Through Open RDP Ports

Reported: October 24, 2017
Details: CrySiS ransomware targeted hundreds of US businesses, including churches, private businesses, medical facilities, law firms, and local governments that had vulnerable Remote Desktop Protocol (RDP) implementations. The attackers likely used an open RDP port to deploy CrySiS ransomware, which presents a challenge because the malware enters through an approved access point. This method decreases the likelihood of detection and businesses' ability to mitigate infection.

BadRabbit Ransomware Hits Ukraine and Russia

Reported: October 5, 2017
Details: A new type of ransomware has been spreading in Russia, Ukraine, Turkey, and Germany, affecting numerous websites including Interfax News Agency and Kiev’s public transportation system. Various security companies have noticed similarities between Bad Rabbit and NotPetya. Bad Rabbit requires a user to download and execute a malicious Adobe Flash Player Installer.

Disqus, The Commenting System For News Websites, Confirmed Data Breach Affecting 17.5 Million Users

Reported: October 9, 2017
Details: The online comment hosting service Disqus was breached, resulting in the leakage of sensitive data relating to 17.5 million user accounts, including email addresses, hashed passwords, and usernames from 2007 to 2012. Disqus has force-reset the passwords of all affected users.

OWASP Publishes New Top 10 Vulnerabilities List

Reported: October 9, 2017
Details: OWASP has updated its top ten security vulnerabilities list for the first time since 2013. The main changes are the inclusion of three new categories:
XML External Entity attack
Insecure Deserialization, like the Apache Struts vulnerability that affected Equifax
Insufficient Logging and Monitoring
The list is the most downloaded document on the OWASP website. The list is as follows:
1) Injection
2) Broken Authentication and Session Management
3) Sensitive Data Exposure
4) XML External Entity Injection
5) Broken Access Control
6) Security Misconfiguration
7) Cross Site Scripting
8) Insecure Deserialization
9) Using Components with Known Vulnerabilities
10) Insufficient Logging and Monitoring
For more information, refer to the resources below.


Not sure if you are vulnerable?  Rampant specializes in vulnerability assessments and penetration testing for small & mid-size businesses!

New High Risk Vulnerabilities

You should be aware of the following vulnerabilities, and we recommend patching them immediately if they apply to your systems.

Microsoft Windows Graphics Component Information Disclosure

Reported: October 10, 2017
Affected Products: Windows 10 x32, x64, and Windows Server 2016
Details: Microsoft Windows could allow a local authenticated attacker to run a program that discloses sensitive information, which could then be used to launch further attacks against the system.
Solution: Apply the latest Microsoft updates.

Cisco Cloud Services Platform (CSP) 2100 Security Bypass

Reported: October 18, 2017
Affected Products: Cisco Cloud Services Platform 2100 2.0
Details: A remote authenticated user can bypass security restrictions and gain access to a specific VM on the Cisco CSP.
Solution: Refer to Cisco Security Advisory cisco-sa-20171018-ccs for software updates to fix the above vulnerability. See References.

Microsoft Skype for Business Privilege Escalation

Reported: October 10, 2017
Affected Products:
Microsoft Lync 2013 SP1 x32, x64
Microsoft Skype for Business 2016 x32, x64
Details: An authenticated attacker may be able to gain elevated privileges on the system due to improper handling of authentication requests. By using a special profile image in an instant messaging session, the attacker can steal the authentication hash of the victim and take any action the victim is authorized to take.
Solution: Upgrade to the newest version for your system.

Oracle Fusion Middleware Identity Manager Connector Microsoft Active Directory Unspecified

Reported: October 17, 2017
Affected Products: Oracle Identity Manager Connector 9.1.1.5.0
Details: An unspecified vulnerability could allow an unauthenticated attacker to cause a high impact on integrity and availability of Oracle Identity Manager Connector.
Solution: Refer to Oracle Critical Patch Update Advisory October 2017 for patch information.

Microsoft Office Code Execution

Reported: October 10, 2017
Affected Products:
Microsoft Word Viewer
Microsoft Office Compatibility Pack SP3
Microsoft Word 2007 SP3
Microsoft Word 2010 SP2 x32
Details: A remote attacker could execute arbitrary code on the system with privileges of a victim who was persuaded to open specially-crafted content.
Solution: Patch the system to the latest available version.

Linux Kernel mmu.c Code Execution

Reported: October 16, 2017
Affected Products: Linux Kernel 4.13.5
Details: A local authenticated attacker could execute arbitrary code on the system or cause a denial of service due to a failure to properly traverse guest pagetable entries.
Solution: Patch to the latest version (4.13.7 or later).

Linux Kernel ALSA Sequencer Interface Privilege Escalation

Reported: October 12, 2017
Affected Products: Linux Kernel 4.14-rc4
Details: A local attacker could gain elevated privileges and execute arbitrary code on the system.
Solution: Apply the patch for the vulnerability, available from the Linux Kernel Mailing List.
References:
https://exchange.xforce.ibmcloud.com/vulnerabilities/133342
http://mailman.alsa-project.org/pipermail/alsa-devel/2017-October/126292.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15265
http://securitytracker.com/id?1039561

New Threat Advisories

You should be aware of the following threats and implement the recommended mitigations to ensure your systems are not impacted.

Bad Rabbit Ransomware

Description: A new ransomware variant labeled "Bad Rabbit" has been reported. While this ransomware is spreading through Ukraine and Russia, a number of high-profile victims have been affected, including the Interfax news agency. It is possible that Bad Rabbit could make its way to the Western Hemisphere, so it is important to be aware. The malware is thought to be delivered via a fake Flash Player update module. Currently, there is no indication that paying the ransom will result in retrieving a victim's data.
Systems Affected: Windows Machines
Recommendations:
Ensure all anti-virus software and signature files are up to date.
Create a local kill switch so that even if the machine is infected, its files will not be encrypted. This can be accomplished by creating the file C:\windows\infpub.dat and setting it to read-only.

Botnet Based LFI Attack

Reported: October 11, 2017
Details: A botnet containing over 300 addresses is currently being used to conduct an aggressive local file inclusion (LFI) attack. The attack is a command injection attack that traps a WGET request and attempts to write a malicious PHP script, named shell.php, onto the victim machine.
Affected Services: Unix-Based Web Servers
Solution: The best solution is to avoid passing user-submitted input to any filesystem or framework API. Alternatively, maintain a whitelist of permitted files and have requests select one by identifier rather than by path, so that a request can only ever reach the specific sections of the filesystem you intend to expose.
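The following is an added example illustrating the whitelist approach recommended above; it is not code from the bulletin or from any product mentioned in it. It contrasts a handler that joins client input straight into a path (the pattern LFI exploits) with one that only accepts a page identifier and looks the file up in a fixed map. The names PAGE_WHITELIST, render_page_unsafe, render_page_safe, build_demo_site and compare_handlers are assumptions, and the content files and "secret" file are constructed in a temporary directory for the demonstration.

```python
import os
import shutil
import tempfile

# Constructed sample site sections: identifier -> filename relative to the content directory.
# The identifier is the only value a client may supply; it never reaches a filesystem API.
PAGE_WHITELIST = {
    "home": "home.html",
    "about": "about.html",
    "contact": "contact.html",
}


class PageNotAllowed(ValueError):
    """Raised when a request names a page identifier outside the whitelist."""


def render_page_unsafe(base_dir, requested):
    """Vulnerable pattern, shown for contrast: client input is joined straight into a path.
    os.path.join follows '..' segments, so 'requested' can select a file outside base_dir."""
    path = os.path.join(base_dir, requested + ".html")
    with open(path, "r", encoding="utf-8") as fh:
        return fh.read()


def render_page_safe(base_dir, requested):
    """Hardened pattern: 'requested' selects a key in PAGE_WHITELIST; only the mapped
    filename is opened, and it is additionally confined to the content directory."""
    filename = PAGE_WHITELIST.get(requested)
    if filename is None:
        raise PageNotAllowed(f"unknown page identifier: {requested!r}")
    base = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(base, filename))
    # Defence in depth: even a whitelisted entry must resolve inside the content directory.
    if os.path.commonpath([base, path]) != base:
        raise PageNotAllowed(f"whitelisted file escapes content directory: {filename!r}")
    with open(path, "r", encoding="utf-8") as fh:
        return fh.read()


def build_demo_site():
    """Create a throwaway content directory plus one file *outside* it that stands in for
    a sensitive file the web server must never serve. Returns (base_dir, secret_path)."""
    root = tempfile.mkdtemp(prefix="lfi-demo-")
    base_dir = os.path.join(root, "pages")
    os.mkdir(base_dir)
    for name in PAGE_WHITELIST.values():
        with open(os.path.join(base_dir, name), "w", encoding="utf-8") as fh:
            fh.write(f"<h1>{name}</h1>\n")
    secret_path = os.path.join(root, "secret.html")  # constructed stand-in, not real data
    with open(secret_path, "w", encoding="utf-8") as fh:
        fh.write("constructed secret, not a real credential\n")
    return base_dir, secret_path


def compare_handlers(requested):
    """Run both handlers on the same client input and report what each did.
    Returns (unsafe_result, safe_result), each 'served', 'rejected' or 'error'."""
    base_dir, _ = build_demo_site()
    results = []
    try:
        for handler in (render_page_unsafe, render_page_safe):
            try:
                handler(base_dir, requested)
                results.append("served")
            except PageNotAllowed:
                results.append("rejected")
            except OSError:
                results.append("error")
    finally:
        shutil.rmtree(os.path.dirname(base_dir), ignore_errors=True)
    return tuple(results)


if __name__ == "__main__":
    # A legitimate identifier works in both handlers; a traversal string is served by the
    # unsafe handler (the file outside the content directory leaks) but rejected by the safe one.
    print("home      ->", compare_handlers("home"))
    print("../secret ->", compare_handlers("../secret"))
```

The important property is that the safe handler never constructs a path from client data: the request can only pick an entry that already exists in PAGE_WHITELIST, and the realpath check guards against a whitelist entry that is itself mis-specified. Unknown identifiers are rejected before any file is touched, which also gives you a clean event to log and alert on.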

Zero-Day Adobe Flash Player Vulnerability Being Used in the Wild

Reported: October 16, 2017
Details: Kaspersky found a new zero-day exploit for Adobe Flash Player being used in the wild, which can result in the execution of arbitrary code on a remote system. The infection is delivered via a malicious Microsoft Office document attached to an email, with the final payload being labeled "FinSpy". The attack has been traced back to an APT known as BlackOasis, which has had other zero-day exploits attributed to it in the past.
Affected Devices: Windows Devices
Solution: Update to the latest version of Flash Player, and ensure anti-virus programs and signature libraries are up to date.

IOTroop Botnet

Reported: October 17, 2017
Details: A botnet based on Internet of Things devices has been spotted being built in the wild. Similar to Mirai from 2016, this botnet uses a zombie malware strain to enslave routers, cameras, and digital video recorders. Mirai was able to take down many top internet sites for almost a day in 2016 with a DDoS attack. IOTroop is 20x the size of the Mirai botnet, so it is expected that this botnet will be used in the near future. Attack scripts are being exchanged on Dark Web forums, which could signal a near-future attack.
Solution: Prepare for a potential DDoS attack by applying security best practices for your network.