Rampant Cybersecurity Bulletin

September 2017

Latest Cybersecurity News

The following news items from the past month deserve your attention; several of them carry lessons for your own systems.  Click titles below for more details.

Equifax Data Breach: 143 Million US Consumers Affected

Reported: September 7, 2017
Details: Equifax, one of the three major US credit reporting agencies, disclosed a breach that exposed the personal information of about 143 million US consumers, including names, Social Security numbers, birth dates, addresses and, in some cases, driver's license numbers. Equifax attributed the intrusion to an unpatched vulnerability in the Apache Struts web application framework: unauthorized access ran from mid-May 2017 until the company discovered it on July 29, and the breach was disclosed publicly on September 7. For steps consumers can take to limit the impact, visit the FTC website (linked below).
Note: If your systems use the Struts framework, Oracle has released fixes for six newly disclosed Struts vulnerabilities. Refer to the Threatpost article below for details, and see the Apache Struts REST Plugin item under New High Risk Vulnerabilities for the upgrade path.
References:

Deloitte Data Breach Affected All Company Email And Admin Accounts

Reported: September 25, 2017
Details: Deloitte, one of the "big four" accounting firms, suffered a cyber attack in which the intruder gained control of an administrator account on the firm's email system; the account reportedly required only a single password, with no two-step verification. That one account gave access to Deloitte's entire internal email system and to all of its administrator accounts. Privileged accounts on hosted email and cloud platforms should always be protected with multi-factor authentication.
Reference:

NIST Publishes Draft Ransomware Guidelines

Reported: September 2017
Details: NIST's National Cybersecurity Center of Excellence (NCCoE) published a draft practice guide, SP 1800-11, Data Integrity: Recovering from Ransomware and Other Destructive Events. The guide sets out a reference solution that enterprises and smaller businesses can use to prepare for and recover from ransomware and similar data-destroying incidents, and it can help organizations build a recovery strategy before an attack so that restoring operations afterwards goes more smoothly.
Reference:

Kaspersky Allegedly Stole NSA Cyber Defense Data

Reported: October 5, 2017
Details: According to press reports, hackers working for the Russian government stole details of US offensive and defensive cybersecurity tools and strategies. The material came from an NSA contractor who had taken classified documents home and stored them on a personal computer running Kaspersky antivirus software; the reports allege that the antivirus software was used to identify and retrieve those files. The stolen data reportedly includes information on how the US penetrates foreign networks, including source code for the tools used to do so.
References:


Not sure if you are vulnerable?  Rampant specializes in vulnerability assessments and penetration testing for small & mid-size businesses!

New High Risk Vulnerabilities

You should be aware of the following vulnerabilities, and we recommend patching them immediately if they apply to your systems.  Click titles below for more details.

Cisco IOS XE REST API Security Bypass

Reported: September 27, 2017
Affected Products: Cisco IOS XE
Details: A vulnerability in the REST API of the IOS XE web user interface could allow an unauthenticated remote attacker to bypass authentication by sending a crafted API request, gaining access to the web UI of the affected device. Only devices with the HTTP server and web UI enabled are exposed.
Solution: Refer to the Cisco Security Advisory (linked below) for fixed software releases.
References:

Apache Struts REST Plugin Code Execution

Reported: September 5, 2017
Affected Products: Apache Struts 2.1.2 through 2.3.33 and 2.5 through 2.5.12, when the REST plugin is deployed
Details: The Struts REST plugin uses an XStream handler to deserialize XML request bodies without any type filtering, so a remote attacker who can reach a REST endpoint can submit a crafted XML payload and execute arbitrary code with the privileges of the application server (Apache advisory S2-052).
Solution: Upgrade to Struts 2.5.13 or 2.3.34. Applications that do not deploy the REST plugin are not exposed to this particular issue, although they should still take the upgrade for the other fixes in the same releases.
Reference:
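Because the affected range spans two release lines and depends on whether the REST plugin is actually deployed, it helps to check an application's WEB-INF/lib listing mechanically. The script below is an added example written for this bulletin, not code from Apache or from the original page; it encodes the version ranges from the S2-052 advisory and the jar naming convention Struts uses, and the sample listing at the bottom is constructed.

```python
import re
from pathlib import Path

# Affected ranges from the Apache S2-052 advisory (inclusive): 2.1.2 - 2.3.33 and 2.5 - 2.5.12.
VULNERABLE_RANGES = [((2, 1, 2), (2, 3, 33)), ((2, 5, 0), (2, 5, 12))]
# Matches e.g. struts2-core-2.5.12.jar and struts2-rest-plugin-2.3.33.jar
JAR_RE = re.compile(r"^struts2-(core|rest-plugin)-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """'2.5' -> (2, 5, 0); '2.3.33' -> (2, 3, 33). Padded so tuple comparison works."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))


def is_vulnerable_version(text):
    v = parse_version(text)
    return any(lo <= v <= hi for lo, hi in VULNERABLE_RANGES)


def inventory(jar_names):
    """Map component ('core' / 'rest-plugin') to the version string found among the jar names."""
    found = {}
    for name in jar_names:
        m = JAR_RE.match(name)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def assess(jar_names):
    """Return (vulnerable, message) for one application's WEB-INF/lib listing.

    The deserialization bug lives in the REST plugin, so an application that does not
    ship struts2-rest-plugin is not exposed to S2-052 even on an affected core version.
    """
    found = inventory(jar_names)
    if "core" not in found:
        return False, "no struts2-core jar: not a Struts 2 application"
    core = found["core"]
    if "rest-plugin" not in found:
        return False, f"struts2-core {core} without the REST plugin: S2-052 not reachable"
    plugin = found["rest-plugin"]
    if is_vulnerable_version(core) or is_vulnerable_version(plugin):
        return True, (f"VULNERABLE: struts2-core {core}, rest-plugin {plugin}; "
                      "upgrade to 2.5.13 or 2.3.34")
    return False, f"struts2-core {core} with REST plugin {plugin}: fixed version"


def assess_directory(lib_dir):
    """Run assess() over the file names in a real WEB-INF/lib directory."""
    return assess(p.name for p in Path(lib_dir).iterdir())


if __name__ == "__main__":
    # Constructed listing standing in for an exploded WAR's WEB-INF/lib
    sample = ["commons-lang3-3.6.jar", "struts2-core-2.5.12.jar",
              "struts2-rest-plugin-2.5.12.jar", "xstream-1.4.8.jar"]
    print(assess(sample))
```

Run `assess_directory("/path/to/app/WEB-INF/lib")` against each deployed application. The check reads jar file names only; a Struts build that has been repackaged under a different name, or bundled inside a vendor product (which is where Oracle's fixes mentioned above come in), still needs to be located through the vendor's own advisory.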

Linux Kernel Bluetooth Stack Buffer Overflow

Reported: September 12, 2017
Affected Products: Linux kernel 3.3 through 4.13.1 (the kernel Bluetooth overflow disclosed as part of the BlueBorne set of Bluetooth vulnerabilities)
Details: A remote attacker within Bluetooth range could overflow a kernel stack buffer in the native Bluetooth stack's L2CAP configuration handling, due to improper bounds checking, and execute arbitrary code in the kernel or crash the system. No pairing or user interaction is required; Bluetooth only needs to be enabled on the target.
Solution: Upgrade to a kernel release or distribution kernel that contains the fix. Until then, disable Bluetooth on systems that do not need it (for example with rfkill block bluetooth).
Reference:

Microsoft Office Groove Security Bypass

Reported: October 1, 2017
Affected Products: Microsoft Office 2007
Details: A remote attacker could bypass security restrictions and execute arbitrary code on the system.
Solution: No fix was available at the time of writing. Note that extended support for Office 2007 ended in October 2017, so systems still running it should be migrated rather than waiting for a patch.
Reference:

Microsoft Windows Failover DHCP Server Service Code Execution

Reported: September 12, 2017
Affected Products: Microsoft Windows Server 2012, 2012 R2, and 2016
Details: When the DHCP Server role is configured in failover mode, a remote attacker could send crafted packets to the failover service and execute arbitrary code on the server or crash the service, because the DHCP server service handles those packets improperly.
Solution: Apply the September 2017 security update from Microsoft. Servers that do not run the DHCP server role in failover mode are not exposed.
References:

Microsoft Windows NetBIOS Code Execution

Reported: September 12, 2017
Affected Products:
Microsoft Windows 7 SP1 x32
Microsoft Windows 7 SP1 x64
Microsoft Windows Server 2008 R2 SP1 x64
Microsoft Windows Server 2008 R2 SP1 Itanium
Details: A remote attacker could execute arbitrary code on the system because the NetBIOS over TCP/IP (NetBT) session service fails to maintain certain sequencing requirements. Exploitation requires reaching the NetBT service (TCP port 139), which should never be exposed beyond the local network.
Solution: Apply the September 2017 security update from Microsoft, and confirm that inbound TCP 139 is blocked at the network perimeter.
Reference:

ZTE Microwave NR8000 Series Code Execution

Reported:  September 15, 2017

Affected Products: ZTE Microwave NR8000 series

Details: A remote attacker could execute arbitrary code on the system because the device's Java RMI service deserializes untrusted data. Java RMI endpoints on network equipment should not be reachable from untrusted networks.

Solution: Upgrade to the latest firmware provided on the ZTE support site (linked below).

References:

http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1008422

https://exchange.xforce.ibmcloud.com/vulnerabilities/132736

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10932

New Threat Advisories

You should be aware of the following threats and implement the recommended mitigations to ensure your systems are not impacted.  Click titles below for more details.

Ransomware SPAM Campaign

Description: A worldwide spam campaign targeting users in the United States is delivering the Locky and FakeGlobe ransomware families. The emails resemble legitimate invoices or bills and carry a link to a zip archive containing the malware; opening it encrypts the victim's files, after which recovery means either restoring from backup or paying the ransom.
Systems Affected: Email services, and the workstations of users who open the archives
Recommendations: Keep anti-virus engines and signature files up to date, block or quarantine zip archives and links to archives at the mail gateway where feasible, maintain offline backups, and treat links in unsolicited invoices with caution.
Resources:

MongoDB Ransom Attacks Affect 26,000 New Databases

Reported: September 4, 2017
Details: About 26,000 MongoDB servers were hijacked in the span of a week. Attackers scanned the Internet for MongoDB instances exposed without authentication, wiped the databases and left a ransom note offering to restore the data on payment. Victims who paid found that the attackers had never copied the data; the databases had simply been deleted. Researchers describe this as a continuation of the MongoDB Apocalypse wave of December 2016.
Solution: Do not expose MongoDB to the Internet. Bind mongod to internal interfaces only (net.bindIp), enable access control (security.authorization: enabled) so that every connection must authenticate, firewall port 27017, and keep the server updated. MongoDB does not require authentication out of the box, and before version 3.6 the mongod binary listened on all interfaces unless configured otherwise, so a default installation on a public host was open to anyone. Because these attackers deleted the data rather than stealing it, tested backups are the only reliable recovery.
Reference:

Hackers Hid Malware Inside Popular CCleaner Software

Reported: September 18, 2017
Details: A modified build of the CCleaner utility, signed with a valid certificate and distributed through the vendor's official download channel, delivered malware to about 2.27 million users. Anyone who installed or updated to the affected release received the backdoor along with the legitimate application. The first stage collected system information and was used to deliver a second-stage payload selectively to a list of technology companies, reportedly including Microsoft and Cisco.
Solution: If you installed or updated CCleaner recently, update to the current clean release immediately. Because the compromise arrived through a legitimately signed installer, anti-virus alone will not tell you whether a machine was affected: check systems for the indicators published by the researchers, and consider restoring from a known-good backup or reimaging any machine that received the second stage.
References:

Malicious Typosquatted Packages Found in the Python Package Index (PyPI)

Reported: September 16, 2017
Details: Name-squatting attacks were found in the official Python package repository (PyPI). Attackers uploaded packages whose names closely resembled widely used ones (in some cases names of standard-library modules that are never installed from PyPI), copied the legitimate contents and added a few extra lines that ran malicious code when the package was installed. Developers who mistyped a package name while installing with tools such as pip received the malicious package instead of the one they intended.
Solution: Review the packages installed in Python projects over the past three months against the names you intended, remove any lookalikes, and treat machines that installed one as compromised. Pin package names and versions in requirements files and check them before installation.
References:
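Checking "that all packages are valid" by eye does not scale, so here is an added example (written for this bulletin, not code from the original page or from the Python packaging tools) that screens a requirements file: it normalizes names the way PyPI does, flags names that shadow standard-library modules, and flags names within one typo (an insertion, deletion, substitution or adjacent transposition) of a package on an allowlist. The allowlist, the standard-library list and the requirements file are all constructed for the example; the suspicious names in it mirror the lookalike pattern of the campaign.

```python
import re

# Constructed allowlist standing in for the packages a project is expected to use;
# in practice build it from your lock file or an internal package index.
POPULAR = {"requests", "urllib3", "setuptools", "django", "six", "pip", "numpy", "flask"}
# Standard-library module names that have no business being installed from PyPI
STDLIB_NAMES = {"urllib", "crypt", "pwd", "telnetlib", "bz2", "json", "os", "sys"}


def normalize(name):
    """PEP 503 normalization: case-insensitive, runs of '-', '_' and '.' collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def osa_distance(a, b):
    """Optimal string alignment distance: edits plus adjacent transpositions (a typo model)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def requirement_names(text):
    """Extract distribution names from requirements.txt lines, dropping specifiers and options."""
    names = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank, comment, or an option such as -r / -e
        m = re.match(r"^[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m:
            names.append(m.group(0))
    return names


def check_requirements(text, max_distance=1):
    """Return [(name, reason)] for names that look like typosquats or stdlib shadows."""
    findings = []
    for name in requirement_names(text):
        norm = normalize(name)
        if norm in POPULAR:
            continue
        if norm in STDLIB_NAMES:
            findings.append((name, "shadows a standard-library module; nothing to install from PyPI"))
            continue
        nearest = min(POPULAR, key=lambda p: osa_distance(norm, p))
        if osa_distance(norm, nearest) <= max_distance:
            findings.append((name, f"lookalike of {nearest}; verify the publisher before installing"))
    return findings


# Constructed requirements file; the suspicious names mirror the lookalike pattern of the campaign
SAMPLE_REQUIREMENTS = """\
requests==2.18.4
urlib3>=1.22
setup-tools
urllib
Django>=1.11
"""

if __name__ == "__main__":
    for name, reason in check_requirements(SAMPLE_REQUIREMENTS):
        print(f"{name}: {reason}")
```

Short names produce false positives (anything one character away from "six" or "pip" will trip the distance check), which is why the allowlist is the primary control and the distance check only points reviewers at what to verify. The same screen can be run on the output of pip freeze to audit what is already installed on developer machines.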