BF-SIRT Newsletter 2017-51

Google’s Project Zero released details of a local proof-of-concept attack against a fully patched Windows 10 PC that allows an adversary to execute untrusted JavaScript outside a sandboxed environment on targeted systems. These vulnerabilities were patched this month, and Project Zero has a great technical write-up.

Dutch security firm Fox-IT has gone public about a cyber attack it suffered in September after not protecting its DNS entries with two-factor authentication. Unlike many other examples, this seems like a good example of how to handle incidents of this kind.

Using publicly known information, a team of researchers from the University of Melbourne has claimed to re-identify seven prominent Australians in an open medical dataset. In these days of GDPR, this is something to take note of when talking about “anonymization” of big data sets.
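The re-identification risk in that story comes from records that are unique on a few retained attributes (year of birth, sex, postcode), so that one publicly known fact singles out a patient and exposes their whole history. The following is an added Python example, not code from the newsletter or the Melbourne researchers, that measures this on a small constructed extract (the records, the pseudonymous patient ids and the quasi-identifier columns are all assumptions) and shows that coarsening the attributes raises the k-anonymity so the same known fact no longer identifies anyone:

```python
from collections import defaultdict

# Constructed sample (not real data): a "de-identified" claims extract in
# which names were replaced by a pseudonymous patient id, while year of
# birth, sex and postcode (the quasi-identifiers) were kept as-is.
RECORDS = [
    {"pid": "a91f", "birth_year": 1961, "sex": "M", "postcode": "3000", "item": "knee"},
    {"pid": "a91f", "birth_year": 1961, "sex": "M", "postcode": "3000", "item": "cardiac"},
    {"pid": "c07b", "birth_year": 1961, "sex": "M", "postcode": "3000", "item": "dental"},
    {"pid": "e3d2", "birth_year": 1975, "sex": "F", "postcode": "3122", "item": "skin"},
    {"pid": "0b44", "birth_year": 1975, "sex": "F", "postcode": "3122", "item": "knee"},
    {"pid": "7f19", "birth_year": 1948, "sex": "F", "postcode": "2000", "item": "hip"},
    {"pid": "7f19", "birth_year": 1948, "sex": "F", "postcode": "2000", "item": "oncology"},
    {"pid": "5ac3", "birth_year": 1942, "sex": "F", "postcode": "2010", "item": "dental"},
]
QUASI_IDS = ("birth_year", "sex", "postcode")


def patients_by_quasi_ids(records, quasi_ids=QUASI_IDS):
    """Map each quasi-identifier combination to the set of patient ids sharing it."""
    groups = defaultdict(set)
    for r in records:
        groups[tuple(r[q] for q in quasi_ids)].add(r["pid"])
    return groups


def k_anonymity(records, quasi_ids=QUASI_IDS):
    """Size of the smallest group of patients that share the same quasi-identifiers.

    k == 1 means at least one patient is unique on those attributes alone, and
    anyone who knows those attributes about a person can pick out their records.
    """
    return min(len(pids) for pids in patients_by_quasi_ids(records, quasi_ids).values())


def reidentify(records, known, quasi_ids=QUASI_IDS):
    """Linkage step: given publicly known attributes of one person, return that
    person's full claims history if the attributes single out exactly one
    patient id, otherwise None."""
    key = tuple(known[q] for q in quasi_ids)
    pids = patients_by_quasi_ids(records, quasi_ids).get(key, set())
    if len(pids) != 1:
        return None
    (pid,) = pids
    return [r["item"] for r in records if r["pid"] == pid]


def generalise(records, year_bucket=10, postcode_digits=1):
    """Mitigation: coarsen year of birth into buckets and truncate the postcode
    so that more patients share every quasi-identifier combination."""
    out = []
    for r in records:
        g = dict(r)
        g["birth_year"] = r["birth_year"] // year_bucket * year_bucket
        keep = r["postcode"][:postcode_digits]
        g["postcode"] = keep + "*" * (len(r["postcode"]) - postcode_digits)
        out.append(g)
    return out


if __name__ == "__main__":
    known = {"birth_year": 1948, "sex": "F", "postcode": "2000"}
    print("k on raw extract:", k_anonymity(RECORDS))
    print("history leaked by one known fact:", reidentify(RECORDS, known))
    coarse = generalise(RECORDS)
    print("k after generalisation:", k_anonymity(coarse))
    print("same fact, coarsened:",
          reidentify(coarse, {"birth_year": 1940, "sex": "F", "postcode": "2***"}))
```

On the raw extract k is 1 and a single known fact (a woman born in 1948 living in postcode 2000) returns both of patient 7f19's events; after bucketing birth years by decade and keeping one postcode digit, every combination is shared by at least two patients and the lookup returns nothing. Removing names is not the same as anonymising a dataset; the unit that has to be checked is the combination of attributes that survive.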

Brian Krebs has a great post looking at the price of stolen credentials, which gives a glimpse of the fortunes a credential thief can earn. It shows that leaked credentials are a bigger issue than each individual account: they are part of the criminal economy and foster more cybercrime.

Top 5 Security Links
Project Zero Chains Bugs for ‘aPAColypse Now’ Attack on Windows 10
Fox-IT reveals hackers hijacked its DNS records, spied on clients’ files
Re-identification possible with Australian de-identified Medicare and PBS open data
The Market for Stolen Account Credentials
Attack Attribution Tricky Say Some as US Blames North Korea for WannaCry

BF-SIRT Newsletter 2017-50

This week’s top stories begin with the ROBOT attack, a bug in the implementation of RSA key exchange in products using PKCS #1 v1.5. This includes SSL/TLS when RSA is used for exchanging keys. The bug can let an adversary decrypt traffic and even sign messages with someone else’s private key. The vulnerable products include F5, Citrix and Cisco, and many vendors have released patches.

A database containing over 1.4 billion clear-text passwords was discovered by security firm 4iQ while looking for passwords on the “dark web”. The full database contains over 41GB of clear-text passwords and usernames aggregated from previous leaks from Bitcoin, Pastebin, LinkedIn, MySpace, Netflix, YouPorn, Last.FM, Zoosk, Badoo, RedBox, games like Minecraft and Runescape, and credential lists like Anti Public and Exploit.in.

A security researcher discovered that many HP models come pre-installed with a keylogger that could be used by malware or hackers to spy on the user. The keylogger is disabled by default, but can be turned on by making changes to the registry on Windows machines. Since this is built into the drivers by HP, this keylogger can be turned on bypassing . HP.

Tenable released Nessus Professional v7, removing API and multi-user support. These two components are regarded as essential by many security professionals, and the change has met with criticism in the security community. But it gets even worse. When notifying its users about the new version, Tenable added all of them to a support forum that sent out as many as 150 emails a minute for over an hour, effectively creating a spam storm for all its users.

A new attack framework, “TRITON”, is targeting Industrial Control Systems (ICS) and has caused operational disruption to critical infrastructure, according to Mandiant. This looks to be a nation-state-sponsored attack, and it could lead to physical damage of critical systems producing gas, power and other nationally critical infrastructure.

And don’t forget that this Tuesday was Microsoft’s Patch Tuesday, with fixes for over 30 vulnerabilities, including 19 critical browser issues.

Top 5 Security links
ROBOT attack
1.4 Billion Clear Text Credentials Discovered in a Single Database
Pre-installed keylogger found in over 460 HP laptops
Tenable released Nessus Professional v7, removing features and spamming users
TRITON Attacker Disrupts ICS Operations

BF-SIRT Newsletter 2017-49

This week’s top story is that Microsoft issued an emergency Windows security update for a critical vulnerability that could lead to remote code execution in Microsoft’s own

TeamViewer rushed out a fix for a permissions bug that lets the controlled machine take control of the controlling machine. The bug impacts the Windows, macOS and Linux versions of TeamViewer.

Bugs in over 30 mail clients were found that let a phisher craft perfectly spoofed emails, defeating DMARC, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), so that the mail shows as legitimate in the client.
This collection of bugs has been named “Mailsploit” by the researcher who discovered it, and a list of vulnerable clients can be found here.
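SPF, DKIM and DMARC authenticate the domain in the From header; the Mailsploit reports concern clients that render that header differently from how it is parsed, because RFC 2047 encoded words in the display part decode to control characters or to an address-looking string. The following is an added Python example, not code from the newsletter or from the Mailsploit researcher, showing a mail-gateway side check that decodes the From header the way a client would and flags those two conditions. The sample headers are constructed for the demonstration; the helper that builds the encoded word exists only to construct them:

```python
import base64
from email.header import decode_header

# Control characters a forged From header may smuggle inside an encoded word;
# a client that stops rendering at NUL or a line break shows only the text
# before it, while the real sender address sits after it.
CONTROL_CHARS = {"\x00": "NUL", "\r": "CR", "\n": "LF"}


def decoded_chunks(raw):
    """Decode a raw header value into (text, came_from_encoded_word) pairs.

    Once any RFC 2047 encoded word is present, decode_header returns bytes for
    every chunk, with charset None for the unencoded ones.
    """
    out = []
    for chunk, charset in decode_header(raw):
        if isinstance(chunk, bytes):
            text = chunk.decode(charset or "ascii", errors="replace")
        else:
            text = chunk
        out.append((text, charset is not None))
    return out


def from_header_findings(raw):
    """Return the reasons a From header value looks forged; [] means no finding."""
    findings = []
    for text, encoded in decoded_chunks(raw):
        for ch, name in CONTROL_CHARS.items():
            if ch in text:
                findings.append("%s inside decoded From header" % name)
        # An encoded word that decodes to something containing '@' is a display
        # name pretending to be a mailbox; genuine encoded display names carry
        # non-ASCII personal names, not addresses.
        if encoded and "@" in text:
            findings.append("encoded word decodes to an address-like string: %r"
                            % text.rstrip("\x00"))
    return findings


def b_encoded_word(text, charset="utf-8"):
    """Build an RFC 2047 'B' encoded word; used here only to construct samples."""
    b64 = base64.b64encode(text.encode(charset)).decode("ascii")
    return "=?%s?b?%s?=" % (charset, b64)


# Constructed sample headers (not real messages).
BENIGN_FROM = "=?utf-8?q?J=C3=BCrgen_M=C3=BCller?= <jm@example.org>"
FORGED_FROM = b_encoded_word("ceo@trusted.example\x00") + "@attacker.example"

if __name__ == "__main__":
    for label, header in (("benign", BENIGN_FROM), ("forged", FORGED_FROM)):
        print(label, "->", from_header_findings(header) or "clean")
```

The benign header decodes to a non-ASCII personal name followed by the real mailbox and produces no finding; the forged one produces two (a NUL byte, and an encoded word that decodes to an address). Authentication results alone would not distinguish them, since the domain after the control character is the one that actually passes SPF and DKIM.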

Two researchers from enSilo described a new code injection technique called “Process Doppelgänging” at Black Hat 2017. This new attack works on all Windows versions, and the researchers say it bypasses most of today’s major security products. It is a fileless attack and is impossible to patch, since it exploits the core design of Microsoft’s process loading mechanism. The good news is that it is a very technically challenging exploit to run.

In malware news, the FBI, Europol, Microsoft and ESET teamed up to dismantle the longest-running botnet to date, the Andromeda network of botnets, which has been active since 2011.

Top 5 Security links
Microsoft Issues Emergency Windows Security Update For A Critical Vulnerability
TeamViewer Rushes Fix for Permissions Bug
‘Mailsploit’ Lets Hackers Forge Perfect Email Spoofs
Patch for Apple’s blank password bug released
“Process Doppelgänging” Attack Works on All Windows Versions

BF-SIRT Newsletter 2017-48

This week’s top stories are that half of the Internet’s email servers were vulnerable to remote code execution, and that half the planet’s inhabitants seemingly wondered how a blank password could give privilege escalation in the latest version of macOS.

The financially focused Cobalt criminal group exploited Microsoft Office’s Equation Editor in its latest campaign; a patch was released in November.

A classified toolkit for potentially accessing US military intelligence networks was left in an unsecured AWS S3 silo.

Less of a news item, but input worth considering: Linus Torvalds has offered a calmer, lengthy explanation of his thoughts on security, after a classic expletive-laden first version.

Top 5 Security Links
No Patch Available for RCE Bug Affecting Half of the Internet’s Email Servers
Why <blank> Gets You Root
Older Office Cybersecurity Vulnerability Exploited by Cobalt Attackers
US intelligence blabs classified Linux VM to world via leaky S3 silo
Linus Torvalds on security: ‘Do no harm, don’t break users’